EL2 Senior Security Expert - RFQ-19737


The Senior Security Expert will provide services as a senior information and cyber security analyst, to oversee the technical implementation and delivery of a suite of priority cyber security services to Services Australia and its partners, including the Australian Signals Directorate (ASDs) recommended service offerings. This role is required to have in-depth knowledge of specific ICT security models to provide expert advice on the creation and operational maintenance of system roles, access authorizations, and security profiles and promote the development and exploitation of ICT security knowledge. The Senior Security Expert will be working in a small team overseen by Agency project management.

Primary Technologies: MS-Office productivity applications, MS endpoints (server and desktop Operating Systems) and endpoint security controls associated with ASDs

Essential Eight, DNS and other network protocols of interest to Cyber operations, Hostbased Intrusion Detection / Prevention Systems (HIDS/HIPS), Wintel, Linux and other mid-range platforms, secure network and gateway service technologies.

The Senior Security Expert Key Tasks/Duties may include some or all of the following:

  • Implement security/access management policies and procedures.
  • Plan and implement security policies and procedures.
  • Ensure security regulations are observed at all times and ICT teams follow methodology.
  • Review scheduled security reports to track and report on compliance.
  • Perform complex risk assessments to identify high-risk access privilege assignments and segregation of duties conflicts.
  • Monitor and manage change requests to ensure that ICT systems are under change control.
  • Provide expert technical advice, support and recommendations on security best practices.
  • Manage alignment of cyber security controls with corporate level information and cyber security requirements.
  • Assess cyber security/access management policies and procedures.
  • Assess and report on cyber security policies, procedures and controls relating to the project and services.
  • Oversee validation activities for cyber security projects to completion.
  • Provide expert technical advice, support and recommendations on GRC best practices in relation to government information and cyber security policy, threat and risk management frameworks.
  • Proactively share knowledge and expertise as the cyber security GRC subject matter expert, and provide assistance and mentorship to less experienced colleagues.
  • Document a range of technical / risk assessment documentation and reports including (but not limited to):

a. Security Risk Assessments (SRA).

b. Threat and Risk Assessments (TRA).

c. Statements of Applicability (SoA).

d. Security Risk Management Plans (SRMP).

e. Privacy Impact Assessments (PIA).

  • Negotiate, engage and manage relationships with other service providers to build security services and related project delivery capability.
  • Collaborate with a broad range of internal and external stakeholders to achieve project outcomes.
  • Encourage innovation, continuous improvement and manage and support change.
  • Core responsibilities include:
  • Deliver a range of technical / risk assessment documentation and reports relating to the delivery of cyber projects including (but not limited to):

a. Security Risk Assessments.

b. Threat and Risk Assessments.

c. Statements of Applicability.

d. Security Risk Management Plans.

e. Privacy Impact Assessments.

  • Provide leadership, direction, and oversight for GRC services and activities to support the projects.
  • Manage the assessment and reporting of information and cyber security risks, governance and compliance controls with regard to systems, processes, procedures, tools and techniques utilized by the services.
  • Provide leadership on GRC system and process management at the organizational and business levels.

Estimated start date Monday, 21 August 2023

Initial contract duration 5 Months

Extension term 6 months

Number of extensions 2

Location of work ACT, QLD, SA, VIC

Working arrangements: The contractor will be required to attend and undertake their work at a client’s office in one of the nominated capital cities for a minimum of 3 days per week. The client will consider flexible working arrangements including a 32 hour four day week once these requirements are met.

Security clearance Must have Baseline


Mandatory Criteria

1. Demonstrated experience and success delivering governance, risk and compliance documentation including SRA, TRA, SoA, SRMP and PIA, using Federal Government information security policy (i.e. Information Security Manual, Protective Security Policy Framework) and the ACSCs Cyber Security principles and guidelines and recommended service offerings.

Weighted Criteria

1. Demonstrated experience in supporting the delivery of strategic, contemporary cyber security solutions.

2. Demonstrated knowledge of industry Cyber Security frameworks, best practices and standards.

3. Demonstrated knowledge of industry public cloud best practices and standards.

Adelaide, SA

Australian citizenbaseline clearancebaseline security clearancecybersecurity principlesGRCinformation systems security principlesProtective Security Policy Frameworkpublic cloud platformsSecurity Risk Management PlanStatement of Applicability (SOA)Threat management