jac-uk / documentation

We are currently updating our documentation and bringing it together in one place. Here.
https://jac-uk.github.io/documentation/
MIT License

Penetration Test #67

Open Franceswog opened 2 months ago

Franceswog commented 2 months ago

Background

In JAC digital, it is essential to ensure the security of our digital infrastructure is up to date. Our previous Penetration Test was conducted in 2021, hence a new test is due to take place. This test is crucial for assessing and enhancing our security measures, safeguarding sensitive data, and reducing the risk of cyber threats. We have partnered with MOJ to conduct this test. Once the DPIA and ITHC documents are finalized, along with payment, MOJ security team will proceed with the test. The test will focus on four key digital sites: Apply, QT, Assessment, and Admin. The results, including any vulnerabilities, will be thoroughly documented, and recommendations for improvement will be provided to enhance our security posture.

User Story

As the digital team, I would like assurance that our digital platform sites are secure and resilient against cyber threats. As the Digital team, I would like to be able to identify and prioritise vulnerabilities in the digital platforms to improve overall security. As a user, I want to trust that my personal information (data) is secure and protected from cyber threats.

Benefit(s) to user (if not already clear from User story)

Feeling confident in the platform's security practices, knowing personal information is actively protected from cyber threats.

Acceptance Criteria

Ticket champion

Frances

nickaddy commented 2 months ago

@Franceswog I've amended the acceptance criteria - just to clarify, this ticket is about organisation and delivery of the pen test; the findings - if there are any gaps identified - will spawn additional tickets to cover the remedial work. I've also moved it to In Progress (because it is :grinning:)

As you move forward with this work, please update this ticket to keep us all in the loop.

Franceswog commented 2 months ago

ITHC Scoping Document is now complete and emailed to BSI for review. BSI pre-sales experts are currently reviewing the document and thereafter will issue a statement of work to allow us to raise a PO.

Franceswog commented 2 months ago

I will meet online with Chitti from BSI tomorrow to discuss the submitted ITHC scoping doc. The meeting needs to take place before BSI can raise a proposal for this project. I have also invited Tom to join us as a Developer to answer any technical questions.

Franceswog commented 2 months ago

Josh Koh is aware of the upcoming pen test. Once the statement of work and necessary info are available, Josh will set up the company as a supplier and afterwards a purchase order will be raised.

Franceswog commented 1 month ago

The meeting with Chitti was productive. He sought clarification on the URLs utilized within the platform, such as admin and super admin. Tom provided technical insights, particularly regarding QT, assessors, and super admins. Chitti committed to reviewing the ITHC document and will provide feedback by next Tuesday regarding cost and timeline. He assured us that the statement of work will be prepared by then. Additionally, Chitti mentioned discussing with his seniors the possibility of proposing an annual contract to test our applications for three years, with the option for renewal thereafter.

Franceswog commented 1 month ago

Chitti shared an update stating, the proposal is going through its final approval stage and once approved the proposal will be emailed to me.

Franceswog commented 1 month ago

We have received the proposal from BSI (14th May), which is currently being reviewed by @MattHowley, @nickaddy and Rob. Once approved, the statement of work will be completed and sent to Josh and Oluwatoyin Owojori to raise a PO. BSI has advised that the next available date to start the pen test is July 1, 2024. The test is expected to take approximately 4 to 6 weeks to complete.

Franceswog commented 1 month ago

In addition to the previous update, we have 20 days from when the proposal was received; however, this is not enforced strictly: should we need more time from the procurement / finance team, BSI will be happy to update the proposal if need be. An email has been sent to Josh and Oluwatoyin Owojori informing them we are now in receipt of the SOW. Rob Aldridge will be catching up with Josh Koh today to discuss finance for the Pen test.

Franceswog commented 2 weeks ago

The Statement of Works (SoW) is ready to be signed and is currently with the MOJ commercial team. However, it is on hold due to the purdah period. We can only proceed after the pre-election period and once MoJ Finance have signed off the spend. Oluwatoyin Owojori from MOJ commercial will be in touch once the SoW has been signed and approved after the pre-election period. Imran from BSI has been informed of the delay; an email has been sent to him to seek approval for an extension.

nickaddy commented 2 weeks ago

@Franceswog You seem to have made it clear that we are ready to proceed, but can you please underline that we wish to proceed as soon as the pre-election period has passed and MoJ Finance have signed off the spend? It's unlikely that will take place by the end of the month, so I'd suggest that you ask Imran if he can seek approval for an extension, if that is required.

Franceswog commented 2 weeks ago

Imran from BSI has agreed to extend the proposal validation date to the end of July due to the purdah period and until the SoW has been signed and approved.