Police Service Case Study

The Client

We were contracted via a Tier One service provider to deliver security architecture design services, CLAS Accreditation and CHECK penetration testing services. These services were in support of a c£400m project for the design, configuration, assurance, delivery and security accreditation of an integrated IT Facilities Management (FM) solution for a UK police service operating at Business Impact Level 2 (Protect) and Business Impact Level 3 (Restricted).

The Challenge

To develop a solution to provide a secure means of information sharing and allocating FM work requests, tracking completion, and issuing and receiving payments between the UK police service, the solution provider and approximately twenty smaller (second tier) service providers that connect to the solution through untrusted end points.

Our Approach

Our risk consultants were deployed into the service provider’s delivery team and employed as the service provider’s security and accreditation subject matter experts, accreditor and engagement leads.

Our approach included breaking down the project’s ultimate objective of achieving full security accreditation into individual milestones with clearly identifiable and documented criteria for achievement.

These milestones were designated as accreditation decision points (ADPs), each of which has a security critical deliverable attached (e.g. risk assessment, penetration test, or assurance plan).

These ADPs were integrated into the overall programme plan and closely aligned with the delivery schedule. By integrating them in this manner we were able to ensure that both the police service and the service provider’s programme management team had complete visibility of progress and were able to keep complementary work stream activity closely aligned.

Throughout the engagement, we operated in complete transparency with their partners and were always completely open about technical, assurance and security challenges.

In order to support open dialogue and ensure stakeholder views were fully considered, we set up and ran the project’s security working group (SWG). The SWG was the main forum for all project stakeholders to openly discuss issues, overcome challenges and ensure the delivery team clearly understood business priorities. Additionally, it served as the platform for presenting penetration test results and the mitigation actions required to ensure all vulnerabilities were appropriately addressed.

The Outcome

The solution operates through logically segregated IL2 & IL3 data repositories with redacted data sets shared between user communities. User communities have varying levels of access on a ‘need to know’ and ‘proven business requirement’ basis. The solution operates a UK cyber security standard compliant protective monitoring capability within a secure network operations centre (SNOC) designed and developed by Gemserv in conjunction with the service provider’s technical teams.

Full security accreditation of the solution was completed in accordance with the original project forecast and all eight ADPs were completed on target.

The SWG continues to operate as a means of ensuring open dialogue and transparency between the service provider and the Police Service, and the delivery of the live service continues.

The business benefits to the UK police service include:

  • Increased accuracy, granularity and reliability of management information available to the internal property services business units.
  • Improved contractor efficiency through better resource and task allocation and oversight via the centralised management of work orders and the monitoring of task completion.
  • The UK police service and service providers can now share protectively marked information across a diverse range of user communities with varying risk levels, from internal users working in a low risk, secure environment, to higher risk FM service providers working from untrusted end points on their local networks.

The solution is currently running at full operating capacity and will continue to deliver service in a secure and efficient manner throughout the duration of the contract.
