We were contracted via a Tier One service provider to deliver security architecture design services, CLAS Accreditation and CHECK penetration testing services. These services were in support of a c£400m project for the design, configuration, assurance, delivery and security accreditation of an integrated IT Facilities Management (FM) solution for a UK police service operating at the Business Impact Level 2 (Protect) and Business Impact Level 3 (Restricted).
To develop a solution to provide a secure means of information sharing and allocating FM work requests, tracking completion, and issuing and receiving payments between the UK police service, the solution provider and approximately twenty smaller (second tier) service providers that connect to the solution through un-trusted end points.
Our risk consultants were deployed into the service provider’s delivery team and employed as the service provider’s security and accreditation subject matter experts, accreditor and engagement leads.
Our approach included breaking down the project’s ultimate objective of achieving full security accreditation into individual milestones with clearly identifiable and documented criteria for achievement.
These milestones were designated as accreditation decision points (ADPs), each of which has a security critical deliverable attached (e.g. risk assessment, penetration test, or assurance plan).
These ADPs were integrated into the overall programme plan and closely aligned with the delivery schedule. By integrating them in this manner we were able to ensure both the police service and service provider’s programme management team had complete visibility of progress and was able to ensure complementary work stream activity was closely aligned.
Throughout the engagement, we operated in complete transparency with their partners and were always completely open about technical, assurance and security challenges.
In order to support open dialogue and ensure stakeholder views were fully considered, we set up and ran the project’s security working group (SWG). The SWG was the main forum for all project stakeholders to openly discuss issues, overcome challenges and ensure the delivery team clearly understood business priorities. Additionally, it served as the platform for presenting penetration test results and the mitigation actions required to ensure all vulnerabilities were appropriately addressed.
The solution operates through logically segregated IL2 & IL3 data repositories with redacted data sets shared between user communities. User communities have varying levels of access on a ‘need to know’ and ‘proven business requirement’ basis. The solution operates a UK cyber security standard compliant protective monitoring capability within a secure network operations centre (SNOC) designed and developed by Gemserv in conjunction with the service provider’s technical teams.
Full security accreditation of the solution was completed in accordance with the original project forecast and all eight ADPs were completed on target.
The SWG continues to operate as a means of ensuring open dialogue and transparency between the service provider and the Police Service, and the delivery of the live service continues.
The business benefits to the UK police service include:
- Increased accuracy, granularity and reliability of management information available to the internal property services business units.
- Improved contractor efficiency through better resource and task allocation and oversight via the centralised management of work orders and the monitoring of task completion.
- The UK police service and service providers can now share protectively marked information across a diverse range of user communities with a varying risk level, from internalUsers working in a low risk, secure environment, to higher risk FM service providers working from untrusted end points on their local networks.
The solution is currently running at full operating capacity and will continue to deliver service in a secure and efficient manner throughout the duration of the contract.