Cyber Security Criticalities Assessment Service

Description

Summary of the work The Home Office is seeking a service provider to Design, Develop, Deliver and Refine a Criticalities assessment process for the Home Office, considering the business impact of Home Office Assets, intended to deliver a corporate cyber security criticalities assessment to be used within the Assurance Process across the Home Office. Expected Contract Length 6 months Latest start date Friday 30 September 2022 Budget Range £300,000 to £500,000 Why the Work is Being Done The Home Office is updating the way it undertakes cyber security, this includes the way it measures compliance and the way it directs and prioritises security resource. It is seeking to engage a supplier to help develop a Business Impact and Criticality Assessment and deploy this across the vast Home Office estate. This process will establish the criticality of all Home Office services and systems and prioritise them by criticality. This scope includes more than 600 services and systems including PaaS, IaaS, SaaS as well as Government Off The Shelf Solution (GOTS), Modified Off The Shelf Solution (MOTS) and Commercially Off The Shelf Solution (COTS) applications. Problem to Be Solved •There are several hundred systems across the Home Office, this project will improve central visibility on the corporate service management tool building a richer picture of services and the business impact if they were compromised. •The Home Office IT landscape is complex and fragmented with a number of cyber security roles that do not take a consistent approach and understanding the criticality to services therefore no central view is clearly held that provides a clear understanding of what systems exist and their importance. •Enable the HO to work more intelligently, integrate and share data across the organisation to minimise the resource necessary to access the relevant data. •Enable Home Office Cyber Security to prioritise security resources towards the most critical assets. •Provide a central view of systems and services criticality that is accessible and relevant. •Understand the business impact of a service or asset so that its value is well understood and suitable controls may be considered within its lifecycle. Who Are the Users •Home Office Cyber Security (HOCS) are responsible for providing information assurance services across the Home Office which is the government department responsible for the UK's borders and homeland security and has users both in the UK and abroad. The Home Office have nearly 40,000 staff and operate a range of IT Systems and Services. •HOCS need to be able to clearly and consistently understand the value of IT systems and services and the impact to a system or service in the event of a compromise or disruption. •A business impact assessment is used by HOCS to prioritise limited security resources towards the most critical systems and services and ensure these have adequate protection. This assessment is managed by Home Office Corporate Accreditors but is agreed by the business. •It is envisaged that a lightweight assessment could be completed quickly to provide a view and a more detailed assessment could be completed as required on more critical assets identified from the initial assessment. Work Already Done The Home Office have Business Impact Assessments and Centre for the Protection of National Infrastructure (CPNI) Assessments that would need to be taken into consideration. HOCS is in discussion with Home Office ServiceNow Team to be more integrated. Existing Team The existing Cyber Security Assurance ServiceS (CSAS) team sits within Home Office Cyber Security. CSAS consists of a small team of security specialists that cover project assurance, live systems assurance and supplier assurance. Current Phase Live Skills & Experience • Demonstrable and recent (within the last 2 years) experience of delivering Business Impact Assessments. • Demonstrable and recent (within the last 2 years) experience of delivering projects at pace in large, complex organisations with multiple senior stakeholders. • Demonstrable and recent (within the last 2 years) experience of delivering Cyber Security Assurance Services. • Demonstrable and recent (within the last 2 years) experience of providing business and management information from security processes and data. • Demonstrable and recent (within the last 2 years) experience of undertaking large data collection exercises and ability to dissect and scrutinise responses to get to root causes and underlying information. • Demonstrable and recent (within the last 2 years) experience of automating security or assurance processes and outcomes. • Demonstrate adequate professional resource capability and capacity to deliver outputs on time and to budget. Resources assigned to this work must have suitable cyber security or Business Impact experience. • Previous evidence of delivering similarly related, large projects at pace across complex organisations for public or private sector organisations. Nice to Haves • Hold NCSC Certified Cyber Professional (CCP) accreditation. • Demonstrable and recent (within the last 2 years) experience of designing and implementing a range of business impact assessments. • Demonstrable and recent (within the last 2 years) experience of delivering cyber security assurance to projects and live services • Demonstrable and recent (within the last 2 years) experience of delivering new security methodologies and techniques. • Demonstrable and recent (within the last 2 years) experience of automation and presenting management information and deriving business information from security processes. Work Location The team is required to work from within the UK at home or in a safe environment and to attend meetings using digital channels or face to face at suitable Home Office locations. Remote working is conducted in line with Home Office policy. Working Arrangments This will be based on the output of deliverables and availability of stakeholders during normal office hours. Service Providers will undertake work within the United Kingdom on Home Office supplied devices. All staff to be UK based and clearable (i.e. right to work or UK Citizenship) Security Clearance The service providers’ staff will be required to have as a minimum SC level security clearance prior to commencing work, staff not in current possession of SC security clearance must undergo SC security clearance. All clearances will be confirmed by the Home Office Security prior to commencement. Additional T&Cs The work will be subject to the terms of the DOS 5 Framework and conducted under Statement of Work which will be subject to either Fixed Price or Time and Materials basis. No. of Suppliers to Evaluate 3 Proposal Criteria • Mobilisation and Transition • Scoping and Definition of Work Packages and SOWs • Successful end-to-end implementation of Business Impact Assessments • Case Studies • Successful end-to-end delivery and handover to HOCS within a multi-party landscape • Integration of the business impact and Home Office Criticality Assessment • Delivery of a Business Impact Assessment Processes and methodology or case study • Innovation and Added value • Social Value • Defining the methodology and processes • Onboarding systems and services Cultural Fit Criteria • Demonstrate innovation and Added Value • Demonstrate Social Value Payment Approach Fixed price Assessment Method • Case study • Work history • Reference • Presentation Evaluation Weighting Technical competence 60% Cultural fit 10% Price 30% Questions from Suppliers 1. Is there a current incumbent? There is no existing supplier. 2. What technology is the Corporate Services Management Tool composed of and who has access? The Service Management Tool is accessible to privileged users and individuals within DDaT with the need to access the service. Some suppliers and third parties will be provided remote access to the Service Management Tool where they meet connectivity and security requirements. 3. Is there a preferred criticality analysis methodology for the exercise? No, however the objective would be to prioritise services from this exercise. 4. Who would the successful candidate be reporting to? CSAS Manager/HOCS Manager? Head of CSAS (G6) who reports to the Home Office CISO (Head of HOCS) 5. How do CSAS and HOCS work together and are there any other relevant cyber security teams to be aware of? Cyber Security Assurance Services are a team within Home Office Cyber Security. There are several teams within HOCS including GRC (responsible for strategic risk and auditing), CSOC responsible for incident management and protective monitoring, TVM responsible for Threat and Vulnerability Management. 6. What level of support will the CSAS Team be able to provide to the project? At least one member of staff would be able to meet with the team on a daily basis to assist with any questions and support. The wider team would be accessible and able to provide a level of assistance and support to aid in this delivery? 7. Can we use our own IT to access HO systems or will each member of the team need to be issued with HO IT equipment? The Home Office will supply corporate laptops that will be used to support the exercise. 8. Can the Authority please confirm whether there is an incumbent supplier, and if so, who? There is no existing supplier. 9. •How many assets are there?Can they be broken down by type e.g servers, network devices, endpoints, etc?•Have they been assigned criticality and are they tagged in some way? 9a) There are several hundred assets.9b) They are not clearly and consistently categorised currently.9c) They are not all clearly and consistently assigned a criticality. Some have been tagged within ServiceNow as Low Criticality or High Criticality, 10. •Is there a centralised asset database?•Can we have sight of the work that has been done that we need to factor in e.g Business Impact Analysis and CPNI assessments?•What are the main compliance drivers e.g NIST ?•What Vulnerability Management tools are used ?•What endpoint detection tools are used? •There is a CMDB within the Home Office, ServiceNow acts a central Service Management tool•The CPNI criticality process is available here: https://www.cpni.gov.uk/resources/cni-criticalities-kb-flyerExisting Business Impact Assessments would need to be identified and reviewed during the exercise to develop the new process.• The main compliance drivers are legal, regulatory and CAF which was recently deployed to measure cyber security across HMG.•This information won't be shared due to security sensitivities. But details may be provided as part of the delivery.•This information won't be shared due to security sensitivities. But details may be provided as part of the delivery. 11. "In regards to the evidence of experience of automating security or assurance processes and outcomes, are you looking for technical/tooling processes that have been implemented?" All experience would be considered including technical/ tooling processes that have been implemented. 12. "What was the scope of existing Business Impact Assessments and Centre for the Protection of National Infrastructure (CPNI) Assessments?" These assessments have not been consistently applied within the Home Office to date. The scope of this exercise would be for all technology solutions and services. 13. "Do you expect supplier to develop a new Business Impact and Criticality Assessment for the systems/services for which Business Impact Assessments already exists?" Yes. The objective is to establish a standard within the Home Office and then develop a delivery plan to deploy this. 14. "Following development of the assessment framework, is the supplier expected to provide Cyber Security Assurance Services or work closely with the HOCS team to implement the framework?" It is expected the team will deploy the assessments very much independently from the existing CSAS Assurance team. Following a handover this team will then progress and manage the process as BAU. 15. "Which cyber security framework does Home Office measures compliance against?" Currently there are multiple frameworks used to measure cyber compliance within the Home Office. The current work is to move towards the CAF as a primary reference however it is expected that other frameworks will continue to be used. 16. "How do you expect the corporate service management tool to improve central visibility? Do you expect the Business Impact and Criticality Assessment framework to be embedded in the tool for performing the BIA/Criticality assessments or do you expect the output of this exercise (supplier deliverables) to feed into the tool?" "• ServiceNow is the corporate strategic platform for managing IT Services within the Home Office. It is envisaged that this would serve as the primary knowledge / reference base. •This would be for the supplier to identify with the business however it is likely that the assessment would be seperate from ServiceNow but just have the output populated within the solution." 17. "Is there an incumbent supplier within the existing team?" No, there is no existing supplier 18. •You have indicated fixed price as your preferred payment approach – would this be based on individual SOW’s as per the breakdown of your requirements or a single SOW which would cover the entirety of the engagement?•What notice period would you give a successful supplier to mobilise their team? •A single statement of work may cover the entirety of the agreement however individual SOW may be used.•This would be negotiated however it would be reasonable to mobilise within 1 month of contract award and this would include the Home Office deploying any equipment and facilitating access to vetted personnel. The contract and work would not start until suitable resources are in place with access to Home Office systems to deliver outcomes. 19. •Can the HO advise how they would expect the successful supplier to work with their teams?•Has the HO grouped/categorised its 600 services according to their criticality?•Is the HO using a Business Impact Analysis tool, if so what is this called? •They would be expected to work very much independently, the contract owner (Head of CSAS) or a deputy would liaise and be the primary contact between the successful supplier and the business for escalations and general direction and updates.•None of the existing systems have been consistently grouped based on criticality.•No existing tools are used consistently.