Business Intelligence & Risk (BI&R) – Beta Development

Description

Why the Work is Being Done NHS Digital’s Data Security Centre (DSC) has established a Cyber BI&R function which provides: 1. Intelligence-led improvements: to security services, operations, and the identification of new requirements based on an understanding of the threat landscape and the risk profile of the system. 2. A view of the systemic risk across the NHS: that provides a variety of data inputs to provide a risk profile across the system that can be interrogated by theme (e.g. technology vulnerabilities) or by organisation to determine trends over-time. This work will deliver the Beta phase of the BI&R platform. Problem to Be Solved The Health and Care sector comprises disparate organisations that deliver a wide range of patient outcomes. These organisations contain multiple disparate data sources, have inconsistent business intelligence requirements, multiple technologies, no common data model, and inconsistent risk definitions. Security teams (local, regional, or national) cannot easily and productively contribute to the overall corporate business intelligence in a meaningful way. Organisations have plenty of cyber-related information (e.g. firewall logs, policy exceptions, self-assessments, assets registers), but this data isn’t organised or presented in a way that lends itself to business intelligence. This can result in security decisions being made based on intuition. Who Are the Users BI&R has local, regional, and national users. The platform manages a wide set of personas including technical and non-technical users. Two current personas include a CIO and NHSX Programme Manager. Example of needs: As a BI&R User, I need to be provided data driven cyber business intelligence, So that I can articulate security risks clearer along with their impact on the organisation. As a BI&R user, I need to view information security in terms of my organisations’ business intelligence, So that I can be more accurate and precise when defining and delivering a cybersecurity related budget. Early Market Engagement There has been no relevant early market engagement. BI&R has already completed a Discovery, Analysis and Alpha delivery phases through the DSC’s Cyber Security Innovation Factory (CSIF). The Alpha delivery phase is due to complete in September 2020. The DSC has been working with a strategic supplier under CSIF which has delivered the work to date for BI&R. All IPR is owned and controlled by NHS Digital and all development work has taken place on NHS Digital’s development environment. All design and strategy for BI&R has been delivered by the DSC’s internal CSIF team and primarily only the build and development has been provided by strategic suppliers. Work Already Done BI&R has completed a Discovery, Analysis and Alpha delivery phases. Discovery: •Technology-neutral high-level design. •Analysis of sample data sources. •Initial risk metric research. •Initial prototype wireframes. Analysis: •Fully elaborated requirements. •Technology-specific high-level design. •Validated business use cases and user stories of two key personas. •Initial cyber risk calculus engine. •Analysis of key data sources. •End to end pre-MvP platform. Alpha (completion September 2020): •MvP. •Ability for users to identify an initial view of their cyber business risks. •Ability for users to identify organisations at risk. •Test, validate and improve the maturity of cyber business risks calculus. •MvP maturity engineering artefacts. Existing Team The DSC has had a strategic supplier in place under CSIF which has delivered the work to date for BI&R. This supplier is due to complete the Alpha phase by September 2020. No members of the current supplier’s team will remain in place for the Beta phase. The DSC’s innovation team provide the only remaining team members and the supplier for Beta will work with this team: • Enterprise Architect and Security SME. • Product Manager. • Product Owner. • Project Manager and Security SME. • Lead Data Scientist. • Business Analyst. Current Phase Beta Work Location The preferred working location is Leeds. London is an acceptable alternative if a) required travel to Leeds is met and b) providing office space for the existing DSC team (up to 5 members) in the supplier’s London office. Minimum travel, for selected team members, may be required to other regions in England. Although the preference is for collaborative work in the same location, remote-working is acceptable in line with the current government COVID-19 guidance. Proposed team members must be dedicated fulltime to this project. Where proposed roles only require part-time members, assurance for resource continuity must be demonstrated. Working Arrangments The DSC will provide the Enterprise Architect, Product Manager, Lead Data Scientist and Security SMEs. For this reason, it is important that the supplier team is co-located with the DSC Innovation team. This can be achieved by working onsite at the NHS Leeds Office or providing working space at the supplier office for the core DSC team (up to 5). All development activities will take place on NHS Digital’s dedicated development platform (Based on AWS) and all information will be stored on NHS Digital’s information and knowledge management platforms (Confluence, Jira and SharePoint). Security Clearance Individuals in the supplier’s team that have access to Authority’s data must be SC cleared or clearable. Additional T&Cs Draft Order Form, the initial Statement of Work (SOW) and Draft Order Form/Call-off Terms and Conditions are available at the following link: https://nhsdigital.bravosolution.co.uk/web/login.html Bravo reference: prj_4551 To view the above you must be registered on NHS Digital's e-tendering portal. Suppliers not registered please register using the link above. The Buyer reserves the right to award future SOWs under this Call-off Contract against all charging methods in the framework. Skills & Experience The supplier must provide evidence of the ability to create a national scale data analytics solution which will be web-based accessed to the maturity required for a national live service Experience in cyber security risk management including a sound understanding of managing security risk in an operational environment. The supplier must provide evidence of the ability to analyse disparate data sets and work with biometric, event and static qualitative and quantitative data sets. Experience of proficiency in the following technologies: React, D3, html, GraphQL, Java, Python and Elasticsearch. Experience in maintaining a DevOps pipeline including releases, environments and standards. Experienced DevOps in containerised microservices implementation and maintenance (AWS technologies, Docker, Jenkins, etc.). Proficiency in data science demonstrating problem solving, critical thinking and the ability to understand business challenges and inspect complex disparate data sources to develop solutions that met those challenges. The supplier must provide evidence of proficiency in data engineering including developing the data flow within a risk model and back-end development of Python and Elasticsearch. The supplier must demonstrate proficiency and experience in agile development projects that include business analysis, data consulting, data strategy, user experience research and design for a similar scale product. Experience in engaging senior business and user stakeholders (up to board level), feeding back into requirements and ensuring that the product delivers user expectations and requirements. The supplier must demonstrate experience of Interpreting research findings to formulate actionable insights that drive the development of service design in a Health and Care setting. The supplier must provide evidence of driving consistently high-quality test standards across development activities. Developing test strategies, defining test boundaries, defining, and managing test scenarios based on user stories. Proven ability to hand over a Beta product to a live service team where any potential new added Intellectual Property during the programme will reside solely with the customer Nice to Haves Experience in delivering a national data analytics solution involving cyber security. Demonstrate experience in Machine Learning and Artificial Intelligence. Demonstrable mentoring capabilities for permanent staff during the transition to path to live and live environments. Sound understanding of the NHS infrastructure and programmes. Experience of customer and end user engagement across varied health care Programmes. No. of Suppliers to Evaluate 5 Proposal Criteria Capability to deliver a national scale data analytics solution within a healthcare sector Capability of proposed team to implement and deliver risk calculation from disparate data sources Capability to deliver a scalable cloud-based platform (built from existing MvP that is based on containerised microservices architecture) Capability to deliver using Agile delivery methodology to Government Standards (including: Government Digital Service Standards) Cultural Fit Criteria Approach to innovation with a succeed-quickly and fail-fast mentality. Raising issues early and learning lessons from past work. Collaboration with the DSC team working as part of a single team. Approach to user-centric design methodology (putting the user at the core of the design activities), data driven analysis and experience in using data to challenge existing mindset. Approach to leveraging existing supplier knowledge and experience to the benefit of the wider programme. Also, approach to proactive issue management, problem resolution and improving ways of working Value for money. Strategy for leaving a sustainable legacy by providing learning opportunities / knowledge transfer events for the DSC team. Payment Approach Capped time and materials Assessment Method Case study Work history Reference Presentation Evaluation Weighting Technical competence 55% Cultural fit 10% Price 35% Questions from Suppliers No questions have been answered yet Budget range £1,000,000 to £1,500,000