Govt asks industry for help to stem security breaches

Privacy and security breaches lead Department of Internal Affairs to set up special-purpose security panel

IT security firms have been asked to put themselves up for membership of a special-purpose panel to provide security services across all of government.

The move is partly in response to a number of recent incidents involving privacy and security breaches at government agencies, commissioning agency the Department of Internal Affairs says.

It sees the panel arrangement as a way of ensuring more consistency in security "skills and techniques" provided to agencies.

"The government has a declared objective to raise the standards of security and privacy practice and behaviour across the public sector," DIA says in a request for proposal for the services. The envisaged panel of specialist information security and privacy suppliers will make it easier for agencies to "source high quality specialist assistance in an easy to access manner", it says.

To date, agencies have sourced ICT security services either from individual providers or as part of an existing panel arrangement for other ICT supplies. "As a number of the existing panels are nearing the end of their term and to ensure agencies can rely on a consistent and highly qualified set of specialist skills and techniques, DIA is establishing the [specialist security] panel with a number of additional service options," DIA says.

These "additional service options" provide another dimension of flexibility in future arrangements based on the panel. Potential suppliers are given the option of undertaking to provide one or more of a number of initially proposed services, but "once the panel is established, DIA will be keen to engage with the wider market to explore and agree any changes or additions to the initial service options," the RFP says.

"Such change may also be made as required, based upon agency feedback on the relevance of the service options, as standards of security and privacy practice mature or other events dictate."

An all-of-government request for provision of security services marks a new openness in the membership of supplier "panels". After an initial panel has been formed, new potential suppliers will be allowed to put themselves up later to join the panel.

Usually in the past, once supplier panels are formed, they have been restricted for the contract period to only those members initially appointed.

The new open-style panel follows a major reform of government procurement. ICT industry organisations have for some time been pressing for increased openness of panels (Computerworld, December 17, 2012).

The openness of the panel is made clear in a paragraph in Section 10 of the RFP: "A process will also be supported that will allow interested suppliers to join the Panel after it has been established," it says.

"Should this occur, the same evaluation criteria will be used as for this RFP document. It is expected that this will be via a standing Notice that is made continuously available on GETS that allows interested suppliers to respond on an ongoing basis. This is referred to as an 'open' panel and is supported by the Government Rules of Sourcing that have recently been approved by Cabinet. It is planned that DIA will evaluate any requests from interested suppliers to join the Panel each quarter, if required, for efficiency reasons."

The initially requested set of expertise areas is: risk management, assessment and assurance; security governance, architecture and design; security consulting and review; certification and assurance; source code and application review; network and application security testing; and computer forensics, investigation and security incident response.

Provision of such services in a coordinated way through a panel should help achieve some of the "key elements to lifting information security and privacy practices and standards across the public sector", DIA says. These key elements include: "Implementing security and privacy practices as an integral part of an agency's overall risk management activity; setting expectations on the standards required for information security and privacy that are effective, achievable and enduring in the short term; and providing assistance and monitoring performance in lifting standards as appropriate and needed."

The sourcing of security services is classed as a "common capability ICT (CC-ICT) procurement". This means DIA will enter into an agreement with the chosen members of the panel. "Eligible agencies can then sign up to a Security Services Subscription Agreement with the service provider(s) to purchase services made available under the CC-ICT Agreement(s)."

The panel's services will be available to a large group of agencies including public service departments, Crown entities, state-owned enterprises, the NZ Defence Force, the Police, the SIS, the Clerk of the House of Representatives and the Parliamentary Service, as well as local authorities.

Stories by Stephen Bell

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts