DATA SECURITY ASSESSMENT REQUIREMENTS QUESTIONNAIRE RESPONSE GUIDANCE, EVALUATION AND MARKING SCHEME CROWN TRAVEL SERVICES REFERENCE NUMBER RM1081




ATTACHMENT 2

SECURITY QUESTIONNAIRE RESPONSE GUIDANCE, EVALUATION AND MARKING SCHEME

1 INTRODUCTION

1.1 This document provides an overview of the methodology which will be adopted by the Authority to evaluate your response to each question set out within the Security Questionnaire. It also sets out the Marking Scheme which will apply. For the avoidance of doubt, references to "you" in this document shall be references to the Potential Provider.

1.2 The defined terms used in the ITT document (Attachment 1) shall apply to this document.

2 OVERVIEW

2.1 The Security Questionnaire is broken down into the following sections:

SECTION A MANDATORY QUESTIONS

2.2 If you fail to provide a response to any applicable question of the Security Questionnaire, your Tender may be deemed to be non-compliant. If a Tender is deemed to be non-compliant, the Tender will be rejected and excluded from further participation in this Procurement.

SECTION A MANDATORY QUESTIONS

[SECQA1] SECURITY

Please indicate, by selecting either option YES or NO, whether, in the event you are awarded a place on the Framework Agreement, you will or will not unreservedly deliver in full all the mandatory Service requirements as set out in Framework Schedule 20 Data Security Management.

YES - You will unreservedly deliver in full all the Data Security requirements as set out in Framework Schedule 20 Data Security Management.

NO - You will not, or cannot, deliver in full all the Data Security requirements as set out in Framework Schedule 20 Data Security Management.

[SECQA1] Response Guidance

This is a PASS/FAIL question. If you cannot or are unwilling to select YES to this question, you will be disqualified from further participation in this Procurement.

You are required to select either option YES or NO from the drop down list associated with this question. Providing a YES response means the Potential Provider will unreservedly deliver in full all the Data Security requirements as set out in Framework Schedule 20 Data Security Management. If the Potential Provider selects NO (or does not answer the question), to indicate that they will not, or cannot, deliver in full all the Data Security requirements as set out in Framework Schedule 20 Data Security Management, then the Potential Provider will be disqualified from further participation in this Procurement.

Marking Scheme

Mark | Evaluation Guidance
PASS | The Potential Provider has confirmed that they will unreservedly deliver in full all the Data Security requirements as set out in Framework Schedule 20 Data Security Management.
FAIL | The Potential Provider has confirmed that they will not, or cannot, deliver in full all Data Security requirements as set out in Framework Schedule 20 Data Security Management; OR the Potential Provider has not selected either YES or NO.

[SECQA2] SECURITY RESPONSE MATRIX

To enable the Authority to assess the Data Security levels you will be able to provide under this Framework Agreement, you must download, populate, save and upload the following Attachment in accordance with the instructions provided in the Response Guidance:

Attachment 16 Data Security Response Matrix

Please select either option YES or NO to confirm that you have:

a) downloaded Attachment 16 - Data Security Response Matrix from the esourcing Suite;
b) completed Attachment 16 - Data Security Response Matrix in line with the Response Guidance;
c) saved the completed details;
d) uploaded your completed Attachment 16 - Data Security Response Matrix into the esourcing Suite by attaching it to question SECQA2 and entitled [insert your company name]_SECQA2.

Please note: No additional attachments should be submitted with a Tender unless specifically requested by the Authority - please refer to Attachment 1 Invitation to Tender paragraph 5.5.

[SECQA2] Response Guidance

To respond to this part of question SECQA2, you must download Attachment 16 Data Security Response Matrix. The Potential Provider must read the following before completing Attachment 16 Data Security Response Matrix:

a) Framework Agreement Schedule 20 Data Security Management.

b) Security Assurance Process/Framework CTS Ref 003, Annex 2 of Framework Schedule 20 Data Security Management. This document describes a range of potential assurance processes which a Potential Provider could use to provide evidence regarding the secure implementation of controls. If the Potential Provider is awarded a Framework Agreement under the lotting structure of this Framework Agreement, the Authority will request that the Supplier delivers what they have stated in Attachment 16 Data Security Response Matrix regarding the type and nature of assurance process(es) that will be used to verify the implementation of all security controls. Where the assurance process is defined, a Potential Provider can reference this process. A Potential Provider could propose different assurance processes for consideration by the Accreditor.

c) Security Principle Control Matrix CTS Ref 005, Annex 1 of Framework Schedule 20 Data Security Management - Attachment 12. This document describes the security objectives and controls against which the Potential Provider shall be expected to state the compliance of the service implementation. The controls are deliberately described to be Potential Provider agnostic. If the Potential Provider is awarded a Framework Agreement under the lotting structure of this Framework Agreement, this definition shall be used as the basis for validating that the solution is able to operate securely, and also to derive the assurance process they are proposing to use to verify the implementation in Attachment 16 - Data Security Response Matrix.

d) Attachment 17 - Data Security Response Matrix Example. This document provides the Potential Provider with an example of how to complete Attachment 16 - Data Security Response Matrix.

Potential Providers must provide a response in Attachment 16 Data Security Response Matrix against each Implementation Objective (as listed in Table 1 below) for:

a) Commitment to Satisfy the Implementation Objective(s);
b) Assurance Activities Undertaken; and
c) Proposal Detail.

Table 1 Implementation Objective(s)

1.1 Data in Transit Protection: Contracting Body and Service
1.2 Data in Transit Protection: Within the Service
1.3 Data in Transit Protection: Between the Service and other Services
2.1 Physical Location and Legal Jurisdiction
2.2 Data Centre Security
2.3 Data at Rest Protection
2.4 Data Sanitisation - Retention Period
2.5 Data Sanitisation - Contracting Body Onboarding and Offboarding
2.6 Data Sanitisation - End of Life
2.7 Physical Resilience and Availability
3 Separation Between Tenants
4.1 IA Risk Management Processes
4.2 IA Organisational Maturity
5.1 Configuration and Change Management
5.2 Vulnerability Management
5.3 Protective Monitoring
5.4 Incident Management
6.1 Service Contracting Body
7 Secure Development
8 Supply Chain Security
9.1 Authentication of Contracting Body(s) to Management Interfaces
9.2 Separation of Contracting Body(s) to Management Interfaces
9.3 Secure Contracting Body Support
10 Identity and Authentication
11 External Interface Protection
12 Secure Service Administration
13 Audit Information for Tenants

When the Potential Provider has inserted all the relevant details into Attachment 16 Data Security Response Matrix and saved the details, the Potential Provider must upload the completed file into the esourcing Suite by attaching it to question SECQA2.

The Potential Provider is required to select either option YES or NO from the drop down list associated with this question to confirm that it has followed these instructions and uploaded a completed Attachment 16 Data Security Response Matrix to question SECQA2.

Attachment 16 Data Security Response Matrix will be incorporated into the Framework Agreement as follows: Attachment 16 will become Annex 6 in Framework Schedule 20 Data Security Management.

The Data Security Stage evaluation comprises two Data Security Assessment Stages, Data Security Assessment Stage A and Stage B:

Data Security Assessment Stage A | Commitment to Satisfy the Implementation Objective(s)
Data Security Assessment Stage B | Assurance Activities

Please note: No additional attachments should be submitted with a Tender unless specifically requested by the Authority. Please refer to Attachment 1 Invitation to Tender paragraph 5.5.

Marking Scheme

Data Security Assessment Stage A Commitment to Satisfy the Implementation Objective(s)

Evaluators will assess each response in respect of Assessment Stage A - Commitment to Satisfy the Implementation Objective(s) using the following criteria:

Data Security Assessment Stage A - Commitment to Satisfy each Implementation Objective(s)

Assessment Stage A Marking Scheme | Evaluation Guidance
FULLY | The proposed solution addresses every aspect of the Implementation Objectives, implementing one of the control options specified in the Security Principle Control Matrix CTS Ref 005 (Annex 1 of Framework Schedule 20 - Attachment 12).
PARTIALLY | The proposed solution addresses some of the Implementation Objectives. The Potential Provider has a credible plan in place to address the remainder.
NON-CONFORMANT | The proposed solution does not meet the Implementation Objective.
NOT APPLICABLE | The Implementation Objective is not relevant to the proposed solution. The Potential Provider must produce credible evidence to demonstrate this assertion.

Data Security Assessment Stage B Assurance Activities

Evaluators will assess each response in respect of Assessment Stage B - Assurance Activities Undertaken using the following criteria:

Data Security Assessment Stage B Assurance Activities

Assessment Stage B Marking Scheme | Evaluation Guidance
FULLY | The Potential Provider asserts that they shall undertake all relevant assurance activities defined in the Security Assurance Process / Framework CTS Ref 003 (Annex 2 of Framework Schedule 20) and the Security Principle Control Matrix CTS Ref 005 (Annex 1 of Framework Agreement Schedule 20 - Attachment 12).
PARTIALLY | The Potential Provider asserts that they shall undertake some of the assurance activities defined in the Security Assurance Process / Framework document (Security Assurance Process / Framework CTS Ref 003, Annex 2 of Framework Schedule 20); at least one type of assurance has been provided.
NON-CONFORMANT | The Potential Provider has failed to undertake, or to commit to undertake, any assurance activities defined in the Security Assurance Process / Framework document (Security Assurance Process / Framework CTS Ref 003, Annex 2 of Framework Schedule 20).

Overview of Data Security Assessment Final Mark

Evaluators will assess the mark awarded for Data Security Assessment Stage A and Data Security Assessment Stage B for each Implementation Objective and will award a Final Mark of PASS or FAIL as detailed in Table 4 below:

Table 4 Final Mark

Assessment Stage A Mark (Commitment to Satisfy the Implementation Objective(s)) | Assessment Stage B Mark (Assurance Activities) | Final Mark PASS/FAIL
FULLY | FULLY | PASS
FULLY | PARTIALLY | PASS
FULLY | NON-CONFORMANT | FAIL
PARTIALLY | FULLY | PASS
PARTIALLY | PARTIALLY | PASS
PARTIALLY | NON-CONFORMANT | FAIL
NON-CONFORMANT | FULLY | FAIL
NON-CONFORMANT | PARTIALLY | FAIL
NON-CONFORMANT | NON-CONFORMANT | FAIL
NOT APPLICABLE | FULLY | PASS
NOT APPLICABLE | PARTIALLY | PASS
NOT APPLICABLE | NON-CONFORMANT | FAIL

To proceed to the Selection Stage evaluation, Potential Providers must achieve a PASS for ALL Implementation Objective(s) as listed in Table 1, in accordance with Table 4 above. Potential Providers who receive a FAIL for one or more Implementation Objective(s) as listed in Table 1, in accordance with Table 4 above, will be deemed as having failed in this procurement and the Tender will be rejected and disqualified from further participation.

See worked examples in the tables below.

Worked Example 1 - Potential Provider A has achieved a PASS for ALL Implementation Objective(s) and will proceed to the Selection Stage evaluation

Please note: this is a worked example for illustrative purposes only. Potential Providers should not construe this as an answer.

Potential Provider A

Implementation Objective(s) | Data Security Assessment A Commitment to Satisfy the Implementation Objectives | Data Security Assessment B Undertake Assurance Activities | Final Mark
1.1 Data in Transit Protection: Contracting Body and Service | FULLY | FULLY | PASS
1.2 Data in Transit Protection: Within the Service | FULLY | FULLY | PASS
1.3 Data in Transit Protection: Between the Service and other Services | FULLY | FULLY | PASS
2.1 Physical Location and Legal Jurisdiction | FULLY | PARTIALLY | PASS
2.2 Data Centre Security | FULLY | PARTIALLY | PASS
2.3 Data at Rest Protection | PARTIALLY | FULLY | PASS
2.4 Data Sanitisation - Retention Period | PARTIALLY | PARTIALLY | PASS
2.5 Data Sanitisation - Contracting Body Onboarding and Offboarding | FULLY | PARTIALLY | PASS
2.6 Data Sanitisation - End of Life | PARTIALLY | FULLY | PASS
2.7 Physical Resilience and Availability | PARTIALLY | PARTIALLY | PASS
3 Separation Between Tenants | PARTIALLY | PARTIALLY | PASS
4.1 IA Risk Management Processes | NOT APPLICABLE | FULLY | PASS
4.2 IA Organisational Maturity | NOT APPLICABLE | PARTIALLY | PASS
5.1 Configuration and Change Management | PARTIALLY | FULLY | PASS
5.2 Vulnerability Management | PARTIALLY | PARTIALLY | PASS
5.3 Protective Monitoring | FULLY | PARTIALLY | PASS
5.4 Incident Management | PARTIALLY | FULLY | PASS
6.1 Service Contracting Body | PARTIALLY | PARTIALLY | PASS
7 Secure Development | PARTIALLY | PARTIALLY | PASS
8 Supply Chain Security | NOT APPLICABLE | FULLY | PASS
9.1 Authentication of Contracting Body(s) to Management Interfaces | NOT APPLICABLE | PARTIALLY | PASS
9.2 Separation of Contracting Body(s) to Management Interfaces | FULLY | PARTIALLY | PASS
9.3 Secure Contracting Body Support | PARTIALLY | FULLY | PASS
10 Identity and Authentication | PARTIALLY | PARTIALLY | PASS
11 External Interface Protection | PARTIALLY | PARTIALLY | PASS
12 Secure Service Administration | NOT APPLICABLE | FULLY | PASS
13 Audit Information for Tenants | NOT APPLICABLE | PARTIALLY | PASS

Worked Example 2 - Potential Provider B has received a Final Mark of FAIL for one or more Implementation Objective(s); the Tender will be deemed as having failed in this procurement and will be rejected and disqualified from further participation in the procurement

Please note: this is a worked example for illustrative purposes only. Potential Providers should not construe this as an answer.

Potential Provider B

Implementation Objective(s) | Assessment A Commitment to Satisfy the Implementation Objectives | Assessment B Undertake Assurance Activities | Final Mark PASS/FAIL
1.1 Data in Transit Protection: Contracting Body and Service | FULLY | FULLY | PASS
1.2 Data in Transit Protection: Within the Service | FULLY | FULLY | PASS
1.3 Data in Transit Protection: Between the Service and other Services | FULLY | FULLY | PASS
2.1 Physical Location and Legal Jurisdiction | FULLY | PARTIALLY | PASS
2.2 Data Centre Security | FULLY | PARTIALLY | PASS
2.3 Data at Rest Protection | PARTIALLY | FULLY | PASS
2.4 Data Sanitisation - Retention Period | PARTIALLY | PARTIALLY | PASS
2.5 Data Sanitisation - Contracting Body Onboarding and Offboarding | FULLY | NON-CONFORMANT | FAIL
2.6 Data Sanitisation - End of Life | PARTIALLY | FULLY | PASS
2.7 Physical Resilience and Availability | PARTIALLY | PARTIALLY | PASS
3 Separation Between Tenants | PARTIALLY | NON-CONFORMANT | FAIL
4.1 IA Risk Management Processes | NON-CONFORMANT | FULLY | FAIL
4.2 IA Organisational Maturity | NOT APPLICABLE | PARTIALLY | PASS
5.1 Configuration and Change Management | PARTIALLY | FULLY | PASS
5.2 Vulnerability Management | PARTIALLY | PARTIALLY | PASS
5.3 Protective Monitoring | FULLY | PARTIALLY | PASS
5.4 Incident Management | PARTIALLY | FULLY | PASS
6.1 Service Contracting Body | PARTIALLY | PARTIALLY | PASS
7 Secure Development | PARTIALLY | PARTIALLY | PASS
8 Supply Chain Security | NOT APPLICABLE | FULLY | PASS
9.1 Authentication of Contracting Body(s) to Management Interfaces | NOT APPLICABLE | PARTIALLY | PASS
9.2 Separation of Contracting Body(s) to Management Interfaces | FULLY | PARTIALLY | PASS
9.3 Secure Contracting Body Support | PARTIALLY | FULLY | PASS
10 Identity and Authentication | PARTIALLY | PARTIALLY | PASS
11 External Interface Protection | PARTIALLY | PARTIALLY | PASS
12 Secure Service Administration | NOT APPLICABLE | FULLY | PASS
13 Audit Information for Tenants | NOT APPLICABLE | PARTIALLY | PASS