NZEA IT Security Services
Tender ID: 573947
Tender Details
Tender Description
This Tender is invited by the Issuer.
The Net Zero Economy Authority (NZEA) is due to become a statutory agency in early 2025.
NZEA currently sits within the Department of the Prime Minister and Cabinet (PM&C). NZEA has engaged a managed service provider (MSP) to build a dedicated NZEA IT network.
To safeguard sensitive information and ensure compliance with regulatory standards such as the Australian Government Information Security Manual (ISM) and the Protective Security Policy Framework (PSPF), NZEA requires the services of an IT Security Advisor (ITSA). The ITSA would ideally work 3-4 days a week pre-transition, while NZEA still sits within PM&C, and 2 days a week post-transition. The ITSA will need to work closely with the MSP to ensure that what the MSP is building complies with Whole-of-Australian-Government (WoAG) cyber security requirements.
The services NZEA requires are set out below:
IT Security Advisor Statement of Work
1. Working with our managed service provider (MSP) to deliver the Authority to Operate (ATO) for the NZEA Protected cloud environment.
2. Within the first 1-2 weeks of commencement, complete a gap analysis between what the MSP is delivering and what is required for the ATO.
3. Work approximately 3-4 days a week before go-live (mid-February 2025) and 1-2 days per week post go-live.
4. Respond promptly to cyber incidents that occur outside of nominated days.
5. Provide advice on penetration testing.
6. NZEA may also require ongoing access to penetration testers to test NZEA systems.
7. On-going part time IT Security Advisor (ITSA) services covering:
1. Risk Assessment and Management
- Conduct risk assessments to identify vulnerabilities in the agency's IT infrastructure.
- Analyse potential threats, including cyber-attacks, data breaches, and insider threats.
- Develop risk management plans to mitigate identified vulnerabilities.
2. Security Policy Development and Compliance
- Create, implement, and maintain security policies, procedures, and standards that align with industry best practices and regulatory requirements (e.g., the ACSC Essential Eight, ISO 27001, PSPF 2024, the ISM and the Australian Privacy Act).
- Ensure the agency complies with relevant laws, such as the Australian Privacy Act, and with standards for data protection and privacy.
- Conduct regular policy reviews and updates to adapt to evolving threats and technologies.
3. Advising on Security Solutions and Best Practices
- Recommend and advise on security technologies, tools, and best practices to enhance the agency's security posture.
- Provide guidance on secure practices, including secure coding, data handling, and user authentication.
4. Incident Response and Management
- Develop and implement incident response plans for handling security breaches or cyber-attacks.
- Lead or participate in response efforts when incidents occur, including investigation, containment, and recovery.
- Perform root-cause analysis after incidents and suggest improvements to prevent recurrence.
5. Monitoring and Threat Intelligence
- Oversee continuous monitoring of the agency's network and systems to detect suspicious activity or potential breaches.
- Use threat intelligence to stay updated on emerging threats and vulnerabilities, incorporating this information into security strategies.
6. Security Awareness and Training
- Develop and deliver security awareness programs to educate employees on recognizing and preventing cyber threats.
- Encourage a security-focused culture within the agency through ongoing education and training.
7. Collaboration and Stakeholder Engagement
- Collaborate with internal and external stakeholders, such as government bodies, industry peers, and cybersecurity organisations.
- Act as a liaison between IT and non-technical teams to ensure security measures align with business objectives without disrupting operations.
8. Audit and Reporting
- Conduct or coordinate regular audits to assess the effectiveness of security measures.
- Prepare reports on security posture, incidents, and risk management efforts for senior management or regulatory bodies.
9. Other IT Security duties as required.
10. Skills and Qualifications
- The IT Security Advisor is expected to have a strong background in cybersecurity, with certifications such as CISSP, CISM, or CISA, and experience with security frameworks. Familiarity with government guidelines such as the Australian Cyber Security Centre's Essential Eight is essential.
- The IT Security Advisor must hold an active AGSVA-recognised security clearance at NV1 level or higher.
EVALUATION CRITERIA
Criteria
Sellers must provide a response to each criterion. There is a 3000-character limit for each response.