Australian Electoral Commission

AEC System Security Review and Testing

Important dates

Opportunity ID
Deadline for asking questions
Sunday 9 July 2017 at 5PM (in Canberra)
Closing date for applications
Thursday 13 July 2017 at 5PM (in Canberra)
Thursday 6 July 2017


Write a summary of your brief

The AEC is seeking an independent holistic security review of the systems that are responsible for delivering the planned 2018 (or 2019) Federal Election (FE18). The security testing needs to identify any vulnerabilities in the systems and provide recommendations on how they can be addressed.

What is the latest start date?
How long is the contract?

The contract is expected to run for 1 to 3 months.

Where can the work take place?
Australian Capital Territory
Who will the specialist work for?
Australian Electoral Commission
Budget range

About the work

Why is the work being done?

As part of the preparation for the 2018 (or 2019) Federal Election (FE18) the AEC is seeking an independent holistic security review of the systems that are responsible for delivering the event. The security testing needs to identify any vulnerabilities in the systems and provide recommendations on how they can be addressed.

The security review and testing is to be conducted at an agreed time during August 2017. All work (including provision of a substantive draft report) is to be completed by no later than 31 August 2017.

What's the key problem you need to solve?

The security review and testing needs to identify any vulnerabilities in the AEC's systems and provide recommendations on how they can be addressed.

The security review is to comprise two components: an active compromise attempt, and a review of security monitoring.

The active compromise attempt is to include attempts to breach system security from external (Internet) locations and from within the AEC network (a normal privileged user account will be supplied).

The review of security monitoring is to allocate ten person days to reviewing and remediating the existing Splunk 6.5 security monitoring configuration prior to the active compromise attempt, and then subsequently review the alerts, logs and dashboards on Splunk to determine the effectiveness of the monitoring solution.

A respondent may quote on either or both of the components.

Scope of Work:

The Respondent must develop a Proposal to meet the AEC’s requirements as described in this Statement of Requirements document. The Respondent must obtain the AEC Contact’s sign off prior to commencing work on the services.

The security review is to be conducted at an agreed time during August 2017. All work (including provision of a substantive draft report) is to be completed by 31 August 2017.

The Respondent should clearly outline all AEC responsibilities (including attendance at meetings, availability of key personnel and timeframes for review of draft report) in order for the target timeframe to be met.

The scope of the penetration testing includes the following:

■ Detect known and unknown vulnerabilities in the underlying operating system

■ Limited application layer testing

■ Firewall and ACL testing (at the server level)

■ Administrator privileges escalation testing

■ Password compromise testing

■ Network equipment security controls testing

■ Database security controls testing

Describe the users and their needs

Rules of Engagement:

The Rules Of Engagement (ROE) are designed to ensure that all parties understand clearly the objectives and expectations of the assessment. In particular the ROE ensure the Respondent understands what needs to be assessed, when it will be assessed and how the AEC requires the assessment to be conducted. The ROE also ensures that both parties clearly understand the methodology used by the Respondent and the risks associated with this testing.

These ROE also outline the framework for conducting the testing. The testing consists of multiple stages during which various security assessment tools and techniques are directed at a target. Based on results from these tools and techniques and upon completion, the successful Respondent will provide a report that assigns an overall rating of application and operating system security.

The first stage of testing will be performed external to the AEC ICT environment.

The second stage of testing will be performed via a standard user account within the AEC ICT environment. An AEC user account and a workstation will be provided to the tester, in accordance with the agreed project schedule.

The third and final stage of testing will be performed from within the AEC ICT user LAN environment, and be conducted from the tester’s own laptop with the tester’s own tools installed. The tester will be required to certify ahead of commencing the test that no malicious activity will be performed by the tester, and that the tester’s laptop has been scanned with appropriate malware detection tools prior to connection to the AEC LAN.

Rules of Engagement Criteria:

A list of criteria set for the conduct of the testing to be carried out has been created with further clarification to be undertaken prior to acceptance of quotation and commencement of work. To obtain a copy of the Rules of Engagement Criteria please email

What work has already been done?

Who will the work be done with?

The work will be managed by the AEC's IT Security Team, with assistance as required by system owners.

Any additional relevant information?

System Overview:

The AEC relies on multiple systems to successfully deliver a Federal Election. These systems work together to provide the infrastructure necessary to both directly deliver an election, and to provide corporate back-office support for staff involved in the election. The systems required to be tested are as follows:

1. The AEC Corporate Production Network. This is a Windows 7 Desktop and Laptop environment, with Windows Server 2013 providing Windows AD functionality. Note that the Desktop and Laptop fleet are currently being updated to a Windows 10 SOE, therefore the testers may be provided with both Windows 7 and in-development Windows 10 SOE systems.

2. The AEC Wireless Network. This is a segregated 802.11 WiFi network.

3. The AEC Email Gateway. This is a Microsoft Exchange based email system, with all incoming and outgoing email traversing the AEC’s upstream email provider, DHS. AEC also performs email scanning and filtering in addition to what the upstream provider performs.

4. The AEC public web presence. This is a collection of static and dynamic web hosts with functionality that includes:

a. voters checking/updating their personal enrolment details;

b. voters applying for postal votes;

c. political parties submitting financial returns and donation disclosures; and

d. a live virtual tally room displaying progressive results during an election.

The AEC public web servers are Microsoft IIS servers, hosted on Amazon AWS under a fully managed service provision arrangement with SMS Management Technology.

5. The internal AEC web front-end to the (mainframe based) Electoral Roll management system. This is a JBoss / Tomcat based system used by internal AEC employees to manage the Electoral Roll and to manage imaged copies of paper enrolment forms.

6. The internal AEC Electoral Roll management system. This runs on a shared IBM Mainframe, with RACF access control.

7. The internal AEC Election Management system. This is a Linux based system that manages the election itself, including polling place management and vote count tabulation.

8. The internal AEC Polling Officials recruitment and payroll system. This comprises two subsystems, one that manages the recruitment and employment of 80,000 casual employees for the election, and the other that handles payments to these casual employees.

9. The public access terminals. This is a web based front end to the Electoral Roll that allows members of the public to search and view the Electoral Roll from within AEC offices.

What phase is the work in?

Work setup

Where will the work take place?

AEC National Office, 50 Marcus Clarke Street Canberra City

What are the working arrangements?


Is security clearance required?

Key personnel will require Negative Vetting 1 clearance.

Additional information

Additional terms and conditions

The Supplier must respect the strict political neutrality of the Customer and not associate the Customer in any way with any political activity that it undertakes. Where required by the Customer, the Supplier must ensure that its Specified Personnel or Subcontractor sign a declaration of political neutrality in such a form as may be Notified by the Customer.

Skills and experience

Buyers will use the essential and nice-to-have skills and experience to help them evaluate sellers’ technical competence.

Essential skills and experience
  • Must have extensive experience in conducting security reviews.
  • Must use a proven review methodolgy.
  • Key personnel undertaking the services must have a Negative Vetting 1 clearance.
Nice-to-have skills and experience
  • Demonstrate previous experience in conducting penetration tests for Government organisations.
  • Demonstrate an understanding of systems used within the Autrslian Electoral system
  • Demonstrate ability to access appropriate testing tools

How sellers will be evaluated

How many shortlisted sellers will you evaluate?
Proposal criteria
  • Approach and methodology
  • How the approach or solution meets user needs
  • Estimated timeframes for the work
  • Value for money
  • Experience of nominated personnel
Cultural fit criteria
  • Work as a team with our organisation and other suppliers
  • Transparent and collaborative when making decisions
Payment approach
Fixed price
Assessment methods
  • Written proposal
  • Work history
  • Reference
Evaluation weighting

Technical competence

Cultural fit


Seller questions

No questions have been asked or answered yet.

Interested in this opportunity?

Before you can apply for this opportunity, you need to:

  1. Register to join the Marketplace.
  2. Submit a case study and pricing and check your documents are up-to-date.
  3. Request an assessment of your chosen case study.