Closed

Integrated Risk Management, Vulnerability Response, Development and Implementation

Published

Description

Summary of work

The Department’s Adaptive Security Programme focus is on improving security controls across Digital Services to reduce the residual risks associated with a Cyber-attack. A decision was taken in January 2022 to select ServiceNow’s Security Operations platform as a core set of controls; Security Incident Response and Integrated Risk Management were initially purchased with a base capability implemented. This was later extended to include Vulnerability Response capability.

Over a period of 9-12 months, the successful ServiceNow Elite status partner will:

- Provide demonstrable evidence of multiple successful VR, SIR and IRM implementations in large scale, complex organisations.
- Provide consultancy and hands-on-deployment for the design and configuration of new features, enhancements and fixes to the VR, SIR and IRM modules, including integration with existing security tools and resources including but not limited to Tenable IO, Wiz, Splunk ES, Sentinel, GitLab, XSOAR, Mandiant, MISP, Tanium, Ansible Tower.
- Provide consultancy and hands-on-deployment for the design and configuration of enhancements to the IRM, SIR and VR modules and additional workspaces such as: Configuration Compliance, Application VR, Container VR, SBOM, Security Posture Control, Threat Intelligence Security Centre.
- Enhance the VR, SIR and IRM modules by providing Subject Matter Expert (SME) ServiceNow Product Implementation Specialists for VR, SIR and IRM. The implementation specialists will configure data and promote code into the Production instance, through the DWP ServiceNow SDLC in line with internal DWP platform governance, including provision of regression pack.
- The successful partner will also supply architects, consultants, hands-on-deployment specialists, including their own Project Management, for the design and configuration to ensure the most effective and efficient implementation delivers early value realisation over several outcome-based milestones.
  (Milestones will be determined in a subsequent Statement of Work)
- The successful partner will ensure that Knowledge Transfer, of design, development, or process, is delivered to both internal Security process teams and DWP Place (ServiceNow platform) Product teams. The successful partner will provide relevant training and training materials during the implementation or enhancements.

Where the supplied staff will work

No specific location (for example they can work remotely)

Why the work is being done

The Department’s Adaptive Security Programme is focussed on improving security controls across Digital Services to reduce the residual risks associated with a Cyber-attack. A decision was taken in January 2022 to select ServiceNow’s Security Operations platform as a core set of controls; Security Incident Response and Integrated Risk Management were initially purchased with a base capability implemented. The next phase was to extend this capability in line with ServiceNow’s capability model (Foundation, Crawl, Walk, Run and Fly) to extend the capability around SIR, IRM and build in the ServiceNow Vulnerability Response module, allowing us to conduct more automated system driven monitoring and mitigation for security vulnerabilities.

Following a phase of work to mature the 3 security modules in line with the ServiceNow capability model, additional support is required to achieve automation and orchestration of workflows between the 3 modules and the wider ServiceNow platform. Currently the Vulnerability Management, Security Incident and Monitoring, and Security Risk Management processes are disconnected. Enhancements to each of the 3 modules will enable more efficient and collaborative efforts to detect, respond and recover from Cyber-Security events. Visibility of compliant and non-compliant security controls when carrying out incident response or vulnerability analysis will allow for a more accurate and coordinated approach to applying remediation efforts.
As we migrate more of our IT infrastructure into Public Cloud environments, this alters the requirements in terms of security controls that must be applied. Therefore there is a need to apply increased focus to vulnerabilities that sit outside of physical IT infrastructure, such as Applications, Containers, Serverless, SBOMs. Enrichment of exploit potential of each of these security vulnerabilities by utilising threat intelligence feeds will enable advanced insight into our attack surface. Increased visibility and intelligence of security vulnerabilities in these environments will require patch orchestration and automation (SOAR) tooling and workflows to enable swifter remediation due to their ephemeral nature. Enhanced dashboards and workspaces that enable the correlation of various vulnerability data sources and the ability to progress remediation activities through coordinated workflows, such as through the Major Security Incident Management process, are required.

Following the integration of SIEM data into the SIR module, we require the ability to ingest security alerts with additional sightings that may exist within the SIEM or other supported data sources, to enable more efficient analysis of security incidents within the platform. This will supplement the number of other security data sources we have matured and require integration with the module (such as Wiz, Sentinel, Splunk ES).

As we mature our Threat Intelligence operational procedures to increase awareness of susceptibility to specific threat scenarios or actors, the ability to centralise this data within the SIR module is required. This will enable the correlation of multiple Threat Intelligence feeds against internal and external risk profiles, providing a more insightful view on our attack surface and assisting with our response and recovery activities via case management.
In line with the ServiceNow capability model we require enhancements to the existing IRM module to enable real time tracking of compliance to security framework safeguards and controls. This will require enhancements to the workflows that exist within the platform and integration with one or multiple separate data sources (such as Tanium, Wiz) that can automate the collection of data and metrics that will measure control effectiveness and compliance. To demonstrate enterprise adherence to these security controls, development of advanced dashboards and performance analytics are required. The introduction of further security framework citations including the configuration of indicators will enable us to provide assurance against each of those, increasing our overall security posture.

Integration with the wider ServiceNow platform is essential to enable the full potential of the security modules. Development of functionality that enables low code/no code development will enable delivery and user teams to generate business requirements efficiently into working solutions. ServiceNow Generative AI capabilities enable user teams to operate with greater effectiveness within the platform, with the ability to prioritise investigation and remediation activities as well as performing automated searches across various platform tables to suggest solutions to complex security tasks. These features will enable DWP to respond and adapt to the Cyber-Security landscape, empowering Security professionals to quickly make risk-based decisions within a single platform.

The business problem

Specialist ServiceNow security subject matter expertise is required to allow us to get the most simple, effective automated VR, SIR and IRM solutions out of the licences previously purchased. The DWP Place Product team do not have the required knowledge or experience of the security modules.
Securing the SME services will ensure that we get the implementation right first time and in the shortest timeframe. Integrated, automated vulnerability response is required to handle the ever-increasing cyber security threats to our Digital Estates in line with the reduction of residual risks associated with a Cyber-attack on DWP services. There is also a need to improve understanding, monitoring and capture of the Cloud Estate. The ServiceNow SIR, VR and IRM modules allow us to address these challenges.

The risk of extending the capability of VR, SIR and IRM in SecurePlace relates to the manual nature of the activities and the probability that our staff cannot keep pace with volumes of activities and the increasingly sophisticated and diverse nature of threats. The manual processes are slower and therefore lend the possibility of exploits and attacks being successful.

Enhancing each of the 3 modules in recognition of each of the other’s capabilities, as well as empowering each of the operational teams utilising them on a daily basis, enables the SecurePlace service to act as a hub for the wider Cyber-Security Eco-System. This ensures we are in the best possible position to identify, respond and recover from any potential security risk, as opposed to disconnected security tools and functions. DWP Place Product team do not have the knowledge, experience, or resources to undertake the activities in house.

The people who will use the product or service

User type: Vulnerability Response User
Definition: As a VR user I need to manage cyber security software vulnerabilities, remediate, or apply compensating controls.

User type: Security Incident Response User
Definition: As an SIR user I need to manage cyber security alerts and events to determine whether they are a cybersecurity incident and resolve them if they are.
User type: Integrated Risk Management User
Definition: As an IRM user I need to manage cyber security risks across all DWP digital security using a controls-based approach aligned to the CISv8 Critical Security Controls.

Which phase the project is in

Live

Existing team

The primary team the supplier will be working with is the Digital Security SecurePlace team, whose primary responsibility is providing services to DWP that utilise the ServiceNow SecOps and IRM modules. This includes multiple Business Analysts who work with the business users to understand requirements for the Security services, technical leads to design workable solutions, as well as delivery management to progress the work through the delivery pipeline and create plans in alignment with the product roadmap. The team is headed up by a Service Owner who engages with the wider Digital Security and Cyber Resilience Centre (CRC) teams to ensure the product and service works in alignment with all other workstreams as part of the Adaptive Security Programme.

The supplier will be required to occasionally work with business stakeholders across the various security teams to help understand and refine requirements. They will also work closely with the DWP Place Platform team whose broad responsibility is to maintain the uptime and integrity of the wider ServiceNow platform; a capability that includes delivery management, governance mechanisms (including SDLC standards), architecture, system administration.

Address where the work will be done

It is anticipated that the majority of the work will be performed remotely. Where work is required to be completed on-site, this could be at the Corporate Hubs listed below.

- Blackpool - Peel Park, Brunel Way, Blackpool FY4 5ES
- Manchester - 2 St Peter’s Square, Manchester, M2 3AA

Working arrangements

The supplier can carry out their roles from whichever location allows them to do so the most effectively.
This can largely be covered by home working, although occasional visits to DWP on-site Hubs will be required to participate in Discovery type activities.

Security and vetting requirements

Security Check (SC)

Latest start date

16 May 2024

Expected contract length

Contract length: 0 years 10 months 0 days
Optional extension: 0 years 5 months 0 days

Special terms and conditions

- DWP's enhanced security schedule - please see attachments
- DWP Offshoring Information - please see attachments

Budget

Indicative maximum: £1215000
Indicative minimum: The contract value is not specified by the buyer
Further information: Optional 5 month extension £1,500,000

Contracted out service or supply of resource?

Contracted out service: the off-payroll rules do not apply

Terms and acronyms

- VR: Vulnerability Response
- SIR: Security Incident Response
- IRM: Integrated Risk Management
- SME: Subject Matter Expert

Questions and Clarifications

1. Please can you confirm if indicated values are inclusive of VAT or pre-vat.

The indicated values (£1,215,000) are inclusive of VAT. The extension value should read £750,000 inc VAT.

Last Updated: 18/04/2024

2. Does the Authority have a current incumbent provider of Service Now Security Operations capabilities?

Yes there is currently an incumbent in place.

Last Updated: 18/04/2024

3. Is it a mandatory requirement for the supplier to be a ServiceNow elite partner?

Yes, due to our maturity of the SecOps and GRC/IRM modules we require the selected supplier to have Elite Partner status to ensure they have the necessary knowledge and experience in delivering these advanced capabilities.

Last Updated: 19/04/2024

4. Some of the integrations may need customisations, we assume DWP will be open to these designs?
Whilst we operate with an OOTB-first approach, we understand and accept that in edge-case scenarios custom designs are necessary to achieve our business outcomes.

Last Updated: 19/04/2024

5. Can you explain DWP's deployment process please? What are the gateways from dev to production?

a. Dev - Primary environment for development, operating environment for developers working on new features, enhancements, and bug fixes.
b. Test - This is a dedicated test instance that allows migration/promotion and story-level testing (QA Testing).
c. Pre-Prod - Primary environment for User Acceptance Testing.
d. Prod (Live) - Production environment operating the live service.
e. Training - Primary environment for training and education. Is also used to test patching and upgrading process.

Last Updated: 19/04/2024

6. What is the responsibility split between the DWP team and service provider?

a. The selected supplier's primary responsibility will be the design, build and implementation of features and enhancements of the SecOps and GRC/IRM ServiceNow modules, in alignment with the DWP Place SDLC standards. This includes engagement with the customer team and wider business stakeholders to help discover and refine requirements, as well as perform product demos and Show and Tells. Attendance at workshops and discovery sessions will be required to help the customer team in defining a product roadmap in alignment with the ServiceNow capability roadmap. A working knowledge of available integrations and plugins with other products (security and other) is also required to enable the solution as the central function within our broader Adaptive Security Programme.

b. The customer team will provide the necessary governance frameworks to enable the selected supplier to carry out these activities, including the previously noted SDLC standards.
A core team including BA and Delivery resource will work alongside the supplier to manage business users/stakeholders and drive business requirements. All required ServiceNow modules and licenses will be procured and managed via the central DWP Place team.

Last Updated: 19/04/2024

Timeline

Publish date

5 months ago

Close date

5 months ago

Buyer information

Explore contracts and tenders relating to Department For Work and Pensions (DWP)
