HMCTS-Reform Continuous IA Risk & Assurance Service

Description

Summary of the work Provision of a Risk and Assurance function supporting Public Cloud and Agile methods, provide an SSDLC delivery assurance function, support, reframe and embed a BAU SecOps capability covering vulnerability management, security log event collection, correlation, analytics and security incident, and then handover to HMCTS BAU capabilities as required. Expected Contract Length 2 years. First SOW will be 3 months. Subsequent SOWs will be aligned to phases typically 3-6 months Latest start date Monday 16 October 2017 Budget Range HMCTS are targetting a maximum rate for Leadership resource at £1400 per day, for Architecture resource at £1100 per day, and Delivery resource at £900 per day. The expectation is that the initial SoW will require a team of 5, which will scale to a team of around 12-14 during the programmes peak, and will scale back down before the transition to BAU (however as part of the presentations we will require suppliers to suggest their approach) Why the Work is Being Done HMCTS Reform is a set of cross-judiciary transformation programmes. The transformation includes key concepts including; cloud native technology embracing IaaS, PaaS, and containerisation; reuse of platform services;  Agile methods, Micro-Services and RESTFUL APIs, and a fully automated SDLC based on Continuous Integration and Deployment to build secure infrastructure and software delivery assurance; and introducing SecOps into the operating model to move toward ‘continuous security’, aligned to the risk landscape and so protect Citizens’ Official Sensitive data. Problem to Be Solved HMCTS and Reform requires augmentation of the current Technical Security Information Assurance and Design capability to support Agile methods and DevOps operating processes and target operating models using the technologies described above. The successful partner will work with the current programme team to assist developing the security elements in support of the programme’s evolving delivery and operating models to address: security automation, assurance and compliance at scale, threat and incident management, vulnerability and compliance scanning, audit, monitoring, patching and host hardening. Provide guidance during Discovery and Alpha phases to build secure by design services, UX and workflow. Who Are the Users The Users may include: 1. The citizen (general public) 2. Her Majesty’s Courts and Tribunals Service (HMCTS) 3. Legal defence community 4. Police 5. Other Judiciary and Legal authorities 6. Solicitors and Legal Representatives. Internal users include support and DevOps, the programme/ governance representatives and the development community tasked with delivering the new services in a responsive though safe and secure way. Early Market Engagement No early market engagement Work Already Done A number of preliminary Discovery, Alpha phases have been completed within the Change Portfolio, with a couple of projects in Private Beta using the GDS agile methodology and NCC IA/Review. There are a number of projects as yet to commence. Existing Team There is an existing set of programme, development and DevOps teams (around 200 staff) supporting a range of projects and initiatives. Within that there is a limited amount of IA support which needs augmenting. Considering IA, there is no incumbent supplier. Current Phase Not applicable Skills & Experience • Demonstrable experience providing resource that has experience filling the HMG IS1&2 standards in Accreditor role or similar.(2%) • Experience providing resource with accreditations such as Certified Information Systems Security Professional, Certified Information Security Manager including cloud centric accreditations especially in an Agile/ Continuous Integration / Continuous Deployment architecture.(2%) • Demonstrable evidence IT Security capability, capacity and experience of previous strategies and ISM policies delivered to other customers operating Public Cloud Agile environments.(3%) • Demonstrable evidence showing where they have designed, implemented and delivered a comparable SecOps function.(4%) • The supplier can provide either anonymised SecOps function structures previously implemented or close examples to include roles, security controls employed and security monitoring capability.(3%) • The supplier can provide evidence how they have continuously accredited their security monitoring capability.(3%) • The supplier can provide evidence how they have implemented a security awareness programme and measured its success.(2%) • Evidence of delivering a security operations service, supporting the creation of an internal capability for an organisation and progressively transferring the service back to the organisation to run in-house.(2%) Nice to Haves • Demonstrable experience of assuring projects, and where issues are identified performing root cause analysis and defining remediation plans.(1%) • Demonstrable evidence of strong stakeholder management showing staff with experience of managing expectations and reporting to a wide range of internal departmental and cross-Government stakeholders, including those at senior level.(1%) • Demonstrable experience of working on digital by default service standard compliant government or regulated website.(1%) • Demonstrable experience of Incident Management reporting including defining processes.(1%) • Demonstrable experience of supporting Dev Ops in respect to delivery of specific security controls, particular in respect of using cloud providers.(1%) • Demonstrable experience of assuring and securing solutions built at Official data classifications.(1%) • Demonstrable evidence of strong understanding of General Protection Data Regulation legislation and its application to a government organisation such as HMCTS.(1%) • Demonstrable evidence of defining and implementing automated security tests.(1%) • Demonstrable evidence of building an in-house PEN test capability.(1%) • Demonstrable evidence of providing a business concentric view on information risks.(1%) Work Location Programmes will be based in London at the following locations (with possible occasional travel to other UK locations): - 102 Petty France, London SW1H 9AJ - Rose Court, 2 Southwark Bridge, London SE1 9HS - Southern House, Wellesley Grove, Croydon, CR0 1XG Working Arrangments On-site working at the specified base location working a five (5) day week, except where off-site research and testing sessions are required. For any work performed at a location different to that of the Base location and London (outside of the M25), all reasonable travel and expenses costs shall be met in accordance with the rates set out in the MoJ travel and subsistence policy. All expenses will require prior approval from HMCTS before being reimbursed. The Service is being delivered against the GDS Service Manual (e.g. agile delivery aligned to scrum methodology). Security Clearance Baseline Personnel Security Check (BPSS) which must be dated within three months of the start date. Enhanced security clearance (SC clearance) may be required for some roles where access to sensitive data is required. Any such requirement for SC clearance will be communicated as soon as is practicable. Additional T&Cs Any expenses shall be submitted in line with the Ministry of Justice standard Travel and Subsistence policy. No. of Suppliers to Evaluate 5 Proposal Criteria • Must provide anonymised risk and assurance strategies to support Agile Public Cloud environments implemented before or close examples. Key points -Incorporation of standard frameworks e.g. OWASP Application Security Verification.(4%) • Evidence of a SSDLC delivery assurance framework previously defined and implemented, and anonymised evidence showing accreditation of results or statements about the level of accreditation received.(4%) • Demonstrate how the SSDLC framework can provide level of assurance to equal their use. Include references to frameworks, accreditations, tools used, ethical hackers, application verification standard.(3%) • Understanding of HMCTS (or a simiar government department) frameworks/polices. Define the delivery of capabilities required for BAU existing systems, alongside the need for new services from the programme.(5%) • Evidence capability, capacity and experience of ISM policies/strategies (including IS27001:13) delivered to customers operating Cloud environments. Standards Framework alignment should be noted with accreditation to these for previous SecOps implementation.(6%) • Evidence of automated validation of cloud services vulnerability profiling and compliance to any defined standards. Reference consistency with minimal human intervention, and external/Internal tools with an emphasis on opensource.(5%) • Evidence an identified team/organisation and named key resources with the requisite skills, and demonstrate the capability and the capacity to deliver the services throughout the duration of the contract.(5%) Cultural Fit Criteria • Explain the approach for working with multi-vendor teams across both programmes in multiple projects at different locations.(4%) • Explain how you will ensure collaboration at all levels of the project and programme delivery between users, team members, and management. Give examples of where you have taken this approach.(3%) Payment Approach Time and materials Evaluation Weighting Technical competence 63% Cultural fit 7% Price 30% Questions from Suppliers 1. The tender response portal provides spaces for us to provide 100 word answers for each of the Essential and Nice to Have requirements. However, there are other requirements listed under Proposal criteria and Cultural fit criteria on the first page of the portal, and I cannot see where to answer these. Do you require us to provide these responses in a separate document? Thanks. For the initial stage of the DOS process, it is only the essential and nice to have criteria that we require responses to. The proposal and cultural fit criteria are sections that will applicable to those shortlisted suppliers and will be assessed in the further stages of the competition. 2. For the following question: "The supplier can provide either anonymised SecOps function structures previously implemented or close examples to include roles, security controls employed and security monitoring capability" do you require us to provide the structures/examples as part of our response, or just confirm that we can do so, and provide a summary, with the actual examples to follow at the next stage? (as the example/anonymised documents will obviously be longer than 100 words, and there doesn't seem to be an option to upload a document). Confirmation that you have met the criteria and can provide evidence if called upon will suffice. We would also suggest providing as much detail that is possible within the word limit. If invited to the further stages of the competition it is likely that the evaluation panel will ask for details on the information already provided. 3. Hello and good afternoon, You have referenced incident management, is that restricted to procedural governance around a response, or supporting HMCT's capability to handle a response? Thank you It covers the creation of a security incident and event management process and the provision of an ability to execute against it in the event of a security incident or event, for the defined HMCTS Reform Azure hosted applications. Such a process will follow the model of detection, containment, eradication and recoverability, the supplier will lead and take end to end ownership of the process and delivery against it. Advance cyber forensics will not be expected. The supplier will look to support HMCTS but not take the lead for security incidents and events not associated with the Reform Applications 4. Do HMCTS have controlled applications that are currently hosted in-house, with the aim of transitioning these applications to a cloud based host? If these applications have already been migrated to a cloud based environment, can HMCTS advise which cloud provider is being used? These (are, some already Private Beta) will be new application portals transforming current paper based legacy processes online. Platform is currently Azure PaaS (but could change although unlikely), being developed via Agile / Continuous Integration. Secure application development and deployment framework to support this is required but critically verification assurance that the code deployed by this rapid iterative transformation is free from vulnerabilities. 5. Interpretation: This project covers applications created by the development function that are currently hosted in-house, but are being migrated to cloud based systems. HMCTS requires support to ensure that development operations are functioning securely and that all applications are developed and deployed securely. Consideration must be given to several areas as specified in the opportunity information, all within the context of cloud based systems. Is this correct? Applications are currently hosted in-house, with the aim of migrating these applications to a cloud based host? If these applications have already been migrated, can HMCTS advise which cloud provider is being used? These (are, some already Private Beta) will be new application portals transforming current paper based legacy processes online. Platform is currently Azure PaaS (but could change although unlikely), being developed via Agile/ Continuous Integration. Secure application development and deployment framework to support this is required but critically verification assurance that the code deployed by this rapid iterative transformation is free from vulnerabilities. 6. The supplier can provide evidence how they have continuously accredited their security monitoring capability.(3%) Could you please confirm for our interpretation of the above question which is as follows: the supplier can supply evidence how that have continuously checked the security and correct functioning of their SIEM services. Proactive Monitoring should be accredited to identify security incidents and events in line with current threat intelligence.