Cyber Security Services
Tender ID: 582548
Tender Details
Tender Description
This Tender is invited by the Issuer.
This procurement will select a suitably qualified and experienced vendor to undertake cyber security services to provide assurance that new applications will meet the Essential 8 and the Commission’s security posture.
Scope
The scope of the procurement will be to:
1. Conduct various types of security assessment activities. This will include, but is not limited to:
a. External Asset Discovery and Penetration Testing
- Will focus on publicly accessible touchpoint discovery. The objective is to determine what information can be uncovered to identify Aged Care systems and infrastructure.
- Conduct external testing of the systems and infrastructure identified to determine whether there are any vulnerabilities that can be exploited.
b. Internal Asset Discovery and Penetration Testing
- Internal security testing will focus on identifying and exploiting vulnerabilities in the subnets, IPs, or hosts used by our systems.
- Pivot throughout the systems to further understand the impact of vulnerabilities.
- Using dummy data, demonstrate data exfiltration.
2. Provide a report on the security assessment activities undertaken and whether our implemented controls meet the required standard under the PSPF and ISO27001.
a. The report will document the findings of the assessments conducted, as outlined below, and will contain:
- Executive Summary: High level outline of the results of the assessment.
- Introduction: Introduction and background behind the testing.
- Methodology: Details the approach taken and the various tests conducted.
- Summary of findings: Overview of the findings.
- Detailed Findings: Detailed findings and recommendations for mitigation. Results of the tests will be presented in tabular form. Each component will be rated as Critical, High, Medium, or Low risk. Each finding will also detail the exploit method, and a description of how the exploit can be retested.
- Critical – a critical risk that should be fixed immediately and poses a very high risk.
- High – poses a high risk and should be addressed with some urgency.
- Medium – poses a risk and should be addressed promptly.
- Low – a finding has been noted and does not currently pose a serious risk but should be addressed when practical.
- Informational – does not by itself pose a risk; however, it should be reviewed to ensure it fits within the organisational security posture.
3. Provide a plan to outline the recommended activities to improve the Commission’s security posture over a reasonable time.
4. A debrief session for up to 2 different audiences.
5. We expect the services to be invoiced on a time and materials basis.
6. The specific scope of each individual testing engagement will be agreed in writing before commencement.
Estimated start date: Monday, 28 April 2025
Initial contract duration: 12 months
Extension term: 12 months
Number of extensions: 2
Working arrangements: Remote