Deliver Professional and technical ICT services to the Commonwealth

The supplier must provide professional and qualified security consultants that are able to understand the requirements and produce highly technical documentation based on the complexity of each facility MOSSPO manages.

The deliverables must be fit for the following purpose(s):

1. Assist in the Certification and Accreditation of the following ranges MOSSPO manages:
1. Multi-Influence Range (MIR)
2. Jervis Bay Telemetry Range (JBTR)
3. Mobile Missile Telemetry Range (MMTR)
2. Align with the Information Security Manual (ISM).
3. Align with the Defence Security Principal Framework (DSPF)

To achieve Cyberworthiness certification and accreditation, ICTSB requires specific documentation that needs to be produced for each facility we mange that has been listed above. The list of documentation that will form each deliverable includes:

1. Australian Cyber Security Centre Essentials 8 (ASCS 8) Statement of Applicability (SoA) System Security Plan (SSP) System Overview Document (SOD) Incident Response Plan (IRP) Security Risk Management Plan (SRMP) Detailed Design Document Risk Register Business Impact Level (BIL) Standard Operating Procedures (SOP) as required

1. Australian Cyber Security Centre Essentials 8 (ASCS 8)
2. Statement of Applicability (SoA)
3. System Security Plan (SSP)
4. System Overview Document (SOD)
5. Incident Response Plan (IRP)
6. Security Risk Management Plan (SRMP)
7. Detailed Design Document
8. Risk Register
9. Business Impact Level (BIL)
10. Standard Operating Procedures (SOP) as required

Depending on the complexity of each facility, the supplier will have to determine how many documents will be required for each facility. Some basic facilities might only require 2-3 documents whilst other complex facilities may require all the documents to achieve certification depending on the classification of information held on their respective ICT Systems.

Recommended Qualifications

 The following skill sets and or qualifications are highly desirable:

1. Endorsed IRAP Assessor
2. Two or more of the following certifications:
1. Certified Industry System Security Professional (CISSP)
2. Certified Information Security Manager (CISM)
3. ISO 27001 Lead Auditor
4. Global Information Assurance Certification (GIAC)
5. Global Information Assurance Certification Forensic Analyst (GCFA)
6. Certified Information Systems Auditor (CISA)
3. Recent experience in security assessments of ICT Systems.

As part of any outsourcing arrangement, the Director IRM is required to validate the skills/qualifications and suitability of the proposed Industry Security Professional (ISP) prior to any individual being engaged.