What types of information could you consider withholding?
Hackers or other malicious parties may draw on a wide range of sources to find out information about an organisation’s cyber-security arrangements. They might compile information from numerous FOI requests sent to similar organisations to understand supply chains, interconnectivity, or commonalities which present an opportunity to exploit infrastructure.
Cyber security-related FOI requests usually ask for information about four areas, and there are risks associated with disclosing information in each one.
Please note the sections below are not an exhaustive list of considerations. You should have appropriate processes in place to accurately assess the level of risk when disclosing information. You should not take a blanket approach to handling requests for this type of information. You should also seek legal advice where appropriate.
Infrastructure – hardware
Disclosing information about physical hardware, such as servers or user devices, and even the lack of certain equipment, can lead to a number of risks.
For example, revealing the physical location of devices may lead to risk of theft, service disruption or vandalism. Revealing makes and models of devices can give insight into the age of your infrastructure and likely vulnerabilities.
Infrastructure – software and licensing
Disclosing information about software such as operating systems, web services or corporate applications could reveal the types of services you procure. This could give rise to upstream supply chain risk. For commonplace software like Windows, you may feel comfortable disclosing the overall OS you are using, but withhold version numbers, for example. For more unique or bespoke software specific to your operations, you may need to withhold wider information, taking into consideration the risk that hackers might target one of your suppliers in order to use their product to gain access to your systems.
In some cases, revealing a lack of software can also lead to risks.
Security controls
Disclosing information about security controls such as physical security, cyber policies and security systems can lead to a number of risks.
Releasing policy documents relating to incident response and disaster recovery may reveal contextual information which is useful to hackers or cyber criminals, for example, attitudes to ransom payments, resilience levels, or proposed alternative ways of working after an incident.
Security incidents
Disclosing information about successful or unsuccessful attacks may give rise to additional attempts to exploit the same attack vectors or security issues. This may increase the risk of future successful attacks.
Providing details on the numbers of incidents or the level of staffing, for example, could provide malicious attackers with information about existing security levels.