ICT Cyber Security Assessor
Tender ID: 568859
Tender Details
Tender Description
This Tender is invited by the Issuer.
The Agency is seeking to engage a suitably qualified and experienced Seller to undertake a cyber security risk assessment for the Survey.
The purpose of undertaking this assessment is to enable the Agency to obtain an Authority to Operate for the Survey, in accordance with the DEWR External ICT Services Authorisation Policy and Risk Management Framework.
Context
The Seller will be briefed on the Agency's context, governance model, approach to risk and overarching compliance requirements at the enterprise and system levels.
The engagement will comprise the assessment of ICT systems and security documentation relating to Roy Morgan’s systems that will be used in the delivery of the Survey. This may include, but is not limited to, the following documentation and artefacts:
- Threat Risk Assessments (TRA)
- Continuous Monitoring Plan (CMP)
- Disaster Recovery Plan (DRP)
- Backup Recovery Plan (BRP)
- System Security Plan (SSP)
- Security Risk Management Plan (SRMP)
- Incident Response Plan (IRP)
The Seller will be required to enter into a binding Non-Disclosure Agreement with Roy Morgan before being granted access to sensitive and commercial-in-confidence information.
The Agency recently conducted an internal assessment and issued an Interim Authority to Operate to enable the Dress Rehearsal phase of the Survey to be completed.
The next critical phase of the Survey is the Main Wave, which is scheduled to commence in February 2025. Consequently, the Agency requires the assessment to be completed by 29 November 2024 to allow sufficient time for internal approval processes to be undertaken before the Main Wave commences.
The Seller’s nominated resource will need to be available for the entire duration of the project.
Key Deliverables and Acceptance
The Seller will be required to provide the following Key Deliverables.
- A rigorous ICT cyber security risk assessment that satisfies these requirements.
- A comprehensive written report prepared in accordance with the Agency’s framework and templates.
- A completed System Security Plan Annex (SSP-Annex) in the relevant format published on the Information Security Manual (ISM) page of the Cyber.gov.au website.
The Agency may accept or reject any recommended deliverables in accordance with the Master Agreement.