Penetration and Vulnerability Testing for New Systems and IRAP Assessment

⁠⁠⁠The Department of Education (DoE) require the delivery of accreditation against the Information Security Manual (ISM) for the following DoE ICT systems:

a. Tertiary Collection of Student Information (TCSI) system - a education provider centric API data collection platform with self-service reporting capability for providers and departmental staff using largely Microsoft Azure and Power BI; and

b. Student Entitlement Management System (SEMS) - an entitlement calculation capability with a portal for education providers, students and departmental staff to access their loan entitlement.

This engagement must include:

a. IRAP assessment against the Statement of Applicability of the TCSI and SEMS systems;

b. Vulnerability Assessment of the TCSI and SEMS systems (STAGING and PRODUCTION environments);

c. Penetration Testing of the TCSI and SEMS systems (STAGING and PRODUCTION environments); and

d. Security code review of selected components of the TCSI and SEMS systems.

The provider is expected to provide up to 3 months of support. During this time the Department may request minor updates or enhancements to the documentation based on changes to the platform.