Cyber Security Audit and Review

⁠⁠⁠This RFP seeks to engage the services of an experienced and qualified cyber security firm to conduct an audit and review of the University technology systems, architectures, processes and practices against a reputable industry standard such as NIST Cyber Security Framework, ISO 27001 or AS 27001.

The goal of this engagement is not to gain certification against the recommended standard, but to undertake a comparative analysis of the University's cyber security posture relative to the standard. This will establish a credible and realistic direction and targets to achieve sustainable improvements in cyber security over time.

The deliverables expected from the engagement is a master cyber security plan that includes identification of capability gaps (Technology and Resources), assesses and prioritizes risk and resolution plans, appraises costs and recommends improvements that are achievable within a defined timeframe, with a focus on immediate returns. The master plan will be a living document that evolves over time which underpins the ongoing strengthening of the University's cyber security posture and direction.

This RFP is looking towards the consultant as the security expert to propose an appropriate security methodology, engagement scope and approach for conducting the review. The audit and review must be technology agnostic. Note: Successful consultants will not be eligible to bid on any technology projects resulting from this engagement.

Longer-term, the University will undertake an annual cyber security reviews to measure the progress of existing action plans and the ongoing health of the security program by re-engaging the preferred consultant over the 3 year partnership with University, with the goal of maintaining momentum on its cyber security program. Re-engagement of the consultant may also include specific security consultancy on operational and project matters that are external to the specific cyber-security program.