Cabinet Office

Main navigation

IA in the Procurement Process

Introduction

Furthermore, a requirement for accreditation has the capability to significantly impact a project, usually at a late stage, if it is not correctly managed.

Careful ongoing monitoring of the project-related risks associated with the IA requirement is a necessary precursor to successful procurement management.

Statement of Best Practice

Principles of Governance

There are a number of principles of governance relating to this process:

• HMG Infosec Standard No 2 (IS2) proposes an IA lifecycle model that is closely linked to the OGC Gateway^(TM) review process. Information on the Gateway(TM) process is available from the OGC web site.
• The recommended project management method for HMG projects is PRINCE2^(TM). Information is available from the OGC web site.
• Where Government information is being held or processed, MPS and associated CESG Memoranda and HMG Infosec Standards must be consulted to determine their applicability.
• ISO/IEC 17799 provides guidance on some elements of system development and procurement.

The Gateway^(TM) Process

Programmes and procurement projects in Central Government are subject to OGC Gateway(TM) Reviews. The process is recommended here as best practice.

The OGC Gateway^(TM) process examines programmes and projects at critical stages in their lifecycle to provide assurance that they can progress to the next stage. There are five OGC Gateway(TM) Reviews during the lifecycle of a project, three before contract award and two looking at service implementation and confirmation of the operational benefits.

Security in the Gateway^(TM) Process

IA is incorporated into the OGC Gateway(TM) process, which states explicitly that for IT enabled projects:

• A Security Manager/Accreditor must be appointed before proceeding to the procurement stage.
• Information assurance must be addressed at each stage, by identifying business impacts, by undertaking information risk assessment and management, and by producing evidence of compliance with IT security requirements.
• Documentation must be produced, such as the security policy statement and information assurance tests (such as IT Health Check results).

Gateway^(TM) Review 1

At this point the main focus is on preparation - the development of a sound business case.

In practical terms the key factors for IA are to confirm the involvement of relevant external agencies (CPNI for example where the project forms part of the Critical National Infrastructure), and to ensure that the IA aspects are feasible and that costs and major project risks arising from IA have been identified. This may involve the production of a high level set of IA requirements even at this very early stage.

Wherever relevant the IA factors must be taken into account in Value for Money assessments.

It is also important from a very early stage to ensure that project-related risks and issues arising from IA are visible, by ensuring that:

• the project risks and issues have an owner; and
• the IA-related project risks and issues are recorded and managed in the same way as those arising from any other source.

Gateway^(TM) Review 2

In practical terms, the key factor in IA at this point is to ensure that the requirements have been specified in a way which is appropriate to the procurement.

Current HMG security documentation standards are based on a model in which a security policy statement is produced at an early stage. In some cases this is not possible; for example in a service-based procurement. In these cases it can be difficult to specify the IA requirements in a way which does not also specify the way in which they will be delivered.

The overall aim for service related procurements should be to place the emphasis on the supplier to meet the necessary standards, but to retain visibility in order to be able to manage project risk.

Gateway^(TM) Review 3

Ensure that there is a plan for achieving security in the end service, which is credible, realistic, monitored and adjusted where necessary, and ensure that it ties in with the overall plans for the project.

When assessing competing proposals (before entering the third gateway) the usual process is to construct an agreed set of criteria and assess each proposal against those criteria (so-called ‘weight and rate’). When constructing criteria for security appraisals, organisations may wish to adopt a model developed for use as part of the DERA (QinetiQ) security domains approach:

• Buildability. The risks and benefits associated with the bidder’s chosen security architecture, given the limits of available technology.
• Useability. The seamlessness with which security measures support the business model.
• Accreditability. The ease with which the implemented solution may be accredited.

Gateway^(TM) Review 4

Part of the ‘readiness for service’ assessment will include confirmation of accreditation. Where qualified accreditation has been granted, or where accreditation has been granted on a time-limited basis, there will be risks to the business, which must be recognised and managed.

It is vital to consider IA in the context of the supporting processes, particularly aspects such as change control, and in terms of the effectiveness of the management structure.

Gateway^(TM) Review 5

Gateway^(TM) review 5 is concerned with project closure. The termination phase has a number of important IA aspects, mostly relating to the maintenance of control during project termination.

However, the gateway is primarily aimed at reviewing the benefits gained.

Security in PRINCE2^(TM)

Departments are strongly advised to appoint as part of the project team, an individual such as the System Manager, with responsibility for co-ordination of security, so that the project risk arising from IA requirements can be owned and managed.

There should be a Security Working Group established which can monitor and track IA issues.

All security related deliverables must be identified, have acceptance criteria associated with them, and have delivery timescales.

Application of Standards

HMG Standards
As noted elsewhere in this document, the relevant HMG security standards apply not only to the target system but also to any related environments such as project office networks.

Gateway^(TM) reviews must ensure adherence and application of the appropriate standards at each stage. The conduct of a residual risk calculation in accordance with HMG Infosec Std No 1 Residual Risk Assessment Method (IS1) is a mandatory part of the RMADS in the case where protectively marked information is being processed. In such cases, interconnections between business domains may also need to be assessed in accordance with HMG Infosec Std No 3 Connecting Business Domains (IS3).

ISO/IEC 17799
The standard applies to the management environment rather than specifically the project or procurement process. Nevertheless some aspects of the standard should be borne in mind:

• stated best practice is to assign responsibilities and to establish a management structure and/or integrative processes which will ensure that IA is linked in as a business issue. This applies as much to procurement as it does to operation.
• Where the standard applies, Gateway^(TM) reviews must assess compliance against best practice recommendations. Business Continuity Management is an important aspect of this.
• The standard sets out IA principles across the board. It should be used as a baseline when drawing up service specifications and when assessing RMADSs associated with competing proposals.
• The standard calls for security in outsourcing contracts, achieved through an appropriate flowdown of responsibilities. Gateway^(TM) reviews should confirm that all IA related responsibilities have been allocated.
• Achieving compliance with regulatory requirements and applicable legislation can be a specialist area - advice should be sought from the Treasury solicitors