This opportunity is closed for applications.
The deadline was Thursday 1 June 2017 at 5PM (in Canberra)
- Opportunity ID
- Deadline for asking questions: Thursday 25 May 2017 at 5PM (in Canberra)
- Closing date for applications: Thursday 1 June 2017 at 5PM (in Canberra)
- Thursday 18 May 2017
Write a summary of your brief
The purpose of this assessment is to identify and analyse the risks to which the Govpass System Operator is exposed. Further, this assessment identifies and documents risk control measures that have been put in place, and, where appropriate, makes recommendations for further risk reduction.
What is the latest start date?
How long is the contract?
Where can the work take place?
New South Wales
Who will the specialist work for?
Digital Transformation Agency
About the work
Why is the work being done?
At the DTA, we are building and testing new technology that will make it easier for everyone to prove who they are when using government services online. This is part of our Govpass project, which will allow more government services to be made available online and accessed in a safe and secure way.
Currently in its beta stage of development, Govpass will offer users quick and simple options to prove who they are.
Users will be able to prove themselves by having an accredited organisation vouch for them, such as a government agency, or in the future, even their own bank.
The work is to be concluded by 30 June 2017
What's the key problem you need to solve?
The scope of this Security Threat and Risk Assessment is limited to physical, technical and legal risks associated with the Govpass system.
Describe the users and their needs
Users will be able to prove themselves by having an accredited organisation vouch for them, such as a government agency, or in the future, even their own bank.
What work has already been done?
Who will the work be done with?
You will be working with the DTA's Identity, policy, development and security teams.
Any additional relevant information?
What phase is the work in?
Where will the work take place?
Surry Hills, Sydney
What are the working arrangements?
Preference is for the work to be onsite.
Is security clearance required?
Minimum Requirement is a current Australian Government Baseline Clearance.
Additional terms and conditions
Methodology
Threat and Risk Assessment (TRA) Methodology
This TRA has been conducted using the four-stage methodology described below:
• establish the context;
• identify threats and risks;
• assess risks; and
• determine security control objectives in order to reduce risks to an acceptable level.
Establishing the context of the TRA involved several steps, specifically:
• defining the objectives for the contracted services;
• defining the scope of the solution; and
• identifying the acceptable risk threshold.
Identify Threats and Risks
Identification of the security threats and risks involved the initial identification of risk by:
• identifying the component assets of the systems and services within the scope;
• establishing the threats to which the assets are potentially vulnerable; and
• describing the nature of each risk. A risk is defined as being where a threat applies to an asset.
Assessing the risks is the process used to describe and categorise risks in terms of threat likelihood and consequence. The DTA categorisation matrices are used for consistency. Selection of likelihood and consequence values is subjective in nature, but represents a consistent approach to measuring risk.
Security Risk Controls
Once risks were defined and described, a series of risk controls were determined to reduce/mitigate the identified risks to an acceptable level. The risk controls represent systems that are (or will be put) in place in order to obtain formal certification.
Standards and Guidance
There are a number of relevant standards and guidance with which security controls should comply. These documents do not necessarily identify mandatory security controls, but provide guidance as to how security controls that are selected should be implemented.
These documents include:
• Information Security Manual;
• Protective Security Policy Framework; and
• Govpass Information Security Policy.
The approach taken when performing this TRA is to:
• identify the issue being reviewed;
• liaise with internal stakeholders as necessary;
• develop an initial draft TRA;
• develop the initial draft report and circulate for comment;
• resolve any issues through discussions and research; and
• update to a final draft TRA.
This TRA is considered to be an essential requirement before the Govpass System Operator makes a decision to accredit the system into production.
Skills and experience
Buyers will use the essential and nice-to-have skills and experience to help them evaluate sellers’ technical competence.
Essential skills and experience
- ICT security expertise with the Australian Government.
- Competent understanding of the Australian Government Information Security Manual (ISM) and the Protective Security Policy Framework (PSPF)
Nice-to-have skills and experience
How sellers will be evaluated
How many shortlisted sellers will you evaluate?
- Technical solution
- Approach and methodology
- Estimated timeframes for the work
- Value for money
Cultural fit criteria
Work as a team with our organisation and other suppliers
|Seller question|Buyer answer|
|---|---|
|1. Is this strictly a 2 week contract?|No, the submission closes 1 June and the assessment is due 30 June 2017.|
|2. Can you confirm if all members of the Tenderer's proposed team need to have NV1 security clearance?|Minimum Requirement is a current Australian Government Baseline Security Clearance.|
|3. If we want to submit a couple of consultants at different charge rates, how do we do that?|I would recommend you put the hours and rate for each consultant and create a total price.|
|4. Are you able to share your budget for this engagement?|Each response will be evaluated on the following criteria: Technical solution; Approach and methodology; Estimated timeframes for the work; Value for money.|