REQUEST FOR TENDER
Information Technology Managed Service Provider (IT MSP)
RFT 2020/2021 003

The Australia Council for the Arts (Australia Council) is the Australian Government’s principal arts funding and advisory body. We are currently seeking the services of an Information Technology Managed Service Provider (‘IT MSP’) to administer and support the Australia Council’s technology environment.

The contract will be for an initial period of three (3) years with the option of two (2), one (1) year extensions exercisable at the sole discretion of the Australia Council.

This document is available until the closing date.

Issue Date: Friday 18 December 2020
Tender Closing Time: by Monday 8 February 2021 2:00pm AEDT
Lodgement Address: tenders@.au

*** PLEASE NOTE THE AUSTRALIA COUNCIL WILL BE CLOSED FROM 25 DECEMBER 2020 UNTIL 8 JANUARY 2021 INCLUSIVE WITH OUR OFFICE RE-OPENING ON MONDAY 11 JANUARY 2021 ***

Contents
REQUEST FOR TENDER
Lodgement of Tenders
PART A – Conditions for Participation
PART B – Statement of Requirements
PART C – Response Schedules (to be downloaded separately)
APPENDIX ONE – SLA & KPI
APPENDIX TWO – ACA Environment Overview
PART D - GENERAL TERMS AND CONDITIONS OF CONTRACT
Supplier Code of Conduct
IT Acceptable Use Policy
IT Security Policy

Lodgement of Tenders

Applications should be sent by a secure email and received by 2pm local Sydney, NSW time on Monday 8 February 2021.
The application should be endorsed with the above reference number and title addressed as follows: Information Technology Managed Service Provider RFT 2020/2021 003.

By email to: tenders@.au
Include email subject line: ITMSP Submission

Applicants are to submit an original application and any supporting material by the due date; late applications will not be accepted.

HAND OR POSTAL DELIVERY will not be accepted.
FAXED APPLICATIONS will not be accepted.

All enquiries in relation to this Request for Tender are to be emailed in the first instance.

Contact details:
Lassity Martin, Director IT
Australia Council for the Arts
PO Box 576
Pyrmont NSW 2009
Tel: +61 (0)2 9215 9000
Email: tenders@.au

Applicants are required to check the Australia Council website for any additional information which may be published while this RFT is open.

PART A – Conditions for Participation

A1. Invitation

Tenderers are invited to make an offer (Tender) that meets the requirements of this Request for Tender (RFT).

This RFT is expressly not a contract between the Australia Council and the Tenderer. Nothing in this RFT or in any tender is to be construed as to give rise to any contractual obligations, express or implied.

We reserve the right to stop or vary the tender process, determine a shortlist of Tenderers, negotiate or decline to negotiate with any Tenderer, negotiate with more than one Tenderer, or re-tender, at any time. We are not bound to accept the lowest priced tender or any tender.

If we make a variation to the original RFT, we will take all reasonable efforts to ensure that the Addenda or supplement is given the same distribution as the original RFT.

A2. Enquiries by Tenderers

All enquiries by potential tenderers should be made via email in the first instance.

A3. Lodgement of tenders

Tenders must be lodged by the Tender Closing Time shown on the cover page of this RFT. Before lodgement of tenders, the Tenderer must initial any alterations or erasures made to a tender.
Late tenders will not be accepted.

A4. Ownership of tender documents

All tender documents become the property of the Australia Council on lodgement.

A5. Non-Compliance

Any non-compliant tenders may be excluded from consideration.

A6. Tenderers to meet costs

Tenderers are to meet all costs of responding to this RFT, including preparation, submission, lodgement and negotiation costs.

A7. Tenderers to inform themselves

Tenderers are considered to have:
- examined the RFT and any documents referred to in the RFT as being available;
- satisfied themselves as to the correctness and sufficiency of their tenders including tendered prices.

A8. IMPROPER ASSISTANCE AND COLLUSIVE TENDERING

It should be noted that the Australia Council shall exclude from further consideration, tenders which have been compiled:
- with improper assistance of employees, ex-employees, any consultant or adviser to the Australia Council; or
- in collusion with other Tenderers.

A9. Draft General terms and Conditions of Contract

Draft general terms and conditions of contract are attached to this RFT. These draft contract terms and conditions are intended to form the basis of any contract between a successful Tenderer and the Australia Council. Tenderers please note, the Tenderer is taken to agree to accept these Draft Terms and Conditions of Contract.

Each part of this tender must be satisfactorily completed by the successful Tenderer at the sole discretion of the Australia Council. Where a part of this tender is not satisfactorily completed, the Australia Council will reserve the right to exclude the tender from further consideration.

A10. Conflict of Interest

You must declare any actual or perceived conflict of interest that is likely to arise if your submission is the successful tender and how this conflict is proposed to be managed.
Where, in the opinion of the Australia Council, the conflict of interest is one that compromises the integrity of the tender process and is unlikely to be able to be satisfactorily managed, the Australia Council reserves the right to treat your submission as unsuccessful.

A11. Procurement timetable

It is proposed that the following procurement timetable shall apply. We will strive to adhere to this timetable but reserve the right to vary dates whenever necessary.

Date | Activity
18/12/2020 | Request for Tender published
08/02/2021 | Request for Tender closes
Week commencing 08/02/2021 | Submitted Tenders acknowledged; Eligibility checked
Week commencing 08/02/2021 | Tenders evaluated by the Tender Evaluation Committee (TEC)
From 16/02/2021 | Shortlisted Tenderers will be invited to attend an interview/meeting/demonstration
By 09/04/2021 | Successful tender notified and contract issued; Contract executed by both parties
Week commencing 12/04/2021 | Unsuccessful tenderers notified
19/04/2021 | Work to commence

Where this timetable varies significantly, we will attempt to notify prospective Tenderers as soon as is practicable.

A12. Security, Probity and Financial Checks

We may, as part of the evaluation process, conduct such security, financial or probity checks as we consider necessary in relation to any Tenderer, its officers, employees, partners, related entities and nominated subcontractors. Tenderers will be expected to provide reasonable assistance to us regarding such checks, including supplying further information as we may request.

Any failure by a Tenderer to assist us in conducting these checks may have an adverse impact upon the evaluation of the affected tender.

A13. Notification

All Tenderers will be informed in writing of the outcome of their submission at the earliest opportunity.

A14. Confidentiality of Tenderer’s Information

Tenderers should note that if successful, parts or all of their response may be included in a subsequent contract.
Tenderers must identify any aspects of their response or the proposed contract that they consider should be kept confidential, including reasons. Tenderers should note that the Australia Council will only agree to treat information as confidential in cases that it considers appropriate. In the absence of such an agreement, Tenderers acknowledge that the Australia Council has the right to publicly disclose the information.

A15. Tender documents

Tender documents should include the following:
- A breakdown of the total cost of the service, with detailed costing identifying the items or services proposed, including and noting GST where applicable. If travel will be involved this should also be itemised and
- Company or organisation information such as corporate status, registered place of business, size, number of staff & turnover, and copies of financial statements demonstrating financial viability and insurance policies.
- Supporting information concerning the proposing organisation, its management structures and procedures, quality assurance procedures and demonstrated experience in the subject area of this RFT and related areas.
- Qualifications of the staff to be designated to the project.
- A risk analysis, setting out perceived potential risks, the level of potential impact of such risks and the contingencies to mitigate any potential damage resulting from such risks.
- Two referees to whom the Australia Council may address enquiries concerning previous experience in this area.
- A declaration of any partial or non-compliance with any provisions of this RFT. This includes not agreeing to any of the draft conditions of contract stating reasons and alternatives where appropriate.

PART B – Statement of Requirements

B1. Introduction

This section outlines the requirements for an IT MSP and covers the following areas:
- Introduction (this section) – provides the following information:
  - About Australia Council
  - Project Objectives
  - Current IT Environment
- Specification of Requirements – specifies Australia Council’s user requirements for the IT managed service, including:
  - Service Requirements
  - Technical Requirements
  - Security
  - Transition In / Out
  - Project Implementation
  - User Communication and Training
  - Support and Maintenance

ABOUT Australia Council

The Australia Council for the Arts (ACA, Australia Council, Council) is the Australian Government’s principal arts funding and advisory body. The organisation’s focus is on increasing the visibility of Australia's vibrant arts and culture, and recognising the evolving way that Australians make and experience art. The Council is a champion for Australian arts both here and overseas. It invests in artistic excellence through support for all facets of the creative process and is committed to the arts being accessible to all Australians.

Like all organisations the Council relies heavily on its information technology service to enable key business objectives and to create, collaborate and manage its information in a secure, performant and accessible manner.

PROJECT OBJECTIVES

Council’s primary objectives in making an approach to market for an IT MSP are as follows:
- Partner with an MSP that will proactively deliver high quality, stable, secure and responsive IT Services that represent value for money.
- Source an MSP that can work effectively with the Council and other IT suppliers including third-party Software as a Service (SaaS) partners.
- Secure an MSP with a depth of expertise in enterprise technologies, in particular Microsoft 365 and Azure platforms.
- Continue to leverage compliance, security, and automation opportunities available in the Microsoft platform offerings.
- Provide a reliable and appropriately performing business environment supported by foundation technology services, that is scalable to meet the Council’s needs over the life of the contract term.

Scope of services

The scope of required services includes:

Core services:
- Operational support and administration of the IT infrastructure environment including network, servers, Azure and the Microsoft 365 stack.
- End User support and provision of the IT Service Desk function.
- IT Service Management (aligned with ITIL best practice) including incident, problem and change management.
- Responsible for IT Security including access, authentication and ensuring the confidentiality, integrity and availability of Council’s data and IT services.
- Administration of the Microsoft Unified Communications (UC) environment including Teams telephony and voice services.
- IT strategy and architecture advice and thought leadership.
- Collaboration with third party suppliers and resolver groups to resolve incidents and problems and ensure high quality end-to-end services.
- As required, assist with integrations between key SaaS applications and the Microsoft platform for authentication and access management, and secure data transfers (to provide advice, and support Azure components).

Ad hoc services:
- IT enhancement projects as required

Desirable services:
- Expertise in Microsoft SharePoint and Teams configuration and administration.
- Expertise in developing and supporting Azure Web Apps.
- Database administration services.

CURRENT ICT ENVIRONMENT

The following information provides an overview of the technology environment at Council that must be supported by the successful IT MSP; this information should allow RFT respondents to size and cost their offerings.

Overview

The Australia Council operates a hybrid, multi-cloud computing model. The bulk of Council’s technology estate is cloud-based, centralised around the Microsoft O365 and Azure platforms with line-of-business systems being predominantly vendor-hosted. On-premise footprint is lightweight in design and scope, consisting largely of services such as printing, LAN/Wi-Fi, physical access control systems, meeting room conferencing equipment and a small number of legacy solutions marked for decommissioning.

This sets an important context for this approach-to-market. The preferred MSP will need to have a depth of technical competency in this service model and be able to demonstrate proficiency in managing a predominantly cloud-focused environment, including leveraging the security, compliance, service automation, and integration tools available within the O365/Azure platforms.

Overview diagram is provided in APPENDIX

Organisational Context

The IT service supports the following Council users with typical volumes shown

Component | Total
Users on Network | 120
Number of Networked Sites (1 physical) | 1
Service Desk Load (average monthly ticket volumes) | 140
# AD Domains | 1
# Wi-Fi Access Points | 17 (Meraki)

Key site details are shown in the following table.

Site Name | Tier | Connectivity
Pyrmont Head Office | Medium Corporate Office | Primary Internet: 400Mb TPG fibre; Secondary Internet: 100 down/ 40 up Macquarie Telecom NBN copper; Primary SIP: 10Mb Macquarie Telecom NBN copper; Secondary SIP: 4G Macquarie Telecom over Ethernet
Pyrmont Server Room | Server Room | Connected via Pyrmont Head Office Core Switch
Azure ACA-PROD | Azure Subscription | VPN to Pyrmont Head Office Firewalls over standard Azure internet connections.

Technical Characteristics

The current technology environment that must be supported by the MSP is shown below.

Category | Subcategory | Primary DC / Users
End User Computing Devices | Model | Microsoft Surface Book 2 i5 (108 devices); Microsoft Surface Book 2 i7 (10 devices); Intel NUC Ultra Mini PC i5 (2 devices)
 | User fleet | 118 (Surface Book); 40 (Council-owned Smartphones, predominantly iOS with some Android); BYOD (with MAM restricting corporate access to 1st-party Microsoft apps only)
 | Operating System | Windows 10
 | Device Management | Intune
 | VPN | Provides remote connectivity to Pyrmont and Azure-based resources.
Server | Server count & models (on-premise) | 2x Dell PowerEdge R730
 | Lease / owned | Owned
 | Support status | Under third-party support until July 2021
SAN | Model | Dell Storage Compellent SCv2020 ISCSI
 | Capacity, redundancy | 24 x 1.2TB RAID6 (24.5TB usable)
NAS | Model | Q-NAP TS-870U-RP
 | Capacity, redundancy | 8x 10TB, RAID5 (56TB usable)
Virtualisation (on-premise) | DCs / Clusters | 1 (Pyrmont)
 | Virtual networks | 17
 | Data stores | 6
 | Number of Hosts | 2
 | Host Memory (average) | 512GB (Average 100GB)
 | Number of VMs | 23
 | VM Licenses | vSphere Enterprise Plus
Virtualisation (Azure) | DCs / Clusters | 1 (Australia East)
 | Virtual networks | 7
 | Number of VMs | 9
 | VM Sizes | 5 x Standard B2s; 2 x Standard D4s V3; 1 x Standard B4ms; 1 x Standard F4s
Network | Core switch model | 2x Meraki MS250-24
 | Internet switch model | 2x Cisco 2960-CX 8TC-I
 | Floor switch model | 4x Meraki MS210-48FP
 | Management switch model | 2x Cisco 2960
 | VLANs | 12
Security | Firewall make & model | Fortigate 200E UTM (including IPS)
 | Number / load balanced | Two/Y
 | Firewall management | MSP
Backup H/W | Tape model | HP DL360 G9 Server; HPE 1/8 G2
 | Full image size | Domain Controllers – 40Gb; Print Servers – 80GB; Skype DMZ – 78GB; Skype Internal – 155GB; CM9 – 1.1TB; Syslog – 34GB; Gallagher – 51GB; Websites – 17.2Gb (one off)
 | Duration to complete | Incremental 15-30 minutes per job; Full 30-60 minutes per job
 | Software Platform | Veeam (for on-premise and Azure)
 | Rotation | To disk, then 1 tape/week and off-site via a 3rd-party
SQL Server | Databases | SQL Server – On-premise and Azure deployments
Voice Communications | PABX (Skype for Business) | Skype for Business 2015 server on-premise, Audiocodes Mediant 1000 Session Border Controller, Polycom Group Series; In-flight project to move to Microsoft Teams (cloud-hosted)
 | Handsets | Polycom VVX310; In-flight project to decommission handsets and move exclusively to headsets & soft clients for Teams calling; Possible retention of <5 common area phones including at Reception and in the lift lobby.
Server Room Equipment | Uninterruptible Power Supply | APC Smart UPS SRT 6000 with extender battery
 | Environmental Monitoring | APC Netbotz Rack Monitor 250
Audio Visual Equipment | Meeting Room Booking Panels | Crestron wall panels (under third party support) – but interface with Exchange for calendaring
 | Teams interop for Poly Group Series | Poly RealConnect for Teams x 2 licences. The Group Series devices are under a third party support contract but the MSP will need to manage the RealConnect for Teams interface.

Business System Environment

Council has line of business applications as well as other third-party providers that the MSP must be able to successfully collaborate with in order to deliver services to all Council stakeholders.

Listed below is an overview of the key business system used by the various business units. Detailed service catalogue will be made available to the successful MSP to assist in service

Component | Solution | Deployment
Finance | CI Anywhere (Technology One) | Vendor-hosted
EDRMS / Document & Records Management | Micro Focus Content Manager 9 (CM9); SharePoint Online Information Management Environment (IME) | On premise (archive record store – contains historical records); O365 tenancy SaaS – configured as a compliant information repository
Payroll | iChris (Frontier) | Vendor hosted
HR | PeopleStreme (Ascender) | Vendor hosted
Timesheet | Mitrefinch | Vendor hosted
Web Content Management System | Symphony CMS & Wordpress. In-flight project to move to Drupal | Hosted by Go Hosting as an IaaS offering. Future Drupal platform to be vendor-hosted (PaaS or SaaS)
Data Hubs (grants reporting secure extranet) | Bespoke solution leveraging Teams, SharePoint, Azure Web Apps and Power Automate solution set | O365 tenancy SaaS & Azure tenancy IaaS
Customer Relationship Mgmt. | Salesforce | SaaS
Data warehousing | SQL Server (VM) | Azure tenancy IaaS
Data Reporting and Visualisation | Power BI and Power BI Premium | SaaS
Application Management (Grants administration) | Fluxx Application Mgmt. System | Vendor hosted
Office Productivity, Security & Voice | Microsoft 365 E5 licenses; Email Filtering, ATP, Defender | 120 users

On-site Resources

Council will require the MSP to provide one onsite resource for end-user support during business hours at the Pyrmont ACA head office for the duration of this contract. The outcome required by Council is reliable, technically competent, professional and courteous service.

The MSP is expected to supply other resources on-site on a needed basis.

B2. SERVICE REQUIREMENTS

Australia Council expects the successful MSP to be aligned to contemporary service management processes and techniques. Industry-standard frameworks (preferably ITIL) provide best practice guidance. ITIL (or equivalent) embedded into MSP work practices is the core of clear and consistent communication and agreed expectations between ACA as a customer and the MSP.

General requirements expected from the MSP include:
- Delivery of technology services as outlined in this requirement including on-site resources.
- Adherence to Council Service Level Agreements and Key Performance Indicators as outlined in Appendix 1 of this section of the RFT.
- Periodic analysis and review of service performance against the Services Agreement.
- Management of the human and other resources necessary to ensure that required workloads are handled and that service delivery objectives are met.
- Effective communication and liaison with Council on all issues relating to the Services Agreement.
- Effective collaboration with third party IT suppliers to deliver high quality, seamless end-to-end services to the Council.
- Planning activities related to future service delivery or computing infrastructure changes.
- Providing advice on the acquisition and integration of new software products and upgrades of current software.
- Creation and maintenance of configuration documentation for the IT infrastructure, including details of all hardware (compute, storage etc.), applications, their dependencies and locations.
- Facilitation of storage and disposal of surplus, redundant and expired computing equipment.

Procurement Advice and Support

Council requires on-going advice and support in procurement decisions relating to information technology, which may include:
- Identifying and procuring appropriate solutions, both hardware and software.
- Seeking best value for money sources on behalf of Council.
- Analysing procurement options to optimise value for money.
- Executing approved procurement actions on behalf of Council.

Service Management

In order to manage the business relationship with Council, the vendor will:
- Designate a Service Delivery Manager (SDM) who will act as the primary point of contact for Council representatives. The SDM will have a competent understanding of the Council’s IT environment and the services delivered by the vendor.
- In addition to the SDM, the vendor will designate an appropriately-qualified senior engineer to be the technical lead on the Council’s account.
- Provide logistics support to the provider’s service delivery team.
- Prepare reports to Council management as agreed in the Relationship Management Plan.
- Define the lines of responsibility for the individual functions of the vendor.

Service Integration

The vendor will be the Council’s lead IT partner. As such, the vendor will play a pivotal role in coordinating service management processes across the IT landscape – for example, managing the resolution of incidents which affect a service supported by multiple service providers.

The vendor will demonstrate Service Integration and Management (SIAM) internal capability and be able to describe how they will work collaboratively with other IT partners to deliver high quality services to the Council.

Service Desk, Incident Management and Request Fulfilment

The Vendor will provide, manage and operate an IT Service Desk for all Council end-users. This service must operate during core business hours from 0800 – 1800. The vendor will also provide an emergency out-of-hours service allowing end-users to report urgent issues at any time. Out-of-hours requests are expected to be infrequent.

The vendor must use an appropriate IT Service Management (ITSM) toolset to log calls and support the Service Desk function. The toolset will provide a web-based interface for Council users to log and monitor the progress of their support calls as well as capability to log tickets by phone.
Council’s IT management must be given access to generate relevant reports and review tickets that have been logged by Council end-users.

The vendor must provide capability for internal Council resolver groups to participate in incident, problem and change management processes using the ITSM toolset.

The Service Desk will provide a central management point for service requests and the incident management process and will have the following responsibilities:
- Receiving requests for assistance during nominated support hours
- Assigning a service desk call or ticket number
- Determining with the caller, or representative, the particular nature of the request or fault and/or users and sites affected
- Assigning initial priority (classification) of a request or incident
- Resolving the service request or incident at the time of the initial call if possible.
- Assigning incidents and requests to an appropriate support person for resolution be these MSP, third party or Council resources.
- Managing the incident rectification process
- Reporting critical outages to Council’s IT Director and/or nominated representatives via an agreed, standard process.
- Co-ordinating maintenance support through third parties and providing appropriate escalation to Council where the third party fails to perform in accordance with its obligations to Council.
- Providing rectification status reports including reporting to Council if an incident is not going to be resolved within the agreed target time
- Marking incidents as resolved once a Vendor support representative reports that the case is closed
- Maintaining a Knowledge Base relating to Council’s systems and processes, including known errors and workarounds.
- Final closure of the service request or incident after a follow up call to the originator confirming satisfaction with the resolution.

Service Desk operators will prioritise all calls received and attempt to resolve as many as possible without referral to a second level of support. Calls that cannot be resolved quickly by the Service Desk operator will be referred to the appropriate second level support personnel. In the case of urgent calls, support personnel are to be directly contacted as a matter of urgency.

The Service Desk operator will give the requestor an estimate of the time it will take to resolve the issue and will make all effort to keep the requestor updated on progress. Upon resolution, the Service Desk operator will provide the requestor with a description of how the issue was resolved.

The Service Desk will maintain supervision of the resolution process until incident closure. Incident rectification status information, including estimated completion times will be obtained from the Service Desk during the nominated support hours.

Regular reporting of the Service Desk’s operation will cover call statistics, fault resolution performance or non-performance and the analysis of call data to identify common problems or other call or fault patterns.

Problem Management

The MSP is required to proactively analyse, coordinate and resolve problems in the IT infrastructure and supporting services.
Specific tasks expected to be delivered by the vendor include:
- Analyse the incident register for problems that cause multiple incidents
- Understand the root cause of multiple underlying incidents
- Develop action plans to resolve problems that cause multiple incidents.

Change/Release Management

The vendor will provide a secretariat function for the Council’s IT Change Advisory Board (CAB) and operate an effective change management process for all IT changes including:
- IT hardware of all descriptions, including fleet refresh.
- Operating systems software.
- Application software.
- Business productivity software.

Other Service Management services

The vendor will provide a full set of IT service management processes aligned with industry best practice, including Service Strategy, Service Design, Service Transition, Service Operation and Continuous Service Improvement. The vendor will be able to provide documentation to demonstrate their capabilities in the ITSM space and to explain how, if successful, they will apply ITSM best practice to the Council’s IT environment.

Service Transition-In / Out

The MSP is required to develop a transition-in plan and supporting methodology covering the on-boarding of Council services into the MSP’s environment. The transition-in plan must include but may not be limited to the following items:
- Project Management Plan including:
  - Roles and Responsibilities
  - Technical transition plan
  - Security transition plan
  - Risk Management Plan
  - Communication Plan
  - Change Management Plan
  - Detailed Gantt Chart

It is important for the IT MSP to define the approach and tools they intend to use to complete an audit of Council’s technical environment as part of transition-in.
It is expected that once all relevant devices, users and components of the IT service have been identified, these will be verified with the Australia Council IT Director as to inclusion/exclusion in the managed service scope and related costs.

The MSP is also required to provide a Transition Out plan. As a minimum it must include:
- Key Activities
- Typical Duration & Effort
- Inclusions/Exclusions
- Division of Responsibilities (MSP, Australia Council, New MSP)
- Costs

Technical Operations Management

The MSP is required to coordinate all technical operations activities relating to IT infrastructure on behalf of Council, and will be expected to:
- Provide day-to-day administration of, and support for the IT environment.
- Coordinate the operational activities of the MSP’s service delivery team.
- Ensure formal change control procedures are in place and followed for modifications to all IT infrastructure and services.
- Ensure Council as-built or deployed documentation is current.
- Maintain and document Standard Operating Procedures relevant to the supported IT environment.

Software License Management

The MSP will maintain a software license register, which will ensure that all software licenses, permits, registrations and consents are obtained and maintained in accordance with the relevant statutes and are consistent with the number of active users on the Council network.

The MSP will ensure that licenses and registrations required remain current and will advise Council of any issues relating to software licensing. The cost of procuring software licenses will be the responsibility of Council.

Sub-Contractors

The MSP may not sub-contract any part of its obligations under the Services Agreement, without the prior written approval of Council.
Notwithstanding any subcontract arrangements, the vendor will:Remain fully responsible for the servicesEnsure that all proposed sub-contractors have the necessary qualifications and experience and resources to deliver the specified services and standards and have quality systems compatible with those of the MSP.Business Continuity and Disaster RecoveryThe MSP will:Assist Council to develop and maintain IT Business Continuity Plan (IT BCP) and associated IT Disaster Recovery Plans (DRP).Update the IT BCP and DRP at least annually or whenever a major revision has been undertaken on IT services or underlying infrastructure. The IT BCP and DRP will be based on security and risk minimisation measures that ensure the achievement of service, application and equipment availability and performance requirements.Provide an IT support representative for participation in Council business continuity response team. The primary responsibility will be to discharge the responsibilities of the IT group in restoring IT services to operational levels. 
It is expected the MSP will provide an employee appropriately skilled to perform the tasks defined in the IT BCP and DRP.Undertake a full annual test of the IT BCP and DRP, with the support of Council.Security ManagementThe MSP will be required to provide strategic and operational security advice and comply with the Council’s IT security policies and applicable government legislation.The MSP must take a proactive, risk-based approach to IT security and will be required to contribute to the Council’s annual IT Security Plan and assign appropriately qualified technical leads to attend Security Review meetings with Council’s IT Management on a pre-agreed schedule.The MSP will be required to coordinate with third party suppliers at least annually to undertake vulnerability scanning (penetration testing) of Council’s internal and external IT systems and web applications, including tracking and remediating any vulnerabilities found.Expertise on security configuration and management in line with the following is critical:Recommended architecture and security practice with specific focus on Zero Trust methodology based on Microsoft 365 technologies to support future ways of working such as Remote work and BYODAll aspects of network security including firewalls, switches, VPN and security certificates.Australian Cyber Security Centre (ACSC) Essential Eight Australian Government Information Security ManualThe federal government’s Protective Security Policy Framework (PSPF).The MSP must comply with Australian Government protective security policies and procedures, as described in the PSPF, and adhere to any legislative or regulatory obligation under which the Australia Council operates.The MSP must be capable of configuring and managing Council’s IT systems in line with best practice security and hardening guides as provided by relevant hardware, software and application vendors.MSP resources must be pre-authorised by the Council’s Director, IT before being given access to 
Council’s IT systems.

The Council uses Privileged Identity Management (PIM) to manage access to Microsoft platforms. The MSP must use multi-factor authentication when accessing Council systems and restrict administrative privileges for MSP resources based on user duties. Incident detection mechanisms such as security event logging and antivirus must be implemented for all IT systems. All potential security incidents must be handled appropriately following an Australia Council agreed Security Incident Response Plan.

Performance Monitoring

Services Agreement Review

Council and the MSP will formally review the Services Agreement periodically to ensure the service provision is consistent with changing needs. The vendor will participate in formal and informal reviews of the Services Agreement and implement recommendations/changes and outcomes from these reviews in a timely manner with at least one formal review occurring quarterly.

Performance Standards

Service standards and performance indicators will be applied to this Services Agreement in order to report the MSP’s performance in relation to compliance with the Services Agreement. These standards and performance indicators will be monitored on a continuous basis and issues of concern will be raised for immediate action and resolution.

The MSP will report on its success in meeting the specified service standards. These standards may be added to or modified from time to time by agreement with Council.

Performance Reporting

The obligations of both the MSP and Council management with respect to formal communications will be detailed in an agreed Relationship Management Plan.

The reporting and assessment framework described below will serve as a guide to Council’s expectations.

Quarterly Performance Report and Review

The MSP will publish or make available online a quarterly Performance Report in an appropriate graphical and descriptive format.
As part of their response, the MSP should propose a format for the quarterly Performance Report.

At a minimum, the report should include the following:
- An Executive Summary providing an overview of performance against the Services Agreement, highlighting key achievements and areas for attention.
- Service Desk/Incident Management summary highlighting outcomes, trends and problems, including user requests, events and incidents; aged tickets and achievement against resolution targets.
- Security headlines for the period, including patch status and reference to Microsoft security scores.
- Change management outcomes including any emergency changes.
- Service availability
- Service lifecycle management and planning for renewal or retirement.
- Risk management
- Cost profile including additional charges levied over and above the core contract, or service credits applied.
- A summary of issues referred to third party suppliers for resolution, including any challenges or escalations required.
- Projects or any additional work on foot that is separate to the core contract.
- Opportunities for service improvement.

The report should form the basis for a quarterly review meeting between the MSP Account Manager and the nominated Council representative. The purpose of the meeting is to ensure IT service delivery is performing as needed, identify any emerging trends or issues requiring attention as well as planning any upcoming projects or additional work items.

B3. Technical Requirements

The MSP will manage IT infrastructure applications and services - including underpinning hardware, software, integrations and Cloud platforms - to a quality standard that meets Council business requirements.

Cloud applications and Software

Server and End User-installed software

The vendor will provide support for all licensed software in terms of installation, security updates, administration and general troubleshooting.
In broad terms the vendor will:
- Install and support all end user software applications comprising Council’s Managed Operating Environment (MOE), except as excluded in Section 5 which deals with items out of scope.
- Install and manage server-based applications, including liaison with third party vendors as required.
- Ensure installed versions are consistent with Council’s enterprise standards.
- Lead fault finding and problem resolution relating to software applications, including coordinating with other suppliers as needed.
- Harden software in accordance with vendor security guides.
- Ensure compliance with licensing terms.

Where it is necessary to engage the services of a third-party contractor or a supplier, the MSP will assume responsibility for providing appropriate access to systems, once authorised by nominated Council business users.

Software as Service applications

The vendor will provide support for Council’s SaaS applications as follows:
- Enable access from Council and BYOD devices.
- Configure and maintain Single Sign On functionality as requested.
- Facilitate infrastructure integrations such as mail relay, IP whitelisting or secure network access.
- Where possible, control deployment of updates to minimise impact on other Council systems.
- Advise on security matters.
- Assign licences and control licence allocation against Council entitlements.
- Maintain documentation about Cloud administration portals and support processes including logging tickets to third party support desks.
- General troubleshooting, where the root cause of an end user’s incident or problem is unclear.
Microsoft 365 and Azure

Microsoft Azure Administration

The vendor will be primarily responsible for configuration and administration of the Council’s Microsoft Azure subscription including:
- Subscription and environment governance including cost control and consumption management; set policies across resources and monitor compliance.
- Monitoring of Azure workloads and services.
- Configure, deploy and manage Azure platform components including system documentation.
- Manage routing; monitor, diagnose and resolve network issues.
- Patch, manage and back up virtual machines and services as required.
- Secure Azure resources and protect against threats.

Microsoft 365 Cloud Service Administration

The vendor will be primarily responsible for configuration and administration of the Microsoft 365 platform including the following activities:
- Tenant governance and licensing management
- Administrative support for the Microsoft Office applications within the E5 licence tier, ensuring software update policy is aligned with Council requirements.
- Service support including Azure AD identity governance and authentication, configuration of conditional access and Advanced Threat Protection, Exchange Online and Teams administration
- Security and compliance responsibilities such as O365 access management, Security compliance management, Security incident management, certificate management and threat intelligence
- Service monitoring
- O365 backup (using third-party tools)
- Liaising with internal ACA resolver groups with respect to specialist SharePoint Online configuration (as shown in the following RACI)
- Service design, transition, operation and continual service improvement.

The following RACI provides more detail about expected roles and responsibilities with respect to Office 365 capabilities.

[Figure: RACI describing roles and responsibilities with respect to Office 365 capabilities.]

Head Office Services

Enabling services associated with third party suppliers

Certain services at Pyrmont involve underpinning contracts
with specialist third party suppliers. These services are detailed below. For each of these, the MSP will be expected to provide the following core enabling services:
- Enable user access by installing any required components on end user devices.
- Collaborate with third party vendors to ensure that any required interfaces to Council systems such as Active Directory or Microsoft 365 are defined, documented and correctly configured.
- Where required, securely enable network connectivity between client-side and server-side components or to the Internet.
- Patch, manage and back up any associated servers, such as the print server.
- Patch and manage any dedicated desktop devices.
- Liaise with third-party vendors to coordinate planned maintenance, patches, upgrades or support of third-party system components.
- Ensure service interruptions and outages are managed via the incident management process and that changes are flagged at the weekly CAB and that, as far as possible, adverse impacts of any proposed changes are minimised.
- Troubleshoot as needed to resolve end user incidents and problems, including liaising with third party support as required.

In addition to the above list, the MSP will provide the following specific services as follows:

Printing and scanning Services

The MSP will support print and scanning on-site at Pyrmont, including:
- The core enabling services listed at 3.3.1.
- Configure and manage a follow-me print capability.
- Support a guest user printing capability.
- Configure user devices to print and scan according to Council requirements.

Building access control services

The MSP will support building access control at Pyrmont, including:
- The core enabling services listed at 3.3.1

Internet Services

The MSP will ensure internet and related data services are supported at Pyrmont, including:
- The core enabling services listed at 3.3.1
- Correctly configure firewalls, routers, switches and associated networks so that users can access the Internet.

Meeting Room services

The MSP will support meeting
room equipment at Pyrmont, including:
- The core enabling services listed at 3.3.1.
- Administer Poly RealConnect for Teams
- Work with specialist AV partner to ensure all IT dependencies are met so that AV services function as required by the Council.

Anti-Virus and malware

As described elsewhere, the MSP will maintain the Microsoft Advanced Threat Protection (ATP) platform for Council’s technology estate including configuration of Microsoft Defender on end user devices and servers.

The MSP will refine its administration and use of the ATP platform in line with the product suite roadmap, Microsoft recommended architecture guidance and Council IT Security policies.

Hardware

The MSP will manage and support, including the installation, upgrade, commissioning, or de-commissioning, all information technology equipment owned by Council. All equipment will be maintained in such condition that maximum availability and performance is achieved, and the risk of failure is minimised. The equipment categories involved are:
- Desktop equipment and environment:
  - Desktop computers
  - Laptop computers
  - Mobile devices e.g. smart phones
- Network equipment and cabling
- Uninterruptible Power Supply
- Environmental Monitoring Equipment
- Servers
- NAS and SAN storage systems
- Telephone / Communication system
- Ancillary equipment.
- Tape backup systems

Management and support of this equipment shall include both preventative and fault resolution activities, in liaison with suppliers and maintenance contractors. The MSP will ensure that any upgrades to the infrastructure conform to the established and agreed configuration. Purchasing of all IT equipment will comply with Council’s Purchasing Policy.

Managed Operating Environment

Managed Operating Environment (MOE) refers to a standard range of software, hardware and network devices that are tested to an agreed level of performance and interoperability.

The MSP will maintain separate MOE packages for each model of End User Devices deployed within Council.
The MSP will fully maximise the use of Microsoft InTune to manage end user devices.

The MSP and Council will make all efforts to minimise the variation in PC and notebook models based on Council’s Information Technology Policy. Changes to the MOE may be initiated by Council in consultation with the MSP and may include non-standard software applications, later versions of or configuration changes to equipment by appropriately skilled MSP personnel or 3rd party professionals.

The MSP will ensure that Council obtains the requisite number of software licenses for all MOE software. Council is responsible for the cost of all software licensing.

Server & Network Monitoring

The MSP will monitor the Council IT environment and network infrastructure, equipment and systems, 24 x 7, including observed Public Holidays in New South Wales.

The MSP will use systems to monitor the status of all systems, data communications and equipment within the Council IT environment including, but not limited to, the items defined in Section 1.4.2 and 1.4.3 of this RFT.

Server & Environment Maintenance

The MSP will manage and support servers and associated system software. This service will include management, capacity planning and provision of relevant reports to Council, which will ensure server availability is not compromised. This will include, but will not be limited to, the following:
- Check server performance statistics
- Ensure server backups and other server functions are running correctly (minimum daily)
- Implement recommended Operating System (OS) patches as required in line with ACA Security Policy and once successful testing has been completed
- Monitor and check server disk capacity utilisation
- Regularly review and clear log files and report outcomes

Network Management

The MSP will manage and support the infrastructure and configure the local area network (LAN).
This will include, but will not be limited to, the following:
- Manage and monitor the operation of Council LAN including Wireless Access Points
- Security management for Council LAN including Wireless Access Points
- Monitor WAN performance statistics
- Ensure router and firewall configurations are centrally stored and available for configuration of spare routers and access points in the event of failure
- Implement recommended software patches to routers, access points and firewalls upon successful completion of testing
- Maintain patch panel records and patch network and telephone ports as work

Security

The MSP will:
- Create user accounts and assign network permissions in accordance with Council IT Security policies.
- Security monitoring and alerting integrated with incident management processes.
- Provide a logon screen requesting users acknowledge acceptance of Council Information Technology Policies.
- Regularly review router and firewall log files and ensure relevant log files are retained for a sufficient period to allow analysis in the event of a security incident.

The MSP will be responsible for creation of system user accounts, logins, passwords and access rights for authorised users. Council will be responsible for periodic review of its requirements for user access. The MSP will support this review by periodically reporting the user access configuration for each business application and other shared resources.

Data Backup and Recovery

The MSP will be responsible for all server back-ups, restoration of data and storage of backup media.
These services will be provided in accordance with the Business Continuity Plan and associated IT Disaster Recovery Plans.

The MSP will provide a backup and recovery solution that supports full, partial and incremental backup and restoration processes for data located on-premise and in Azure, and for Office 365.

Third Party Management

If third party hardware is within warranty or is under a current maintenance and support agreement, the MSP will coordinate the supply of warranty / service by the third party vendor by logging warranty / support requests and monitoring the delivery of service by the third party vendor as per the warranty / support agreement.

The MSP will use its best efforts to assist in the resolution of problems with third party hardware which is out of warranty or not subject to a third-party maintenance / support agreement.

Telephony and voice services

Australia Council is currently transitioning its voice platform onto Microsoft Teams and would like to include support for Teams voice services as part of the MSP Service Agreement, as such a provider that is able to administer and support this platform would be highly regarded. Ideally the MSP will be competent to provide full support for Teams voice including IVR and call routing configuration. However, as a minimum the successful MSP must be able to provide initial triage and L1 support for escalation to a specialist third party vendor.

The MSP will be required to perform Level 1 support and administration tasks (adds, move, changes) for the VoIP communication system. All issues above Level 1 are to be escalated to the solution vendor and the MSP is to liaise with Council and the supplier to ensure adequate resolution of all problems.

B4. Other Services

The MSP will provide a number of other planned and periodic information technology services.
These include:
- Periodic consultancy and advice.
- Special projects assistance.

Where services listed here are sought by Council and requested by the respective manager, the MSP will prepare options for delivery of the required services. While it is expected that the MSP will be able to provide Council with periodic and special projects services from time to time, Council reserves the right to propose utilisation of external service providers where it deems this appropriate. In such cases, the MSP will liaise with and facilitate the work of such service providers, including transitioning completed solutions into operational support.

Power Automate

The Data Hubs application (secure extranet) is based on the Microsoft O365 and Power Automate platform. Any provider that has proven technical competency in this area would be highly regarded and Australia Council would be interested in exploring opportunities to consolidate administration and management of these services as appropriate.

B5. Out of Scope items

This section identifies items that will not be directly supported by the MSP. The MSP is however responsible for managing the interactions and problem resolution with other third-party organisations.

Printer, Photocopiers, Multi-Function Devices

A separate managed service agreement is in place to provide hardware and software support for this class of devices and is out-of-scope of the IT MSP except as described in Section 3.3.

Building Access Control System

A separate managed service agreement is in place for the access control system and is out-of-scope of the IT MSP except as described in Section 3.3.

Internet Services

A separate managed service agreement is in place for provision of a primary and secondary internet circuit at Pyrmont.
The IT MSP will need to liaise with the data and networking vendor in relation to any technical issues and as described in Section 3.3.

Application Support

Council operates a range of business applications that support Council’s operations and activities. The IT MSP will not be required to provide user application support for these systems.

The MSP is required to support any server and network components or dependencies, manage access and authentication and deployment of client software associated with these applications.

B8. Quotation

Your quote should include a comprehensive pricing breakdown including and noting GST where applicable.

Evaluation of Tenders

B9. Criteria

The Australia Council will appoint a Tender Evaluation Committee (TEC) to review and select the successful tender against the following criteria.

| Criteria | Weighting |
|---|---|
| Technical competency of MSP | 30% |
| Service Management approach and maturity of practices | 30% |
| Service transition plan/approach | 10% |
| Value for money | 30% |

Non weighted essential criteria
- Confirmation of the ability to commence the work on 19th April 2021
- Acceptance of the draft Terms and Conditions of the Contract (Part D)
- Evidence of all insurances required to perform the contract

B10. Your submission complying with all Parts of this Tender

Please note that in this evaluation, the Australia Council may seek information and referee reports from other sources. The selection of a preferred Tenderer will be based on the most efficient outcome for the Australia Council and this involves assessing value for money and quality of service against this RFT.
The cheapest option will not necessarily be the preferred option or represent the overall best value for money.

PART C – Response Schedules

Tenderers have been provided response schedules to complete as part of their submission in MS Word format, also available for download at: are required to provide the information requested to all items in the response schedules.

If a tenderer elects to submit their responses in a different format all information submitted must clearly align to and reference the specific response schedules provided.

Responses that do not conform to the above will not be considered.

APPENDIX ONE – SLA & KPI

The following tables outline Council’s key performance indicators that the MSP services must enable.

Indicator: Service Availability (covers all systems and services included in the agreement)

Coverage Hours: Core Hours = 0800-1800, 7 days
Required Availability: 99.99%
Measured by: System availability calculated on monthly basis as per formula below.
  SA = (C) – (OP) – (OU) / (C) – (OP) x 100
  SA = Service Availability
  C = Core Hours
  OP = Outage PLANNED (during core hours)
  OU = Outage UNPLANNED (during core hours)
  All times recorded in minutes
Rebate for SLA breach:
  >=98.9 and <99.99 = 2% Rebate
  >=97.9 and <98.9 = 4% Rebate
  >=96.9 and <97.9 = 6% Rebate
  >=95.9 and <96.9 = 8% Rebate
  < 95.9 = 10% Rebate

Coverage Hours: Non-Core Hours = 1800-0800, 7 days
Required Availability: 98%
Measured by: System availability calculated on monthly basis as per formula below.
  SA = (NC) – (NOP) – (NOU) / (C) – (NOP) x 100
  SA = Service Availability
  NC = Non-Core Hours
  NOP = Outage PLANNED (during non-core hours)
  NOU = Outage UNPLANNED (during non-core hours)
  All times recorded in minutes
Rebate for SLA breach:
  >=98.9 and <99.99 = 2% Rebate
  >=96.9 and <97.9 = 1% Rebate
  >=95.9 and <96.9 = 2% Rebate
  >=94.9 and <95.9 = 3% Rebate
  < 94.9 = 4% Rebate

Incident Management (Response Times and Prioritisation)

The following table outlines Council’s service restoration service levels for incident management.

Service Support: Incident management processes

| Incident Priority | Response Time | Target Restoration Time |
|---|---|---|
| 1 | 10 mins | 2 hours |
| 2 | 30 mins | 4 hours |
| 3 | 2 hours | 8 hours |
| 4 | 4 hours | 40 hours |

Measured by: Response and restoration time measured from time of incident being logged by MSP, it is assumed this will align with time of MSP being notified of or detecting the incident. Incident response time for priorities 1 and 2 will be calculated from contact by an MSP resource not just an automated email notification.

The following table provides an overview of the prioritisation rules for incidents.

Incident Priority 1:
Impact = whole of site / whole business unit or other corporate team
Unable to access key systems or services such as
- Network connectivity issues
- Print Services
- Collaboration Services unavailable
- Corporate systems unavailable (Finance, Grants Mgmt. etc.)
No valid workaround available

Incident Priority 2:
Impact = whole of site / whole business unit or other corporate team
Unable to access key systems or services such as
- Network connectivity issues
- Print Services
- Collaboration Services unavailable
- Corporate systems unavailable (Finance, Grants Mgmt. etc.)
Workaround exists

Incident Priority 3:
Impact = single or limited number of users
Limited access or intermittent access to systems
Work around exists

Incident Priority 4:
Request for a change or new service/device

Back-up Restoration

The following table outlines the service levels required for restoration of back-ups

Back up and Restoration: Applies to all services within this agreement

| Category | Restoration Time |
|---|---|
| On-site or dedicated Cloud storage | Commence within 2 business hours of request |
| Off-site storage | Commence within end of next business day |
| Back-up and Restoration testing | Scheduled testing as agreed with Council as part of transition-in activities |

Reported: Reported as part of Monthly management report and review. Report to include:
- Number of restore requests
- Number of success / fails
- Root cause analysis and recommendations for any failed restoration attempts
- Report on performance of periodic back-up and restoration testing

APPENDIX TWO – ACA Environment Overview

PART D – GENERAL TERMS AND CONDITIONS OF CONTRACT

Definitions

In this Contract:

“Australia Council” means the Australia Council for the Arts, ABN 38 392 626 187.
“Contract Price” means the total contract price specified in Part 1, including any GST component payable unless otherwise specified, but for the purposes of the Payment clause of the General Conditions of Contract only, does not include any simple interest payable on late payments.

“Contractor” means the person or company engaged to undertake the Services specified in Part 1.

“Encumbrance” means a security interest as defined in section 12 of the Personal Property Securities Act 2009 (Cth).

“Force Majeure Event” means an event beyond the control of any of the Parties, which prevents a Party or Parties from complying with any of its obligations under this Agreement, including but not limited to:
- A natural disaster such as, but not limited to, violent storm, cyclone, typhoon, hurricane, tornado, blizzard, earthquake, volcanic activity, landslide, tidal wave, tsunami, flood, damage or destruction by lightning, drought, explosion, fire;
- Acts of war, whether declared or not, acts of threats of terrorism, acts of civil unrest or disobedience, invasion, act of foreign enemies, mobilisation, requisition, or embargo; rebellion, revolution, insurrection, or military or usurped power, or civil war;
- Plague, epidemic, pandemic, outbreaks of infectious disease or any other public health crisis, including quarantine or other restrictions; act of authority whether lawful or unlawful, compliance with any law or governmental order, rule, regulation or direction, curfew restriction;
- Other unforeseeable circumstances beyond the control of the Parties against which it would have been unreasonable for the affected party to take precautions and which the affected party cannot avoid even by using its best efforts.

“Goods and/or Services” means:
- the Goods, Services, or Goods and Services specified in the Statement of Work; and
- all such incidental Goods and Services that are reasonably required to achieve the purposes of the Australia Council as specified in the Statement of Work.

“GST” means a
Commonwealth goods and services tax imposed by the GST Act.

“GST Act” means A New Tax System (Goods and Services Tax) Act 1999 (Cth).

“Intellectual Property” means all intellectual property rights which may subsist in Australia or elsewhere, whether or not they are registered or capable of being registered.

“Material” means any material brought into existence as a part of, or for the purpose of producing the Goods and/or Services, and includes but is not limited to documents, equipment, information or data stored by any means.

“Moral Rights” has the same meaning given in the Copyright Act 1968.

“Special Conditions” means the special conditions attached to this Contract required by the Australia Council (if any).

“Specified Personnel” means the personnel specified in the Contract to provide the Services.

Provision of Services

The Contractor must provide the Services to the Australia Council on the date agreed and in accordance with any instructions for the delivery of the Services specified in writing. The Contractor must promptly notify the Australia Council if the Contractor becomes aware that it will be unable to provide all or part of the Services by the relevant delivery date and advise the Australia Council as to when it will be able to do so.

Any Services must be provided to the standard that would be expected of an experienced and professional contractor of similar services and any other standard specified in Part 1.

Any Services must be provided free from all Encumbrances and must meet any standard specified in this contract, unless otherwise stated or agreed.

Acceptance

The Australia Council may accept or reject the relevant Services within 14 days after delivery of the Services or part thereof.
If the Australia Council does not notify the Contractor of acceptance or rejection within the 14 day period, the Australia Council will be taken to have accepted the Services on the expiry of the 14 day period.

The Australia Council may reject the Services where the Services do not comply with the requirements of the Contract. If the Australia Council rejects the Services the Australia Council may:
- require the Contractor to repair or amend the Services, within a period determined by the Australia Council, at the Contractor’s cost, so that the Services meet the requirements of the Contract; or
- require the Contractor to provide, at the Contractor’s cost, replacement Services which meet the requirements of the Contract, within a period determined by the Australia Council; or
- terminate the Contract in accordance with the Termination clause of the General Conditions of Contract.

Replacement, amended or modified Services are subject to acceptance under this clause. The Contractor will refund all payments related to the rejected Services unless replacement or amended Services are accepted by the Australia Council.

Title and Risk

Title to the Services transfers to the Australia Council upon their acceptance by the Australia Council in accordance with the Acceptance clause of the General Conditions of Contract. The risk of any loss or damage to the Services remains with the Contractor until their delivery to the Australia Council.

Invoice

The Contractor must submit a correctly rendered invoice to the Australia Council.
An invoice is correctly rendered if:
- it is correctly addressed and calculated in accordance with the Contract;
- it relates only to the Services that have been accepted by the Australia Council in accordance with the Acceptance clause of the General Conditions of Contract;
- it is for an amount which, together with all previously correctly rendered invoices, does not exceed the Contract Price;
- it includes a purchase order number (if relevant); and
- it is a valid tax invoice in accordance with the GST Act.

Approval and payment of an amount of an invoice is not evidence of the value of the obligations performed by the Contractor, an admission of liability or evidence the obligations under the Contract have been completed satisfactorily but is payment on account only.

The Contractor must promptly provide to the Australia Council such supporting documentation and other evidence reasonably required by the Australia Council to substantiate performance of the Contract by the Contractor.

Payment

The Australia Council must pay the invoiced amount to the Contractor within 30 days after receiving a correctly rendered invoice or if this 30 day period ends on a day that is not a business day, payment is due on the next business day.
The last day of this period is referred to as the “due date”.

Price Basis

The Contract Price is the maximum price payable for the Services and is inclusive of all GST and all taxes, duties (including any customs duty) and government charges imposed or levied in Australia or overseas.

The Australia Council is not required to pay any amount in excess of the Contract Price including, without limitation, the cost of any travel, packaging, marking, handling, freight and delivery, licences, insurance and any other applicable costs and charges.

Offset

If the Contractor owes any amount to the Australia Council in connection with the Contract, the Australia Council may set off that amount, or part of it, against its obligation to pay any correctly rendered invoice.

Quality Assurance

Upon request by the Australia Council, the Contractor must provide the Australia Council and its nominees with access to the Contractor’s premises to undertake quality audits and quality surveillance as defined in the relevant Australian Quality Standards of the Contractor’s quality system and/or the production processes related to the Services.

Insurance

The Contractor must obtain and maintain such insurances, and on such terms and conditions as a prudent contractor, providing services similar to the Services contracted for, would procure and maintain and if requested, must provide the Australia Council with evidence the insurances remain in force.

Indemnity

The Contractor indemnifies the Australia Council, its officers, employees and contractors against any liability, loss, damage, cost (including the cost of any settlement and legal costs and expenses on a solicitor and own client basis), compensation or expense arising out of or in any way in connection with:
(a) a default or any unlawful, wilful or negligent act or omission on the part of the Contractor, its officers, employees, agents or subcontractors; or
(b) any action, claim, dispute, suit or proceeding brought by any third party in respect of any use,
infringement or alleged infringement of that third party’s Intellectual Property rights or Moral Rights; in connection with the Services.The Contractor’s liability to indemnify theAustralia Council under paragraph (a) isreduced to the extent that any willful default or unlawful or negligent act or omission by the Australia Council, its officers, employees or contractors is proven to have contributed to the liability, loss, damage, cost, compensation or expense.The Australia Council holds the benefit of this indemnity on trust for its officers, employees and contractors.Approvals and ComplianceThe Contractor must obtain and maintain any licences or other approvals required for the lawful provision of the Services and arrange any necessary customs entry for the Services if relevant. The Contractor must comply with and ensure its officers, employees, agents and subcontractors comply with the laws from time to time in force in the State, Territory or other jurisdictions in which any part of the Contract is to be carried out and all Commonwealth laws and policies relevant to the Services.Conflict(s) of Interest The Contractor warrants that no conflict of interest exists, or is anticipated, relevant to the performance of its obligations under the Contract. If a conflict of that kind arises, the Contractor must notify the Australia Council immediately. The Australia Council may decide in its absolute discretion, without limiting its other rights under the Contract, that the Contractor may continue to provide the Services under the Contract.Warranties The Contractor must obtain all relevant third-party warranties in respect of the Services that the Australia Council receives in relation to the Contract. Access to Contractor’s Premises The Contractor agrees to give the Australia Council, or its nominee, all assistance reasonably requested for any purpose associated with this Contract or any review of the Contractor’s performance under the Contract. 
This will include, but is not limited to, access to premises, material and personnel associated with the Services and the Contract.

Criminal Code Acknowledgement
The Contractor acknowledges that the giving of false or misleading information to the Australia Council is a serious offence under Section 137.1 of the schedule to the Criminal Code Act 1995. The Contractor must ensure that any subcontractor engaged in connection with the Contract acknowledges the information contained in this clause.

Waiver
If a party does not exercise (or delays in exercising) any of its rights, that failure or delay does not operate as a waiver of those rights.

Variation
No agreement or understanding varying or extending the Contract, including in particular the scope of the Services, is legally binding upon either party unless it is in writing and agreed to by both parties.

Security and Safety
When accessing any Australia Council place, area or facility, the Contractor must comply with any security and safety requirements notified to the Contractor by the Australia Council or of which the Contractor is, or should reasonably be, aware.
The Contractor must ensure that its officers, employees, agents and subcontractors are aware of, and comply with, such security and safety requirements.
The Contractor must ensure that any material and property (including security-related devices and clearances) provided by the Australia Council for the purposes of the Contract is protected at all times from unauthorised access, use by a third party, misuse, damage and destruction and returned as directed by the Australia Council.

Conduct at Agency Premises
The Contractor must, when using Australia Council provided premises or facilities, comply with all reasonable directions of the Australia Council, and act consistently with the behaviours set out in the Australia Council Code of Conduct.

Contractor not to make representations
The Contractor must not represent itself, and must ensure that its officers, employees, agents or subcontractors do not represent themselves, as being an officer, employee, partner or agent of the Australia Council, or as otherwise able to bind or represent the Australia Council.
The Contract does not create a relationship of employment, agency or partnership between the parties.

Privacy Requirement
The Contractor agrees to comply, and ensure that its officers, employees, agents and subcontractors comply, with the Privacy Act 1988 (Cth) and do (or refrain from doing) anything required to ensure the Australia Council is able to comply with its obligations under that Act.
The Contractor will immediately notify the Australia Council if the Contractor becomes aware of a breach or possible breach of any of its obligations under this clause.

Confidential Information
The Parties agree not to disclose each other’s Confidential Information without prior written consent unless required or authorised by law, the Australian National Audit Office or Parliament.

Record Keeping
The Contractor must maintain proper business and accounting records relating to the supply of the Services and allow the Australia Council or its authorised representative to inspect those records when requested.
The Contractor will provide any assistance and information required should the Australian National Audit Office wish to conduct an audit of the Contractor’s accounts and records.

Freedom of Information (FOI) Act 1982 requirements
Where the Australia Council has received an FOI request for access to a document created by, or in the possession of the Contractor or its subcontractors that relates to the Contract and is required to be provided under the FOI Act, the Contractor must promptly provide the document to the Australia Council, on request, at no cost.

Commonwealth Records and Archives Act 1983 Requirements
The Contractor must not transfer, or permit the transfer of, custody or the ownership of any Australia Council record (as defined in the Archives Act 1983 (Cth)) without the prior written consent of the Australia Council.

Moral Rights
To the extent permitted by laws and for the benefit of the Australia Council, the Contractor consents, and must use its best endeavours to ensure that each author of Material consents in writing, to the use by the Australia Council of Material, even if the use may otherwise be an infringement of their Moral Rights.
You agree not to exercise any Moral Rights you may have against us in respect of the following uses of the Agreement Materials:
• failure to identify the authorship or any content in the Material (including without limitation literary, dramatic, artistic works and cinematograph films within the meaning of the Copyright Act 1968 (Cth));
• materially altering the style, format, colours, content or layout of the Material and dealing in any way with the altered Material or infringing copies (within the meaning of the Copyright Act 1968 (Cth));
• reproducing, communicating, adapting, publishing or exhibiting any Material, including dealing with infringing copies, within the meaning of the Copyright Act 1968 (Cth), without attributing the authorship; and
• adding any additional content or information to the Material.

Notices
Any notice or communication under the Contract will be effective if it is in writing and delivered to the postal address, or email address, or facsimile number set out in this contract.

Specified Personnel
The Contractor must ensure that the Specified Personnel provide the Services and are not replaced without the prior consent of the Australia Council.
At the Australia Council's request, the Contractor, at no additional cost to the Australia Council, must promptly replace any Specified Personnel that the Australia Council reasonably considers should be replaced with personnel acceptable to the Australia Council.

Intellectual Property and copyright licences
The Australia Council will own all Intellectual Property Rights in the Agreement Materials you create as part of the Services. You assign all present and future Intellectual Property rights subsisting in Agreement Materials to us.
If the Materials contain third party proprietary rights or your own previous material, you grant us an irrevocable, perpetual, non-exclusive, worldwide, royalty free licence to use, reproduce, publish, adapt and communicate all Intellectual Property Rights included as part of the Agreement Materials so that we can enjoy the full benefit of the Services provided under this Agreement.

Service Levels
All formal reporting will adhere to the Australia Council Style Guides, which outline the organisation’s accepted conventions for spelling, grammar, style, graphs and tables. The Australia Council is also committed to communicating in ‘plain English’. All reports will be written in plain, clear English, and be precise, clear, and readable.
The Australia Council reserves the right to contract an editor should formal reports not meet these guidelines.

Assignment
The Contractor must not assign or subcontract any of its rights under the Contract without the prior written consent of the Australia Council.

Subcontracting
Subcontracting the whole or part of the Contractor’s obligations under the Contract will not relieve the Contractor from any of its obligations under the Contract.
The Contractor must make available to the Australia Council the details of all subcontractors engaged to provide the Services under the Contract. The Contractor acknowledges that the Australia Council is required to disclose such information.
The Contractor must ensure that any subcontract entered into by the Contractor for the purpose of fulfilling its obligations under the Contract imposes on the subcontractor the same obligations that the Contractor has under the Contract (including this requirement in relation to subcontracts).

Termination
The Australia Council may terminate the Contract in whole or in part if:
• the Contractor does not deliver any or all of the Services by the relevant delivery date, or notifies the Australia Council that it will be unable to deliver the Services by the relevant delivery date;
• the Australia Council rejects any or all of the Services in accordance with the Acceptance clause of the General Conditions of Contract;
• the Contractor breaches the Contract and the breach is not capable of remedy;
• the Contractor does not remedy a breach of the Contract which is capable of remedy within the period specified by the Australia Council in a notice of default issued to the Contractor; or
• the Contractor:
  • is unable to pay all its debts when they become due;
  • if incorporated – has a liquidator, administrator or equivalent appointment under legislation other than the Corporations Act 2001 (Cth) appointed to it; or
  • if an individual – becomes bankrupt or enters into an arrangement under Part IX or Part X of the Bankruptcy Act 1966 (Cth).

Termination or Reduction for Convenience
In addition to any other rights it has under the Contract, the Australia Council, acting in good faith, may at any time terminate the Contract or reduce the scope or quantity of the Services by notifying the Contractor in writing. The Australia Council can terminate this Agreement, or reduce its scope, even though you are not in default, at any time by giving you written notice on the grounds of a material reduction in our parliamentary appropriation.
If the Australia Council issues such a notice, the Contractor must stop or reduce work in accordance with the notice; comply with any directions given by the Australia Council and mitigate all loss, costs (including the costs of its compliance with any directions) and expenses in connection with the termination or reduction in scope.
Where the Contract is terminated under this clause, the Australia Council will be liable for payments to the Contractor only for Services accepted in accordance with the Acceptance Clause in the General Conditions of Contract, before the effective date of termination (to a maximum of the Contract Price less any payments already made), and any reasonable costs incurred by the Contractor that are directly attributable to the termination, if the Contractor substantiates these amounts to the satisfaction of the Australia Council.
The Contractor will be entitled to profits for the proportion of the Services accepted before the effective date of termination but will not be entitled to profit anticipated on any part of the Contract that is terminated or subject to a reduction in scope.

Force Majeure
No party shall be liable or responsible to the other party or parties, nor be deemed to have defaulted under or breached this Agreement, for any failure or delay in fulfilling or performing any term of this Agreement (except for any obligations to make payments to the other party hereunder), when and to the extent such failure or delay is caused by a Force Majeure Event.

Survival
Clauses 2, 21, 22, 23, 24, 25 and 26 of the General Conditions of Contract survive termination or expiry of the Contract.

Dispute Resolution
For any dispute arising under the Contract:
• both parties will try to settle the dispute by direct negotiation as expeditiously as possible;
• if unresolved, the party claiming that there is a dispute will give the other party a notice setting out the details of the dispute;
• within five (5) business days, each party will nominate a senior representative of their organisation, not having prior direct involvement in the dispute;
• the senior representatives will try to settle the dispute by direct negotiation; and
• failing settlement within a further ten (10) business days, either the Australia Council or the Contractor may commence legal proceedings.
The Australia Council and the Contractor will each bear its own costs for dispute resolution.
Despite the existence of a dispute, the Contractor will (unless requested in writing by the Australia Council not to do so) continue its performance under the Contract.
The procedure for dispute resolution does not apply to action relating to termination or to legal proceedings for urgent interlocutory relief.

Compliance with Laws
The Contractor must ensure that it and all subcontractors comply with all relevant laws in connection with the Contract including any and all of its obligations under Australian tax laws.

General Data Protection Regulation (GDPR) (EU)
Where required the Contractor agrees to comply with the General Data Protection Regulation (GDPR) (EU) 2016/679 and to use adequate safeguards with respect to the protection of privacy and the fundamental rights and freedoms of individuals whose personal data you process under this Services Agreement.

Modern Slavery laws
In performing the obligations under this Services Agreement, the Contractor will (and will ensure that each and any of its subcontractors will):
• comply with the Modern Slavery Act 2018; and
• take reasonable steps to ensure that there is no modern slavery or human trafficking in the Contractor’s or subcontractors’ supply chains or in any part of their business.

Supplier Code of Conduct
The Contractor agrees to abide by the Australia Council’s Supplier Code of Conduct attached to these Terms and Conditions.

Applicable Law
The laws of New South Wales apply to the Contract.

Entire Agreement
The Contract represents the parties’ entire agreement in relation to the subject matter and supersedes all tendered offers (except to the extent they are incorporated into the Contract in writing) and prior representations, communications, Agreements, statements and understandings, whether oral or in writing.

SUPPLIER CODE OF CONDUCT
Issue No: 1.0
Date Issued: October 2020
Updated: N/A (version 1)
Scheduled Review Date: October 2022
Document Status: FINAL
Supersedes: N/A (version 1)
Prepared by: Rebecca Kenny, General Counsel
Approved by: The Board on 9 December 2020

INTRODUCTION
The Australia Council for the Arts (‘the Australia Council’ or ‘Council’) is the Australian Government’s principal arts funding and advisory body. We champion and invest in Australian arts and creativity. We support all facets of the creative process and are committed to ensuring all Australians can enjoy the benefits of the arts and feel part of the cultural life of this nation.
The Supplier Code of Conduct (‘Supplier Code’) sets out the standards of conduct required of a Supplier of goods and services to the Australia Council. The Australia Council requires their Suppliers to practise the highest level of ethical and legal standards when engaged to provide goods and services.
Specifically, we require our Suppliers to:
• Comply with all relevant laws and regulations;
• Implement diversity and inclusion practices and procedures within their business;
• Respect the protection of human rights by assessing and mitigating the risks of modern slavery to ensure the people and communities working within their operations and supply chains are not adversely affected by their business decisions;
• Ensure their employees and any subcontractors also comply with this Supplier Code; and
• Act responsibly and honestly, with integrity and transparency, in dealing with the Australia Council.
Suppliers must comply and monitor compliance with this Supplier Code, notify the Australia Council of any breaches of this Supplier Code and take reasonable steps to address, remedy and prevent reoccurrence of any breach of the Supplier Code Principles (Part 6).
Breach of this Supplier Code may result in the Australia Council terminating its contractual relationship with a Supplier.

PURPOSE
The purpose of the Supplier Code is to communicate the Australia Council’s expectations of and requirements for all Suppliers of goods and services to the Australia Council.

POLICY STATEMENT
The Australia Council values integrity and transparency when engaging with its Suppliers and seeks to work with other likeminded persons and entities that share the same principles and values. We require our Suppliers to comply with all applicable laws and, in all cases, to, at a minimum, meet the standards and principles set out in this Supplier Code. Compliance with such laws, standards and principles is a material consideration for us in assessing our procurement processes.
The Australia Council recognises the ethical and legal importance of protecting human rights and is committed to ensuring as far as possible that Council’s supply chains are free from modern slavery practices. We expect our Suppliers to share and adhere to this position.

SCOPE
The Australia Council requires that all its Suppliers comply with, and ensure their employees, contractors, consultants and Second Tier Suppliers are advised of and comply with this Supplier Code.

DEFINITIONS
Modern slavery for the purposes of this policy is defined under clause 6.4.
Modern Slavery Act 2018 means the Commonwealth legislation enacted by the Parliament of Australia on 29 November 2018 and which commenced on 1 January 2019.
Modern slavery practices are defined under Part 6.4.
Second Tier Suppliers are suppliers that provide goods and services to the Australia Council’s Suppliers (defined below).
Suppliers are defined as any organisation or person who provides the Australia Council with goods or services, including their subcontractors, agents, related entities and consultants.
Supply chains is defined as the products and services (including labour) that contribute to the Australia Council’s own products and services. This includes products and services sourced in Australia or overseas and extends beyond direct suppliers.

PRINCIPLES
The Australia Council expects Suppliers to act in an ethical and lawful manner by conducting themselves professionally and consistently with the following principles.

6.1 Compliance with the law
Suppliers must ensure that they and all their Second Tier Suppliers comply with:
• All relevant laws in connection with any legally binding contract they enter into with the Australia Council including its terms and conditions;
• All applicable laws relating to bribery, corruption, money laundering, fraud, tax evasion or similar activities including, where relevant, the Australian Criminal Code Act 1995;
• All relevant environmental protection laws, regulations and standards; and
• All relevant work, health and safety laws, industrial regulations as well as anti-discrimination laws for their employees, contractors and visitors in their workplace.

6.2 Governance
The Australia Council expects our Suppliers to:
• Have appropriate risk management and governance frameworks in place to ensure legal compliance and best practice standards are adhered to;
• Keep accurate records and ensure that information provided to the Australia Council is a true and accurate reflection of their operations, supply chain and business dealings;
• Have processes in place that encourage their employees and Second Tier Suppliers to report any non-compliance with this Supplier Code, anonymously if they prefer, and without retribution.

6.3 Diversity and Inclusion
The Australia Council values and supports diversity, equal opportunity and inclusion in its workplace and expects Suppliers to do the same.
Suppliers must not discriminate on the basis of gender, race (including colour, descent, nationality or ethnic origin), religion, religious belief or activity, marital/domestic status, family responsibility or parental status, pregnancy, breastfeeding, age, disability, personal associations, trade union or industrial activity, political opinion, lawful sexual activity, sexual preference, gender identity or intersex status. Discrimination based on any of the above will not be tolerated by the Australia Council.
The Australia Council respects and supports the legal status and importance of the culture, heritage and traditional rights of First Nations Australians, and requires its Suppliers to do the same.

6.4 Human Rights and Modern Slavery
The Australia Council is committed to adhering to the Modern Slavery Act 2018 and the protection of human rights and expects its Suppliers to do the same. This includes assessing and mitigating the risks of modern slavery in the way it conducts its operations and manages its supply chains.
Modern slavery practices describe the worst and most serious types of exploitation as follows:
• trafficking in persons – the recruitment, harbouring and movement of a person for the purposes of exploitation through modern slavery. Exploitation also includes the prostitution of others or other forms of sexual exploitation, forced labour or services, slavery or practices similar to slavery, servitude or the removal of organs;
• slavery – where the offender exercises powers of ownership over the victim;
• servitude – where the victim’s personal freedom is significantly restricted, and they are not free to stop working or leave their place of work;
• forced labour – where the victim is either not free to stop working or not free to leave their place of work;
• forced marriage – where coercion, threats or deception are used to make a victim marry or where the victim does not understand or is incapable of understanding the nature and effect of the marriage ceremony;
• debt bondage – where the victim’s services are pledged as security for a debt and the debt is manifestly excessive or the victim’s services are not applied to liquidate the debt, or the length and nature of the services are not limited and defined;
• the worst forms of child labour – involves situations where children are exploited through slavery or similar practices, including for sexual exploitation or engaged in hazardous work which may harm their health or safety, or used to produce or traffic drugs; and
• deceptive recruiting for labour or services – where the victim is deceived about whether they will be exploited through a type of modern slavery.
Suppliers must not engage, or be complicit in, any form of modern slavery practices.
Any suspected or actual situations of modern slavery practices in the Supplier’s business or supply chain must be reported to the Australia Council as soon as possible.

6.5 Second Tier Suppliers
The Australia Council expects that all Suppliers will have robust management processes in place for managing their own subcontractors so they can ensure that Second Tier Suppliers to the Australia Council operate in accordance with this Supplier Code.

6.6 Dealing with the Australia Council
In addition to complying with all terms and conditions of any contract entered into with the Australia Council, we require Suppliers to participate in contract performance reviews when requested and do all things reasonably necessary to protect the reputation, assets and information of the Australia Council in connection with the contract.
We acknowledge that this Supplier Code cannot cover every situation or scenario and our Suppliers will also need to make judgments on their legal and ethical responsibilities. We encourage our Suppliers to engage with their contract manager in the first instance on any issues that may arise or any questions or feedback about this Supplier Code.

Change history
Date: October 2020
Change description: N/A (first version)
Reason for change: N/A (first version)
Author: Rebecca Kenny
Issue no: 1.0

IT Acceptable Use Policy

1 PURPOSE
The IT Acceptable Use Policy provides guidance for all Australia Council officials, partners and service providers regarding appropriate use of Australia Council IT resources; and of the Council’s requirement that its IT resources are used in a legal, ethical and responsible manner. This policy forms part of the Australia Council’s IT Security Management Framework (ISMF), which includes the IT Security Policy, IT Security Plan and other related documents, as outlined in section 7.
The purpose of the ISMF is to proactively and actively identify, mitigate, monitor and manage information security vulnerabilities, threats and risks in order to protect the Australia Council and its assets, information and data. The ISMF sets the intent and establishes the direction and principles for the protection of the Australia Council’s IT assets. This is to enable continuous improvement of Council’s security capability and resilience to emerging and evolving security threats. The Australia Council Executive Team demonstrates its commitment to IT security through the issue of this policy. The Executive Director, Corporate Resources is the owner of this policy and is responsible for the review and enforcing the controls provided within the policy.

2 POLICY STATEMENT
The Australia Council for the Arts is committed to the appropriate use of information technology to support its arts funding, advisory and administrative functions. This policy defines acceptable behaviour expected of users of Council’s IT resources and services. The Council requires users to comply with its IT policies and associated requirements governing the use of IT resources and services as a condition of their use.

3 SCOPE
This policy applies to all users or providers of Australia Council IT resources – including (but not limited to) temporary, permanent and casual staff; Board members, consultants and contractors; agency staff; third party suppliers; peer assessors and visitors. It covers computing, collaboration and communications resources, examples of which include mobile and fixed line telephones, audioconferencing facilities, computers, tablets, printers, email, internet access, network applications, web services and similar resources. Use of remote or cloud-based systems accessed via IT systems is also covered by this policy. Council officials and other users must accept and comply with Australia Council IT policies as a condition of use.
This policy is designed to allow legitimate and optimal use of IT resources and services. This policy applies to use of Australia Council IT resources, systems and services at all times, regardless of whether such use occurs during business hours or on Council premises and applies to anyone connecting personally-owned equipment (e.g. laptops) to the Council’s network. This policy also applies to the use of information that may be accessed via the Council’s IT resources.

4 DETAILED STATEMENTS

4.1 Use of Australia Council IT resources
Information technology (IT) is of critical importance to the Australia Council in the support of core business activities and communications. In recognition of this, the Council provides computing, email, internet and communication resources to Council officials to facilitate their work, in accordance with need and available resources. No one may use the Australia Council’s IT resources for private commercial, political, religious or unlawful purposes. Officials may use communication facilities for personal purposes to a limited extent as per the Australia Council’s Code of Conduct Policy, which states:
Use of the telephones, including mobile devices provided by Council, and the internet for private purposes is acceptable if that use is short, infrequent and does not interfere with your work.

4.2 Legal duties when using IT resources
Australia Council officials have certain duties when using Commonwealth government resources, including IT resources. These duties arise under law and policy, including Commonwealth government legislation and policy; internal Australia Council policy; contract and common law. Below is a summary of the legal and compliance duties that all Australia Council officials must carry out when using IT resources. This applies to officials when carrying out work at Australia Council premises and away from the office.

4.2.1 Duty as a ‘public official’
Australia Council officials are required to comply with the Public Governance Performance and Accountability Act 2013 (PGPA Act). Sections 25 to 29 of the PGPA Act specify that staff of government agencies, including the Australia Council, are considered “public officials” for the purposes of their employment. Officials have an obligation to act with honesty and integrity when using IT resources and government resources. Failure to do so may be a breach of the PGPA Act. As a general rule and taking a “common sense” approach, IT resources should not be used for any purpose that is illegal or in contravention of policy or guidelines.

4.2.2 Privacy
All Australia Council officials are subject to the Privacy Act 1988 (Privacy Act), including when using IT resources. Officials should be aware of the Australian Privacy Principles that are part of the Privacy Act which protects individuals’ personal information. Officials should refer to the Australia Council’s Privacy Policy for further information. As part of their privacy obligations, officials should not deal with or disclose personal information, including to third parties, without the consent of the person to whom the information relates. Under the Privacy Act “personal information” means:
…information or an opinion, whether true or not, and whether recorded in a material form or not, about an identified individual, or an individual who is reasonably identifiable.
If in doubt about whether information could be personal information, please contact the Legal and Governance team.

4.2.3 Code of Conduct
Australia Council officials are subject to the Code of Conduct during their employment at the Australia Council. The Code of Conduct requires that officials act with honesty and integrity in carrying out duties and this extends to use of IT resources. Examples of when use of IT resources will be considered a breach of the Code of Conduct include posting online or sending:
• confidential, sensitive or inappropriate information about the Council, its employees or clients;
• commercial, political or religious material;
• solicitation of donations or subscriptions to political or religious causes;
• content promoting discrimination on the basis of race, colour, national origin, age, marital status, sex, political affiliation, religion, disability or sexual preference;
• offensive material (for example, pornography, racism, sexism, obscenities, insults, sarcasm) or content that may reasonably be considered offensive, threatening or intimidating;
• defamatory statements or rumours, about individuals or organisations.

4.2.4 Confidentiality
Some information received in the course of employment at the Australia Council will be considered confidential information. “Confidential information” means any information which has come to the knowledge of an employee by any means and which is given to the employee either directly or indirectly in the course of employment at the Australia Council but does not include:
a. information which, at the time of disclosure, was in the public domain; or
b. information which, subsequent to disclosure, enters the public domain except through breach of contract or any other obligation of confidence.
Australia Council officials should consider whether information is confidential when using IT resources and make sure that confidential information is secure and safe from disclosure.

4.2.5 Crimes Act 1914 and the Criminal Code
Australia Council officials are considered “Commonwealth officials” and are subject to the Crimes Act 1914 (Crimes Act) and Criminal Code Act 1995 (Criminal Code). The Crimes Act specifies at sections 70 and 79 certain offences, including disclosure of Commonwealth information or official secrets. Contravening the above legislation is an offence and officials should consider carefully any action they take relating to the disclosure of information when using Australia Council IT resources.
4.2.6 Freedom of information and Archives Act 1983

The Australia Council has obligations under the Freedom of Information Act 1982 (FOI Act) to provide information for public access. This means that information stored or used on Australia Council IT resources can be the subject of an FOI request at any time, unless an exemption applies.

Information produced by the Australia Council must also be kept for specific time periods under both the Archives Act 1983 (Archives Act) and Australia Council records management policies. Information can be requested under the Archives Act by members of the public and records must be preserved accurately on Australia Council IT systems. A record, once created, may only be destroyed in accordance with records management policy and legislation.

4.2.7 Intellectual property

Intellectual property may be received or created by Australia Council officials during the course of employment. This includes, but is not limited to, copyright; moral rights; Indigenous Cultural Intellectual Property; trademarks and other registrable material. Intellectual property should be treated in a secure and safe manner when using IT resources. Examples of intellectual property that may be received by Australia Council officials in the course of employment include:

• Photographs or other media created by clients of the Australia Council
• Indigenous Cultural Intellectual Property received as part of a grant application
• Material created in the course of employment at the Australia Council such as Australia Council publications
• Trademarks owned and used by the Australia Council
• Australia Council policies and procedure documents
• Media releases and communications
• Use of data and software licensed to the Australia Council

Australia Council officials should be aware of their obligation to ensure infringement of intellectual property rights does not occur when using IT resources.

A breach of intellectual property law could occur if Australia Council officials use material received via email or on IT resources without permission from the copyright owner. If you are in doubt about whether intellectual property rights exist, please contact the Legal and Governance team.

4.2.8 Contractors

Contractors must also be made aware of obligations under this policy and relevant legislation when using the Australia Council’s IT resources.

4.2.9 Working externally

Staff must be aware of their obligations when working offsite. This includes ensuring that a secure login and WiFi access is possible when using external devices.

4.3 Authorised use, access and authentication

Officials and other users are authorised to use Australia Council IT resources when assigned a user account, subject to the other conditions in this policy. Authority to use IT resources is not normally granted by other means. This does not apply to public services, which do not require authentication to access. All officials must have a user account.

Some IT resources are provided only for specific functions and may only be used by specifically authorised users. Users must use IT resources only in the manner intended for their role. All Council officials and other authorised users must comply with this policy and with the IT Security Policy, and all other applicable policies (see section 5: Interacting Policies).

4.3.1 Sharing accounts

Users must not share their user account, password or other authentication credentials. Users must not use an account assigned to somebody else. Users must not give means to a third party to access IT resources without approval from the Manager, IT Services.

4.3.2 Storing Council data

USB mass storage devices (e.g. USB “keys”) may not be used to store Council data without prior approval from the Manager, IT Services. Data may only be downloaded for legitimate business use. Data storage devices must be managed by the Australia Council.
Data may not be downloaded and stored on personally-owned devices, including by forwarding Council documents to personal email accounts.

4.3.3 Passwords

Passwords are used to authenticate a user’s identity and protect information resources from unauthorised access. Officials and authorised users should comply with the following guidance in relation to user account security:

• Passwords must be at least 8 characters in length and should be hard for others to guess. Passphrases are recommended as they are likely to be harder for others to guess than a single word; however, the most important criterion is that a password is both memorable and unique.
• Common passwords should not be used. For example, don’t use a single word (e.g. “princess”) or a commonly-used phrase (e.g. “Iloveyou”).
• Passwords should never be re-used for non-work-related purposes and should not be the same as or similar to ones used on any other website, otherwise cybercriminals could steal passwords from other sites and use them to hack into Australia Council user accounts.
• Passwords must not be inserted into email messages or other forms of electronic communication.
• Passwords must not be disclosed or shared with others.

4.3.4 Multi-factor authentication

Multi-factor authentication is where a second authentication method is used in tandem with a password and is one of the most effective controls an organisation can implement to prevent an adversary from gaining access to a device or network. The Australia Council requires that multi-factor authentication is implemented for all users, and supports the following authentication methods in addition to passwords:

• Microsoft Passport on a Surface Book managed device (using a PIN or Windows Hello biometric authentication)
• Two-step verification using email, SMS or a mobile authenticator app.

Biometric information is considered ‘sensitive information’ under the Australian Privacy Principles. Officials and other users electing to use biometric authentication to log in to their devices will be deemed to have consented to the collection of their biometric data for this purpose. Officials who would prefer not to use biometric authentication may opt to use a PIN instead.

4.3.5 Identity verification and security challenges

When setting up a Microsoft Office 365 account for work, users will be asked to provide security information (like an alternate email address and phone number) in order to respond to security challenges and receive security notifications. This information is private to each user account and is not visible to other users or IT administrators. Officials are encouraged to keep their personal security information up-to-date as this will support identity verification in the event that passwords are forgotten or if a cybercriminal tries to take over a user account.

4.4 Monitoring use of IT Resources

The Australia Council will take reasonable precautions to protect the security and privacy of its users’ IT accounts, but users should be aware that normal operation and maintenance of systems includes backup, logging of activity and monitoring of general usage patterns. In addition, Council may monitor individual usage and records in accordance with this policy.

Each person who uses IT (e.g. computers, laptops, smartphones, iPads or other tablet devices etc) and IT resources (e.g. networks, hardware, software, Cloud applications etc) should be aware that, in accordance with this policy, Council monitors usage on a continuing and ongoing basis. The technology supporting IT and IT resources involves recording, back-up and monitoring of all usage (including emails, Internet, hard drives, networks etc) for technology and data security purposes (such as system back up, network performance monitoring, software license monitoring, computer asset tracking etc).
Council may block or re-direct incoming emails if they are deemed to be harassing or offensive to the recipient, or if they are suspected of containing a virus or other malware.

Council may also monitor and access a user’s individual records and usage where it has a reasonable basis to do so, provided that Council will, at all times, comply with applicable legislation. Information obtained may include personal information of the individual, which will be managed in accordance with privacy legislation and Council’s Privacy Management Plan.

5 DEFINITIONS

Australia Council official(s) – has the same meaning as per Section 13 of the Public Governance, Performance and Accountability Act 2013 and includes Board members (when acting in their capacity as a Board Member) and all Australia Council employees, members and contractors.

Cloud - In the simplest terms, cloud computing means storing and accessing data and programs over the Internet instead of from your computer's hard drive or on-premise servers. The Cloud is a metaphor for the Internet.

Internet - The Internet is a massive network. It connects millions of computers together globally, forming a network in which any computer can communicate with any other computer as long as they are both connected to the Internet.

Malware - software that is specifically designed to disrupt, damage, or gain unauthorized access to a computer system.

Multi-Factor Authentication – is an authentication method in which a computer user is granted access to a given IT system only after successfully presenting two or more pieces of evidence (known as ‘factors’) to an authentication mechanism, as follows:

• something the user knows (e.g. a personal identification number (PIN), password or response to a challenge)
• something the user has (e.g. a physical token, smartcard or software certificate)
• something the user is (e.g. a biometric value such as fingerprint or iris scan).
IT – Information Technology

Remote Access - refers to the ability to access an IT resource, such as a home computer or an office network computer, from a remote location. This allows Council officials to work offsite, such as at home or in another location, while still having access to a distant computer or network, such as the office network.

User - A user is a person who utilises a computer, network service or other IT resource.

User account – is an established technique for connecting a user and an IT service. A user account is comprised of a username, password and any information related to the user. User accounts determine whether or not a user can connect to a computer, network or other IT resource.

WiFi – a facility allowing computers, smartphones, or other devices to connect to the Internet or communicate with one another wirelessly within a particular area.

IT Security Policy

Purpose

The IT Security Policy sets out the Australia Council for the Arts’ information security direction and is the backbone of the Council’s IT Security Management Framework (ISMF). The purpose of the ISMF is to proactively and actively identify, mitigate, monitor and manage information security vulnerabilities, threats and risks in order to protect the Australia Council and its assets, information and data.

The ISMF sets the intent and establishes the direction and principles for the protection of the Australia Council’s IT assets. This is to enable continuous improvement of Council’s security capability and resilience to emerging and evolving security threats.

The Australia Council Executive Team demonstrates its commitment to IT security through the issue of this policy. The Executive Director, Corporate Resources is the owner of this policy and is responsible for the review and for enforcing the controls provided within the policy. Key Security roles and responsibilities are described in Appendix A.

2. Scope

This policy applies to all users or providers of Australia Council for the Arts IT resources – including (but not limited to) temporary, permanent and casual staff; consultants and contractors; agency staff; third party suppliers, arts sector partners and visitors. This policy applies to all Australia Council IT assets and all devices connected to the Australia Council network, including cloud-based systems.

3. Policy Statements

3.1 Risk-based approach to IT Security

Information security forms a part of the Australia Council’s broader risk management processes. The Protective Security Policy Framework (PSPF) is published by the Attorney-General’s Department and represents better practice guidance with respect to IT Security. The Australian Signals Directorate produces the Australian Government Information Security Manual (ISM). The ISM is the standard which governs the security of government IT systems. It complements the PSPF.

Statement: IT suppliers and staff must take a risk-based approach to information security. Service providers must comply with Australian government protective security policies and procedures, as described in requirement GOV 12 in the PSPF, and adhere to any legislative or regulatory obligations under which the Australia Council operates.

3.2 Application Whitelisting

Application whitelisting of approved/trusted programs is a mitigation strategy to prevent execution of unapproved/malicious programs.

Statement: Application whitelisting must be implemented on workstations and servers to ensure that all non-approved applications (including malicious code) are prevented from executing. An application whitelisting solution must be used within standard operating environments to restrict the execution of programs, DLLs, scripts and installers to an approved set.

3.3 Application Patching

A patch is a piece of software designed to fix problems with, or update, a computer program or its supporting data.
This includes fixing security vulnerabilities and other program deficiencies and improving the usability or performance of the software. Application patching is an essential control to remediate security vulnerabilities that could be used to execute malicious code on systems.

Statement: The latest versions of applications should be used wherever possible. Systems with ‘extreme risk’ vulnerabilities should be patched within 48 hours. Other security patches should be applied within a month following their release by vendors.

3.4 Configure Microsoft Office Macro Settings

Microsoft Office Macros should be blocked from the Internet as they can be used to deliver and execute malicious code on systems.

Statement: Microsoft Office macro settings should be configured to block macros from the Internet, and only allow vetted macros either in ‘trusted locations’ with limited write access or digitally signed with a trusted certificate.

3.5 User Application Hardening

Flash, ads and Java are popular ways to deliver and execute malicious code on systems. By default, many applications enable functionality that is not required by users while security functionality may be disabled or set at a lower security level. This is especially risky for key applications such as office productivity suites (e.g. Microsoft Office), PDF readers (e.g. Adobe Reader), web browsers (e.g. Microsoft Internet Explorer, Mozilla Firefox or Google Chrome), common web browser plugins (e.g. Adobe Flash), email clients (Microsoft Outlook) and software platforms (e.g. Oracle Java Platform and Microsoft .Net Framework) that are likely to be targeted by an adversary.

To assist in securely configuring their products, vendors may provide security guides. For example, Microsoft provides Microsoft Office security guides as part of the Microsoft Security Compliance Manager tool.

Statement: Web browsers should block Flash, ads and Java on the Internet. Any security functionality in applications should be enabled and configured for maximum security. Any unrequired functionality in applications should be disabled. Vendor guidance should be followed to assist in securely configuring their products.

3.6 Restrict Administrative Privileges

Admin accounts are the ‘keys to the kingdom’. Adversaries use these accounts to gain full access to information and systems.

Statement: Administrative privileges to operating systems and applications should be restricted based on user duties. The need for privileges should be regularly revalidated. Privileged accounts should not be used for reading email and web browsing.

3.7 Patch operating systems

Security vulnerabilities in operating systems can be used to further the compromise of systems. Timely patching of operating systems is an essential strategy for limiting the extent of cyber security incidents.

Statement: The latest versions of operating systems should be used wherever possible. Unsupported versions should not be used. A patch management strategy must be defined covering the patching of security vulnerabilities in operating systems, applications, drivers and hardware devices. Systems with ‘extreme risk’ vulnerabilities should be patched within 48 hours.

3.8 Multi-factor authentication

Stronger user authentication makes it harder for adversaries to access sensitive information and systems.

Statement: Multi-factor authentication should be used to control access to Australia Council systems and data, including for VPNs, RDP, SSH and other remote access, and for all users when they perform a privileged action or access an important (sensitive/high-availability) data repository.

3.9 Daily backups

Backups are primarily a preventative measure to protect against loss of data resulting from system failure (disaster or other), virus/malware attack, system or human error.
Backups are an essential control and safeguard to ensure availability of Australia Council information being stored, processed or transmitted via IT systems, and to ensure information can be accessed again following a cyber security incident (e.g. after a successful ransomware incident).

Statement: Data must be backed up on a regular basis, protected from unauthorised access or modification during storage, and available to be recovered in a timely manner in the event of incident or disaster. Important new/changed data, software and configuration settings should be backed up daily, stored disconnected and retained for at least three months. Test restoration of backups should be performed initially, annually and when IT infrastructure changes.

3.10 Security Incident Management

Security incident management provides preventive, corrective and detective measures, ensuring a consistent and effective approach to the management of information security incidents, including communication of events and weaknesses, such as breach of access. Well designed, understood tools and processes will help contain, preserve (legal / forensic purposes) and limit any damage resulting from a security incident.

Statement: Incident detection mechanisms such as security event logging and antivirus must be implemented for all IT systems. All potential security incidents must be handled appropriately following the Australia Council Security Incident Response Plan.

3.11 User Access Management

Unauthorised access to systems could enable a malicious or accidental security breach, potentially resulting in productivity, reputational or financial loss. Only authorised users should be granted access to Australia Council systems. Access to systems and the information they process, store or communicate is controlled through strong user identification, authentication and authorisation practices.

Statement: All user access related requests (e.g. adding new users, updating access privileges, and revoking user access rights) must be logged, assessed and approved in accordance with the Australia Council User Access Management Process.

Statement: Users must be uniquely identifiable, and use of shared non-user specific accounts should be avoided. Multi-factor authentication must be used to confirm the claimed identity of a user. Passwords must comply with standards defined in the IT Acceptable Use Policy.

3.12 Logging and Monitoring

Security devices such as firewall, Intrusion detection / prevention, security event incident management, mail content filters and anti-virus all generate log data. The timely detection of information security incidents relies on comprehensive security log data being available from IT systems.

Statement: Key security-related events such as user privilege changes must be recorded in logs, protected against unauthorised changes and analysed on a regular basis in order to identify potential unauthorised activities and facilitate appropriate follow up action.

3.13 Cloud Security

The Australia Council is increasingly utilising Cloud solutions to deliver business solutions and functionality. This Policy explains what the Council expects of “Cloud Service Providers” to ensure all Australia Council information and system controls, and service expectations are met. All Cloud services must be assessed against compliance with the ASD ‘Essential Eight Strategies for Mitigating Cyber Security Incidents’, unless they are on the ASD Certified Cloud Services List, in which case they will be deemed already compliant.

Statement: Cloud based services must only be consumed following a formalised risk assessment to identify the necessary controls to be established by the Cloud Service Provider and the Australia Council to manage security risks to an acceptable level.
3.14 IT Asset Management and Configuration Control

Asset / Inventory management and configuration control is key to prudent security and management practices, providing context for all IT Security Policy statements. Without an accurate inventory, processes such as vulnerability management are difficult to implement. For example, in-scope devices may not be captured in an assessment when responding to critical vulnerabilities, so those devices will remain unpatched and therefore exposed to malicious exploit.

Statement: In the context of this policy, an IT asset is any Australia Council owned or managed device or service that connects to or is used by the Council in its business activities such as data link, physical device, application (including firmware), database and middleware.

3.15 Change Management

The Australia Council IT Change Management process ensures stability and availability of related information technology communication systems across the organisation. It is important to maintain the security of systems when implementing changes.

Statement: Any change to production information systems must be logged and assessed for security and risk impact as documented in the IT Change Management Process. The requirements, risk and impact of each request must be evaluated and the proposed risk mitigation solution must be documented and approved.

3.16 IT System Acquisition & Development

IT systems (applications, databases & middleware) are susceptible to attack and therefore security controls must be embedded throughout the whole acquisition development lifecycle.

Statement: Appropriate security measures must be in place during all stages of IT system development, as well as when new IT systems are implemented into the operational environment.

3.17 End User Protection

End user devices are the primary gateway to Australia Council data and business applications. Implementation of appropriate information security controls is necessary to mitigate the risk of inappropriate access to data and IT systems such as malware, information disclosure or loss. Consequently, end user protection is critical to ensuring a robust, reliable and secure IT environment. Failing to do so can result in an information security incident, causing financial and/or reputational loss to the Council.

Statement: End user desktop computers, mobile computers (e.g., laptops, tablets) as well as portable computing devices (e.g. portable hard drives, USB memory sticks etc.) must be protected with adequate security mechanisms to prevent the unauthorised disclosure and/or modification of Australia Council data.

3.18 Network Security

Network infrastructure and associated data links provide essential connectivity between internal and external systems. In order to provide mitigation against malicious activity, secure boundaries and connections need to be defined and managed in line with current security practices.

Statement: The Australia Council’s network architecture must be commensurate with current and future business requirements as well as with emerging security threats. Appropriate controls must be established to ensure security of Council data in private and public networks, and the protection of IT services from unauthorised access.

3.19 IT Recovery

Service availability is critical for Australia Council IT communications, infrastructure, systems and applications.
This Policy ensures that processes are in place to ensure the Council’s ability to recover from system and environmental failures, and that regular testing of these processes is afforded.

Statement: An IT Recovery Plan and relative process must be in place to enable the recovery of business critical Council services in a timely manner, to minimise the effect of IT disruptions and to maintain resilience before, during, and after a disruption.

Security Roles and Responsibilities

Security Role: Chief Information Security Officer (CISO) Security Executive
Role Description: A member of the Senior Executive team, responsible for the Australia Council’s protective security policy and oversight of protective security practices; sets the strategic direction for information security. The CISO is accountable for coordinating communication between security and business functions as well as managing and understanding the application of controls and security risk management processes.
Fulfilled by: Executive Director, Corporate Resources

Security Role: IT Security Adviser (ITSA)
Role Description: The ITSA advises senior management on the security of the Australia Council’s IT systems. The ITSA is responsible for information technology security management across the agency, acts as the first point of contact for the CISO and external agencies on any information technology security management issues, and ensures that IT security measures and efforts are undertaken in a coordinated manner within the Australia Council.
Fulfilled by: IT Services Manager

Security Role: Agency Security Adviser (ASA)
Role Description: The ASA is responsible for the day-to-day performance of security functions
Fulfilled by: IaaS partner (accountable to IT Services Manager)

Legislative and Government Framework

• Anatomy of a Cloud Certification – Australian Signals Directorate (ASD)
• ASD Protect: Essential Eight Explained - Australian Signals Directorate (ASD)
• Australian Government Cloud Computing Policy
• Australian Government Information Security Manual - Australian Signals Directorate (ASD)
• Certified Cloud Services List (CCSL) – Australian Signals Directorate (ASD)
• Cloud Computing Security for Tenants – Australian Signals Directorate (ASD)
• Cloud Computing Security guidance - Australian Signals Directorate (ASD)
• Information Security Management Guidelines: Risk management of outsourced ICT arrangements (including Cloud) – Attorney-General’s Department (AGD)
• Protective Security Policy Framework (PSPF) - Attorney-General’s Department (AGD)
• Protective security governance guidelines: Security of outsourced services and functions – Attorney-General’s Department (AGD)
• Secure Cloud Strategy – Digital Transformation Agency (DTA)
• Strategies to Mitigate Cyber Security Incidents - Australian Signals Directorate (ASD)