M365 Document Management Monitoring, Alerting & Reporting - design & implementation

Description

Summary of the work FCA have implemented SharePoint as their primary document management platform and moved documents onto the new platform Support now required to improve collaboration and productivity, provide a controls framework to mitigate compliance risk, monitor and establish an operating model and BAU capability to alert, report and remediate. Expected Contract Length 6 months with an option to extend for up to a further 6 months Latest start date Monday 31 January 2022 Why the Work is Being Done During 2020-2021 the FCA implemented SharePoint as their primary document management platform, with c4000 users who between them have access to c28m documents Focus has been on configuring and deploying the platform, moving documents from the legacy EDRM. A follow on phase of work is now being mobilised with the objectives of improving collaboration and productivity, provide a controls framework to mitigate risk, identify instances of poor compliance and establish an operating model and BAU capability to alert, report and remediate. Problem to Be Solved The FCA has a suite of tools (M365 Compliance/Security Center E5) which it now needs to prioritise, configure and optimise to provide insights. A team to run this capability needs to be designed & stood up, embedded in the overall operating model and a roadmap for continuous improvement designed. Who Are the Users FCA as an organisation seeks to: - set up of new Compliance Assurance function for the business, embedding processes within the wider business landscape and enabling technology to add value early on, set up for success & continuous improvement -establish a maturity framework and roadmap to develop the initial Assurance model. - develop an overarching control framework including the ability to fix and find, (reactively and proactively), detect and report levels of non-adherence to internal policy. - Design KPIs and associated reporting to support business leaders in assessing and reviewing operational activities and compliance position - Select, design and proof of concept appropriate monitoring, alerting and threat management tools (e.g. trainable data classifiers) - optimise the implementation of sensitivity labelling, records management, retention and disposition management, automating policies within M365 Existing Team There is a Compliance Assurance team lead in place who will run the function in BAU and who will work with the supplier as the supplier designs and implements the operating model, processes, technology, roadmap to build the capability. Current Phase Not started Skills & Experience • Previous experience of designing, delivering and embedding Compliance Monitoring and Alerting technologies & capabilities for a variety of clients. • Proven experience in developing and embedding risk & controls frameworks for collaboration, compliance & assurance capabilities. • Expertise in business and technical architecture for Security & Compliance assurance across the Microsoft product estate • Proven expertise in security & compliance of M365 suite of applications and supporting toolkits • Previous experience of developing maturity roadmaps and continuous improvement capabilities for collaboration and compliance. • Proven expertise in designing and developing insights and dashboards with Microsoft Power BI for Microsoft 365 Work Location Stratford, London 2 days per week (rest remotely) Working Arrangments Stratford, London 2 days per week (rest remotely). Standard business hours. No. of Suppliers to Evaluate 3 Proposal Criteria • Domain experience; • Innovation of approach and methodology; • How the approach or solution meets FCA needs; • Estimated timeframes for the work; • Approach to identifying & managing risks and dependencies; • Team structure; • Value for money. • Service Quality Management; • Flexibility & agility of response; • Value add proposition; • Skills profiles of resources; Cultural Fit Criteria • be transparent and collaborative when making decisions • share knowledge and experience with other team members Payment Approach Capped time and materials Evaluation Weighting Technical competence 70% Cultural fit 10% Price 20% Questions from Suppliers 1. What is your budget please? – We need to know if this opportunity is the right size for us to go after. We expect the budget to be between £500k - £1m, inc VAT 2. Is there an incumbent? No, this is a new piece of work to be mobilised 3. Who will make up the evaluation panel? – Both for this stage and the next? The evaluation panel will review all responses, both pre and post shortlist. There are 4 evaluators who are all stakeholders or SME's. 4. What is the rationale for the 6 months optional extension? We are anticipating a 6-9 month initiative to design and deliver a first transition state for Compliance & Assurance model. The initial contract is for 6 months. 5. What is expected to achieve within 6 months? We are expecting the team that comes in to work with us to design a roadmap and the first 6-9 month transition state, and to use their previous experience to inform what is achievable. We will agree MVP as part of that. 6. Is vetting/security clearance required? We do background checks on all consultants who work at FCA. Security Clearance may be required for those who will have access to the most sensitive document classification. 7. What regulations and frameworks does FCA need to comply with? There are a number of frameworks and regulations that we must abide by. The key regulatory ones are MAR, FSMA, GDPR and UK DPA 2018.For frameworks, we follow ISO27001/002, ISO 15489, NIST & CIS. 8. Is there an existing Data Classification scheme in place? If so, is it currently in use and/or enforced? Yes there is a new information classification scheme and policy that has not fully matured across the organisation as it was only launched in 2020. 9. Is the start date based on a compelling event or aspirational? - Start date is the desirable date in order to meet project timescales 10. What is the current licensing profile for Microsoft 365? i.e. do all users have E3/E5 +- add-ons? E3 and E5 licenses available for all staff. E5 licenses have been procured but not fully implemented. Limited e5 components currently used, I.e. Bit Locker, Advanced eDiscovery and some components of advanced threat protection. There is a keen requirement to enable further e5 components including Data Loss Protection (DLP), Information Protection and Governance, and advanced threat protection. 11. What configuration, if any, has been applied with regards to the Microsoft 365 Security & Compliance features? - Minimal configuration has been applied to M365 security and compliance features, the majority areas of development have been powershell/BI scripting to generate requested reporting and auditing 12. Are there other systems, apart from Microsoft 365, that are used to store documents and subject to Records Management/Retention policies? - Yes, and we are looking at additional work to centralise disparate repositories within SharePoint. The scope of the work for the next 6-9 months is SharePoint centric 13. Are any retention policies currently being enforced on the Microsoft 365 platform? - Yes in part. Some of the data-based and event-based policies need to be optimised and robust supporting processes designed and implemented. This work is planned.