Digital Transformation Agency

Security Threat and Risk Assessment

Important dates

Opportunity ID
Deadline for asking questions
Thursday 25 May 2017 at 5PM (in Canberra)
Closing date for applications
Thursday 1 June 2017 at 5PM (in Canberra)
Thursday 18 May 2017


Write a summary of your brief

The purpose of this assessment is to identify and analyse the risks to which the Govpass System Operator is exposed. Further, this assessment identifies and documents risk control measures that have been put in place, and, where appropriate, makes recommendations for further risk reduction

What is the latest start date?
How long is the contract?

Where can the work take place?
New South Wales
Who will the specialist work for?
Digital Transformation Agency
Budget range

About the work

Why is the work being done?

At the DTA, we are building and testing new technology that will make it easier for everyone to prove who they are when using government services online. This is part of our Govpass project, which will allow more government services to be made available online and accessed in a safe and secure way.

Currently in its beta stage of development, Govpass will offer users quick and simple options to prove who they are.

Users will be able to prove themselves by having an accredited organisation vouch for them, such as a government agency, or in the future, even their own bank.

The work is to be concluded by 30 June 2017

What's the key problem you need to solve?

The scope of this Security Threat and Risk Assessment is limited to physical, technical and legal risks associated with the Govpass system

Describe the users and their needs

Users will be able to prove themselves by having an accredited organisation vouch for them, such as a government agency, or in the future, even their own bank.

What work has already been done?

Who will the work be done with?

You will be working with the DTA's Identity, policy, development and security teams

Any additional relevant information?

What phase is the work in?

Work setup

Where will the work take place?

Surry Hills Sydney

What are the working arrangements?

Preference is for the work to be onsite

Is security clearance required?

Minimum Requirement is a current Australian Government Baseline Clearance

Additional information

Additional terms and conditions


Threat and Risk Assessment (TRA) Methodology

This TRA has been conducted using the four stage methodology described below:

• establish the context;

• identify threats and risks;

• assess risks; and

• determine security control objectives in order to reduce risks to an acceptable level.

Establish Context

Establishing the context of the TRA involved several steps, specifically:

• defining the objectives for the contracted services;

• defining the scope of the solution; and

• identifying the acceptable risk threshold.

Identify Threats and Risks

Identification of the security threats and risks involved the initial identification of risk by:

• identifying the component assets of the systems and services within the scope;

• establishing the threats to which the assets are potentially vulnerable; and

• describing the nature of each risk. A risk is defined as being where a threat applies to an asset.

Assess Risks

Assessing the risks is the process used to describe and categorise risks in terms of threat likelihood and consequence. The DTA categorisation matrices are used for consistency. Selection of likelihood and consequence values is subjective in nature, but represents a consistent approach to measuring risk.

Security Risk Controls

Once risks were defined and described, a series of risk controls were determined to reduce/mitigate the identified risks to an acceptable level. The risk controls represent systems that are (or will be put) in place in order to obtain formal certification.

Standards and Guidance

There are a number of relevant standards and guidance with which security controls should comply. These documents do not necessarily identify mandatory security controls, but provide guidance as to how security controls that are selected should be implemented.

These documents include:

• Information Security Manual;

• Protective Security Policy Framework; and

• Govpass Information Security Policy.


The approach taken when performing this TRA is to:

• Identify the issue being reviewed;

• liaise with internal stakeholders as necessary;

• develop an initial draft TRA;

• develop the initial draft report and circulate for comment;

• resolve any issues through discussions and research; and

• update to a final draft TRA.

This TRA is considered to be an essential requirement before the Govpass System Operator makes a decision to accredit the system into production.

Skills and experience

Buyers will use the essential and nice-to-have skills and experience to help them evaluate sellers’ technical competence.

Essential skills and experience
  • ICT security expertise with the Australian Government.
  • Competent understanding of the Australian Government Information Security Manual (ISM) and the Protective Security Policy Framework (PSPF)
Nice-to-have skills and experience

How sellers will be evaluated

How many shortlisted sellers will you evaluate?
Proposal criteria
  • Technical solution
  • Approach and methodology
  • Estimated timeframes for the work
  • Value for money
Cultural fit criteria
Work as a team with our organisation and other suppliers
Payment approach
Fixed price
Assessment methods
Written proposal
Evaluation weighting

Technical competence

Cultural fit


Seller questions

Seller questions
Seller question Buyer answer
1. Is this strictly a 2 week contract? No, the submission closes 1 June and the assessment is dune 30 June 2017.
2. Can you confirm if all members of the Tenderers proposed team need to have NV1 security clearance. Minimum Requirement is a current Australian Government Baseline Security Clearance
3. If we want to submit a couple of consultants at different charge rate. How do we do that ? I would recommend you put the hours and rate for each consultant and create a total price.
4. Are you able to share your budget for this engagement? Each response will be evaluated on the following criteria: Technical solution Approach and methodology Estimated timeframes for the work Value for money

Interested in this opportunity?

Before you can apply for this opportunity, you need to:

  1. Register to join the Marketplace.
  2. Submit a case study and pricing and check your documents are up-to-date.
  3. Request an assessment of your chosen case study.