Closed
Provision of a Governance Risk Compliance Tool
Descriptions
FCDO are looking to a third party to introduce and implement a new GRC tool to be used by ICSU for information security risk management and assurance activities. The tool will be used to record all risks above risk appetite, track actions and communicate with risk owners and action owners. The tool will be used to record all FCDO's systems and services, their assurance status, outstanding tasks and send reminders to users for system reviews.

Functional requirements (for the tool)
• Centrally capture information security risks, security vulnerabilities, audit findings, regulatory obligations and other issues across technology infrastructure
• Centrally capture a set of IT systems and services and their assurance status
• A mechanism for reporting to colleagues as well as up to board level
• Up to 50 users (but should be scalable) with varying access requirements (e.g. those reviewing risks, those reviewing assurance)

Non-functional
• Tool platform should be subject to a recognised security certification (ISO/IEC 27001:2013 / Cyber Essentials or equivalent)
• Minimum of SC clearance for all individuals accessing sensitive FCDO information and data
• Tool vendor must have an annual IT Health Check performed by a certified CHECK company
• Support multi-factor authentication and single sign on
• Compliant with data protection legislation
• Documented threat management processes and tools
• Ability to integrate with FCDO incident management processes and procedures
• Follows NCSC good cloud security principles and guidance (https://www.ncsc.gov.uk/collection/cloud-security)
• Named UK data centre, with all processing capability and call centre support within UK and EU
• Return To Operation (RTO) time should be no more than 24 hours and Return Point Objectives (RPO) time no more than 1 hour

Implementation & Training
• Bidders will be asked to demonstrate a minimum viable product (MVP) as part of any procurement and be potentially able to deploy into a live environment within 3 months of contract
• Throughout implementation, the tool platform should be tailored as appropriate for the business needs of the FCDO
• Capability to supply end-to-end training on the tool platform, including train the trainer and comprehensive documentation

Maintenance, support, system updates
• Provide support for end users
• Ensure the platform is kept up-to-date, patching should be maintained at N-1
CPV Codes
48730000 - Security software package