Regulatory controls in technology projects: FOI release

Information requested

You asked for information regarding the presence and effectiveness of regulatory controls in technology projects delivered by and for the Scottish Government. The controls may include policies such as technology controls such as segregation of duties with approvals of change, classification of data, audit compliance with ISO27001 and Cyber Essentials as well are project controls to confirm the presence of such controls or reporting oversight to regulatory bodies like the ICO or other governmental bodies like GCHQ and CSG. You requested access to the following information:

1. Any standardised framework or methodology employed by the Scottish Government or its subcontracted bodies for the comparison of the regulatory controls in projects
2. Should such standards frameworks or methodologies exist, please provide a copy or details of the methodology used.
3. Any standardised framework or methodology employed by the Scottish Government or its subcontracted bodies for the assessment of the effectiveness of these controls in projects delivered.
4. Should such standards frameworks or methodologies exist, please provide a copy or details of the methodology used.
5. Any specific criteria or indicators used to measure the presence and effectiveness of regulatory controls in a project, with particular interest in penalty clauses associated with failure to deliver such controls.
6. Any guidelines, documentations or manuals made available to relevant stakeholders or subcontractors regarding the evaluation of regulatory controls which should be in place in projects.
7. Any reports, studies or assessments conducted by or on behalf of the Scottish Government that evaluate the effectiveness of regulatory controls and their operational impacts on projects delivered by the Scottish Government or its sub-contracted bodies.
8. A list of projects with technology components delivered for the Scottish Government which have involved regulatory controls in the last 10 years and the number of regulatory breaches and any data associated with the timescales and costs associated with the fixes associated with these breaches including fines and actions taken to sub-contracted bodies.

Response

I enclose a copy of most of the information you requested in pdf format and web links. 

While our aim is to provide information whenever possible, in this instance the Scottish Government does not have some of the information you have requested. The reasons why we do not have the information are explained in the Annex to this letter. 

We contacted you on 24 July for clarification and you have advised that you are interested in audit controls around ISO27001, Cyber Essentials, segregation of duties and classification of data. Where relevant, I have referred to these in the specific responses below and address them together here. 

IT certification or standards are considered as part of IT audits where the controls are in effect. Information Assets held by Scottish Government are recorded on the Corporate Information Asset Register and classified there with respect to UK GDPR compliance. Roles based access to systems is considered during the development of IT systems and documented in data protection impact assessments where these are required. 

1. Any standardised framework or methodology employed by the Scottish Government or its sub-contracted bodies for the comparison of the regulatory controls in projects. 

and 

2. Should such standards frameworks or methodologies exist, please provide a copy or details of the methodology used. 

Cyber Security 

I enclose the IT Security Policy which applies across the Scottish Government. 

The SCOTS Network (a shared desktop and associated network that is used by a large portion of the Scottish Government and agencies) is covered by a valid Cyber Essential Plus Certificate. 

As part of the procurement journey, the Cyber Security Procurement Support Tool (CSPST) is used and can be found here: https://www.gov.scot/publications/cyber-resilience-supply-chain-guidance/ 

The Scottish Government’s Cyber Security Unit assesses the maturity of the core technology team against the Network and Information Systems Cyber Assessment Framework, details of which can be found here: https://www.ncsc.gov.uk/collection/caf 

The Cyber Security Unit work closely with the Government Security Group with scheduled monthly catch-ups, covering topics such as GovAssure and UK Government Data Classification policies. 

Scottish Health Competent Authority 

Scottish Ministers are the Competent Authority for Health in Scotland as such they have a regulatory responsibility for oversight and enforcement of the Network and Information Systems (NIS) Regulations 2018. The aim of the NIS Regulations is to drive improvement in the protection of the network and information systems that are critical for the delivery of the UK’s essential services. 

All NHS Scotland health boards are Operators of Essential Services and therefore must comply with the standards set out in the NIS Regulations. Standards cover managing security risk, defending systems against cyber-attack, detecting cyber security events, and minimising the impact of cyber security incidents. 

The Scottish Health Competent Authority (SHCA): 

• provides support, training, and guidance on compliance requirements. 
• delivers regulatory responsibility for compliance monitoring, oversight, and enforcement of the NIS Regulations; and 
• issues penalties for non-compliance. 

The SHCA NIS Regulations audit lifecycle continues to assess health boards on a yearly basis with. A new audit supplier contract commenced at the end of January 2023. These audits are carried out against the Scottish Public Sector Cyber Resilience Framework. 

A GDPR compliance section is included in Scottish Government Contracts and supplier management is considered in Data Protection Impact Assessments involving data processors. Terms and conditions for Scottish Government contracts - gov.scot (www.gov.scot) 

Scottish Government operates a range of regulatory and administrative controls around data protection. These were audited by ICO in 2022 using the ICO standard control checklist and consensual audit approach. Scottish Government | ICO 

3. Any standardised framework or methodology employed by the Scottish Government or its sub-contracted bodies for the assessment of the effectiveness of these controls in projects delivered. 

and 

4. Should such standards frameworks or methodologies exist, please provide a copy or details of the methodology used. 

Central Government bodies in Scotland (excluding health bodies) are required to comply with the Technology Assurance Framework which is designed to reduce the likelihood of projects failing for common reasons, improve delivery and ensure that the lessons learned from previous experience are reflected and embedded in future practice. 

The Technology Assurance Framework includes: 

• independent assurance of major digital projects during the project lifecycle – I attach the checklists used for each of the assurance stages. 
• independent assessment of compliance with the Digital Scotland Service Standard for new and transformed services. The type of assessment is informed by the risk/cost profile of the service. I attach the Minimum Evidence Frameworks which set out the evidence sought through assessments for different assessment types and for both the Waterfall and Agile methodologies. 

These assurance activities will consider whether the appropriate cyber and data protection requirements have been met but do not carry out the actual assessment of compliance. Projects and services are required to comply with the requirements of the Technology Assurance Framework before progressing to the next stage. 

In addition to the Technology Assurance Framework, the Scottish Government also provides Gateway Review which is available to Central Government, Local Government and health bodies.I attach a link to the workbooks used for Gateway Reviews which are published on the Infrastructure and Projects Authority website. 

Gate Review 0 – Strategic Assessment

Gate Review 1 – Business Justification

Gate Review 2 – Delivery Strategy

Gate Review 3 – Investment Decision

Gate Review 4 – Readiness for Service 

Gate Review 5 – Operations Review and Benefits Realisation 

The Project Delivery Functional Standard sets out the expectations for the management of Portfolios, Programmes and Projects in Government. 

Major digital programmes and projects can receive independent assurance under both Technology Assurance Framework and Gateway Review processes where appropriate. 

5. Any specific criteria or indicators used to measure the presence and effectiveness of regulatory controls in a project, with particular interest in penalty clauses associated with failure to deliver such controls. 

and 

6. Any guidelines, documentations or manuals made available to relevant stakeholders or subcontractors regarding the evaluation of regulatory controls which should be in place in projects. 

The Scottish Government’s online resource tool (the “Procurement Journey”) provides guidance for public sector buyers who procure goods across the Scottish public sector. 

The Procurement Journey includes dedicated tools and support to ensure that buyers give due consideration to potential cyber risks and put in place consistent, proportionate, risk-based measures that effectively reduce the risk of Scottish public services being damaged or disrupted by cyber security issues. 

Guidance on Supplier Cyber Security embeds best practice advice from the National Cyber Security Centre and promotes a more consistent approach to the cyber security requirements placed on suppliers to the Scottish public sector. The CSPST supports all Scottish public sector organisations to implement this guidance in a consistent and proportionate way.

 

Annex – Reasons for not providing Information 

The Scottish Government does not hold the information requested 

7. Any reports, studies or assessments conducted by or on behalf of the Scottish Government that evaluate the effectiveness of regulatory controls and their operational impacts on projects delivered by the Scottish Government or its sub-contracted bodies. 

8. A list of projects with technology components delivered for the Scottish Government which have involved regulatory controls in the last 10 years and the number of regulatory breaches and any data associated with the timescales and costs associated with the fixes associated with these breaches including fines and actions taken to sub-contracted bodies. 

The Scottish Government does not have the information you have asked for because information about regulatory breaches is not recorded against projects. 

I hereby provide you with formal notice under section 17(1) of FOISA that the Scottish Government does not have the information you have requested. 

 

About FOI

The Scottish Government is committed to publishing all information released in response to Freedom of Information requests. View all FOI responses at http://www.gov.scot/foi-responses.

202300365280_1

File type

16 page PDF

File size

297.5 kB

202300365280_2

File type

46 page PDF

File size

573.0 kB

202300365280_3

File type

54 page PDF

File size

674.0 kB

202300365280_4

File type

62 page PDF

File size

728.4 kB

202300365280_5

File type

54 page PDF

File size

692.6 kB

202300365280_6

File type

15 page PDF

File size

219.0 kB