
KPMG to work on cyber security risk for Home Office

07/01/25

Mark Say, Managing Editor

The Home Office has awarded consultancy KPMG a two-year, £2 million contract to deliver a series of cyber security risk maturity work packages.

The award notice states that the contract came into effect in mid-December, with options for two one-year extensions, and that its requirement comprises eight work packages.

First is to drive the adoption of cyber risk management across the Home Office with a consistent governance structure, bringing all the business areas and portfolios into alignment. It includes the assessment of key strategic cyber risks in critical services.

Second is to establish a baseline for people, culture and training, identifying existing cyber risk communities and establishing a more proactive culture of dealing with relevant issues. This derives from the need to replace the currently fragmented approach with a more coherent strategy across the department.

Third is to develop the cyber risk capacity, with a centralised risk management capability and an operating model for governance, risk and compliance; and fourth is to support the Home Office in extending the governance model and risk management approach across government departments and arm’s length bodies.

Automation element

Fifth is to build up the automation of risk management and controls from the existing capability on the ServiceNow platform. KPMG will develop a roadmap, identifying the required automation architecture and technical design based on defined user personas, with user interfaces and automated reporting.

Sixth is to enhance the framework for cyber risk management, maturing the cyber controls library and providing a third-party risk management capability feed into the process; and seventh is to mature the risk management framework, with better reporting, quality assurance, compliance and exceptions management.

It is all rounded off with a requirement to deliver a data model without outputs to support a focused presentation of relevant information. This will include the development of key performance and risk indicators, and embedding the data model into ServiceNow.

Delivery dates for the different workstreams are at varying times over the next two years.
