Hackney Council is building new security assurance capabilities, following a Cyber attack in 2020.

Description

Summary of the work Our security risks are known and managed across all our ICT environments so that we minimise the threat of a future cyber attack on Council services and the residents and businesses we serve. Latest start date Monday 1 February 2021 Budget Range £200,000 - £250,000 + VAT Why the Work is Being Done Hackney Council is reviewing the way we deliver security assurance, following a Cyber attack in October 2020 and implementing changes to where required. This work will include a review of some of our technological tools as well our governance arrangements and processes. This work will be underpinned by a concurrent piece of work focused upon the security culture within the team. Problem to Be Solved We are delivering two key strands of work: Behaviour, Culture & Skills (Analysis, recommendation & implementation) Policy, Process & Procedure (Review, recommendation, change/strengthen) We have identified some skills gaps and capacity shortages that would hinder rapid delivery of a high quality set of outcomes. User Research (to help design, conduct and understand behavioural and culture now) Business/Procedure/Policy Analysis (to help create and distill user stories, conversations and data and turn into actionable procedures/practice). Senior Security Practice to act as a second pair of eyes and to help design new processes, deliver training and best practice to our teams. Who Are the Users As a Head of Platform, I need… ● to have a detailed understanding of how staff understand their responsibilities towards security and value its governance, so that we address cultural risks that leave us vulnerable to future attacks and implement the changes necessary to prevent them ● the team to create and the department (and wider organisation) adopt effective security policies and practices that are straightforward to adopt and monitor so I am assured that Council data and systems are protected. Existing Team Head of Platform (Project Sponsor) Service Delivery Manager (Product Owner - Policy & Procedure) Senior Delivery Manager (Acting as Product Owner - Behaviour & Culture Discovery) Delivery Manager Core Team members responsible for security knowledge Security Apprentices Lead Technical Architect Current Phase Not applicable Skills & Experience • Ability to design an internal research campaign exploring skills, culture & behaviour • Extremely strong interpersonal skills and the ability to help people feel at ease during exploratory conversations. • Have led significant user research that has helped to uncover unknown insights about users and groups of people. • Create high quality interviews and research programmes that can be iterated as they progress. • Ability to independently to find their way through large organisational structures to reach all of the relevant voices and users that may not be immediately obvious. • Understanding of what is not being said as well as what is being said and probing further to get to the underlying issues. • Ability to distill high volumes of information and opinions into key insights about policy and procedural positions. • Excellent listening skills to be able to understand and assimilate the multitude of requirements and opinions in the space of policy and procedure development • Be able to analyse data and information and spot trends and patterns that might not have been immediately obvious to the organisation • Have informed and intelligent conversations with large numbers of users, stakeholders and interested parties and translate them in to applicable user stories • Using data gathered from users, collaborators, team members and stakeholders, be able to model various ‘how might we’ and ‘what if’ scenarios to deliver solutions to complex problems. • Translate complex data insights into approachable concepts and strategies. • Exceptional knowledge of Cyber Security for large organisations with complex ICT systems. • Has helped in developing and enhancing major ICT cyber security projects from a number of angles, including policy, procedure, culture and technical architecture. • A detailed and up to date knowledge of the (ICT) security risks posed to a large political organisation and the most up to date methods and strategies to prevent them. • Ability to listen to, absorb and carry forward strategic direction from senior staff members and stakeholders • Experienced in being hands on in a team, being able to lead from the front when upskilling and from the back when encouraging the team to implement new learnings • Highly articulate, being able to converse coherently at all levels of technicality, from senior engineers who are designing our systems, through to non-technical users who use every day conversational language. • Comfortable in leading meetings, workshops, training sessions and presentations that are relevant and engaging for the audience they are aimed at. • Know how to impart knowledge effectively enough that they are able to leave the project team as an ongoing self sufficient unit. Nice to Haves • Familiar with Agile working practices and project delivery • Knowledge of behavioural insights and behavioural science • Use of Gsuite business tools (docs, sheets, slides, chat, meet) • Have been involved in and assisted with cultural change within an organisation • Ability to upskill other team members in the art of user research Work Location Almost certainly remotely via google suite tools. If Covid restrictions lift, possibly in the Hackney offices, London, E8. Working Arrangments The internal team will work with Hackney Council staff in an agile project style of working, most likely remotely, although perhaps in the office sometimes if Covid restrictions allow. Security assistance 5 days per week for 6 months Research assistance 5 days per week, 3 months initially Business analyst 5 days per week, 3 months initially No. of Suppliers to Evaluate 3 Proposal Criteria • Understanding of organisational needs • Understanding of user needs • Quality of the technical solution • Clarity of approach • How they’ve identified risks and dependencies and offered approaches to manage them • Team structure, including skills, experiences and relevance of individuals • Experience from a similar project • Estimated time-frame for the work Cultural Fit Criteria • Work as a team with our organisation and other suppliers • Be transparent and collaborative when making decisions • Have a no-blame culture and encourage people to learn from their mistakes • Take responsibility for their work • Share knowledge and experience with other team members • Work openly • Be comfortable with an agile working culture Payment Approach Capped time and materials Assessment Method • Case study • Work history • Reference Evaluation Weighting Technical competence 60% Cultural fit 20% Price 20% Questions from Suppliers 1. Could we please ask for confirmation of the latest start date listed in the opportunity? It states the 1 February, but the DOS Stage 1 submission is the 2nd Feb. The start date will be the end of February. 1st Feb was published in error. 2. Hi, would you consider splitting this work for example taking a bid for the security aspects and not for the BA? We are looking for bids covering all the roles described. 3. Please can you confirm the latest start date as it appears currently to be before your request is closed for applications. The start will be the end of February. 1st February was published in error. 4. Please could you clarify if this opportunity relates to digital outcomes or digital specialists? We are looking to address skills gaps and capacity in the following areas: user research, business analysis and security. These roles will work with an in-house team to fulfil the user needs described in the brief. 5. Can you please provide details of what tools will be part of the review process. Tools and ways of working will be defined by the team. We anticipate tools would be based on user research and service design practices. 6. Can you please provide details of what tools will be part of the review process. Also ‘is your intention that we review the adequacy of those tools for the job and/or the configuration of those tools for the function they perform’? The scope of review will be defined with team. The configuration of tools could be looked at in the context of assessing whether they are fit for purpose and meet our user needs. 7. Do you require security clearance from day 1 from the consultant or are you happy to sponsor this process and have them onsite without this initially? The successful supplier will be required to sign an NDA. 8. Is there any level of security clearance required for those undertaking the work? If yes will Hackney Council sponsor obtaining the clearance? The successful supplier will be required to sign an NDA. 9. Re Question 3: Do all Hackney Council staff (including ancillary / support staff) have access to IT (laptops, desktops etc.) or council information systems? In principle, staff have devices and access to the relevant information systems they need to perform their roles. Post the cyber attack, access to information systems is limited for some teams.