Background

The Medicines and Healthcare Regulatory Agency (MHRA) is an executive agency of the Department of Health, which is responsible for regulating all medicines and medical devices in the UK by ensuring they work and are acceptably safe.

The Requirement

In May 2011, MHRA issued an Invitation to Quote, under the ICT Consultancy & Delivery Services framework, for a supplier to provide the services of CESG CHECK-certified consultants to perform a comprehensive IT Healthcheck. This was to include documentation evaluation and penetration testing of the IT systems, applications and infrastructure, as well as mobile devices, that make up the MHRA business and user environments.

Bramble won the tender with its partner, Digital Assurance, a specialist information security consultancy focusing on security assessment services, information assurance consulting and security training. Work started on site in August at MHRA's offices in London and was completed within a month, on schedule.

The Approach

A full and extensive evaluation was carried out to establish the security of MHRA's computer systems, operating environment and network, and their compliance with key standards documents and best practices.

The process involved analysis of the systems for potential vulnerabilities that could result from incorrect system configuration, both known and unknown hardware or software flaws, or operational weaknesses. It included evaluation of potential risks from a remote user's laptop falling into the wrong hands, attack from someone with no network access and attack from someone who had gained access to the MHRA network.

The consultants checked for possible risks from the services offered by the 100+ servers within the MHRA environment and looked at whether someone could gather information of a sensitive nature (e.g. surveys to discover passwords) or initiate a process to disrupt or compromise the organisation (e.g. change user passwords, disable or create accounts).

A detailed report of the consultants' findings was provided, identifying potential weaknesses and areas of concern, together with recommendations for corrective actions to improve security.

Outcomes

The penetration testing was carried out successfully on the live MHRA network.

A further project for the creation of a Risk Management Accreditation Document was commissioned in April 2012.

Digital Assurance was complimented on having excellent communications throughout the engagement and providing industry-leading knowledge through their dynamic and flexible service.

Partner insight

Digital Assurance provides some of the most comprehensive, effective and flexible information security consultancy assessment services in the marketplace. It has delivered a number of key projects for MHRA, including an internal and external ITHC of core systems, a GAP analysis of the design and implementation of their Windows 7 laptop build, and an RMADS of their internal systems.

Bramble insight

Bramble Hub are specialists in helping ICT companies secure public sector contracts through UK Government frameworks. We have a large network of SMEs and niche specialists to meet all ICT requirements.

To find out more about being a Bramble Hub partner, email us or phone 020 7735 0030.