This opportunity was cancelled

The buyer cancelled this opportunity, for example because they no longer have the budget. They may publish an updated version later.
Government Digital Service (GDS)

WP1365 - SecOps Security Engineer

10 Incomplete applications

10 SME, 0 large

8 Completed applications

5 SME, 3 large

Important dates

Published
Friday 12 May 2017
Deadline for asking questions
Tuesday 16 May 2017 at 11:59pm GMT
Closing date for applications
Friday 19 May 2017 at 11:59pm GMT

Overview

Specialist role
Cyber security consultant
Summary of the work
Deliver alphas of security tooling.
Securing build pipelines.
Document security processes.

This role is outside of IR-35.

* We would like the person to start as soon as possible. The latest start date to allow for any delays in the procurement process is 28th June 2017 *
Latest start date
Wednesday 28 June 2017
Expected contract length
18 weeks
Location
London
Organisation the work is for
Government Digital Service (GDS)
Maximum day rate
£650 (Exc. VAT) per day

About the work

Early market engagement
Who the specialist will work with
You will be working within a core team of security specialists including: security engineers, security architect, security operations, security analyst, security intelligence analyst, ethical hacker. The wider 'matrix managed' team is made up of tech architects, developers, user support managers, product managers, delivery managers and the Enabling Delivery and Support team.
What the specialist will work on
Alpha Deliverables
- Build prototypes for the following secrets management problems:
  * Solution tailored to type of secret being stored
  * SSH key management & rotation
- Develop tools for use in internal security testing
- Build an AWS account management solution for specific teams consistent with GDS TechOps goals
- Create build pipelines with push button deploy, authorisation and access control for specific teams
- Set up egress proxying for specific teams
- Set up AWS base images
Secure continuous integration and build infrastructure.
Build robust security processes for these tools/services and create security awareness amongst technical teams.

Work setup

Address where the work will take place
Government Digital Service
Aviation House
125 Kingsway
London
WC2B 6NH until mid June 2017.

Whitechapel building, Aldgate, London from mid June 2017.
Working arrangements
Onsite, co-located with the core team. There may be some need for travel to other government/third parties for reference visits - only when needed.
Security clearance
SC clearance

Additional information

Additional terms and conditions
DOS terms and conditions will apply. The only addition, if required, would be that Cabinet Office T&S Policy will apply for any Supplier expenses, which will need to be pre-approved by Cabinet Office.

Skills and experience

Buyers will use the essential and nice-to-have skills and experience to help them evaluate suppliers’ technical competence.

Essential skills and experience
  • At least 2 years significant experience of application security
  • At least 2 years technical knowledge in security engineering, authentication and security protocols, cryptography
  • At least 2 years knowledge of system security vulnerabilities and remediation techniques
  • At least 2 years analytic skills to understand security implications of technical events
  • At least 2 years experience of working within a software development team/writing code
  • At least 2 years software engineering skills, including experience building, managing and deploying modern technical systems
  • At least 2 years working knowledge of Linux
  • At least 2 years experience working with cloud environments
Nice-to-have skills and experience
  • At least 2 years experience of managing security in an environment with frequent change
  • At least 2 years well recognised security certifications or training
  • At least 2 years experience with penetration testing, network security monitoring or incident response
  • At least 2 years experience supervising technical specialists
  • At least 2 years experience of configuration management processes and tools - e.g. Puppet or Chef
  • At least 2 years experience of working with IaaS and PaaS cloud environments
  • At least 2 years experience of working with PCI environments

How suppliers will be evaluated

How many specialists to evaluate
3
Cultural fit criteria
  • Work as a team with our organisation and other suppliers
  • Be transparent and collaborative when making decisions
  • Have a no-blame culture and encourage people to learn from their mistakes
  • Take responsibility for their work
  • Share knowledge and experience with other team members
  • Challenge the status quo
  • Be comfortable standing up for their discipline
  • Can work with clients with low technical expertise
Assessment methods
  • Work history
  • Reference
  • Interview
Evaluation weighting

Technical competence

55%

Cultural fit

15%

Price

30%

Questions asked by suppliers

1. Please confirm the IR35 status for this position.
This role is outside IR35. The intermediaries legislation does not apply to this engagement.
2. Is having SC clearance a pre-requisite for this position?
It is preferred that the candidate already has SC clearance. If not currently held, the candidate must be willing to undertake the SC clearance process. This DOS requirement made it clear that SC clearance is required; suppliers are then required to pay and arrange for that security clearance themselves to become eligible and compliant to perform the contract.

We can however arrange for special dispensation to allow suppliers to begin their contract and allow them onsite whilst the security process is underway.
A caveat to this is that the supplier's contract would be terminated if SC clearance was not granted.
3. Can a candidate with DV clearance be considered for this role?
Yes, DV clearance is higher than SC clearance and SC clearance is higher than BPSS clearance.
4. Can you please specify which software development or coding skills are needed for this role? e.g. Java, C++, .Net, Ruby on rails etc.
At GDS we mostly use a mixture of Ruby, Python and Java. Knowledge of at least one would be necessary and understanding more would be helpful. We'd consider someone without certifications if they had sufficient appropriate experience.
5. What is the lead time for feedback once the application is submitted?
Depending on the volume of bids received at the outset, we would aim to get back to suppliers within 5 days to let them know if they have been successful at getting through to the next stage. If unsuccessful, feedback would also be provided.
6. Can more than one candidate per supplier be submitted for this role?
No, only one candidate can be submitted by each supplier for the role.
7. What are the other expenses which will be paid?
Expenses would be paid if, for example, travel to a site other than GDS' premises outside the M25 is required.
Expenses will need to be authorised in advance by the Programme, and also need to be in line with Cabinet Office T&S Policy.
8. Is occasional remote working allowed?
Yes, occasional remote working will be allowed upon negotiation with the supervising manager.
9. What technologies will the consultant work on or should have experience with? Please give detail.
At GDS we mostly use a mixture of Ruby, Python and Java. Knowledge of at least one would be necessary and understanding more would be helpful. We'd consider someone without certifications if they had sufficient appropriate experience.
10. Which certifications or training are needed for this role?
At GDS we mostly use a mixture of Ruby, Python and Java. Knowledge of at least one would be necessary and understanding more would be helpful. We'd consider someone without certifications if they had sufficient appropriate experience.
11. What is the total number of positions open for this role?
One Position.
12. Is there any travel involved in this role and will the travel expenses be paid?
Expenses would be paid if, for example, travel to a site other than Aviation House or the new Aldgate premises outside the M25 is required.
This would need to be pre-authorised in advance by the Programme, and expenses would need to be in line with Cabinet Office T&S Policy.