Security Risk Management Plan (EDRMS) and Cyber Security assurance approach and plan

Tender ID: 580948


Tender Details

Tender #: PCS-01804
Status: Closed
Publish Date: 14 March 2025
Closing Date: 26 March 2025

Tender Description

This Tender is invited by the Issuer.

The National Gallery of Australia ('NGA', 'Gallery') is Australia's national visual arts institution dedicated to collecting, sharing and celebrating art from Australia and the world. We utilise a range of ICT business systems to support the delivery of our mission.

The Gallery requires the services of a provider to conduct a security assessment on the Gallery's Electronic Document Records Management System (EDRMS), and to develop an organisational cyber security assurance plan.

This project is intended to produce a high-quality security assessment for the Gallery that includes actionable recommendations to ensure both secure outcomes and alignment with the Australian Government Information Security Manual (ISM).

Key Deliverables and Acceptance

Systems are required to be assessed in alignment with guidance from the Australian Government Information Security Manual (ISM), the Australian Government Protective Security Policy Framework (PSPF), and the NIST Guide for Conducting Risk Assessments (NIST SP 800-30 Rev. 1).

Required services include:

A. Business system security assessment (EDRMS – integrated Content Manager and Teams)

Deliverables will include, at minimum:

1. Document discovery;

2. Discovery workshops;

3. System security documentation aligned to the Australian Government Information Security Manual (ISM), including:

a. System security plan (ref. ISM Control: ISM-0041)

b. System security plan annex (ref. ISM Control: ISM-0041)

c. Cyber security incident response plan (ref. ISM Control: ISM-0043)

d. Continuous monitoring plan (ref. ISM Control: ISM-1163)

e. Security assessment report (ref. ISM Control: ISM-1563); and

f. Plan of action and milestones (ref. ISM Control: ISM-1564);

4. Security assessment briefing to senior executives.

B. Organisational cyber security assurance plan

Deliverables will include, at minimum:

1. A cyber security assurance plan appropriate to providing assurance to governing bodies, detailing:

a. The NGA’s overall approach to undertaking internal reviews, penetration tests, and external audits

b. Activities to be undertaken, including any mandatory or recommended processes or documentation required

c. A recurring schedule for each activity

2. Assurance plan briefing to senior executives.

Suppliers may recommend either combining deliverables or additional deliverables if they believe this represents best practice.

The buyer may accept or reject any recommended deliverables in accordance with the Master Agreement.

Validity Period

Your response remains valid for a period of up to six months from the opportunity closing datetime.

Conditions of Participation

Sellers must adhere to the below requirements. Responses marked noncompliant against these requirements may be excluded from the evaluation process:

  • Supplier staff conducting security assessments must hold a current AGSVA Negative Vetting Level 1 (NV1) security clearance; and
  • Supplier staff conducting this work must have a minimum of 3 years’ experience in conducting similar security assessments.

Estimated start date: Monday, 31 March 2025

Initial contract duration: 3 months

Extension term: Not applicable

Location of work: ACT

Working arrangements: Hybrid
