Environment department signs a deal for professional services firm to conduct ‘immersive’ simulation exercises, intended to test its entire command and control response structure and uncover any necessary remedial actions
The Department for Environment, Food and Rural Affairs has signed a deal to test its response to major cyber incidents by running simulation exercises of two crises.
On 23 October, the department entered into a five-month contract with KPMG, according to newly published commercial documents.
The deal, which is valued at £70,000, covers the provision of the services firm’s 4D Insight (4Di) product, an “immersive” service which is intended to allow companies and public bodies to “conduct threat-led cyber incident response exercises – tailored to your organisation – that will enable you to take proactive measures to improve your resilience and respond confidently to future cybersecurity incidents”.
According to the procurement notice, the contract was awarded as the “Defra Business Continuity team seeks support from a supplier to support them performing two crisis-management exercises involving Gold, Silver and Bronze command teams and using the virtualised simulation service” offered by KPMG.
The Gold-Silver-Bronze structure referred to in the document is a common model for large organisations in responding to major incidents and threats.
Gold teams, often made up of senior managers, sit at the top of the structure and hold overall strategic responsibility for directing incident response. Underneath them, silver teams are intended to operate tactically, ensuring that response plans are communicated, understood, and carried out. Bronze teams, meanwhile, lead the front-line operational response.
According to KPMG product guidance, the 4Di service can assist organisations in “getting ready to manage and respond to ‘low-probability, high-impact’ events, the consequences [of which] can range from service downtime to revenue loss to reputational damage, large fines and increased public scrutiny”.
“We will use threat-modelling and cyber-intelligence to develop a realistic simulated attack on your organisation, following workshops with key personnel,” the guidance adds.
The attack exercise is delivered from a cloud-hosted platform and, following its execution, KPMG staff will “immediately… hold a hot debrief to reflect on performance and lessons learned [and] will then analyse all data collected through 4Di and develop a detailed report with insights, strengths, weaknesses and remediation actions… [which] will enable you to take immediate action to improve your cyber-resilience”.