I am writing to make a request for information under the Freedom of Information Act 2000.
If this request is too wide or unclear, I would be grateful if you could contact me as I understand that under the Act, you are required to advise and assist requesters. If any of this information is already in the public domain, please can you direct me to it, with page references and URLs if necessary.
I understand that you are required to respond to my request within the 20 working days after you receive this letter. Answers will be anonymised upon receipt.
1 How would you best describe your organisation’s approach to software security?
2 What is the biggest challenge your organisation faces in implementing an application security program?
3 When working with a third party, what standards do you use to ensure data is processed and managed in a compliant manner?
4 What percentage of software applications are developed in-house vs. supplied by third parties (commercial software and open source components)?
a. Less than 10 percent;
b. More than 10 percent, but less than 50 percent; or
c. More than 50 percent.
5 What percentage of your software development organization has received data privacy related training?
a. Less than 10 percent;
b. More than 10 percent, but less than 50 percent; or
c. More than 50 percent.
6 With the GDPR deadline nearly a year past, how have software procurement, development, and management practices changed from prior practices?
7 When data processing by external providers is involved, to which security frameworks are providers held to account?
8 Are security reviews of external providers performed primarily by internal teams or are industry certifications and auditor reports used to verify ongoing compliance?
9 What controls are in place to ensure reviews of consent and data processing polices remain current as applications evolve? (For example, should additional data processing via external sources be required, but consent for such processing wasn’t originally obtained, that updated consent be sought.)
10 In the past five years, has your organisation suffered a data privacy incident which would now be required to be reported under GDPR?
a. What processes were implemented to address shortcomings contributing to these incidents?
11 Has your organisation suffered at least one data privacy incident which was reported under GDPR?
12 To which position(s) does your data protection officer report (For example, CISO, CRMO, CIO, CFO, MD, CEO)?
13 Has your organisation received any requests under the GDPR “Right to Access” provisions?
a. If yes, what is the average response time to compile and communicate the response?
14 How does your organisation verify the security of third-party software prior to purchasing and deploying it?
DfI/2019-0168: FOI Request