Department awards contract of potentially four years to KPMG which, in the coming months, will work to support efforts to improve governance, training, and use of data to inform decisions
The Home Office has signed a £2m-plus deal intended to bring greater “maturity” to its approach to cyber risk across the organisation.
As of last week, the department entered into an initial two-year engagement with KPMG. The agreement, which can be extended for two further periods of 12 months each, covers the provision of eight discrete packages of work.
According to the text of the contract, these workstreams will be respectively dedicated to: embedding cyber risk management and governance across the Home Office; establishing a baseline of the necessary people, training offerings, and culture; developing cyber risk capacity; addressing the needs of arm’s-length bodies and agencies; automating risk management and controls; improving, and then maturing, the risk-management framework; and developing a model for data and reporting.
The objectives the Home Office hopes to achieve during the lifespan of the contract include “maturing a consistent governance structure across projects, programmes, business areas and portfolios… [and bringing] Home Office business areas and portfolios into alignment for managing cyber risk”.
The supplier will also be expected to “provide a clear and coherent strategy for enhancing cyber risk culture, quickly and effectively across the Home Office, [as] siloed working practices and key non-cyber business objectives have resulted in fragmentation”.
The automation workstream will focus, in particular, on the Home Office’s estate of ServiceNow technology, where the department hopes to “enhance the level of capability that the current ServiceNow instance provides for cyber risk management”.
For the last of the eight deliverables set out in the agreement, the contract says: “This workstream is intended to deliver a data model that provides outputs in support of a focused presentation of information to cyber risk management stakeholders. The delivery partner is expected to identify and design an enhanced management Information capability providing management with key metrics to steer decision making in support of managing cyber risk, aligned to identified business criticalities, [and] present threat-driven information.”
The deal is valued at £2.4m, inclusive of VAT.