Closed jacobwoffenden closed 4 months ago
I have scheduled a meeting on May 8th with the Security Consultancy Team to discuss the possibility of conducting an internal Penetration test.
As EM has set aside a budget to perform an ITHC on AP's ingestion service to ensure its security, we will not be seeking approval from the SIRO (Senior Information Risk Owner) for the ITHC. Our goal is to proceed with the testing to ensure that both EM and external suppliers have confidence in the security of AP's ingestion service. Once we receive the ITHC scope and requirements from EM, we will incorporate them into the penetration test scope definition for AP's ingestion service. We will then make arrangements for testing and provide a quote to EM so they are aware of the cost. Can you please update Jonny on this information?
We had a meeting with the EM team and we agreed to conduct an ITHC on the entire AP Ingestion Service. I have already filled out and submitted the ITHC Request form, which is currently in the queue. I will provide an update once I hear back from the team. I have included the information from the ITHC request form to give an idea of the expected time frame.
The ITHC workflow process can be divided into three main phases, each with its own timeline. The duration of each phase is largely influenced by the size, maturity, and complexity of the intended, as well as resource availability. Here's a high-level overview of the phases and their approximate timelines:
Phases:
1. Commercial scoping, proposal, and planning phase - 5 weeks
2. Execution phase - 3 weeks
3. Reporting phase - 2 weeks
Relates to this issue #4251
I have created a draft ITHC scoping document for AP Ingestion Service and sent it to @jacobwoffenden and @julialawrence for review. https://docs.google.com/document/d/1-L87jI_NDqCtgdSROWUFxcQXw4-yc9xG/edit
@tjemideGH I can't access this document
@jacobwoffenden Try again. But take your time to review. https://docs.google.com/document/d/1-L87jI_NDqCtgdSROWUFxcQXw4-yc9xG/edit?usp=sharing&ouid=106002549709771706983&rtpof=true&sd=true
ITHC Scoping document has been submitted for review.
The ITHC scoping document has been submitted for review! See the email from BSI below.
The process is as follows.
BSI provide the proposal, and if you are happy to proceed, then BSI requires the SoW form to be signed by both parties and the PO to be provided before we can lock in the testing.
The lead times are usually around 4 weeks from the time the PO is received.
If you have any queries about the approval and PO process, Oluwatoyin.Owojori1@Justice.gov.uk or MoJ commercial should be able to assist you.
Best Regards, Imran Lodhi (CISMP) Digital Trust, Consulting Services, BSI
We had the scoping call with BSI on Friday the 21st. The BSI draft scope will be reviewed and confirmed this week.
BSI has returned the SOW. I have forwarded the SOW to EM for their review and confirmation of their intention to proceed.
EM is scheduled to meet with the Supplier on the 28th of June. After the meeting, they will follow up with the next steps.
EM has conducted a program meeting and needs to review the program to determine the next steps. They have requested AP to pause the Health Check.
User Story
As an Analytical Platform Product Engineer I expect an ITHC to be performed on my service before it goes live So that I can be confident that the service is secure
Value / Purpose
No response
Useful Contacts
@jacobwoffenden @gary-h9
User Types
Product Engineering
Hypothesis
If we perform an ITHC Then we can remediate any issues that need remediation
Proposal
Engage with 🐼 CyberSec to facilitate an internal ITHC
Additional Information
This stream of work is active, but wasn't tracked as an item of work
Slack channel for coordination https://moj.enterprise.slack.com/archives/C0712P31EG3
Definition of Done