Information concerning published Ransomware Playbook: FOI release
- Published
- 22 February 2021
- Directorate
- Safer Communities Directorate
- FOI reference
- FOI/202000093852
- Date received
- 1 October 2020
- Date responded
- 28 October 2020
Information request and response under the Freedom of Information (Scotland) Act 2002
Information requested
Information relating to the published Ransomware Playbook found here on the Scottish Government’s Website:
Cyber+Capability+Toolkit+-+Cyber+Incident+Response+-+Ransomware+Playbook+v2.3.pdf (www.gov.scot)
- All previous versions of the playbook, including drafts, created for Scottish Government - the current version is 2.3.
- The initial date the contract tender was published for the work to be carried out.
- A copy of the original briefing sheet/requirements sheet or tender which was published to prospective organisations .
- The method or process used to identify NCC Group as the organisation best suited to fulfil the requirements.
- The first date NCC Group were contracted to deliver this.
- The date of final engagement from NCC group on this.
- The total cost for the document to be produced, this should be broken down into costs for NCC group (with any copy of invoices covering breakdown of costs), the costs of associated expenses for all people involved in the creation of the document.
- Any other organisations who applied for the contract
- Their names
- Their estimated costs
- Their estimated timeframes
- Reason for non-selection.
- All emails relating to this document currently held by Scottish Government where the ransomware playbook is referenced by name or as an email attachment including all previous versions of the document.
- Any detail on how many times this playbook has been utilised and any recorded notes or documents created whilst using this playbook - for example the use of it during a live cyber incident.
Response
1: All previous versions of the playbook, including drafts, created for Scottish Government - the current version is 2.3.
Versions have been included as per items 3 to 13 in the schedule at 2.4 below.
2: The initial date the contract tender was published for the work to be carried out.
The procurement contract was placed on the Lot 3 of the DPS Procurement framework on 17th October 2018.
3: A copy of the original briefing sheet/requirements sheet or tender which was published to prospective organisations out.
The ITT as published is attached as per item 2 in the schedule at 2.4 below.
4: The method or process used to identify NCC Group as the organisation best suited to fulfil the requirements out.
The Scottish Government utilises open public procurement frameworks which provides the most appropriate and transparent method of identifying a suitable service provider is to carry out a competitive tendering process, which will be open to other potential organisations to bid on, with an interest in our proposed requirements. The assessment criteria used to evaluate each bid is laid out within the procurement process.
5: The first date NCC Group were contracted to deliver this out.
Contract was signed by the NCC Group on 24th January 2019.
6: The date of final engagement from NCC group on this.
The contract with the NCC Group was concluded in July 2019.
7: The total cost for the document to be produced, this should be broken down into costs for NCC group (with any copy of invoices covering breakdown of costs), the costs of associated expenses for all people involved in the creation of the document.
The link provided within the applicants email refers to the Generic Ransomware Playbook which was produced from a Ransomware Playbook produced specifically for the Scottish Public Sector consumption as part of a wider procurement Incident Management and Improvement project which ultimately produced a number of resources including a series of Playbooks which were published on the Scottish Government website.
The Generic Ransomware Playbook was produced by removing the Scottish Public Sector Specific content thus making it a viable playbook for other sector such as the private and third sector. This was done by a member of the Cyber Resilience Unit and not by the NCC Group who were contracted to provide the original contract from which this template derived. There are no costs associated with the production of this playbook from the original Playbook.
With regards to the parent document which resulted in the production of the Ransomware Playbook as part of the contracted work the costs cannot be disaggregated from the wider project delivery.
8: Any other organisations who applied for the contract
- Their names
- Their estimated costs
- Their estimated timeframes
- Reason for non-selection.
| Tenderer | Est Costs | Est Time Frame | Reason for non selection |
| KPMG | £260,000 | Within the time frame specified in the ITT |
The successful tenderer was considered to offer the best value for money following an evaluation of each tenderer’s price-quality ratio |
| Scott Moncrieff | £268,460 | ||
| Cyber Security Scotland | £292,220 | ||
| BSI | £296,100 |
9: All emails relating to this document currently held by Scottish Government where the ransomware playbook is referenced by name or as an email attachment including all previous versions of the document.
Emails relating to the Ransomware Playbook are contained as per item 14 in the schedule at 2.4 below.
10: Any detail on how many times this playbook has been utilised and any recorded notes or documents created whilst using this playbook - for example the use of it during a live cyber incident.
The cyber incident Playbooks was one of a number of documents and templates which were made available to the Scottish Public Sector for their consideration of use. These were also published on the Scottish Government website.
The Generic Ransomware template to which the applicant has specifically referred to was one of 5 which were drawn from parent playbooks produced for the Scottish Public Sector and adapted for use beyond the public sector through slight adjustments to remover the public sector specific references.
The generic playbooks were published onto the Scottish Governments website where they are available for use by any organisations that finds value in them and are designed to be adapted so as they can be fit for use by others.
We do not have any information on the use or uptake as this was not part of the projects aim.
The table below represents the documentation produced as a result of this FOI request.
| Item No | Description | Release | Reason not to Release |
| 1 | FOI Response report | Yes | |
| 2 | Cyber – Procurement – ITT – testing and Exercising – Schedule 1 Specification – Oct 2020 | Yes | |
| 3 | TEMPLATE – Ransomware Playbook – V2,0 | Yes | |
| 4 | Scottish Government – Ransomware Playbook – V2.1 | Yes | |
| 5 | Scottish Government – Ransomware Playbook – V2.2 | Yes | |
| 6 | Cyber – Incident response – Generic Ransomware Playbook – V2.1 | Yes | |
| 7 | Cyber Incident Response – Generic Ransomware Playbook – V2.1 | Yes | |
| 8 | Cyber Incident Response – Generic Ransomware Playbook – V2.3 | Yes | |
| 9 | Cyber Incident Response – Generic Ransomware Playbook – V2.3 A | Yes |
Due to the size of the files we are unable to upload the documents referred to above. If you wish to consider, please contact us at the address below and we will be happy to provide.
About FOI
The Scottish Government is committed to publishing all information released in response to Freedom of Information requests. View all FOI responses at http://www.gov.scot/foi-responses.
Contact
Please quote the FOI reference
Central Enquiry Unit
Email: ceu@gov.scot
Phone: 0300 244 4000
The Scottish Government
St Andrews House
Regent Road
Edinburgh
EH1 3DG
There is a problem
Thanks for your feedback