Tender Advertisement #1388698

Implementation of the priority recommendations of the Protective Data Security Maturity Assessment completed in June 2022
This project focusses primarily on the Security Governance, ICT and Information Security actions identified within the assessment.

Security Governance
1. Establish an Information Security Management Framework
4. Develop and deliver information security training and awareness for all relevant personnel
6. Develop and test an information security incident response plan

Information Security
8. Update the Records Management Policy, including reference to information security requirements (this will also include the digitisation plan)
9. Establish an Information Asset Register
11. Develop an identity and access management policy

ICT Security
14. Develop system security plans for systems storing high-value information assets
15. Implement a formal system change management process

The project is scheduled to commence in November 2023 and to conclude/ be implemented by June 2024. Consultation will be required across various departments of Council and the consultant will be required to work closely with the Governance and Risk Department of Council
TENDERS.NET - http://www.tenders.net


Questions as at 9 October 2023
• Who are the key council participants involved in the project.
Governance and Information Management / ICT – Rebecca Smith - Manager Governance and Risk, Dannielle Kraak – Coordinator Governance, Chris Whyte - Manager ICT & Information Management and IT helpdesk and support officers.

• Have Council identified the stakeholders that would be involved in the IAR Development ?
Please see attached updated Organisational structure. Storage and management of Council information is the responsibility of all staff. This project will focus on leadership, Information Management, Governance and ICT to be part of consultation and or training.

• Can the project and order of deliverables be identified at the project initiation phase or have Council identified the order of delivery?
The order of deliverables can be identified as part of project initiation phase.

• Do Council have a budget set for the delivery of all items?
Council has a budget for the PDSP implementation within its entirety, however as this RFQ is part 1 of the broader findings Council has not given an indicative figure. This will be part of the assessment criteria based on the deliverables of the RFQ submissions.

• Is this RFQ being issued as part of the MAV Panel ? ICT Professional & Leasing Services (ES8111-2021)
No, this is a separate RFQ process.

• Is the council seeking general security awareness and training material or specific targeted training covering specific domains or capability, e.g. Incident Management Response versus Generic onboarding type awareness and training.
Yes

• Does council require training to be provided face to face or is training for upload to a learning management system?
Preferred Learning Management System

• Does the establishment of the asset register include any requirement to procure and/or deploy a technical solution?
IAR must be/or comply with the OVIC standards

• Does the establishment of an asset register require inclusion identification of all assets and population of the register?
Yes
• How many systems or individual system security plans are anticipated for the environment?
We don’t know how many systems or individual system security plans are anticipated for the environment. We need the IAR completed to identify all systems and information stores.

• Does this require implementation of technologies and software solutions to support change management, or just the processes within the council?
Processes in this point of time.