Over the last few years the government has introduced a number of measures to open up the way that it does business and to make sure that smaller UK firms are in the best position to compete for contracts. The G-Cloud framework and associated CloudStore is at the forefront of this shift, with a target of 25% of government spend now channeled specifically to small and medium-sized enterprises (SMEs) by next year.
Not only is this providing SMEs with the opportunity to increase services for the public sector, but it is also providing greater levels of flexibility, innovation and cost savings to the government. But change cannot happen overnight and a number of larger system integrator contracts will not come to an end for a further five years or more. However, in support of government initiatives such as ‘digital by default’, SMEs are increasingly supporting government service delivery.
An increasingly complex security landscape
My journey in developing Facewatch actually started in trying to solve a problem for the customers of the oldest wine bar in London, (my family’s bar) Gordon’s Wine Bar. I was frustrated that my customers were frequently the victims of petty crime and I was keen to support the police who found it difficult to solve these types of incidents. Facewatch’s cloud software enables businesses to upload information they have from their CCTV cameras, as well as witness reports, directly to the police from any internet enabled device.
We now work with a number of large police forces to enable crime reporting and have also provided a mobile app for the Met Police and others which enables the public to identify images of suspects by postcode. However, to increase our relationship with the police, there are a number of hurdles which we have had to overcome in the process; the most notable of which is technology and security.
Due to the nature of data managed by the police force including highly sensitive personal details, a number of infrastructure considerations and information security classifications have to be met by any external partner employed. Each security classification indicates the sensitivity of information and the related range of security controls appropriate for managing the information risks involved. Through the G-Cloud framework these levels are still labelled IL1, IL2 and IL3, although a transition is currently being made to official, secret and top secret.
Facewatch itself currently operates at IL2/ISO27001 which allows our main users – the businesses and monitoring stations – to upload content onto the system including images and CCTV video footage, directly through the internet. This also enables police to submit digital evidence files quickly and easily through to the courts on Facewatch – reducing bureaucracy and saving time.
However this level of security, while already extremely high, does not meet the IL3 classification which requires enhanced security to protect sensitive personal information including addresses and criminal records on police databases. This is also a common requirement for Central Government departments and some agencies, meaning that this has, until recently, held some smaller businesses back from providing services to the public sector.
Overcoming technical challenges
To increase our work with the police force, we knew that the Facewatch application had to become IL3 accredited, but it was an incredibly daunting task. IL3 demands enhanced security levels including segregated data, systems and processes, secure IT systems and databases, combined with encryption, enhanced physical security and higher levels of personnel screening.
We would need to demonstrate to the government that our application itself was IL3 accredited, as well as the supporting physical infrastructure. This involves producing key documentation for RMADs – which demonstrates that we meet the UK Government’s very strict and specific accreditation requirements towards the governance of information systems. However, by working with Sungard Availability Services, which has a fully accredited IL3 government cloud platform, we will be able to greatly speed up the IL3 accreditation of Facewatch and enable many of our partners to join the IL3 cloud service.
Sungard AS has committed to lead us through the entire accreditation processes for our application and ultimately this will enable us to achieve this much faster and will enable us to get on with building relationships with the police forces and developing the capabilities of our product. Without Sungard AS’s support this could all have taken significantly longer and we would not have a platform that would enable us to provide an App Store for the police market which is one of our goals.
We are still going through the process at the moment, but once complete, we can demonstrate that our application can run on an IL3 platform and is fully IL3 certified. And because we are using a cloud-based platform from Sungard AS, we can scale up our solution across multiple police forces, which allows greater access and sharing of our applications and information across multiple police forces, as well as more regular, free updates to the software for the police to use.
We will also be able to create an IL2 (for citizen facing requirements) to IL3 bridge environment, meaning that highly sensitive data collected through our applications will meet the IL3 security classifications.
What did seem like quite a daunting task has turned into an exciting business opportunity for us because we found the right provider and benefitted from consultancy and support. I hope that other SMEs can see how technical hurdles can be overcome with the right support – enabling them to reach a much wider market whilst also ensuring that the government has access to more innovative and secure services.