Publication - FOI/EIR release

Information concerning published Ransomware Playbook: FOI release

Published: 22 Feb 2021

Information request and response under the Freedom of Information (Scotland) Act 2002

Published:
22 Feb 2021
Information concerning published Ransomware Playbook: FOI release
FOI reference: FOI/202000093852
Date received: 1 Oct 2020
Date responded: 28 Oct 2020
Information requested

Information relating to the published Ransomware Playbook found here on the Scottish Government’s Website:
Cyber+Capability+Toolkit+-+Cyber+Incident+Response+-+Ransomware+Playbook+v2.3.pdf (www.gov.scot)

  • All previous versions of the playbook, including drafts, created for Scottish Government - the current version is 2.3.
  • The initial date the contract tender was published for the work to be carried out.
  • A copy of the original briefing sheet/requirements sheet or tender which was published to prospective organisations .
  • The method or process used to identify NCC Group as the organisation best suited to fulfil the requirements.
  • The first date NCC Group were contracted to deliver this.
  • The date of final engagement from NCC group on this.
  • The total cost for the document to be produced, this should be broken down into costs for NCC group (with any copy of invoices covering breakdown of costs), the costs of associated expenses for all people involved in the creation of the document.
  • Any other organisations who applied for the contract
    • Their names
    • Their estimated costs
    • Their estimated timeframes
    • Reason for non-selection.
  • All emails relating to this document currently held by Scottish Government where the ransomware playbook is referenced by name or as an email attachment including all previous versions of the document.
  • Any detail on how many times this playbook has been utilised and any recorded notes or documents created whilst using this playbook - for example the use of it during a live cyber incident.
Response

1: All previous versions of the playbook, including drafts, created for Scottish Government - the current version is 2.3.

Versions have been included as per items 3 to 13 in the schedule at 2.4 below.

2: The initial date the contract tender was published for the work to be carried out.

The procurement contract was placed on the Lot 3 of the DPS Procurement framework on 17th October 2018.

3: A copy of the original briefing sheet/requirements sheet or tender which was published to prospective organisations out.

The ITT as published is attached as per item 2 in the schedule at 2.4 below.

4: The method or process used to identify NCC Group as the organisation best suited to fulfil the requirements out.

The Scottish Government utilises open public procurement frameworks which provides the most appropriate and transparent method of identifying a suitable service provider is to carry out a competitive tendering process, which will be open to other potential organisations to bid on, with an interest in our proposed requirements. The assessment criteria used to evaluate each bid is laid out within the procurement process.

5: The first date NCC Group were contracted to deliver this out.

Contract was signed by the NCC Group on 24th January 2019.

6: The date of final engagement from NCC group on this.

The contract with the NCC Group was concluded in July 2019.

7: The total cost for the document to be produced, this should be broken down into costs for NCC group (with any copy of invoices covering breakdown of costs), the costs of associated expenses for all people involved in the creation of the document.

The link provided within the applicants email refers to the Generic Ransomware Playbook which was produced from a Ransomware Playbook produced specifically for the Scottish Public Sector consumption as part of a wider procurement Incident Management and Improvement project which ultimately produced a number of resources including a series of Playbooks which were published on the Scottish Government website.

The Generic Ransomware Playbook was produced by removing the Scottish Public Sector Specific content thus making it a viable playbook for other sector such as the private and third sector. This was done by a member of the Cyber Resilience Unit and not by the NCC Group who were contracted to provide the original contract from which this template derived. There are no costs associated with the production of this playbook from the original Playbook.

With regards to the parent document which resulted in the production of the Ransomware Playbook as part of the contracted work the costs cannot be disaggregated from the wider project delivery.

8: Any other organisations who applied for the contract

  • Their names
  • Their estimated costs
  • Their estimated timeframes
  • Reason for non-selection.
Tenderer Est Costs Est Time Frame Reason for non selection
KPMG £260,000 Within the time frame specified in
the ITT
The successful tenderer was considered to offer the best value for money following an evaluation of each tenderer’s price-quality ratio
Scott Moncrieff £268,460
Cyber Security Scotland £292,220
BSI £296,100

9: All emails relating to this document currently held by Scottish Government where the ransomware playbook is referenced by name or as an email attachment including all previous versions of the document.

Emails relating to the Ransomware Playbook are contained as per item 14 in the schedule at 2.4 below.

10: Any detail on how many times this playbook has been utilised and any recorded notes or documents created whilst using this playbook - for example the use of it during a live cyber incident.

The cyber incident Playbooks was one of a number of documents and templates which were made available to the Scottish Public Sector for their consideration of use. These were also published on the Scottish Government website.

The Generic Ransomware template to which the applicant has specifically referred to was one of 5 which were drawn from parent playbooks produced for the Scottish Public Sector and adapted for use beyond the public sector through slight adjustments to remover the public sector specific references.

The generic playbooks were published onto the Scottish Governments website where they are available for use by any organisations that finds value in them and are designed to be adapted so as they can be fit for use by others.

We do not have any information on the use or uptake as this was not part of the projects aim.

The table below represents the documentation produced as a result of this FOI request.

Item No Description Release Reason not to Release
1 FOI Response report Yes  
2 Cyber – Procurement – ITT – testing and Exercising – Schedule 1 Specification – Oct 2020 Yes  
3 TEMPLATE – Ransomware Playbook – V2,0 Yes  
4 Scottish Government – Ransomware Playbook – V2.1 Yes  
5 Scottish Government – Ransomware Playbook – V2.2 Yes  
6 Cyber – Incident response – Generic Ransomware Playbook – V2.1 Yes  
7 Cyber Incident Response – Generic Ransomware Playbook – V2.1 Yes  
8 Cyber Incident Response – Generic Ransomware Playbook – V2.3 Yes  
9 Cyber Incident Response – Generic Ransomware Playbook – V2.3 A Yes  


Due to the size of the files we are unable to upload the documents referred to above. If you wish to consider, please contact us at the address below and we will be happy to provide.

About FOI

The Scottish Government is committed to publishing all information released in response to Freedom of Information requests. View all FOI responses at http://www.gov.scot/foi-responses.

Contact

Please quote the FOI reference
Central Enquiry Unit
Email: ceu@gov.scot
Phone: 0300 244 4000

The Scottish Government
St Andrews House
Regent Road
Edinburgh
EH1 3DG