Key problem/s

The National Gallery of Australia ("the Gallery") is seeking to mature its cyber security posture by addressing gaps in protection, detection and response capabilities, and move from largely manual processes to proactive, automated, and repeatable patterns. Our near-term goals include:

• improved protection, monitoring, detection, response, and remediation capabilities to better protect the Gallery's information assets and technology systems
• improved coverage of security fundamentals, including continuous asset discovery, vulnerability discovery and remediation, and attack surface management, and
• improved visibility of cyber security risks, continuous verification of security control effectiveness, and improved reporting capabilities.

The Gallery aligns its cyber security practices to the Australian Government Protective Security Policy Framework (PSPF) and Information Security Manual (ISM), prioritising security controls from the Australian Signals Directorate's "Essential Eight".

The users and their needs

The Gallery is Australia’s national visual arts institution dedicated to collecting, sharing and celebrating art from Australia and the world. We use a wide range of ICT infrastructure and business systems to support the delivery of our vision to be the international reference point for art in Australia, inspiring all people to explore, experience, and learn.

We are seeking information from suppliers of managed cyber security services about the capabilities they offer, recommendations on prioritisation and progressive delivery of capabilities, and information about the value proposition of their service offerings.

Capabilities under consideration include but are not limited to:

• Asset and vulnerability discovery, logging, monitoring, and alerting
• security information and event management (SIEM)
• security orchestration, automation, and response (SOAR)
• Security Operations Centre (SOC) capabilities, including managed detection, alerting, response, and remediation or escalation, and
• Internal and external attack surface management.

The Gallery operates a hybrid ICT environment which includes:

• On-premises and cloud-hosted servers and network infrastructure
• On premises and cloud-hosted / Software-as-a-Service (SaaS) applications and business systems
• End-user devices (laptops, workstations, etc.), and
• Managed & unmanaged mobile devices (phones, tablets, etc.).

We welcome suppliers' recommendations for relevant services and capabilities not listed above that would achieve the Gallery's cyber security goals, provided that they are cost-effective and fit-for-purpose. Solutions that are able to be delivered or expanded in a phased approach as resources and funding permit are desirable.

The Gallery may use responses received from suppliers to inform a future request for quotation (RFQ) for managed cyber security services if suitable capabilities are identified.

Work already done

The Gallery's ISD team, working with our MSPs, has made significant progress in implementing our Cyber Security Strategy and delivering milestones on the strategy roadmap. However, there are still gaps in the implementation and effectiveness of security controls, verification, and assurance, and many cyber security processes are largely manual, labour intensive, and reactive rather than proactive.

Technical/business constraints

The Gallery's Information Services Division (ISD) operates a small IT team that provides business enablement services including Service Desk, business-as-usual (BAU) services (routine and out-of-band patching, break/fix, etc.), server and application support, and project-based ICT services and support to all Gallery business units. The IT team is supplemented by two managed service providers (MSPs) whose responsibilities are split between network and infrastructure services. A demonstrated ability for suppliers to be able to effectively work with MSPs as required, including coordinating or escalating remediation activities, is desirable.

The Gallery uses the Microsoft M365 and Azure platforms to deliver a range of core business functions, including productivity, collaboration, and communications. The Gallery has a Microsoft A5 license, however some licensed Microsoft services would require storage or usage charges that may not be cost-effective for the Gallery to deploy. Suppliers may choose to leverage existing or licensed M365 and Azure capabilities where it would yield operational or cost benefits, however this is not a requirement and the Gallery welcomes innovative solutions.

The Gallery has an existing managed SIEM capability (FortiSIEM), including an on-premises log collector. Suppliers may choose to leverage existing capabilities where it would yield operational or cost benefits, however this is not a requirement.

The Gallery uses the HaloITSM platform to deliver IT Service Management and Service Desk capabilities. An ability for proposed solutions to integrate with this system is preferred.

The Gallery uses a wide range of on-premises and cloud-hosted / SaaS business systems to deliver our ambitious strategic objectives. Solutions that offer a longer-term pathway to monitoring and managing the Gallery's internal and external attack surface are desirable.

Response format

• References
• Relevant case study
• Presentation

Key dates/ milestones

Responses to this RFI may be used to inform and refine requirement for a future RFQ. If suitable solutions are identified and funding can be secured, the Gallery is likely to release an RFQ in Q4 of 2025.