Strategic Cyber Security Partnership in Central Government

BACKGROUND

The Department for Transport (DfT) and their agencies employ over 18,000 staff nationwide, working to support the transport network that fuels the UK’s businesses and gets people and goods travelling around the country. They plan and invest in transport infrastructure to keep the UK on the move.

In early 2022, the UK Government published their 2022-2030 Cyber Security Strategy stipulating that Public Sector organisations are required to align to the National Cyber Security Centre Cyber Assurance Framework (NCSC CAF).  This direction meant that DfT, as well as all other Public Sector bodies, needed to align to NCSC CAF and flow down the requirements to their Supply Chain, however they lacked the expertise to deliver a programme of work such as this.

OUR WORK

Being the trusted partner

tmc3 were commissioned to support the DfT’s £17m Security Improvement Programme (SIP), working with them as their Strategic Partner to deliver a number of Security initiatives, which included conducting a Cyber Security Risk and Maturity Assessments, against NCSC Cyber Assessment Framework (NCSC CAF) and Centre for Internet Security Controls.

As subject matter experts, our approach is centred around agility and flexibility. We supported the DfT SIP by delivering security resources, technologies, policy documents and processes, rapidly onboarding our team of security professionals to engage across the organisation and technology functions (IT Ops, Cyber Ops, Cloud, End User Compute, Architecture etc). Working on Authority systems and IT, we conducted gap analysis’, complex risk assessments and design reviews against critical services and systems. Our use of the NCSC CAF, NIST CSF, ISO27001 and DPA 18 highlighted a number of areas of good practice, and gaps in DfT’s compliance. Utilising these frameworks, our assessments and reporting, we provided DfT with a better understanding of potential threats and weaknesses within their systems and infrastructure.

Alongside this we provided services in Information Management and Security Architecture to bolster DfT’s internal resource and ensure that Business as Usual tasks remained on track alongside the SIP.

We worked in partnership with the DfT senior leadership team, to identify which issues, gaps and weaknesses, were considered ‘Quick Wins’, ‘High Return on Investment’, ‘Nice to Have’s’ and ‘Strategic’. This enabled us to prioritise and implement appropriate measures to mitigate these risks and provide assurance that cyber threats were being effectively managed. Following joint agreement on direction, our team then supported the DfT by delivering a number of high-profile projects, as well as providing all necessary policies, standards and processes, which supported the remediation.

Our delivery included:

A 24/7x365 Security Operations Centre and Managed Detection and Response
A Third Party Supplier Assurance Process across 10k suppliers
Identity and Access Management solution
A review and remediation against all Third Party Applications
A Security Architecture and Information Security Management Function
An Information Security Management System, aligned to ISO27001 and NIST

DID IT WORK? THE RESULTS

Our work enabled DfT to comply with the UK Governments 2022-2030 Cyber Security Strategy and GovAssure Audit in 2023 and was cited as a good example for other departments to follow, enhancing their reputation across Government. We helped to save DfT over £100k in licensing costs, onboard new staff quicker and better handle their cyber workload. Due to our successful delivery and partnership, DfT have requested that we support them in expanding their security support and capability, across the 24 DfT Agencies. Our work with DfT was awarded Security Project of the Year in the Public Sector category of the Computing Security Awards 2023.

Customer Feedback

“tmc3 … expertise was fundamental in shaping our requirements for procuring a Security Operations Centre, enabling us to find the right partner to deliver this. Their insights have been invaluable … because they understood our context and the outcome we were after. I would thoroughly recommend tmc3 as a service provider.”tmc3 supported DfTc on the Security Improvement Programme, by supplying multiple resources across the DfT Functions. Their expertise was fundamental in shaping our requirements for procuring a Security Operations Centre, enabling us to find the right partner to deliver this. They have also worked with us on two other key security deliverables over the last 12 months covering supplier assurance and a baseline assessment against the cyber assessment framework. Their insights have been invaluable in shaping these because they understood our context and outcome we were after. I would thoroughly recommend tmc3 as a service provider.

Department for Transport  Head of Cyber and Information Security, Digital Service

TOUCH

Cyber Security Consultancy

Cyber Security Consultancy Complexity is here to stay. You need a cyber security partner that understands. More about this Service

TOUCH

Secure Development Lifecycle

Secure Development Lifecycle Produce and deploy better quality and secure software faster. More about this Service

TOUCH

Data Protection Consultancy

Data Protection Consultancy Reduce privacy risks whilst unlocking the value of personal data. More about this Service

At a glance

BACKGROUND

OUR WORK

Being the trusted partner

DID IT WORK? THE RESULTS

Customer Feedback

Talk to us about your cyber security needs

Our Services

Find Out More