The RBA explained that it currently relies heavily on a mix of manual and automated processes to enforce bank controls, but believes a new IDAM environment would help “futureproof” the bank, reduce the risk of unauthorised data access, and support staff with the delivery of normal operational activities.
“Whilst these processes are acceptable in the current landscape, additional capabilities have been identified to implement more robust controls so as to future proof and make these fully effective in their intended undertakings,” the RBA said in its tender request.
“In order to realise this initiative, the IDAM project has been initiated, where the bank is seeking the supply of one or more products and related services to uplift this technology area.”
Under the IDAM project, the RBA said it wants to see the delivery of identity governance and administration, hybrid identity infrastructure and password-less multi-factor authentication capabilities, a privileged access management system, and customer identity access management integration.
According to the request for tender, the RBA wants the solutions to have a minimal on-premise footprint, but it did not specify whether it needed to be completely in the cloud, despite the fact that the bank is currently implementing a cloud-focused strategy.
The successful vendor will enter an 18-month contract, with a possible three-year contract for ongoing support.
The planned start date for the project is November 2021, with completion expected by April 2023.
During a round of audits last year, the Australian National Audit Office found the RBA was effective in managing cybersecurity risks and had implemented controls in line with the requirements of the Information Security Manual, including the Top Four and other mitigation strategies in the Essential Eight.
The bank’s assistant governor of corporate services Susan Woods detailed that the bank also relies on other arrangements to remain cyber resilient, including formal and not so formal training, team-bonding exercises, and holding “FedEx days” for security specialists.
“We use many different tactics from formal training to email campaigns and events like our FedEx days to try and educate and make people more aware,” she told the Joint Committee on Public Accounts and Audit last May.
“We call them FedEx days because we take a particular security challenge and within a day they have to identify, design, and implement a solution to the challenge so they tend to be small problems but nevertheless, meaningful ones, and we get people talking and thinking about the problems that we might face from a cyber perspective, and how they could deal with those.”