The Inland Revenue has specified in the contract that Capgemini should ensure all its processes meet the BS7799 security standard. Dave Evans, the Revenue's head of security, plans to use this as leverage with Revenue managers to move the department itself onto BS7799.
The Revenue decided to stick with the concise security clauses which formed the basis of the EDS contract and to place the same emphasis on partnership in its relationship with the new consortium. But the invitation to tender contained much more detail about security, specifying not only what security targets should be met, but also how.
"We focused on how governance was to be set up, including the creation of a high-level security board," Evans said.
A security evaluation team was set up which developed criteria to assess the bids.
What was remarkable across all the bids was how frequently the documentation dealing with security made promises that were not included in the separately submitted business plans, Evans said.
Each stage of the IT work now goes through a review, which includes an analysis of the security systems in place.
The Revenue has also put in place a process for vetting and approving subcontractors to ensure their work meets government security guidelines.
The Office of Government Commerce is analysing the lessons learned from the EDS contract, both good and bad, and will pass them on to other departments in the form of better guidance, Evans said.