Thoughts on British ICT, energy & environment, cloud computing and security from Memset's MD
We have now got the security process down to a slick procedure with G-Cloud, and I’m sharing that in this post. In order to offer IL3 services to Her Majesty’s Government, your staff who are involved in those services (e.g. systems administrators, software developers, technical architects) need to have Security Clearance (SC).
SC is a bit like a Criminal Records Bureau (CRB) check on steroids. It is done by a few specific organisations, including the Foreign & Commonwealth Office, rather than the CRB organisations and they have the access rights to dig deeper into police records and uncover things like spent convictions. Also, unlike CRB, its focus is not on protecting vulnerable individuals and minors so just wanting to sell stuff to government is good enough.
For your interest, the next step up the ladder is called Developed Vetting (DV). My ex-girlfriend had DV clearance since she was a Police National Computer clerk. In G-Cloud parlance you need DV for IL4 work and above. The process is much more involved and includes face-to-face interviews with partners, family and friends.
However, you do need a sponsoring organisation to get SC for your staff. In the past this has been a huge barrier to entry in government ICT since to get a sponsor you generally need to have a government customer, but to get a government customer you needed to have SC! This is one of the ways that Large Systems Integrators Inc. have stitched up the market. But no more! Now G-Cloud themselves will sponsor you for SC and even better you only have to get it done once for each member of staff, as with other security accreditations.
You also need to comply with Baseline Personnel Security Standard (BPSS), but that is just internal policies and procedures and largely comes under the category “commercial best practice”. Finally, SC is not expensive; we’re paying of the order of £100 per person. It is a bit of a paperchase though, as outlined below.
1. G-Cloud receives request for National Security Vetting from supplier
2. G-Cloud Security issues BPSS forms to supplier (a)
3. Supplier returns completed BPSS to G-Cloud Security (b)
4. BPSS forms passed to CO Personnel Security
5. G-Cloud Security issue e-Vetting registration forms to supplier
6. Supplier returns completed e-Vetting forms to G-Cloud Security (c)
7. e-Vetting forms registered onto vetting system by CO Personnel Security
8. Foreign & Commonwealth Office (FCO) Services process registration
9. FCO Services email individual applicants
10. Applicants log into the e-Vetting system to confirm their registration. (d)
11. Applicants obtain necessary evidence and complete their details on the e-Vetting system. (e)
12. FCO Security conduct Security Clearance (SC) enquiries and complete checks (f)
13. Results are passed to CO Personnel Security, whose decision is final (g)
14. CO Personnel Security discuss result with individual applicants only (h)
15. CO Personnel Vetting share the result and expiry date only with G-Cloud Security (i)
16. CO Personnel Vetting instruct CO Finance to invoice supplier
Mark was the man in charge of SC for G-Cloud but he is moving on sadly. Regardless, some valuable notes below:
a) BPSS is good recruitment practice and is an opportunity to prove the ID of your staff.
b) It is important that individuals are honest throughout the application process, i.e. include spent & unspent cautions and convictions.
c) e-Vetting registration forms allow the applicant to nominate their ‘Sponsor Agreed ID number’ (SAIN), which should be their NI or passport number.
d) There is a 2 week window for applicants to log into the e-Vetting system otherwise registration will lapse and the process will need to be re-started.
e) There is a 4 week window for applicants to complete their details on the e-Vetting system.
f) SC enquiries may take up to 2 months to complete and can include: National Security checks, CRB checks (not Disclosure Scotland), and credit reference checks.
g) CO Personnel Security apply a risk managed approach to vetting applications, which permits review of applications early in the process that is intended to be as inclusive as possible.
h) Rights of appeal are discussed with the individual if necessary.
i) Renewal process is to be confirmed.
Helen is my compliance and security manager (as well as my executive assistant and company secretary – think Tony Stark and Pepper Potts but without the personal relationship 😉 ).
* It says you need to use IE 7 or higher on a Windows machine to complete the SC form but we haven’t found this to be true.
* The most important point about filling in the SC form is honesty. If there’s something you don’t know or aren’t sure about, explain it in the additional information box at the end of the form.
* Guidance from FCO on address history: “We require all addresses you have lived at in the past 5 years. Even if you have lived at a property for 2 months or University addresses, we would still require them.”