Electoral Commission

Cyber security strategy and testing partner

Incomplete applications: 23 (20 SME, 3 large)
Completed applications: 25 (15 SME, 10 large)
Important dates
Published: Saturday 24 August 2019
Deadline for asking questions: Friday 30 August 2019 at 11:59pm GMT
Closing date for applications: Saturday 7 September 2019 at 11:59pm GMT

Overview
Summary of the work: Testing of our network, application and device security controls, and consultancy to shape future work in this area
Latest start date: Friday 4 October 2019
Expected contract length: Two years, with the option of a further one-year extension
Location: London
Organisation the work is for: Electoral Commission
Budget range: (not stated)

About the work
Why the work is being done: We are delivering substantial change across our technology estate. We need assurance, through testing, that our current controls are fit for purpose. We also need further support to ensure that technology changes are underpinned by robust security controls and tools during transition and implementation.

This should cover infrastructure and network controls, access management (including privileged account management), audit and reporting, application controls and device management.
Problem to be solved: We have a small in-house IT/IM team and limited resources and capacity to undertake this work. We need assurance that we have adequate security controls (device, network and application) and that these controls will remain fit for purpose as we roll out planned changes.
Who the users are and what they need to do: As a member of the technical team, I need independent verification of our security controls and of our future requirements in order to deliver business needs.

As the Head of DDaT, I need assurance that our cyber security is fit for purpose and offers value for money, so that assurance can be given.
Early market engagement: (none stated)
Any work that's already been done: Some preliminary work undertaken in house. Current Cyber Essentials accreditation in place.
Existing team: We are a small in-house team including Senior Leads for Desktop & Comms and Infrastructure & Network. We also have an Information Systems team who support SharePoint, Dynamics CRM and a bespoke web-based platform.
Current phase: Discovery

Work setup
Address where the work will take place: Our London office, 3 Bunhill Row
Working arrangements: We would expect in-person engagement at our London office with the technical team
Security clearance: Baseline checks

Additional information
Additional terms and conditions: (none stated)

Skills and experience

Buyers will use the essential and nice-to-have skills and experience to help them evaluate suppliers' technical competence.

Essential skills and experience
  • Technical capability to design and plan the implementation of new security infrastructures.
  • Proven ability to assist in setting the strategic direction for cyber security projects.
  • Capability to support and assist the internal team in assessing and identifying risks against new services.
  • Knowledge of a range of security standards including, but not limited to, ISO 27000, SOC 2, CIS and NIST.
  • Knowledge and experience of widely used IaaS/PaaS/SaaS environments.
  • Knowledge and experience of best practice for implementing least-privilege security models and approaches within cloud and on-premise environments.
  • Ability to provide guidance on appropriate separation of roles across the various operational planes (management, control and data) within cloud and on-premise environments.
  • Knowledge and experience of best practice for implementing scalable and secure methods of storing sensitive data within cloud and on-premise environments.
  • Experience of implementing service-based authentication within service and on-premise environments.
  • Experience of designing and implementing the use of modern device-based authentication methods.
Nice-to-have skills and experience: (none stated)

How suppliers will be evaluated
How many suppliers to evaluate: 5
Proposal criteria
  • Approach and methodology
  • How the approach or solution meets your organisation's policy or goal
  • Examples (more than one) of similar, successful projects they have delivered
  • How they've identified risks and dependencies and offered approaches to manage them
  • Value for money
Cultural fit criteria
  • Be transparent and collaborative when making decisions
  • Share knowledge and experience with other team members
  • Work as a team with our organisation and other suppliers
Payment approach: Capped time and materials
Assessment methods
  • Written proposal
  • Case study
  • Work history
  • Reference
Evaluation weighting
  • Technical competence: 60%
  • Cultural fit: 10%
  • Price: 30%

Questions asked by suppliers

Questions asked by suppliers
Supplier question Buyer answer
1. with regards to "Working Arrangements – We would expect in person engagement at our London office with technical team and a group of users"
Are you mandating a full-time, in-person presence at your London Office for the Discovery project, or simply that some in-person engagement some of the time, is required.
Simply that in person engagement would be required. We are not mandating full time presence at our offices.
2. Does 'testing' in 'Cyber security strategy and testing partner' include penetration testing? Yes
3. Please could you explain what is meant by 'testing' in 'Cyber security strategy and testing partner'? This contract would include standard penetration testing of our applications and networks
4. Just wondering if their was a budget in mind/how many days work is estimated? There is not a budget set for this opportunity we are looking for a competitive tender to meet our specification.
5. What is the max budget available? There is not a budget set for this opportunity we are looking for a competitive tender to meet our specification.
6. Please advise the budget range. There is not a budget set for this opportunity we are looking for a competitive tender to meet our specification.
7. Will there be a need for surge capability during specific times, specifically election periods? Potentially there would be a need for unscheduled tests to be run in the run up to an electoral event.
8. What level of effort do you envisage this task to have? Do you want a level of call off or do you aspire to have resource embedded within your team for the duration of the contract? We do not propose having a resource embedding within our team. We would envisage an initial engagement with a call off arrange for further work including penetration testing. We would however be open to alternative proposals.
9. What level of effort do you envisage this task to have? Do you want a level of call off or do you aspire to have resource embedded within your team for the duration of the contract? We do not propose having a resource embedding within our team. We would envisage an initial engagement with a call off arrange for further work including penetration testing. We would however be open to alternative proposals.
10. Please can you clarify what you mean by "assurance, by testing"?
Are you looking for penetration testing, utilising tools, to prove the controls or assurance that controls are compliant with particular standards or good practices?
We are looking for both a testing partner but we also want to work with the supplier to look forward to planned technology developments and our assurance framework to ensure it is fit for purpose and meets relevant standards.
11. 1) Is the CHECK Scheme mandatory or can we utilise the Tiger Scheme for the pentesting?
2) You mentioned a number of standards but is there a specific Information Risk Management Framework/Maturity Model that you would like to be assessed against?
3) You reference BPSS Security Clearance but what is the highest government security classification that you are looking to implement?
1) Our preference is for the CHECK scheme in line with NCSC guidance
2) We have no specific preference and this can be proposed and then agreed with the successful supplier
3) We hold information at the Official level and not routinely any higher. Our staff are required to have BPSS security checks and we would require a supplier to meet this standard
12. The opportunity title, overview and summary of the work suggest that you are looking for a supplier with penetration testing capability, though the criteria outlined in the skills/experience section only cover strategy. Can the authority please confirm whether any penetration testing activity will be required? If so, will this capability need to be covered in the proposal section, once suppliers are shortlisted? We are looking for both a testing partner but we also want to work with the supplier to look forward to planned technology developments and our assurance framework to ensure it is fit for purpose and meets relevant standards.
13. A cyber security strategy should be far more holistic than a technical security testing (pentesting etc) strategy. Can the EC please confirm they are looking for a technical security testing validation strategy or a more holistic cyber security strategy to ensure solutions are built with security as a cornerstone than as a retrospective activity? If a more holistic strategy, would the EC consider splitting this work? We are looking for both. We require a testing partner but we also want to work with the supplier to look forward to planned technology developments and our assurance framework to ensure it is fit for purpose and meets relevant standards.