Key information
Executive summary
This decision seeks approval to proceed with the procurement and further implementation of a single sign-on (SSO) platform. A proof of value pilot based on My1Login technology has completed successfully and we are now looking to turn this into an enterprise-scale solution. This is in support of the MPS Cyber Security Strategy.
Recommendation
The Deputy Mayor for Policing and Crime is recommended to:
1. Approve Capital expenditure of £1,271,200 (£1,131,200 in 2020/21 and £140,000 in 2021/22) to cover the industrialisation of My1Login. This includes the purchase of work of the SIAM, AMS, Network and Hosting Towers to implement My1Login and the 3rd party work to test and remediate the applications being moved to My1Login. The requirements are within the scope of the above contracts. This will be funded from the MOPAC approved Digital Policing Capital Budget.
2. Approve Project Revenue expenditure of £58,000 (£38,000 in 2020/21 and £20,000 in 2021/22) to cover an IT Health Check and the decommissioning of the old infrastructure. This will be funded from the MOPAC approved Digital Policing Project Revenue Budget.
3. Approve ongoing Revenue expenditure of £272,000 in 2020/21 and £1,097,000 per annum thereafter to cover Business As Usual costs of licensing and support. This will be funded from the MOPAC approved Digital Policing Revenue Budget.
Non-confidential facts and advice to the Deputy Mayor for Policing and Crime (DMPC)
1. Introduction and background
1.1. The MPS published the Cyber Security Strategy externally in late 2019, which focused on a number of key themes revolving around protecting data, reinforcing identities, inspecting network traffic and training preparedness. These are born out of the need to protect the organisation from external threats and from those emanating from within. The Strategy focuses on providing approaches and outcomes in meeting the perceived and actuated threats.
1.2. Traditionally, Policing operated from closed environments within its own boundary, with only essential egress of services to other Police / Criminal Justice partners. The boundary controls, robust as they are, generally kept external threats at bay. Over time, and more so today through mobility and accessing external services (e.g. Cloud, Collaboration etc.), these closed environments have opened up and data is now accessible on the move. While the landscape is changing, the threat exposure is greater; organisations evolve and so do threats.
1.3. My1Login will provide a strategic SSO capability. It will replace the ActivIdentity product which the MPS currently uses but which is old, out of support, known to cause configuration and security issues and which does not support modern authentication protocols (e.g. SAML). It will also be used to provide SSO across existing ADFS applications and will provide an SSO capability for future new applications.
2. Issues for consideration
2.1. This information is contained in the restricted section of the report.
3. Financial Comments
3.1. £1,271k of Capital expenditure for the industrialisation of the preferred SSO Solution will be funded from the MOPAC approved Digital Policing Capital Budget.
3.2. £58k of Project Revenue costs will be funded from the MOPAC approved Digital Policing Project Revenue Budget.
3.3. £272k Year one Ongoing Revenue costs (Year 2 onwards: £1,097k) will be funded from the MOPAC approved Digital Policing Revenue Budget. As SSO technology supports the MPS Cyber Security Strategy, investment of ongoing costs has been factored into the medium term financial plans for Digital Policing.
4. Legal Comments
4.1. Paragraph 4.8 of the MOPAC Scheme of Delegation and Consent provides that the Deputy Mayor for Policing and Crime (DMPC) has delegated authority to approve business cases for revenue or capital expenditure of £500,000 or above.
4.2. The Mayor’s Office for Policing and Crime (MOPAC) is a contracting authority as defined in the Public Contracts Regulations 2015 (the Regulations). All awards of public contracts for goods and/or services in excess of £189,330 shall be procured in accordance with the Regulations. This report confirms the proposed requirements can be purchased through the ATOS and Tower contracts as they are within their respective scopes. On that basis it is compliant with the Regulations.
5. Commercial Issues
5.1. This will be procured through the existing contractual relationships with the Towers contract for DXC and SIAM.
5.2. Four potential strategic SSO solutions were shortlisted. Following evaluation of each solution My1Login was deemed to be the most suitable solution for the MPS as it met the business requirements.
5.3. The remainder of this information is contained in the restricted section of the report.
6. GDPR and Data Privacy
6.1. There are no GDPR issues arising from this request.
6.2. The MPS is subject to the requirements and conditions placed on it as a 'State' body to comply with the European Convention on Human Rights and the Data Protection Act (DPA) 2018. Both legislative requirements place an obligation on the MPS to process personal data fairly and lawfully in order to safeguard the rights and freedoms of individuals.
6.3. Under Article 35 of the General Data Protection Regulation (GDPR) and Section 57 of the DPA 2018, Data Protection Impact Assessments (DPIAs) become mandatory for organisations with technologies and processes that are likely to result in a high risk to the rights of the data subjects.
6.4. The Information Assurance and Information Rights units within MPS will be consulted at all stages to ensure the project meets its compliance requirements.
6.5. The project does not use personally identifiable data of members of the public, so there are no GDPR issues to be considered.
7. Equality Comments
7.1. There are no equality or diversity issues arising from this request.
8. Background/supporting papers
8.1. Report.
Signed decision document
PCD 863