Awarded contract

Published

Information & Cyber Security Discovery - To inform business case

Value

13,000 GBP

Current supplier

GATEWAY TECHNOLABS UK LTD

Description

Summary of the work

To further enhance and improve upon existing information and cyber security capabilities, a discovery phase analysis outcome is required to identify whether the Local Pensions Partnership (LPP) can utilise and benefit from the usage of third party partner 'Security Operations Centre' (SOC) services.

Expected Contract Length

We would expect this outcome to be completed in no more than 2 working months (40 days maximum).

Latest start date

Thursday 2 January 2020

Budget Range

£15,000 (Fixed price)

Why the Work is Being Done

To further enhance and improve upon existing information and cyber security capabilities, a discovery phase analysis outcome is required to identify whether the Local Pensions Partnership (LPP) can utilise and benefit from the usage of third party partner 'Security Operations Centre' (SOC) services. Such services would include the full range of SOC services as well as the usage of new and existing digital information and cyber security tools to extend monitoring, detection and response to threats, as well as to take proactive preventative action. The usage of such services would extend LPP's information and cyber security capabilities to a 24/7/365 basis. The content of the analysis would determine the feasibility and provide content to inform a business case.

Problem to Be Solved

This outcome will provide a comprehensive documented view of the following:

- The information & cyber security SOC requirements within LPP (which will need to be identified as part of this outcome, and should also cover the required coverage and resource skills that a SOC will provide LPP).
- A traceable view of the requirements to what a SOC can provide LPP.
- A determination of high level costs (internal vs external).
- An understanding of the information & cyber security digital technologies in use within LPP, which would be within the scope of a SOC to monitor.
- The benefits of utilising a SOC, as opposed to the current approach in use.
- The high level costs of both approaches.
- A recommendation on which approach to proceed with.

Who Are the Users

The following list is a subset of identified user-stories:

1) As a security manager, I need to ensure that LPP's IT technologies, data and domain are subject to continuous threat-monitoring.
2) As a security manager, I need to ensure that pro-active preventative measures are undertaken to protect LPP, based on a changing environment / threat landscape.
3) As a security manager, I need to ensure that pro-active and reactive threat detection is occurring on a continuous basis, thereby enabling action to be taken to protect LPP technologies, data and the domain.
4) As a security manager, I need to ensure that LPP's security monitoring is continuously reflective of industry standards, and is subject to continuous improvement.
5) As a security manager, I need to ensure technologies and awareness exist which can identify/resolve any new or existing threats, in order to protect LPP technologies, data and the domain.
6) As a security manager, I need to ensure all threat monitoring, detection, prevention or responses are subject to full documentation, in an auditable manner.
7) As a security manager, I need to ensure a cost effective approach to 24/7/365 security threat-monitoring, detection and any response to protect LPP technologies, data and the domain.

Existing Team

LPP's Security Working Group and its membership form the existing team with responsibility for information and cyber security.

Current Phase

Discovery

Skills & Experience

• Demonstrable experience of delivering a discovery phase analysis within a public sector organisation
• Demonstrable experience of delivering a discovery phase analysis within a highly regulated organisation
• Demonstrable experience of delivering a discovery phase analysis within a financial sector organisation
• Demonstrable experience of analysing information and cyber security requirements within a financial sector organisation
• Demonstrable experience of utilising the services of a security operations centre within a customer's organisation
• Demonstrable understanding of the typical security components and capabilities found within public and private cloud services, as well as IdAM & network technologies
• Demonstrable understanding of typical security needs within organisations and their technological ecosystems

Nice to Haves

• Ability to source all required skillsets to successfully deliver this outcome
• Demonstrable experience of flexible working

Work Location

LPP's Central London Office - Union Street, London, SE1

Working Arrangements

It is envisioned that a supplier would work on-site (to interact with and interview key members of LPP's Security Working Group), as well as off-site to document and prepare the analysis.

Security Clearance

All supplier resources should be subject to BPSS clearance at a minimum, which should be undertaken by the supplier prior to commencement of the outcome engagement. Additionally, suppliers must adhere to LPP IT policies, which include the mandatory usage of encryption on devices, with up-to-date A/V & firewall software in place.

Additional T&Cs

The contract will utilise the Standard Framework terms and conditions, as well as LPP's standard terms and conditions (where necessary).

No. of Suppliers to Evaluate

3

Proposal Criteria

• A plan for delivery of the outcome in full, including (but not limited to) milestones & phases
• An understanding of value for money
• Approach and methodology to deliver this outcome in full
• How risk will be minimised to ensure delivery of this outcome in full

Cultural Fit Criteria

• Work as a team with our organisation and other suppliers
• Take responsibility for their work
• Challenge the status quo
• Can work with clients with low technical expertise

Payment Approach

Fixed price

Assessment Method

• Reference
• Presentation

Evaluation Weighting

• Technical competence: 75%
• Cultural fit: 5%
• Price: 20%

Questions from Suppliers

1. Will bidding on this discount us from bidding on the actual SOC service, should you consider going down this route?
The decision to continue to Alpha and Beta stages will be dependent on the outcome of the Discovery project. We welcome all bids, at all stages, from suppliers who can meet our requirements.

2. Is the 15k inclusive of VAT?
No it is not.

3. Can you confirm this is outside IR35?
At this time it is understood that this discovery exercise is outside of IR35.

4. Our primary consultants are booked in Jan but we have an associate network that we can use which will have the right person, is this something you would be happy with? (we can provide additional support from Head office)
As a buyer we are focused on the successful completion of the outcome. It is up to each supplier to determine how they can successfully deliver the outcome, including which resources they utilise.

5. What is the expected split between on site and offsite work?
Please refer to the field 'Working arrangements' for an answer to this question.

6. Does bidding for the Discovery phase preclude you from being able to deliver the SOC capability, if that is a route chosen by LPP as a result of this exercise?
The decision to continue to Alpha and Beta stages will be dependent on the outcome of the Discovery project. We welcome all bids, at all stages, from suppliers who can meet our requirements.

7. Please clarify if by doing this work would we still be able to compete to be the SOC provider.
The decision to continue to Alpha and Beta stages will be dependent on the outcome of the Discovery project. We welcome all bids, at all stages, from suppliers who can meet our requirements.

8. What is meant by 'experience of utilising the services of a security operations centre'?
This relates to a supplier demonstrating to us that they are familiar (in depth) with the utilisation of the services of a Security Operations Centre within a customer's environment, as opposed to only within their own environment.

9. What products are within the environment? Vendor name, product name and versions? Number of licenses? Number of locations? Do you need to comply with anything, i.e. PCI-DSS or any other? Do you operate 24x7? Do you have your own data centres?
In reference to your specific question: We are unable to provide a full list of products, including vendor name and versions, number of licenses, number of locations, in the 100 word response which we are limited to within the Digital Marketplace. To provide relevant information: We predominantly utilise Microsoft technologies, across four physical 'office' locations. We currently utilise two data-centres, as well as Microsoft's cloud. We generally operate 8am-8pm, although please note that this outcome covers 24x7x365 security monitoring. We adhere to data compliance as well as being FCA regulated.
