This opportunity is closed for applications

The deadline was Monday 12 April 2021
London Borough of Redbridge

Cyber Security Knowledge Transfer

19 Incomplete applications

15 SME, 4 large

4 Completed applications

4 SME, 0 large

Important dates

Published
Monday 29 March 2021
Deadline for asking questions
Monday 5 April 2021 at 11:59pm GMT
Closing date for applications
Monday 12 April 2021 at 11:59pm GMT

Overview

Summary of the work
To enable cyber and data security knowledge transfer to all at LBR by defining the knowledge to be transferred to which roles, creating content and delivering. To create complete web content journeys via online knowledge hub, training online and in person (Teams). Create content to populate a cyber knowledge hub.
Latest start date
Monday 10 May 2021
Expected contract length
3-6 Months
Location
London
Organisation the work is for
London Borough of Redbridge
Budget range
Up to £50,000.00

About the work

Why the work is being done
To reduce organisation risk in relation to data and cyber security.
Problem to be solved
Tailored Data and Cyber Security training content and support information produced and published to existing platforms.

Analysis of key roles within the organisation to identify risk responsibilities and create supporting content and training to embed responsibilities in to these roles.

Production and publishing of content to deliver a ‘rounded’ – i.e. no content gaps - support micro site. Outcomes must include an engaging front page, existing policy documents turned in to web pages which are easily consumable and content for staff to get relevant help and advice for following best data and cyber security practices.

Production of repeatable training content and support materials for workshops for key roles. Delivery of training workshops via Teams. Delivery approach must be interactive to facilitate and embed learning.

Overall delivery of a consistent message across training and online platforms.
Who the users are and what they need to do
Two key roles across the authority in senior or executive positions comprising approximately 100 people. Plus, an undefined number of risk champions and provision of online content for all staff.

Example user stories:

As a corporate director, I need to monitor and act on escalated risks.

As a head of service, I need to participate in the identification, assessment and planning of threats and opportunities.

As a service manager, I need to establish how risk management will be integrated with change control and performance management.

As a risk manager, I need to prepare risk management reports.

As a risk champion, I need to assist in embedding risk management throughout my service area.
Early market engagement
Conversations with potential suppler to ensure the specified requirement is deliverable.
Any work that’s already been done
Umbraco based micro website developed and delivered as a blank canvas. MetaCompliance online training platform procured and implemented for LBR.
Existing team
IT Project Manager & Information Security Manager
Current phase
Discovery

Work setup

Address where the work will take place
Ilford, London
Working arrangements
Remotely with regular engagement via video conference (MS Teams)
Security clearance

Additional information

Additional terms and conditions

Skills and experience

Buyers will use the essential and nice-to-have skills and experience to help them evaluate suppliers’ technical competence.

Essential skills and experience
  • Experience of delivery of similar outcomes for a large organisation with complex ICT systems evidenced by a case study and a reference contact.
  • Demonstrate a broad understanding of cyber security & data protection topics to underpin delivery of the outcomes.
  • Be able to create and publish customised user-centred content to deliver a consistent message across website & blogs, in person training and online training. Please provide examples of previous work.
  • Demonstrate capability to engage with multiple stakeholders and audiences at all levels and understanding of these levels and roles within a Local Authority.
  • Analysis of key roles across the organisation to identify risk responsibilities and inform tailored workshop-based training.
  • Be able to produce tailored training on data protection and cyber security Topics, for key management and senior management roles.
  • Tailor training and support content to specific service areas within a Local Authority that highlights what they need to know and do to perform their role effectively.
  • Create supporting web-content or other documentation related to the training to support and embed learning before/after delivered training workshop.
  • Be able to demonstrate ability to explain complex issues in novel and simple ways.
  • Demonstrate how workshop-based training which is relevant and engaging for the target audience will be reusable by internal training resources once this engagement has ended.
  • Evidence utilisation of different learning techniques within delivered training to cater for different learning styles, e.g. exercises, scenarios, quizzes, group discussions, role-play.
  • Understand learning principles and be able to apply this to delivery and creation of training content.
  • Be able to take existing policy, guidance and support content, update and reframe to target formats in partnership with subject matter stakeholders.
  • Ownership of produced content and data will remain with London Borough of Redbridge Local Authority.
Nice-to-have skills and experience
  • Experience of working with Local Government, demonstrated knowledge of the audience being targeted.
  • Experience of developing other similar programmes of work, including the associated measures of benefit.
  • Demonstrate Metacompliance and Umbraco publishing experience.
  • Those delivering training to have teaching or training qualification such as PTLLS or CTLLS and evidence of over 2 years’ experience of delivering training in a corporate environment.
  • Experience or knowledge of storyboarding for eLearning.
  • Knowledge of the full training cycle.

How suppliers will be evaluated

All suppliers will be asked to provide a written proposal.

How many suppliers to evaluate
5
Proposal criteria
  • Demonstrated understanding of the requirement.
  • Comprehensive description of proposed delivery.
  • Detailed descriptions of how content will be tailored for different audiences.
  • Explain your approach to producing engaging content as a key part of the user experience that meets end user needs. Including for users with accessibility and assisted digital needs.
  • Approach and methodology (training delivery, environments, data sets, scenarios, etc).
  • Approach and methodology (Online support content).
  • Overall knowledge of the training life-cycle within projects of this size or similar.
  • Value for money.
  • Approach to QA.
  • Evidence of similar digital services and being successfully delivered on time and within budget.
Cultural fit criteria
  • Work as a team with our organisation and other suppliers.
  • Be transparent and collaborative when making decisions.
  • Take responsibility for their work.
  • Share knowledge and experience with other team members.
  • Work openly.
  • Be comfortable with an agile working culture.
  • Be comfortable standing up for their discipline.
  • Can work with clients with low technical expertise.
  • Approach to defining training scenarios and workflows.
  • Take responsibility for delivery of work, and build positive successful relationships by sharing knowledge and experiences.
  • Be transparent, collaborative, and innovative in terms of problem solving and decision making.
Payment approach
Capped time and materials
Additional assessment methods
  • Case study
  • Work history
  • Reference
  • Presentation
Evaluation weighting

Technical competence

75%

Cultural fit

5%

Price

20%

Questions asked by suppliers

1. Is there a current incumbent or preferred supplier for this project please?
No
2. 1. Please advise how many existing policies documents you have?
2. When were these documents last updated/reviewed?
3. Are the policies up to date with current mode of working and strategy, such as if you have a cloud strategy then the policies are cloud aware? If not who will update them and how long will it take before they are approved?
4. Do you have an existing risk framework in place and associated artefacts such as risk register, risk assessments, risk policy?
Please come to our Q&A session on 7th April.
3. Does the 50k budget include all of – ascertaining user needs, creating customised training content, rendering content on training platform and also training the staff?
Yes
4. Looking at roles, an undefined number of Risk Champions are specified, how are they to be treated, how many would there be?
Our estimate is circa 50, this deliverable may change how the role is defined and this the number. The Risk Champions’ role is supporting the other key roles with advice and guidance.
5. In terms of the delivery, are you looking for a package i.e. videos, exercises etc. or a person and team to deliver it, or a mixture?
Targeted training of key roles, in person with supporting content. These roles are spread out across the organisation in different service areas, so there would be an element of tailoring to meet the needs of each area.
6. The specification mentions that suppliers need a broad range of knowledge of Cyber Security – is there a view to use this as part of an on-boarding process?
No, we have an on-boarding process and induction programme which covers broad stroke data protection and cyber security topics.
7. Are the deliverables are for teams you want to develop outside of IT such as Social Workers, Rent Collectors etc?
The roles are staff with specific risk responsibilities.
8. Are you not planning to train the entire staff?
We already have the broad strokes induction programme, we are looking to train the key roles.
9. How many employees are there at London Borough of Redbridge?
Approx. 2600
10. What triggered the initiative?
The initiative is triggered by creation of a cyber security strategy for the authority which is part of a drive to create a positive cyber aware culture and ensure people have the skills and knowledge to meet their obligations.
11. Was the cyber security strategy an internal strategy?
Yes
12. Content to be delivered includes blogs and on demand content. Do you have a location on line for this to be hosted?
We are currently building a platform to host this content.
13. How regularly would content need to be delivered?
At this stage, an initial push to get the majority of content reframed and updated and then redeployed from its current location to the new platform.
14. What level of depth is expected? For example, specific aspects of information security and risk management, governances, risk structures, metrics etc. What are the priorities in terms of scope of delivery?
With different levels of management and risk responsibility, there will be different focus. For example, system managers would focus on a system; information asset managers would view the broad spectrum of a service and the information within it, information asset owners would take a more strategic view of risk. We want to understand these roles and their needs and provide them tailored training. The audience is predominantly business staff, they are non technical.
15. Is there a requirement to log who has been trained?
Yes, we have a platform that can track that and would prefer to leverage that.
16. Are there any specific qualifications that training should align to? I.e. GIAC, implementations of ISO.
No, this is not part of the requirement.
17. Our approach would be to start with user research, then user journeys, content & interaction design, are you planning to do something similar, would we embed in to that kind of framework?
We are not looking to be proscriptive and want to leverage your expertise in how best to achieve the deliverables.
18. Will London Borough of Redbridge be identifying the users that need to be researched?
Broadly speaking, yes.
19. Does London Borough of Redbridge want content to be rewritten to be clear and easily understandable, is this part of the scope?
Yes, part of this will be framed by the platform hosting the content.
20. Can training be provided on how to use the Umbraco platform?
Yes, that would be possible, the platform is easy to use so minimal training should be needed.
21. Are the policies to be reviewed and rewritten already existing?
We have a range of policies which are constantly being reviewed and updated. The expectation is that some would be lift and shift while others would need more engagement internally to be reframed and updated.
22. The specification states that ownership of content would remain with London Borough of Redbridge, could you expand on this.
Content is required which is bespoke for London Borough of Redbridge and tailored for specific roles and responsibilities. That content would be hosted on LBRs platforms and reusable.
23. Does London Borough of Redbridge have any specific cyber security policies that are published internally, can we see what has been produced thus far?
Cannot publish in advance but whoever wins the tender would have access. The policies are about risk management so there is an element of cyber security in most of them.
24. Are the roles mentioned all London Borough of Redbridge employees, or contractors and external people?
All internal staff.
25. Has the specification been produced internally?
Internally
26. When do you hope to go live with the system? To start delivering training to staff.
Something to be worked out; indicatively, delivery in the summer.
27. Are suppliers allowed to work with partners who are not registered on DOS 5?
Please comply with the regulations of DOS 5. Please indicate if you intend to use a 3rd party to supply part of the requirement. The contract would be between London Borough of Redbridge and a single DOS 5 supplier.