Identity and access management

Report: 12
Date: 21 February 2008
By: Director of Information on behalf of the Commissioner

Summary

This report is to ask members for approval to proceed with procurement action for the solution components of the Identity and Access Management (IAM) Programme.

A. Recommendations

Members are invited to:

Approve the commencement of procurement action for a “chip-and-PIN” technology identity and access management solution (option 3) through competitive tender via the DoI Development Services Framework.

B. Supporting information

1. Introduction

The Identity and Access Management (IAM) Programme aims to enhance and simplify MPS security by joining up identity management and access control, by enhancing security governance and by enforcing better security through improved processes and technology. IAM aims to ensure that the right people have access to the right buildings, areas, systems and information. Currently, identity and access management in the MPS is not sufficiently “joined-up”, and is potentially open to abuse. Much of the technology in use will soon be obsolete and governance and enforcement is not as strong as it should be. This programme presents an opportunity to strengthen existing controls giving us a robust security infrastructure based on current technology. The current building access system is also not sufficiently equipped to meet business needs as higher volume and integration requirements emerge. In addition, IAM is a mandatory requirement for retaining the accreditation of the tactically deployed single sign-on (SSO) initiative. The IAM Programme will give the MPS the means to fully control and audit access to MPS buildings, systems and information.

2. Solution Options

The options for the MPS IAM programme to address these limitations are:

• Option 1: Do nothing and maintain business as usual;
• Option 2: Enhance identity and building access using passive RFID card technology. Leave systems access as it currently is;
• Option 3: Use “Chip-and-PIN” technology combined with RFID1 technology to enhance and simplify building and systems access control;
• Option 4: Use “Chip-and-biometric” technology combined with RFID1 technology to enhance and simplify building and systems access control.

3. Recommendation

Option 3 is recommended, since it provides best value for money. Option 3 enables migration to option 4 should the technology become sufficiently mature and such strength of authentication become a requirement. Full funding for this programme will be provided through the DoI Capital Plan subject to prioritisation. Ongoing costs will be funded by DoI through “Project-into-Service” (PINS). It is expected that the OCU’s will accommodate a 30-minute CBT training module and limited other activities as an opportunity cost. The IAM rollout will align with the Property Services Department (PSD) Estate Strategy, and not duplicate or provide funds for work that is covered by the PSD Estate Strategy. See exempt Appendix 1 for the option analysis and costs.

4. Benefits

The cashable benefits of the recommended solution are expected to be from the following sources:

• Reduction in support operational costs
• Reduced system maintenance costs (economy of scale savings).

Together with non-cashable benefits of:

• Reduced risk of a physical and computer attack;
• Improved management information, audit and tracking of users;
• Improved quality of IAM information;
• Reduced re-keying of IAM information;
• Retention of SSO accreditation;
• Saved staff time and improved accessibility to authorised staff.

IAM will also deliver services to other MPS and national projects because it will be the method by which user access will be granted to all MPS and national systems in the future. The new Police National Database is one example.

5. Outcome

The recommended option will deliver best value for money in Identity and Access Management by:

• Issuing an all-in-one warrant card or identity pass to provide identification and access, replacing all existing cards;
• Providing clear guidance on desirable behaviour through clear governance and processes;
• Introducing joined-up use of processes and information for access control;
• Introducing up-to-date technology that is flexible and capable of providing for the MPS’s foreseeable security requirements;
• Providing appropriate audit trails.
• Allowing access to national systems that would otherwise increase the cost of each implementation.

6. Implementation Plan

The implementation of IAM comprises a number of stages:

• Stage 1: Requirements, Plan and Cost finalisation and Approval (February 2008);
• Stage 2: Sourcing, Procurement and Implementation preparation (September 2009);
• Stage 3: Construction of central systems, pilot Implementation and main implementation preparation (April 2009);
• Stage 4: Completion of full site implementation/infrastructure rollout (End 2011).

7. Further Approval

At the completion of the procurement exercise a further report will be submitted to members in order for them to consider award of contract.

C. Race and equality impact

Individuals requiring additional assistive technology to gain access to building or systems as a result of the change delivered by the IAM Programme will be provided with these by the IAM Programme.

D. Financial implications

1. The table in exempt Appendix 1 shows a comparison of the costs and benefits of the options considered.

2. The Identity and Access Management programme will align with the PSD Estates Strategy to achieve the most efficient change for building access management.

E. Background papers

None

F. Contact details

Report author: Roger Saint, Head of ICT Infrastructure Development & Estates Support, MPS

For more information contact:

MPA general: 020 7202 0202
Media enquiries: 020 7202 0217/18

Send an e-mail linking to this page

Feedback