Security is a critical aspect of any government system that handles (uses, stores, processes and/or transmits) classified information. Before a system can go live, the appointed government accreditor must approve it.
For new systems, as the prime contractor running the project, you are probably responsible for information security, which means you need to determine a plan and resources. You may need to prepare an approach for your response to a customer’s Invitation to Tender, or at the start of the delivery phase.
If you have an in-house information security team, you can respond at any stage – pre- or post-contract award. If you don’t have an in-house team, or you need an extra level of skill or experience, or you want to bring an independent perspective to the project, you may prefer to work with a specialist third party.
As information security increases in importance, customers may make it an inherent part of the specification and evaluation process. So, having a robust approach from both a business and project perspective should enable you to build competitive advantage – it could make the difference between winning and losing a contract.
Where the customer hasn’t put focus on information security, it may be tempting to ignore or trade it off in favour of lower cost. However, treating it seriously early on can put you in a stronger position. As you enter the delivery phase, a well-defined and budgeted approach can save you money as there will be no risk of you having to fund resources from your contingency.
It’s also worth remembering that delayed or failed accreditation can lead to late payment of invoices and, potentially, contractual conflict – another reason to make sure you are well-prepared and resourced.
Ascentor brings information security resources and an independent perspective to your project. Our CESG Certified Professional (CCP) consultants have worked on complex and highly sensitive defence, security and government projects, so have the necessary skills and experience.
As security advisors to your project, we can help at the bid or delivery stage. You may be required to submit a Security Management Plan with your proposal; we can create this for you and help with defining the high-level security design. During delivery we can manage your accreditation activities and help you design and build a secure solution. This will include activities and deliverables such as an information assurance development plan; a threat and vulnerability assessment; a technical risk assessment; technical security requirements; technical security design or build; attendance at PDR and CDR; and the Security Aspects of the Design document.
We will work with your team, located on- and/or off-site as appropriate, using workshops and interviews to determine the requirements and optimum approach. We will deliver appropriate and timely accreditation documentation and architectures or designs in accordance with relevant policies and requirements (for example, JSP440 and JSP604 for MOD).