How we delivered a complex, high security platform to help UK businesses protect against terrorism 

With an increased focus on the role of businesses in preparing for and responding to terrorist threats, Counter Terrorism Policing (CTP) needed to help the UK’s private sector understand what they should do.

There was a vast amount of counter-terrorism information online, but it was scattered across different websites from various organisations. CTP wanted to bring it all together in one place – an information sharing and learning platform that would help the UK improve its response to the risk of terrorism and keep people safe. 

It would need an advanced learning management system, the highest levels of security, compliance, functionality and performance, and an engaging and seamless user experience – with the minimum viable product ready for a beta launch in just six months.

---

The details

• Project type: Website / Information sharing and learning platform
• Software: Drupal, Jitsi, Matomo, ClamAV
• Industry: Public sector

Services delivered

• Strategic consultancy
• Discovery
• Design
• Development
• Hosting
• Continual improvements
• Support and maintenance

---

The challenges

Complex stakeholder needs

This project had over a dozen stakeholders, including public sector organisations like National Counter Terrorism Security Office (NaCTSO) and the Home Office, multiple delivery partners, funders, and industry figures. Each stakeholder had different priorities, governance structures, compliance and reporting needs. The project would need meticulous management to keep everyone aligned and happy.

Highest levels of security and compliance

The platform had to meet strict UK government security standards, including NCSC Cloud Security Principles and ISO 27001. The team working on it would need Non-Police Personnel Vetting (NPPV) level 3 clearance – the highest available. And standards for data confidentiality, integrity, and availability were far above a basic website.

Unmoveable deadline

An MVP (minimum viable product) needed to be ready in time for the International Security Expo. With just six months to get it ready, it was an extremely tight schedule. 

Scalability and resilience

Designing for uptime, load-balancing, redundancy, and disaster recovery was vital. The platform had to be resilient under crisis conditions and able to cope with hundreds of thousands of users during national emergencies.

Rich functionality with granular user access

The platform needed to feel simple and seamless for users, but handle complex functionality behind the scenes, including:

• a learning management system (LMS) 
• online training courses in a format called SCORM (an international standard that makes learning materials work across different LMSs), 
• forums
• live and recorded webinars
• complex workflows 
• granular user access levels
• and a messaging system to send out urgent alerts.

How we helped solve the challenges

The tech

Open source software meant we could build the platform efficiently in terms of both speed and cost. The challenge was pulling various frameworks and software into a system that would meet the stringent compliance and user needs. To meet this we used: 

Infrastructure as code

Infrastructure as code was preferable to a manual set up for this platform. For compliance, it gives better visibility on governance, automated processes, stricter policy enforcement, version control, and auditability. It also brings more consistency, scalability and efficient management, reducing human error, speeding up deployments and supporting rapid disaster recovery – all essential for a platform of this size and complexity

Drupal for the content management system

Drupal is used by governments across the globe, and a trusted partner for secure applications. Its rich ecosystem – community, wide range of open source modules, and advanced caching – was ideal to meet the security, functionality and rapid build needs for this platform.

Learning management system (LMS) from Opigno and Jitsi

Opigno is a Drupal distribution that gave us advanced LMS capabilities right out of the box. We then integrated with Jitsi to add secure and advanced video conferencing and webinar capabilities. 

ClamAV to enhance security for uploading documents and assets

Self-updating and opensource, ClamAV scans anything uploaded to the platform to make sure they are free from viruses and malware. 

Matomo for privacy-focussed analytics and custom reporting

Matomo Analytics gave full ownership and control of the data and let us host it in the UK – things Google Analytics couldn’t offer. Its advanced reporting also means stakeholders could access reports without seeing personal data. 

JSON Web Token for simple and secure user management

Drupal admins and moderators can set permissions, and control access to Drupal and Jitsi from one place. And temporary users, like guest speakers, can get the access they need for webinars without putting the wider system at risk.

The process

Meticulous and agile project management 

With multiple organisations involved, and requirements and project teams changing throughout the project, we had to keep everyone on track. Our approach included: 

• Agile processes like sprints, stand-ups, retrospectives and iterative development. To adapt quickly to changing requirements and maintain momentum. 
• Weekly activity and monthly progress reports/reviews. To give everyone clear visibility of progress and budget, and course-correct as needed.
• Diplomacy, clear communication and a huge collaborative effort. To keep the project moving and hit the launch deadline. 
• High level design document to prescribe all architecture and infrastructure, testing and a complete project roadmap. To get all stakeholders aligned and provide one source of truth throughout.
• Continuous delivery pipelines, automated testing, and tight governance over updates. To balance agility with risk control.

Meeting UX design and accessibility best practices

The platform needed to work for a range of users – from government and police to businesses and the general public. This meant meeting high accessibility standards (WCAG AA) and designing a user experience that worked for all these different groups.

We tested the structure and functionality early to make sure people could find what they needed. Because we had to test before the brand, design and content were ready, we designed tests to assess on:

• Whether the language used was clear
• How efficient people found it to navigate
• How many clicks/steps it would take people to do what they needed

Testing for usability, security, and scalability

We made sure ProtectUK could handle real-world pressures with robust testing across all critical frameworks. Unit, load, usability, integration, accessibility, and security tests validated the platform under real traffic scenarios. 

Support for every scenario

The support system needed to cater for everything from routine updates to urgent security alerts. Each scenario needed different response times and skills. And because anyone working on the system needed high-level security clearance, we couldn’t use a standard support team approach. Instead, we built a custom framework that keeps the system reliable and responsive at all times:

• Bespoke service agreements for each part – website, messaging, webinars, and analytics
• Integrating Jira to generate automated health and security alerts and automatically send requests to the right team. 
• First-, second-, and third-line support around the clock, every day of the year. 

The impact

After a mammoth collaborative effort, the MVP (minimum viable product) was ready for its beta launch at the International Security Expo in September 2022 – and received positive feedback from both the public and industry.

The platform has proven its resilience, staying stable during major events like the Queen’s funeral and the King’s coronation. And user numbers have grown steadily, rising from 10,000 at launch to over 100,000 in just nine months.

The UK now has a reliable, secure platform that helps businesses and communities prepare for and respond to terrorist threats. Exactly what Counter Terrorism Policing set out to achieve.