Department for Work and Pensions

Secure Design Lead & Information Assurance Services for Dataworks replatforming

16 Incomplete applications

14 SME, 2 large

11 Completed applications

9 SME, 2 large

Important dates

Published
Tuesday 25 February 2020
Deadline for asking questions
Thursday 27 February 2020 at 11:59pm GMT
Closing date for applications
Tuesday 3 March 2020 at 11:59pm GMT

Overview

Specialist role
Cyber security consultant
Summary of the work
Develop and document the security architecture and data-handling approach.
Develop and maintain security policies and procedures.
Represent security to senior stakeholders.
Identify, document and manage security risks.
Provide security input to project planning.
Conduct internal security audits and remedial activities.
Manage external security audits (e.g. ITHC) and remedial activities.
Manage implementation of security tooling.
Ongoing skills transfer to DWP staff.
Latest start date
Tuesday 31 March 2020
Expected contract length
6 Months
Location
Yorkshire and the Humber
Organisation the work is for
Department for Work and Pensions
Maximum day rate
£950

About the work

Early market engagement
None
Who the specialist will work with
You will provide security direction and support to the DataWorks team, which includes a broad mix of engineers, architects and specialist roles covering the full spectrum of big data, cloud infrastructure and business analysis.
You will engage with other DWP teams, e.g.:

UCFS, Data Warehouse & RIS for service integration.
Design Authority for design sign-off.
Data Protection team for data governance.
ESRM for Risk Assessment.
DWP Security Architecture team.
D&A security team.
CRC for vulnerability management.
SRE for acceptance into service.
Stakeholder teams, e.g. data analysts & scientists.

You will also engage with 3rd party suppliers and auditors (e.g. IT Health-Check teams).
What the specialist will work on
Data ingestion from Universal Credit Full Service (UCFS), surfacing of data to users of DataWorks new AWS Data Platform and data transfer to downstream systems which consume this data (e.g. Data Warehouse & RIS).

Work setup

Address where the work will take place
DWP Offices - Quarry House, Leeds, LS2 7UA
Working arrangements
Flexible working, at the discretion of the supplier, to deliver the service. Some travel to other sites may be required in line with DWP travel and expense policy.
Security clearance
DV clearance is required, due to the sensitive nature of some of the work.

Additional information

Additional terms and conditions

Skills and experience

Buyers will use the essential and nice-to-have skills and experience to help them evaluate suppliers’ technical competence.

Essential skills and experience
  • Membership of a relevant professional body (e.g. BCS, CIISec).
  • At least 10 years of broad security experience, with a relevant general security qualification (e.g. CISSP, CRISC, CISM).
  • At least 10 years of experience in interpreting & implementing HMG security policy.
  • At least 10 years of experience developing security architecture, with a relevant senior security architecture qualification (e.g. CCP Senior Security Architect).
  • At least 5 years of experience in risk assessment and risk management, with a relevant risk management qualification (e.g. CCP SIRA).
  • Demonstrate extensive experience in providing board-level representation of security within the last 2 years.
  • Demonstrate extensive experience in the development and implementation of security strategy, policies and procedures within the last 2 years.
  • Demonstrate extensive experience in provision of Security Education & Awareness Training (SEAT) within the last 2 years.
  • Demonstrate extensive experience in security incident response within the last 2 years.
  • Demonstrate extensive experience of managing security within agile teams within the last 2 years.
  • Demonstrate extensive experience in managing the conduct of Security IT Health Checks (ITHC) and remedial activities, ideally having led an ITHC engagement within the last 2 years.
  • Demonstrate a solid understanding of securely handling sensitive data, including data valuation and interpretation of GDPR, DPA and other relevant legal instruments within the last 2 years.
  • Demonstrate experience of managing security in the context of open-source code repositories and products within the last 2 years.
  • Demonstrate extensive knowledge of working with the AWS cloud platform within the last 2 years.
  • Demonstrate extensive knowledge of AWS Identity and Access Management (IAM) within the last 2 years.
  • Demonstrate extensive knowledge of AWS security and monitoring tools (e.g. AWS Security Hub, AWS Config, AWS CloudWatch) within the last 2 years.
  • Demonstrate experience in the practical hands-on implementation and management of security tools within the last 2 years.
Nice-to-have skills and experience
  • Senior membership of a relevant professional body (e.g. FBCS, FCIISec).
  • Demonstrate experience of implementing systems of record within the last 2 years.
  • Demonstrate knowledge of AWS networking concepts within the last 2 years.
  • Demonstrate experience of using and securing AWS Key Management Service (KMS) within the last 2 years.
  • Demonstrate experience of using and securing AWS Cloud Hardware Security Module (CloudHSM) within the last 2 years.
  • Demonstrate experience of using and securing AWS Certificate Manager Private Certificate Authority (ACM PCA) within the last 2 years.
  • Demonstrate experience of using and securing AWS Simple Storage Service (S3) within the last 2 years.
  • Demonstrate experience of using and securing AWS Elastic Compute Cloud (EC2) within the last 2 years.
  • Demonstrate experience of using open-source security tools (e.g. Snyk) within the last 2 years.
  • Demonstrate experience of Continuous Integration and Continuous Deployment (CI/CD) within the last 2 years.
  • Demonstrate experience of using Infrastructure as Code to provision and manage cloud infrastructure using Terraform within the last 2 years.
  • Demonstrate experience of using Git and GitHub, GitLab or Bitbucket within the last 2 years.
  • Demonstrate practical experience of configuring physical network and security tools (firewalls, switches, load balancers, etc) within the last 2 years.
  • Demonstrate experience of managing service migration from on-premise to cloud-hosted platforms within the last 2 years.
  • Demonstrate experience working in Data Centres within the last 2 years.

How suppliers will be evaluated

All suppliers will be asked to provide a work history.

How many specialists to evaluate
3
Cultural fit criteria
  • Demonstrate experience of working in a multi-disciplinary team where design, build and support are the whole team’s responsibilities.
  • Demonstrate ability to work collaboratively with existing internal teams and other supplier teams.
  • Demonstrable experience of working in a 'no-blame' culture environment whilst encouraging people to learn from their mistakes.
  • Demonstrable experience of remaining delivery focussed whilst working in an agile way.
Additional assessment methods
  • Reference
  • Interview
Evaluation weighting

Technical competence

65%

Cultural fit

15%

Price

20%

Questions asked by suppliers

1. Is there a current incumbent or preferred supplier for this role please?
No
2. Is there an incumbent supplier in the role?
No
3. Has an IR35 assessment been conducted for this role? If so, what was the determination?
This role is out of scope of IR35 as the requirement is for a service.
4. Is DV clearance required from start of the role or will this be sponsored?
Required from the start of the role.
5. Please confirm if you have an incumbent in place? There are 32 skills listed and it will easily take a day to complete the write-up. Please let us know how you will score against each skill?
No incumbent. Demonstrated experience of implementing each of the essential skills will be weighted more than the nice-to-haves. If not all skills are met, DWP will take an overall view to understand if those that are met are deemed sufficient to deliver the services.
6. 32 required skills at 100 words each is an extensive application for a supplier / specialist to complete with no guarantee of an interview.
This may deter the best talent from completing an application – is there any way DWP can shorten the required essential / nice-to-have skills?
DWP do not require the maximum 100 words against each, just a short demonstration of the skill, and where it was implemented.
7. I have SC clearance – would DWP be prepared to sponsor me for DV clearance? I am also a Lead CCP SIRA – is a CCP Architecture qualification required as well, or would the CCP SIRA qualification be sufficient?
No, we require DV clearance from the start of the engagement, it is a short term contract hence DV is needed from day 1.
8. Are candidates expected to provide individual answers for all of the 30+ deliverables listed? This is over 3000 words they would be expected to write, with no guarantee of progression to the next stages.
No, I would be happy to have statements that cover overall experience that would include the essential skills eg a project may have covered several of the required skills.
9. I note that you require DV for this role due to the nature of some of the work – however, would you consider an applicant with SC, as this level is acceptable for long-term, frequent and uncontrolled access to "S" classified information, and also allows for occasional, supervised access to TS information?
No, I require DV. There will be several highly sensitive discussions and workshops to be conducted, as it is a short term contract DV must be in place from day 1.
10. Is DV a specific requirement or can it be applied for whilst undertaking the role, if the individual is SC Cleared ?
No, we require DV clearance from the start of the engagement, it is a short term contract hence DV is needed from day 1.
11. Will DWP be able to accept an SC-cleared specialist eligible for DV?
No, we require DV clearance from the start of the engagement, it is a short term contract hence DV is needed from day 1.
12. Will a Contractor with at least 10 years of experience developing security architecture, but without a relevant senior security architecture qualification (e.g. CCP Senior Security Architect) be considered?
Qualifications would be beneficial; they demonstrate a level of expertise in the area of cyber security.