Only invited sellers can apply for an 'Open to one' or 'Open to selected' opportunity.


IP Australia

Security Penetration Testing and Assessment

Important dates

Opportunity ID
Deadline for asking questions
Thursday 19 October 2017 at 6PM (in Canberra)
Closing date for applications
Thursday 26 October 2017 at 6PM (in Canberra)
Thursday 12 October 2017


Write a summary of your brief

IP Australia requires a supplier with established experience in ICT Security Penetration testing and assessment. The Rights In One program is currently in its 4th Tranche to develop a new capability for the Trade Marks IP Rights business line. The supplier will provide assurance around the implemented ICT security controls.

What is the latest start date?
How long is the contract?

Until 30 June 2018 with further options to extend for 1 year at the discretion of the Buyer.

Where can the work take place?
Australian Capital Territory
Who will the specialist work for?
IP Australia
Budget range

About the work

Why is the work being done?

The RIO Program is delivering ICT capabilities based on the core Case Management framework technology, Pega, and the program's delivery model follows Agile principles and the scrum methodology. The program requires experienced ICT security testers and penetration testers who can help ensure that the tranche being developed is secure and meets the requirements set out in the ISM.

Timeframe for contract:

Oct 2017 - Procurement process to identify a Security supplier

Nov 2017 - Contract establishment and testing schedule

Nov 2017 - Penetration testing and static code analysis of search application and environments

Feb 2018 - Updated combined SOA, SSP and SRMP

Mar 2018 - Initial penetration testing of RIO T4 and confirmation that RIO T3 issues have been addressed.

Jul 2018 - Second RIO T4 penetration testing

Sept 2018 - Final RIO T4 penetration testing

What's the key problem you need to solve?

To ensure that the RIO program delivers a secure and reliable system, we want impartial third-party testing to provide assurance to the program. We are looking for the following:

1. Detailed knowledge of ISM requirements.

2. Experience in documenting Statement of Applicability (SOA), Security Risk Management Plan (SRMP) and System Security Plan (SSP) documents in relation to the ISM.

3. Demonstrated experience conducting internal and external security penetration testing.

Describe the users and their needs

The program is delivering to many user groups including external customers, Trade Mark examiners, Trade Mark administrators, Quality assessors, dispute resolution, and management.

The requirement is for the supplier to ensure the integrity and the quality of our security controls through external and internal penetration testing and review of security controls.

What work has already been done?

The program has completed the following:

Tranche 1 & 2 - Feasibility phase and technology framework and partnership procurement phases.

Tranche 3 - Delivery of Pilot Case Management system and business transition for Designs IP Rights business group

Tranche 4 - Delivery of internal and external Trade Mark search and examiner supporting systems. Tranche 4 is continuing with the build of work in multiple streams and in different phases.

The supplier will be required to test the deliverables of Tranche 4. All previous reports and assessments will be made available.

Who will the work be done with?

The RIO Program, which has a complete delivery team with all ICT resources required to support the Supplier.

Any additional relevant information?

What phase is the work in?

Work setup

Where will the work take place?

Discovery House, 47 Bowes St, Phillip ACT 2606

What are the working arrangements?

Onsite (Canberra office)

Is security clearance required?

Access to IP Australia is governed by a current ENTRY ONLY/RESTRICTED police check granted in accordance with IP Australia and Australian Government policy. Security clearances are normally limited to Australian Citizens Only.

Additional information

Additional terms and conditions

Skills and experience

Buyers will use the essential and nice-to-have skills and experience to help them evaluate sellers’ technical competence.

Essential skills and experience
  • Detailed knowledge of ISM requirements.
  • Experience in documenting Statement of Applicability (SOA)
  • Security Risk Management Plan (SRMP) and System Security Plan (SSP) documents in relation to the ISM
  • Demonstrated experience conducting internal and external security penetration testing
  • Experience with Pega systems
  • Static/Source code analysis testing
Nice-to-have skills and experience
  • Experience working in Federal Government departments or agencies.

How sellers will be evaluated

How many shortlisted sellers will you evaluate?
Proposal criteria
  • Approach and methodology
  • Team structure
  • Value for money
  • Technical solution
Cultural fit criteria
  • Work as a team with our organisation and other suppliers
  • Transparent and collaborative when making decisions
Payment approach
Time and materials
Assessment methods
  • Written proposal
  • Case study
  • Work history
  • Reference
Evaluation weighting

Technical competence

Cultural fit


Seller questions

1. Seller question: Can we please confirm whether IPA require the supplier's consultants to simply provide input into the accreditation artefacts (SSP, SOA, SRMP) or whether we are required to fully develop the compliance documentation from scratch? If the latter, can IPA provide any further information on the system to assess the effort involved in developing this documentation? Typically developing compliance documentation is a different skillset to penetration testing. TSS can deliver both components using a combination of resources, subject to IPA's exact requirements.

Buyer answer: The RIO Tranche 3 Designs documents (SSP, SOA and SRMP) already exist but need to be expanded and updated to reflect the introduction of RIO Tranche 4 Trade Marks data and some new technologies being implemented as part of this Tranche, e.g. Splunk, RedHat OpenShift.
