Security Assessment Services

The Gallery requires Security Assessment Services and will select a partner who can

• Develop System Risk Management Plans for one or two of the Gallery’s business systems (as agreed).

Development of the SRMPs will include:

• Systems risk analysis;
• Document discovery;
• Discovery workshops;

Security documentation, including:

• System Overview Document (for business system assessments);
• Security assessment report;
• Plan of action and milestones;
• Continuous monitoring plan; and
• System Security Plan Annex.

Suppliers must undertake penetration testing of the Gallery’s ICT environment and produce a report identifying any gaps or exposures. Penetration testing will be conducted on targeted services and are to be negotiated with the Gallery based on priority and in line with threat pathway assessment findings.

Suppliers may recommend either combining deliverables or additional services and deliverables if they believe it represents best practice in alignment to scope.

Estimated start date: Monday, 15 December 2025

Initial contract duration: 6-months

Extension term: Not applicable

Location of work: ACT

Working arrangements: Hybrid

Additional budget information: 50k ex GST