
Cyber security contracts (FOI231194)

This Freedom of Information request asks for details of our cyber security contracts.

Request for information - Ref No: FOI231194

Request

Thank you for your email of 16 October 2023, requesting information from OS in accordance with the Freedom of Information Act (FOIA) 2000, as set out in the extract below:

“I am currently embarking on a research project around Cyber Security and was hoping you could provide me with some contract information relating to following information:

  • Standard Firewall (Network) - Firewall service protects your corporate Network from unauthorised access and other Internet security threats
  • Anti-virus Software Application - Anti-virus software is a program or set of programs that are designed to prevent, search for, detect, and remove software viruses, and other malicious software like worms, trojans, adware, and more.
  • Microsoft Enterprise Agreement - is a volume licensing package offered by Microsoft. 

The information I require is around the procurement side and we do not require any specifics (serial numbers, models, location) that could bring threat/harm to the organisation.

For each of the different types of cyber security services can you please provide me with:

  1. Who is the existing supplier for this contract?
  2. What does the organisation annually spend for each of the contracts?
  3. What is the description of the services provided for each contract?
  4. Primary Brand (ONLY APPLIES TO CONTRACT 1&2)
  5. What is the expiry date of each contract?
  6. What is the start date of each contract?
  7. What is the contract duration of contract?
  8. The responsible contract officer for each of the contracts above? Full name, job title, contact number and direct email address.
  9. Number of Licenses (ONLY APPLIES TO CONTRACT 3)”

Our response

I confirm that OS does hold the information you have requested. Where information is exempt from disclosure, this is stated.

Taking each request in turn, I confirm the following:

Contract 1 – Standard Firewall (Network)

Q1.       Who is the existing supplier for this contract?

I confirm that our firewall contract supplier is Computacenter.

Q2.       What does the organisation annually spend for each of the contracts?

OS annually spends £441,000 exclusive of VAT on this contract.

Q3.       What is the description of the services provided for each contract?

The contract provides the gateway and security to all OS systems both from an external customer and internal employee perspective.

Q4.       Primary Brand (ONLY APPLIES TO CONTRACT 1&2)

The primary brand is Checkpoint.

Q5.       What is the expiry date of each contract?

The expiry date for this contract is 26 June 2026.

Q6.       What is the start date of each contract?

The start date for this contract is 27 June 2023.

Q7.       What is the contract duration of contract?

The contract duration is 3 years.

Q8.       The responsible contract officer for each of the contracts above? Full name, job title, contact number and direct email address.

The information relating to the contact name is held by OS but is exempt from disclosure under section 40(2) (personal information) of the FOIA, as the information constitutes personal data. I confirm the team responsible for dealing with the contract is the Software Asset Management team.

Section 40(2) provides that personal data is exempt information if one of the conditions set out in section 40(3) is satisfied. In our view, disclosure of this information would breach the data protection principles contained in the General Data Protection Regulations and Data Protection Act 2018.

In reaching this decision, we have particularly considered:

  • the reasonable expectations of the employees: given their positions, OS considered that none of the individuals would have a reasonable expectation that their personal data would be disclosed;
  • the consequences of disclosure; and
  • any legitimate public interest in disclosure.

Section 40(2) is an absolute exemption and therefore not subject to the public interest test.

However, under the duty to provide information and assistance in accordance with section 16 of FOIA, you can find out information in relation to Cyber Security on our website: Ordnance Survey | See A Better Place

Contract 2 - Anti-virus Software Application

Q1.       Who is the existing supplier for this contract?

The supplier of this contract is Softcat Limited.

Q2.       What does the organisation annually spend for each of the contracts?

OS annually spends circa £200,000 exclusive of VAT on this contract.

Q3.       What is the description of the services provided for each contract?

The contract provides anti-virus protection for OS.

Q4.       Primary Brand (ONLY APPLIES TO CONTRACT 1&2)

The primary brand is Microsoft Corporation.

Q5.       What is the expiry date of each contract?

The expiry date for this contract is 30 November 2024.

Q6.       What is the start date of each contract?

The start date for this contract is 1 December 2021.

Q7.       What is the contract duration of contract?

The contract duration is 3 years.

Q8.       The responsible contract officer for each of the contracts above? Full name, job title, contact number and direct email address.

The information relating to the contact name is held by OS but is exempt from disclosure under section 40(2) (personal information) of the FOIA, as the information constitutes personal data. I confirm the team responsible for dealing with the contract is the Software Asset Management team.

Section 40(2) provides that personal data is exempt information if one of the conditions set out in section 40(3) is satisfied. In our view, disclosure of this information would breach the data protection principles contained in the General Data Protection Regulations and Data Protection Act 2018.

In reaching this decision, we have particularly considered:

  • the reasonable expectations of the employees: given their positions, OS considered that none of the individuals would have a reasonable expectation that their personal data would be disclosed;
  • the consequences of disclosure; and
  • any legitimate public interest in disclosure.

Section 40(2) is an absolute exemption and therefore not subject to the public interest test.

However, under the duty to provide information and assistance in accordance with section 16 of FOIA, you can find out information in relation to Cyber Security on our website: Ordnance Survey | See A Better Place

Contract 3 - Microsoft Enterprise Agreement

Q1.       Who is the existing supplier for this contract?

The supplier of this contract is Softcat Limited.

Q2.       What does the organisation annually spend for each of the contracts?

OS annually spends £1.67m exclusive of VAT on this contract.

Q3.       What is the description of the services provided for each contract?

The contract provides OS with FSCM, CRM, Modern Workplace and Server software.

Q4.       What is the expiry date of each contract?

The expiry date of this contract is 30 November 2024.

Q5.       What is the start date of each contract?

The start date of this contract is 1 December 2021.

Q6.       What is the contract duration of contract?

The contract duration is 3 years.

Q7.       The responsible contract officer for each of the contracts above? Full name, job title, contact number and direct email address.

The information relating to the contact name is held by OS but is exempt from disclosure under section 40(2) (personal information) of the FOIA, as the information constitutes personal data. I confirm the team responsible for dealing with the contract is the Software Asset Management team.

Section 40(2) provides that personal data is exempt information if one of the conditions set out in section 40(3) is satisfied. In our view, disclosure of this information would breach the data protection principles contained in the General Data Protection Regulations and Data Protection Act 2018.

In reaching this decision, we have particularly considered:

  • the reasonable expectations of the employees: given their positions, OS considered that none of the individuals would have a reasonable expectation that their personal data would be disclosed;
  • the consequences of disclosure; and
  • any legitimate public interest in disclosure.

Section 40(2) is an absolute exemption and therefore not subject to the public interest test.

However, under the duty to provide information and assistance in accordance with section 16 of FOIA, you can find out information in relation to Cyber Security on our website: Ordnance Survey | See A Better Place

Q8. Number of Licenses (ONLY APPLIES TO CONTRACT 3)

The number of licences is 3,780, subject to head count changes.

Internal review

Your enquiry has been processed according to the Freedom of Information Act (FOIA) 2000. If you are unhappy with our response, you may request an internal review with our Internal Review Officer by contacting them, within two months of receipt of our final response to your Freedom of Information (FOI) request, as follows:

Internal Review Officer
Customer Service Centre
Ordnance Survey
Adanac Drive
Southampton
SO16 0AS

Contact us via our FoI form

Please include the reference number above. You may request an internal review where you believe Ordnance Survey has:

  • Failed to respond to your request within the time limits (normally 20 working days)
  • Failed to tell you whether or not we hold the information
  • Failed to provide the information you have requested
  • Failed to explain the reasons for refusing a request
  • Failed to correctly apply an exemption or exception

The Internal Review Officer will not have been involved in the original decision. They will conduct an independent internal review and will inform you of the outcome of the review normally within 20 working days, but exceptionally within 40 working days, in line with the Information Commissioner’s guidance.

The Internal Review Officer will either: uphold the original decision, provide an additional explanation of the exemption/s applied or release further information, if it is considered appropriate to do so.

Appeal to Information Commissioner’s Office (ICO)

If you are still dissatisfied after our internal review, you can complain to the Information Commissioner’s Office (ICO). You should make complaints to the ICO within six weeks of receiving the outcome of an internal review. The easiest way to lodge a complaint is through the ICO website.