ministryofjustice / analytical-platform

Analytical Platform • This repository is defined and managed in Terraform
https://docs.analytical-platform.service.justice.gov.uk
MIT License

📖 Analytical Platform Ingestion Service ITHC #4252

Closed jacobwoffenden closed 4 months ago

jacobwoffenden commented 5 months ago

User Story

As an Analytical Platform Product Engineer, I expect an ITHC to be performed on my service before it goes live, so that I can be confident that the service is secure.

Value / Purpose

No response

Useful Contacts

@jacobwoffenden @gary-h9

User Types

Product Engineering

Hypothesis

If we perform an ITHC, then we can remediate any issues that need remediation.

Proposal

Engage with 🐼 CyberSec to facilitate an internal ITHC

Additional Information

This stream of work is active, but wasn't tracked as an item of work

Slack channel for coordination https://moj.enterprise.slack.com/archives/C0712P31EG3

Definition of Done

tjemideGH commented 5 months ago

I have scheduled a meeting on May 8th with the Security Consultancy Team to discuss the possibility of conducting an internal Penetration test.

tjemideGH commented 5 months ago

As EM has set aside a budget to perform an ITHC on AP's ingestion service to ensure its security, we will not be seeking approval from the SIRO (Senior Information Risk Owner) for the ITHC. Our goal is to proceed with the testing to ensure that both EM and external suppliers have confidence in the security of AP's ingestion service. Once we receive the ITHC scope and requirements from EM, we will incorporate them into the penetration test scope definition for AP's ingestion service. We will then make arrangements for testing and provide a quote to EM so they are aware of the cost. Can you please update Jonny on this information?

tjemideGH commented 5 months ago

We had a meeting with the EM team and we agreed to conduct an ITHC on the entire AP Ingestion Service. I have already filled out and submitted the ITHC Request form, which is currently in the queue. I will provide an update once I hear back from the team. I have included the information from the ITHC request form to give an idea of the expected time frame.

The ITHC workflow process can be divided into three main phases, each with its own timeline. The duration of each phase is largely influenced by the size, maturity, and complexity of the intended, as well as resource availability. Here's a high-level overview of the phases and their approximate timelines:

Phases:

1. Commercial scoping, proposal, and planning phase - 5 weeks
2. Execution phase - 3 weeks
3. Reporting phase - 2 weeks

tjemideGH commented 4 months ago

Relates to this issue #4251

tjemideGH commented 4 months ago

I have created a draft ITHC scoping document for AP Ingestion Service and sent it to @jacobwoffenden and @julialawrence for review. https://docs.google.com/document/d/1-L87jI_NDqCtgdSROWUFxcQXw4-yc9xG/edit

jacobwoffenden commented 4 months ago

@tjemideGH I can't access this document

tjemideGH commented 4 months ago

You are an editor. Try again https://docs.google.com/document/d/1-L87jI_NDqCtgdSROWUFxcQXw4-yc9xG/edit?usp=sharing&ouid=106002549709771706983&rtpof=true&sd=true

tjemideGH commented 4 months ago

@jacobwoffenden Try again. But take your time to review. https://docs.google.com/document/d/1-L87jI_NDqCtgdSROWUFxcQXw4-yc9xG/edit?usp=sharing&ouid=106002549709771706983&rtpof=true&sd=true

tjemideGH commented 4 months ago

ITHC Scoping document has been submitted for review.

tjemideGH commented 4 months ago

The ITHC scoping document has been submitted for review! See the email from BSI below.

The process is as follows.

BSI provide the proposal, and if you are happy to proceed, then BSI requires the SoW form to be signed by both parties and the PO to be provided before we can lock in the testing.

The lead times are usually around 4 weeks from the time the PO is received.

If you have any queries about the approval and PO process, Oluwatoyin.Owojori1@Justice.gov.uk or MoJ commercial should be able to assist you.

Best Regards,
Imran Lodhi (CISMP)
Digital Trust, Consulting Services, BSI

tjemideGH commented 4 months ago

We had the scoping call with BSI on Friday the 21st. The BSI draft scope will be reviewed and confirmed this week.

tjemideGH commented 3 months ago

BSI has returned the SOW. I have forwarded the SOW to EM for their review and confirmation of their intention to proceed.

tjemideGH commented 3 months ago

EM is scheduled to meet with the Supplier on the 28th of June. After the meeting, they will follow up with the next steps.

tjemideGH commented 3 months ago

EM has conducted a program meeting and needs to review the program to determine the next steps. They have requested AP to pause the Health Check.