Request for information – Firewall, Anti-virus, and Enterprise Agreement
Request ID: FOI-2565-2324 Date published: 09 November 2023
You asked
Data and Information Officer
I am currently embarking on a research project around Cyber Security and was hoping you could provide me with some contract information relating to following information:
1. Standard Firewall (Network) - Firewall service protects your corporate Network from unauthorised access and other Internet security threats
2. Anti-virus Software Application - Anti-virus software is a program or set of programs that are designed to prevent, search for, detect, and remove software viruses, and other malicious software like worms, trojans, adware, and more.
3. Microsoft Enterprise Agreement - is a volume licensing package offered by Microsoft.
The information I require is around the procurement side and we do not require any specifics (serial numbers, models, location) that could bring threat/harm to the organisation.
For each of the different types of cyber security services can you please provide me with:
1. Who is the existing supplier for this contract?
2. What does the organisation annually spend for each of the contracts?
3. What is the description of the services provided for each contract?
4. Primary Brand (ONLY APPLIES TO CONTRACT 1&2)
5. What is the expiry date of each contract?
6. What is the start date of each contract?
7. What is the contract duration of contract?
8. The responsible contract officer for each of the contracts above? Full name, job title, contact number and direct email address.
9. Number of Licenses (ONLY APPLIES TO CONTRACT 3)
Thank you, they said that you will send me a confirmation email.
We answered
Our ref: FOI-2565-2324/GH
Thank you for your request received by Transport for London (TfL) on 16 October 2023 asking for information about Firewall, Anti-virus, and Enterprise Agreement.
Your request has been considered under the requirements of the Freedom of Information Act 2000 and our information access policy. I can confirm that we do hold the information you require.
1. Standard Firewall (Network) - Firewall service protects your corporate Network from unauthorised access and other Internet security threats 2. Anti-virus Software Application - Anti-virus software is a program or set of programs that are designed to prevent, search for, detect, and remove software viruses, and other malicious software like worms, trojans, adware, and more.
In accordance with the FOI Act, we are not obliged to supply any of the information as it is subject to a statutory exemption to the right of access to information under section 31 of the FOI Act, which relates to law enforcement. Specifically, section 31(1)(a), which relates to information whose disclosure would be likely to prejudice theprevention or detection of crime. Release of information under the Freedom of Information Act is a release to the public at large. Therefore TfL must consider how any potential recipient of the information might use it, rather than make assumptions about the intentions of the individual making the request.
In this instance the exemption has been applied as disclosure of the information you have requested would pose a real threat to our IT systems, and consequently, the prevention or detection of crime as it would assist a third party to mount an attack on our IT systems. It is the sort of information that could be combined with other information available to an attacker or already in the public domain, to target our systems.
The London transport system is a critical piece of national infrastructure and as such we employ rigorous safeguards to protect it from cyber attack. Like other organisations we are subject to these regularly. These attacks are unlawful under the Computer Misuse Act, and whilst the motive is not always apparent, we are aware of the risk to critical national infrastructure that may result from a successful attack. We consider that releasing the information you have asked for would be likely to prejudice our efforts to prevent and detect future attacks and undermine our ability to safeguard our information systems.
The use of this exemption is subject to an assessment of the public interest in relation to the disclosure of the information concerned. We recognise the need for openness and transparency by public authorities, but in this instance we consider that there is greater public interest in safeguarding our information systems and to ensure that cyber attacks, or any other criminal activity is prevented wherever possible.
The Information Commissioner’s Office has previously issued a Decision Notice regarding the application of section 31 to withhold information in relation to cyber security. Whilst the information requested in the referenced case is different to the information you asked for, we believe the same arguments can be applied. Please see the decision in the following link: https://ico.org.uk/media/action-weve-taken/decision-notices/2016/1623677/fs_50600199.pdf
We can however, provide the requested information for this part of your request:
3. Microsoft Enterprise Agreement
1. Who is the existing supplier for this contract? Microsoft UK Ltd and Boxxe Limited, as the licensing solution partner
2. What does the organisation annually spend for each of the contracts? Approx £15m, varies based on consumption/demand
3. What is the description of the services provided for each contract? Enterprise Subscription Agreement: Primarily End User Computing related products such as Office365, Windows 10/11, Dynamics CRM, Security and Compliance. Server and Cloud Enrolment: Primarily hosting related products such as Windows Server, SQL and SCCM. Usage of Cloud services within Azure. Unified Support: Incorporates 24/7 support for Microsoft products/services Consultancy: framework option to call off defined packages
5. What is the expiry date of each contract? November 2025
6. What is the start date of each contract? December 2022
7. What is the contract duration of contract? 3 years with an option to extend for a further period.
8. The responsible contract officer for each of the contracts above? Full name, job title, contact number and direct email address. Please note that in accordance with TfL’s obligations under Data Protection legislation we do not disclose individual employees names and contact details, as required by section 40(2) of the FOI Act. This is because disclosure of this personal data would be a breach of the legislation, specifically the first principle which requires all processing of personal data to be fair and lawful. It would not be fair to disclose this personal information when the individuals have no expectation it would be disclosed and TfL has not satisfied one of the conditions which would make the processing ‘fair’.
9. Number of Licenses (ONLY APPLIES TO CONTRACT 3) Licence metrics vary by product / service – however, sufficient coverage for ~30,000 users. Please see the attached information sheet for details of your right to appeal.
Yours sincerely
Graham Hurt FOI Case Officer FOI Case Management Team General Counsel Transport for London
