DATA SECURITY ASSESSMENT REQUIREMENTS QUESTIONNAIRE RESPONSE GUIDANCE, EVALUATION AND MARKING SCHEME CROWN TRAVEL SERVICES REFERENCE NUMBER RM1081

Transcription

1 DATA SECURITY ASSESSMENT REQUIREMENTS QUESTIONNAIRE RESPONSE GUIDANCE, EVALUATION AND MARKING SCHEME CROWN TRAVEL SERVICES REFERENCE NUMBER RM1081 ATTACHMENT 2 1

2 SECURITY QUESTIONNAIRE RESPONSE GUIDANCE, EVALUATION AND MARKING SCHEME 1 INTRODUCTION 1.1 This document provides an overview of the methodology which will be adopted by the Authority to evaluate your response to each question set out within the Security Questionnaire. It also sets out the Marking Scheme which will apply. For the avoidance of doubt, references to you in this document shall be references to the Potential Provider. 1.2 The defined terms used in the ITT document (Attachment 1) shall apply to this document. 2 OVERVIEW 2.1 The Security Questionnaire is broken down into the following sections: SECTION A MANDTORY QUESTIONS 2.2 If you fail to provide a response to any applicable question of the Security Questionnaire, your Tender may be deemed to be non-compliant. If a Tender is deemed to be non-compliant, the Tender will be rejected and excluded from further participation in this Procurement. 2

3 SECTION A MANDATORY QUESTIONS [SECQA1] SECURITY Please indicate by selecting either option YES or NO, that in the event you are awarded a place on the Framework Agreement, you will or will not, unreservedly deliver in full, all the mandatory Service requirements as set out in Framework Schedule 20 Data Security Management. YES - You will, unreservedly deliver in full, all the Data Security requirements as set out in Framework Schedule 20 Data Security Management. NO - You will not, or cannot, deliver in full, all the Data Security requirements as set out in Framework Schedule 20 Data Security Management. AQA1 Response Guidance This is a PASS/FAIL question. If you cannot or are unwilling to select YES to this question, you will be disqualified from further participation in this Procurement. You are required to select either option YES or NO from the drop down list associated with this question. Providing a YES response means the Potential Provider will, unreservedly deliver in full, all the Data Security requirements as set out in Framework Schedule 20 Data Security Management. If the Potential Provider selects NO (or does not answer the question) to indicate that they will not, or cannot, deliver in full, all the Data Security requirements as set out in Framework Schedule 20 Data Security Management, then the Potential Provider will be disqualified from further participation in this Procurement. Marking Scheme PASS FAIL Evaluation Guidance The Potential Provider has confirmed that they will, unreservedly deliver in full, all the Data Security requirements as set out in Framework Schedule 20 Data Security Management. The Potential Provider has confirmed that they will not, or cannot, deliver in full, all Data Security requirements as set out in Framework Schedule 20 Data Security Management. OR The Potential Provider has not selected either YES or NO. 3

4 [SECQA2] SECURITY RESPONSE MATRIX To enable the Authority to assess the Data Security levels you will be able to provide under this Framework Agreement, you must download, populate, save and upload the following Attachment in accordance with the instructions provided in the Response Guidance: Attachment 16 Data Security Response Matrix Please select either option YES or NO to confirm that you have: a) downloaded Attachment 16 - Data Security Response Matrix from the esourcing Suite b) completed Attachment 16 - Data Security Response Matrix in line with the Response Guidance; c) saved the completed details; d) uploaded your completed Attachment 16 - Data Security Response Matrix into the esourcing Suite by attaching it to question SECQA2 and entitled [insert your company name] _SECQA2 Please note: No additional attachments should be submitted with a Tender unless specifically requested by the Authority - please refer to Attachment 1 Invitation to Tender paragraph 5.5 [SECQA2] Response Guidance To respond to this part of question SECQA2, you must download Attachment 16 Data Security Response Matrix. The Potential Provider must read the following before completing Attachment 16 Data Security Response Matrix: a) Framework Agreement Schedule 20 Data Security Management b) Security Assurance Process/Framework CTS Ref 003 Annex 2 of Framework Schedule 20 Data Security Management. This document describes a range of potential assurance processes which a Potential Provider could use to provide evidence regarding the secure implementation of controls. If the Potential Provider is awarded a Framework Agreement under the lotting structure of this Framework Agreement, the Authority will request that the Supplier delivers what they have stated in Attachment 16 Data Security Response Matrix regarding the type and nature of assurance process(es) that will be used to verify the implementation of all security controls. Where the assurance process is defined then a Potential Provider can reference this process. A Potential Provider could propose different assurance processes for consideration by the Accreditor. c) Security Principle Control Matrix CTS Ref 005 Annex 1 of Framework Schedule 20 Data Security Management - Attachment 12. This document describes the security objective and controls against which the Potential Provider shall be expected to state the compliance of the service implementation. The controls are deliberately described to be Potential Provider agnostic. If the Potential Provider is awarded a Framework Agreement under the lotting structure of this Framework Agreement, this definition shall be used as the basis for validating the solution is able to operate securely and also to derive the assurance process they are proposing to use to verify the implementation in Attachment 16 - Data Security Response Matrix. d) Attachment 17 - Data Security Response Matrix Example. This document is to provide the Potential Provider with an example how to complete Attachment 16 - Data Security Response Matrix. Potential Providers must provide a response in Attachment 16 Data Security Response 4

5 Matrix against each Implementation Objective(s) (as listed in Table 1 below) for: a) Commitment to Satisfy the Implementation Objective(s); b) Assurance Activities Undertaken; and c) Proposal Detail Table 1 Implementation Objective(s) 1.1 Data in Transit Protection: Contracting Body and Service 1.2 Data in Transit Protection: Within the Service 1.3 Data in Transit Protection: Between the Service and other Services 2.1 Physical Location and Legal Jurisdiction 2.2 Data Centre Security 2.3 Data at Rest Protection 2.4 Data Sanitisation - Retention Period 2.5 Data Sanitisation - Contracting Body Onboarding and Offboarding 2.6 Data Sanitisation - End of Life 2.7 Physical Resilience and Availability 3 Separation Between Tenants 4.1 IA Risk Management Processes 4.2 IA Organisational Maturity 5.1 Configuration and Change Management 5.2 Vulnerability Management 5.3 Protective Monitoring 5.4 Incident Management 6.1 Service Contracting Body 7 Secure Development 8 Supply Chain Security 9.1 Authentication of Contracting Body(s) to Management Interfaces 9.2 Separation of Contracting Body(s) to Management Interfaces 9.3 Secure Contracting Body Support 10 Identity and Authentication 11 External Interface Protection 12 Secure Service Administration 5

6 13 Audit Information for Tenants When the Potential Provider has inserted all the relevant details into Attachment 16 Data Security Response Matrix and saved the details, the Potential Provider must upload the completed file into the esourcing Suite, by attaching it to question SECQA2. The Potential Provider is required to select either option YES or NO from the drop down list associated with this question to confirm that it has followed these instructions and uploaded a completed Attachment 16 Data Security Response Matrix to question SECQA2. Attachment 16 Data Security Response Matrix will be incorporated into the Framework Agreement as follows: Attachment 16 will become Annex 6 in Framework Schedule 20 Data Security Management The Data Security Stage evaluation comprises of two Data Security Assessment Stages, Data Security Assessment Stage A and Stage B. Data Security Assessment Stages Data Security Assessment Stage A Commitment to Satisfy the Implementation Objective(s) Data Security Assessment Stage B Assurance Activities Please note: No additional attachments should be submitted with a Tender unless specifically requested by the Authority. Please refer to Attachment 1 Invitation to Tender paragraph 5.5 Marking Scheme Data Security Assessment Stage A Commitment to Satisfy the Implementation Objective(s) Evaluators will assess each response in respect of Assessment Stage A - Commitment to Satisfy the Implementation Objective(s) using the following criteria: 6

7 Data Security Assessment Stage A - Commitment to Satisfy each Implementation Objective(s) Assessment Stage A Marking Scheme FULLY PARTIALLY NON-CONFORMANT NOT APPLICABLE Evaluation Guidance The proposed solution addresses every aspect of the Implementation Objectives, implementing one of the control options specified in the Security Principle Control Matrix CTS Ref 005 (Annex 1 of Framework Schedule 20 - Attachment 12) The proposed solution addresses some of the Implementation Objectives. The Potential Provider has a credible plan in place to address the remainder. The proposed solution does not meet the Implementation Objective. The Implementation Objective is not relevant to the proposed solution. The Potential Provider must produce credible evidence to demonstrate this assertion. Data Security Assessment Stage B Assurance Activities Evaluators will assess each response in respect of Assessment Stage B - Assurance Activities Undertaken using the following criteria: Data Security Assessment Stage B Assurance Activities Assessment Stage B Marking Scheme Evaluation Guidance FULLY PARTIALLY The Potential Provider asserts that they shall undertake all relevant assurance activities defined in the Security Assurance Process / Framework CTS Ref 003 (Annex 2 of Framework Schedule 20) and the Security Principle Control Matrix CTS Ref 005 (Annex 1 of Framework Agreement Schedule 20 - Attachment 12) The Potential Provider asserts that they shall undertake some of the assurance activities defined in the Security Assurance Process / Framework document (Security Assurance Process / Framework CTS Ref 003, Annex 2 of Framework Schedule 20) at least one type of assurance has been provided. The Potential Provider has failed to undertake or commit to NON-CONFORMANT undertake any assurance activities defined in the Security Assurance Process / Framework document (Security Assurance Process / Framework CTS Ref 003, Annex 2 of Framework Schedule 20) Overview of Data Security Assessment Final Mark Evaluators will asses the mark awarded for Data Security Assessment Stage A and Data Security Assessment Stage B for each Implementation Objective(s) and will award a Final Mark of PASS or FAIL as detailed in Table 4 below: 7

8 Assessment Stage A - Mark Commitment to Satisfy the Implementation Objective(s) Assessment Stage B Mark Assurance Activities Final Mark PASS/FAIL FULLY FULLY PASS FULLY PARTIALLY PASS FULLY NON-CONFORMANT FAIL PARTIALLY FULLY PASS PARTIALLY PARTIALLY PASS PARTIALLY NON-CONFORMANT FAIL NON-CONFORMANT FULLY FAIL NON-CONFORMANT PARTIALLY FAIL NON-CONFORMANT NON-CONFORMANT FAIL NOT APPLICABLE FULLY PASS NOT APPLICABLE PARTIALLY PASS NOT APPLICABLE NON-CONFORMANT FAIL To proceed to the Selection Stage evaluation, Potential Providers must achieve a PASS for ALL Implementation Objective(s) as listed in Table 1 in accordance with the Table 4 above. Potential Providers who receive a FAIL for one or more Implementation Objective(s) as listed in Table 1 in accordance with the Table 4 above will be deemed as having failed in this procurement and the Tender rejected and disqualified from further participation. 8

9 See worked examples in the tables below: Worked Example 1 - Potential Provider A has achieved a PASS for ALL Implementation Objective(s) and will proceed to the Selection Stage evaluation Please note: this is a worked example for illustrative purposes only. Potential Providers should not constitute this as an answer. Potential Provider A Implementation Objective(s) Data Security Assessment A Commitment to Satisfy the Implementation Objectives Data Security Assessment B Undertake Assurance Activities Final Mark Data in Transit Protection: Contracting Body and FULLY FULLY PASS 1.1 Service 1.2 Data in Transit Protection: Within the Service FULLY FULLY PASS Data in Transit Protection : Between the Service FULLY FULLY PASS 1.3 and other Services 2.1 Physical Location and Legal Jurisdiction FULLY PARTIALLY PASS 2.2 Data Centre Security FULLY PARTIALLY PASS 2.3 Data at Rest Protection PARTIALLY FULLY PASS 2.4 Data Sanitisation - Retention Period PARTIALLY PARTIALLY PASS 2.5 Data Sanitisation - Contracting Body FULLY PARTIALLY PASS Onboarding and Offboarding 2.6 Data Sanitisation - End of Life PARTIALLY FULLY PASS 2.7 Physical Resilience and Availability PARTIALLY PARTIALLY PASS 3 Separation Between Tenants PARTIALLY PARTIALLY PASS 4.1 IA Risk Management Processes NOT APPLICABLE FULLY PASS 4.2 IA Organisational Maturity NOT APPLICABLE PARTIALLY PASS 5.1 Configuration and Change Management PARTIALLY FULLY PASS 5.2 Vulnerability Management PARTIALLY PARTIALLY PASS 5.3 Protective Monitoring FULLY PARTIALLY PASS 5.4 Incident Management PARTIALLY FULLY PASS 6.1 Service Contracting Body PARTIALLY PARTIALLY PASS 7 Secure Development PARTIALLY PARTIALLY PASS 8 Supply Chain Security NOT APPLICABLE FULLY PASS 9.1 Authentication of Contracting Body(s) to NOT APPLICABLE PARTIALLY PASS Management Interfaces 9.2 Separation of Contracting Body(s) to FULLY PARTIALLY PASS Management Interfaces 9.3 Secure Contracting Body Support PARTIALLY FULLY PASS 10 Identity and Authentication PARTIALLY PARTIALLY PASS 11 External Interface Protection PARTIALLY PARTIALLY PASS 12 Secure Service Administration NOT APPLICABLE FULLY PASS 13 Audit Information for Tenants NOT APPLICABLE PARTIALLY PASS 9

10 Worked Example 2: Potential Provider B has received a Final Mark of a FAIL for one or more Implementation Objective(s) and the tender will be deemed as having failed in this procurement and the Tender rejected and disqualified from further participation in the procurement. Please note: this is a worked example for illustrative purposes only. Potential Providers should not constitute this as an answer. Potential Provider B Implementation Objective(s) Assessment A Commitment to Satisfy the Implementation Objectives Assessment B Undertake Assurance Activities Final Mark PASS/FAIL 1.1 Data in Transit Protection: Contracting Body and FULLY FULLY PASS Service 1.2 Data in Transit Protection: Within the Service FULLY FULLY PASS 1.3 Data in Transit Protection: Between the Service and FULLY FULLY PASS other Services 2.1 Physical Location and Legal Jurisdiction FULLY PARTIALLY PASS 2.2 Data Centre Security FULLY PARTIALLY PASS 2.3 Data at Rest Protection PARTIALLY FULLY PASS 2.4 Data Sanitisation - Retention Period PARTIALLY PARTIALLY PASS 2.5 Data Sanitisation - Contracting Body Onboarding and Offboarding FULLY NON- CONFORMANT 2.6 Data Sanitisation - End of Life PARTIALLY FULLY PASS 2.7 Physical Resilience and Availability PARTIALLY PARTIALLY PASS 3 Separation Between Tenants PARTIALLY NON- CONFORMANT FAIL 4.1 IA Risk Management Processes NON- CONFORMANT FULLY FAIL 4.2 IA Organisational Maturity NOT APPLICABLE PARTIALLY PASS 5.1 Configuration and Change Management PARTIALLY FULLY PASS 5.2 Vulnerability Management PARTIALLY PARTIALLY PASS 5.3 Protective Monitoring FULLY PARTIALLY PASS 5.4 Incident Management PARTIALLY FULLY PASS 6.1 Service Contracting Body PARTIALLY PARTIALLY PASS 7 Secure Development PARTIALLY PARTIALLY PASS 8 Supply Chain Security NOT APPLICABLE FULLY PASS 9.1 Authentication of Contracting Body(s) to Management Interfaces NOT APPLICABLE PARTIALLY PASS 9.2 Separation of Contracting Body(s) to Management Interfaces FULLY PARTIALLY PASS 9.3 Secure Contracting Body Support PARTIALLY FULLY PASS 10 Identity and Authentication PARTIALLY PARTIALLY PASS 11 External Interface Protection PARTIALLY PARTIALLY PASS 12 Secure Service Administration NOT APPLICABLE FULLY PASS 13 Audit Information for Tenants NOT APPLICABLE PARTIALLY PASS FAIL 10