Penetration Tester

One of our Federal government clients is seeking to engage Penetration Tester.

Role: Penetration Tester

Location of work: Canberra / Sydney / Remote

Length of contract: 03 Months

Contract extensions: Possible extension

Security Clearance: Australian Citizen (client intend to process NV1 security clearance after onboarding)

Overview:

We are seeking a penetration tester to assist with the refresh of our interim Authority to Operate department for 2024. This is a crucial step as we prepare for another IRAP assessment to gain full department. Engaging an experienced cyber security penetration tester will help us identify and remediate any security vulnerabilities, ensuring our systems meet the stringent requirements of the IRAP.

The requirements of the engagement include:

• Test Scope: Identifying targets and test types based on threat modelling.
• Test Objectives: Pinpointing the penetration testers’ targets, determining the type of testing required, and gauging what success looks like.
• Attack Sources: Testing from both internal and external sources to the Department.
• Test Schedule: Establishing a timeline for the testing activities.
• Test Cases: Informed by industry guides.
• Rules of Engagement: Outlining permitted and disallowed activities during testing.

The Penetration Test Report should include:

• Executive summary
• Scope
• Constraints and Assumptions
• Findings – Outcomes (positive or negative), Vulnerabilities, and Issues
• Recommendations

At a high level, the test scope will focus on penetration testing of the BuyICT platform only.

The vendor should be aware that BuyICT operates off the ServiceNow platform.

Any person working on this engagement will be required to sign a non-disclosure statement and the seller will need detail how they will ensure the security and confidentiality of our data during the testing process.

Applicants must have provided evidence to demonstrate at a minimum (or the equivalent of):

• five (5) years of Technical ICT experience
• two (2) years of information security experience securing Cloud SaaS using the Australian Government Information Security Manual (ISM) and supporting publications

Key duties and responsibilities

The duties of the engagement include:

• Test Scope: Identifying targets and test types based on threat modelling.
• Test Objectives: Pinpointing the penetration testers’ targets, determining the type of testing required, and gauging what success looks like.
• Attack Sources: Testing from both internal and external sources to the Department.
• Test Schedule: Establishing a timeline for the testing activities.
• Test Cases: Informed by industry guides.
• Rules of Engagement: Outlining permitted and disallowed activities during testing.

The Penetration Test Report should include:

• Executive summary
• Scope
• Constraints and Assumptions
• Findings – Outcomes (positive or negative), Vulnerabilities, and Issues
• Recommendations