Project title: Information Systems Assessment Programme

Background

As a consequence of the strategic defence review initiated by the 2010 coalition government, the UK Ministry of Defence (MOD) undertook a comprehensive review of all its agencies to identify the most appropriate future model of ownership. At the time, DSG (Defence Support Group), responsible for all maintenance and repair of the Armed Forces' wheeled and tracked vehicles as well as providing repair and testing of electronic components, was a trading fund agency within the DE&S (Defence Equipment & Supply) organisation of the MOD. A ministerial decision was made to sell DSG on the commercial market, supported by a guaranteed level of contractual cover to ensure continuity of service.

After a period of competitive marketing among those expressing interest, a pre-qualification questionnaire was used to down-select up to five potential commercial partners. Ultimately, four potential suppliers were identified, and all raised the matter of the secure MOD information systems they would require access to.

In response, the MOD ran a technical consultancy services competition to appoint someone to conduct a comprehensive review of the information systems in use at DSG. RED Scientific Ltd, supported by AMDS Consultants Ltd, won the competition and work started in June 2014. We were responsible for all information systems assurance support throughout the sales process, which required that we:

  • Establish our credibility with all four potential providers as well as DSG, Boeing Defence UK, the UK MOD’s accreditation authorities and their internal information technology suppliers.
  • Conduct a comprehensive strategic and technical review to assess the information technology landscape affected by the sale and the risks that third-party access to UK MOD information systems presented to national security, Government procurement and contractual delivery.
  • Define, evaluate and cost a range of potential options, mitigations and external solutions to address any issues identified.
  • Develop an implementable compliance project which was subsequently contracted for in January 2015.

Work Completed

The work programme had the components described below and was paid against delivered milestone reports addressing the topics covered. Milestones were delivered on time and were recognised by the MOD customer for the quality of the material, the breadth of coverage and the readability.

Information Assurance
  • Technical audit of the information technology landscape affected by the sale
  • Strategic and tactical risk assessment and mitigation
  • Options development, planning and implementation costs with supporting business cases
  • Compliance programme development
Procurement Support
  • Subject matter expert services to the acquisition team in DE&S as well as MOD headquarters
  • Technical appraisal of supplier plans and structures
  • Recommendations on financial and non-financial Key Performance Indicators and output measures
Stakeholder Management
  • Establishing working arrangements and rapport with DSG
  • Engaging with third-party suppliers of information systems support to the UK MOD
  • Management of expectations among internal MOD suppliers
  • Close liaison with MOD accreditation authorities and system owners

Issues Addressed

A number of aspects of the sale raised issues that had to be addressed either directly or by influencing and managing the stakeholder community. Among the primary matters of concern were:

  • The prospect of the sale raised a number of problems with the DSG community, where we had to address concerns over the purpose, impact and consequences of the structural assessment we were undertaking. At the outset, we chose to agree with the customer what we could and could not discuss and took on an obligation to relay any concerns about the sale back to DE&S.
  • The availability of data on the information systems used within the agency was a major element of the work undertaken. There were over 600 discrete systems, well over 2000 inventory items to be catalogued and over 100 diverse processes to be reviewed.
  • Subsequent to the assessment of the technical landscape, it became clear that some 40 information systems were critical to the delivery of any contract post-sale and therefore access to them had to be authorised by the system owners.
  • In some cases, access was not granted by the owners and consequently we had to develop options for access authorities and messaging services to enable the new commercial owners to receive the required information.

Outcomes Achieved

All of the contracted milestones were delivered on schedule and, prior to writing, the content and coverage were agreed with the DE&S customer and their key stakeholder in MOD headquarters.

In addition to the contracted reports, we provided extensive support to the acquisition process and regular point briefs ahead of major meetings within the customer organisation. Lastly, we also provided specific material in support of the developing Risk Management and Accreditation Document Set that formed an integral part of the information supplied to the winning commercial partner.

The feedback from the customer was excellent, indicating that we had met and exceeded his expectations in respect of the strategic and technical reports we produced and the flexible, responsive and effective support we provided throughout the sales process.

Lessons Learned

Key Lessons:

Summarised below are the principal lessons from the project. By its nature, certain of the lessons and findings from the project cannot be published on an open forum. Consequently, the lessons are generic.

  • Complexity, technological maturity and diverse ownership structures of information systems can create process inefficiencies and require careful stakeholder engagement
  • Agreeing content and coverage in advance with both clients and stakeholders encourages positive receptions for technical reports
  • The level of acceptable risk should be assessed prior to any procurement programme
  • The information technology landscape should be assessed early in any procurement process