Submission Title & Category
Dissemination of protectively marked security briefing and assurance material to industry in category Secure Information Sharing
Submission Overview
Provision of an IT system to replace a manual paper based system to disseminate protectively marked security briefing and assurance material to industry.
Degree of collaboration involved
Describe the nature of collaboration: this may include working with Customers, Partners and/or Suppliers. How did this collaboration enable your work?
The Situation
When the Defence Equipment & Support, Principal Security Adviser Organisation (DE&S PSyA) became the MOD provider of security assurance services to List X industry, they inherited a paper based system of providing protectively marked security briefing and assurance material to approximately 1,500 List X companies around the UK with all the inherent security risks that entailed. This system was outdated, inefficient and resource intensive. Additionally it was also unable to offer ‘real-time’ updating to companies whose outputs are vital to Defence. In late 2007 the DE&S PSyA identified that a solution was needed that would be:-
■ resource ‘light’
■ accessible by all interested parties
■ secure and able to host Government Protectively Marked information.
The Solution
DE&S PSyA were aware of the MOD's preferred collaborative working tool, the Defence Electronic Commerce Service (DECS) Collaboration Programme (DCP), provided by Capgemini, which offers a service that not only provides a secure environment they can operate in, but also enables them to give List X Industry access to information that normally only exists electronically within the MOD’s RLI boundary. A DCP workspace was developed in SharePoint that fully met PSyA requirements for all approved parties to access current security documentation and regulations from the Internet, GSI or RLI via an approved registration system.
The Result
DE&S PSyA now have a shared working environment that resolves the issues, identified earlier, in using the previous manual system:
■ up to date information is now available instantly
■ material costs have been significantly reduced
■ task is much less labour intensive
After a very successful launch and a year's running, both DE&S & industry have seen a marked improvement in information flow. Industry are now informed, via the systems email alert facility, when new or updated briefing and assurance material is published and previous versions are available for reference or recall as they are retained by the system: They are also able to provide quick feedback via the online survey facility, giving DE&S PSyA the opportunity to tailor their products more appropriately to their customers needs and engendering greater customer satisfaction. The solution has been presented to the user community at a Defence Security Standards and Assurance (DSSA) open day and a stand is intended to be hosted at a forthcoming Defence Industry Security Association (DISA) conference.
Impact of work
Describe the effect of the work undertaken – what has been the impact on business? This might include more efficient working, reduced costs, improved product quality etc.
DE&S PSyA's aim was to have a shared working environment that could be used to disseminate information, fast and efficiently and also allow List X Industry to access reference material that could be used to underpin their assurance processes. The nature of the information being carried by the shared working environment meant that DE&S PSyA were adamant that security of the site was paramount. Capgemini working in collaboration with DE&S PSyA Security Advisers designed a system of registration and accreditation that ensured that access to the site was limited to those who had a genuine need and who met MOD approval. DE&S PSyA’s limited resources have been released for other tasks as they are no longer required to provide a postal service. Security concerns inherent in dispatching protectively marked documents and CD’s to hundreds of List X companies, through the postal system, every time regulations were released or updated have been addressed. Industry now have instant access and are working to the latest available information. DE&S PSyA continues to work closely with Capgemini to increase Industry participation in the project as well as looking into the possibility of opening the workspace to other MOD areas and other Government departments.
Innovative approach Describe how your work has been innovative – what is different about the way you worked, or the product/service provided that others could learn from?
DCP is an amalgamation of COTS packages designed to provide a complete Information Management and Programme Management capability. A user coordinator access control application allows the site to be completely configurable to the user’s requirements for example, MOD and Industry can:
■ Choose to share all the data
■ Have private areas which only their own organisation can access
■ Share varying levels of data with different partners
■ Have lower levels which can be shared i.e. only commercial staff have access
■ Have read only areas
■ Hide areas so that only those with access know they are there.
To support the service a set of Service Level agreements have negotiated and there are a number of service review boards to monitor performance. Further support is provided for user registrations, account management and refresher training, workspace consultancy and user forums are offered as part of the service. Security assurance is maintained through security working groups. The funding model is based on a one off implementation fee for the design and implementation of the site and annual “seat” charges whereby therefore the cost can be shared between the MOD and its Industry partners. Capgemini have built a Help and Information site open to all users which provides updates on service issues, a questions & answers forum, hints & tips, news items, best practice ideas and online video based training. Capgemini also assist users with the Pubic Key Infrastructure process a security requirement for Internet access providing a road map and helpdesk to support the users with their dealings with the British Chamber of Commerce. Capgemini continue to work closely with DE&S PSyA and the Cabinet Office to provide on-going help and advice.
Potential for application
In other areas Describe how your work, or lessons learned from it, could be transferred to other teams or organisations for application in other areas.
The solution developed provides a secure and efficient way of sharing information up to restricted level with a number of users simultaneously, ensuring all users have access to the same information and increasing confidence in the information being received. As the solution is also independent on local infrastructure, can be tailored for a specific use and can be accessed by all collaborative parties either via the RLI, GSI or Internet, there is great potential for use in collaboration with Industry i.e. sharing best practice or utilising as the MOD single source of security advice to Industry. There are opportunities to expand the use of the existing capabilities, document management, integrated calendars, content approval and alerts and, with the upgrade to Microsoft Office SharePoint Server (MOSS 2007), exploit new features, including workflow, KPI's and business intelligence.
Ease of Implementation
Describe features of your work that assisted implementation, and how this might influence future applications.
The solution developed provides a secure and efficient way of sharing information up to restricted level with a number of users simultaneously, ensuring all users have access to the same information and increasing confidence in the information being received. As the solution is also independent on local infrastructure, can be tailored for a specific use and can be accessed by all collaborative parties either via the RLI, GSI or Internet, there is great potential for use in collaboration with Industry i.e. sharing best practice or utilising as the MOD single source of security advice to Industry. There are opportunities to expand the use of the existing capabilities, document management, integrated calendars, content approval and alerts and, with the upgrade to Microsoft Office SharePoint Server (MOSS 2007), exploit new features, including workflow, KPI's and business intelligence.
Application of past learning
Describe any examples where learning from past activities or from other teams influenced and improved your work and the impact of doing so.
DCP has a proven track record and currently has around 60 different workspaces. There is a bi-annual Joint User Forum Event (JUF) which the DCP co-ordinators are invited and encouraged to attend. The primary purpose of this event is to enable the co-ordinators to share their experiences about their collaborative working which would be of benefit to others. This takes the format of presentations, workshops and networking.
