Tender Details
Data Information and Asset Security Solution, Data Security Tool
Business Name
Gold Coast Hospital & Health Service QLD
VP Reference #
VP461911
Buyers Reference #
QH-RITM14943693
Opens
Monday 26 May 2025 (E. Australia Standard Time)
Closes
Wednesday 18 June 2025 05:00 PM (E. Australia Standard Time) CLOSED
Supplier query cut-off
Wednesday 11 June 2025 05:00 PM (E. Australia Standard Time)
Expected decision
Tuesday 19 August 2025 (E. Australia Standard Time)
Buyer Details
Business Name
Gold Coast Hospital & Health Service QLD
Location
16 Nexus Way
Southport, Queensland 4215
Australia
Website:
https://www.goldcoast.health.qld.gov.au/
Business Info
We provide compassionate, sustainable, highly reliable healthcare. Our vision is excellent people, excellent care.
Contact Details
The buyer has elected to have their personal and contact details hidden. These details will be revealed at the buyer's discretion.
What the buyer is requesting
Details
Provision of a Data Information Security Tool and Asset Security Solution for Gold Coast Hospital and Health Service.

GCHHS is seeking to gather information about the supply of a solution that offers real-time data monitoring, access control and advanced threat detection. The solution would be used to identify and label sensitive documents across the core systems in use, automatically classifying data based on sensitivity.

The solution should offer detailed insights into user behaviour, flagging any anomalous actions that could indicate a potential insider threat or external breach, supported by data monitoring and activity logging. Real-time alerting is required to immediately notify security teams of suspicious activity such as unauthorised data access, abnormal file movements and attempts to share confidential data externally. Compliance reporting is also required, to demonstrate adherence to regulatory frameworks and standards.
Background information / Compatibility requirements
Details
GCHHS has significant repositories of data stored in both structured and unstructured formats. While structured data is generally identifiable and able to be appropriately classified, data held in unstructured formats, such as files in shared drives, cloud services and information stored within Office365, is more difficult to discover and classify. Additionally, identification of data loss and data exfiltration is ad hoc and often complicated by multiple sources of data. GCHHS requires assistance to identify this data, identify potential risks related to access or other security considerations, and classify and label the data. The solution needs to identify and stop unintended or malicious data loss.
Desired Outcomes ('Nice to haves', Conditions & Warranties, SLA's, Project benefits)
Details
GCHHS is looking for a solution to assist with:

* Data Discovery

* High level data classification based on rules, context or machine learning/AI

* Report on risk areas and remediation requirements to meet security standards

* Data loss prevention

* Safeguarding of sensitive data against cyber threats such as malware, phishing attacks and data breaches

* Mitigate risks related to information security

* Compliance with SOCI, Essential 8 Maturity Level 4 and Queensland Government Information Security Classification Framework.
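Two of the outcomes above are easy to state and hard to pin down in an evaluation: classification "based on rules, context or machine learning" and real-time alerting on external sharing and abnormal file movement. The following Python is an added illustration of the rules-plus-context and alerting parts of that; it is not part of the RFI and is not any vendor's product. The sample documents, audit events, label names, internal-domain allow-list, context window and bulk-download threshold are all constructed for the example.

```python
import re
from collections import Counter

# Constructed sample documents (not from the RFI or any GCHHS system).
DOCS = {
    "discharge_summary.docx": "Patient J. Citizen, URN 3456789, admitted 02/05/2025. Diagnosis: pneumonia.",
    "supplier_invoice.txt": "Order 3456789 for 20 cartons of gloves. Total $540.00.",
    "ward_roster.xlsx": "Week 23 roster. Contact the NUM on 0412 345 678 for shift swaps.",
    "cafeteria_menu.txt": "Monday: pumpkin soup. Tuesday: lasagne.",
}

# Hypothetical allow-list: sharing to these domains is treated as internal.
INTERNAL_DOMAINS = {"health.qld.gov.au"}

# Each rule: (data type, value pattern, context pattern that must occur within WINDOW
# characters of the value, or None). Requiring context is what separates a seven-digit
# patient record number from a seven-digit purchase-order number.
WINDOW = 60
RULES = [
    ("PHI", re.compile(r"\b\d{7}\b"), re.compile(r"\b(patient|admitted|diagnosis|urn)\b", re.I)),
    ("PII", re.compile(r"\b04\d{2}\s?\d{3}\s?\d{3}\b"), None),  # AU mobile number: no context needed
]

def find_sensitive(text):
    """Return the set of sensitive data types found in text, honouring the context rules."""
    found = set()
    for dtype, value_pat, ctx_pat in RULES:
        for m in value_pat.finditer(text):
            window = text[max(0, m.start() - WINDOW):m.end() + WINDOW]
            if ctx_pat is None or ctx_pat.search(window):
                found.add(dtype)
    return found

def classify(text):
    """Map detected data types to a label. Label names are placeholders for this example."""
    types = find_sensitive(text)
    if "PHI" in types:
        return "PROTECTED", types
    if types:
        return "SENSITIVE", types
    return "OFFICIAL", types

# Constructed audit events in the shape of a generic file-activity log.
EVENTS = [
    {"user": "clinician1", "action": "read", "file": "discharge_summary.docx", "target": ""},
    {"user": "clinician1", "action": "share", "file": "discharge_summary.docx", "target": "gp@clinic.example.com"},
    {"user": "clinician1", "action": "share", "file": "ward_roster.xlsx", "target": "num@health.qld.gov.au"},
    {"user": "admin2", "action": "share", "file": "cafeteria_menu.txt", "target": "caterer@food.example.com"},
    {"user": "contractor7", "action": "download", "file": "discharge_summary.docx", "target": ""},
    {"user": "contractor7", "action": "download", "file": "discharge_summary.docx", "target": ""},
    {"user": "contractor7", "action": "download", "file": "discharge_summary.docx", "target": ""},
]

BULK_THRESHOLD = 3  # hypothetical: alert when one user downloads this many PROTECTED files

def detect(events, labels):
    """Alert on external sharing of labelled data and on bulk download of PROTECTED data."""
    alerts = []
    downloads = Counter()
    for e in events:
        label = labels.get(e["file"], "OFFICIAL")
        if e["action"] == "share" and label != "OFFICIAL":
            domain = e["target"].rsplit("@", 1)[-1].lower()
            if domain not in INTERNAL_DOMAINS:
                alerts.append(("external_share", e["user"], e["file"], domain))
        elif e["action"] == "download" and label == "PROTECTED":
            downloads[e["user"]] += 1
            if downloads[e["user"]] == BULK_THRESHOLD:
                alerts.append(("bulk_download", e["user"], None, None))
    return alerts

def run():
    """Classify every constructed document, then run the audit events against the labels."""
    labels = {name: classify(text)[0] for name, text in DOCS.items()}
    return labels, detect(EVENTS, labels)

if __name__ == "__main__":
    labels, alerts = run()
    for name, label in labels.items():
        print(f"{name}: {label}")
    for kind, user, file, domain in alerts:
        print(f"ALERT {kind}: user={user} file={file} domain={domain}")
```

Run as a script it prints the label for each constructed document and the two alerts raised. The context window is the point worth noting: the same seven-digit number is PHI next to "patient" and nothing next to "order", whereas a pattern-only rule would label the invoice too. Production tooling layers OCR, exact data match and trained classifiers on top, but the label-then-gate structure of detect() is what the alerting requirement comes down to.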
Questions asked by the buyer
Question 1 - [Required]
Please respond to the high level requirements and Schedule A of the attached RFI document.
Supplier lists selected
Lists
  • IT & Telecomms
Categories selected
Categories
  • IT & Telecomms
    1: IT Services
    2: Services - Application Expertise
    3: Services - Architecture & Design
    4: Services - Cloud Services
    5: Services - Data Storage Services
    6: Services - Industry Sector Expertise
    7: Services - Managed Services
    8: Services - Other
    9: Services - Risk Management
    10: Services - Security Management
    11: Software - Development
    12: Software - Other
    13: Software - Programs
    14: Software - SaaS
Regions of Service
Locations
  • Queensland
    1: Brisbane
    2: Gold Coast

All Regions of Service locations are within Australia.
Information requested by others
02/Jun/2025 04:17 PM
Question:
Hi

Could you please clarify the questions below.

1. What do you use for Vulnerability Scanning and Management

2. Total number of assets (anything with an IP address)

3. Total Number of users

4. Data storage devices (SAN, File etc) and TB on each device

5. Total capacity of storage utilised across the environment

Answered on 11/Jun/2025 06:43 AM:


Refer to uploaded FILE 6 - Full Clarification List - Response
03/Jun/2025 09:44 AM
Question:
ID | Type | Requirement | Priority | Question

FR2 | Software | The solution must have the ability to segregate users in the Office365 environment based on user name or AD context and apply controls based on that segregation. | Critical | Is the segregation of users done only in Office365, or is it a segregation of the users in our Informatica environment based on username or AD context in M365?

FR10 | Software | The solution should have the ability to identify and classify data based on context, not just predefined keywords or patterns. | High | What does GCHHS mean by "context"? Is it, for example, field relationships with parent table names and so on?

FR14 | Software | The solution has alerting and notification mechanisms for suspicious activity including anomalous data movements, exfiltration attempts, and uncharacteristic access to PHI. | Critical | What does GCHHS mean by "exfiltration" attempts?

FR21 | Performance | The solution must have the ability to work with specific data formats used by government and health organisations. | Critical | What types of formats does GCHHS mean here?

Answered on 11/Jun/2025 06:43 AM:


Refer to uploaded FILE 6 - Full Clarification List - Response
03/Jun/2025 11:31 AM
Question:
1. Can the HR platform be integrated with Insider Risk Management?

2. Are the DLP outcomes GCHHS is looking for inclusive of 'blocking' actions or just 'audit' in this RFI response?

Answered on 11/Jun/2025 06:44 AM:


Refer to uploaded FILE 6 - Full Clarification List - Response
05/Jun/2025 09:34 AM
Question:
Q1 What is the current licensing volumes for Microsoft M365 for GCHHS (e.g. E3, E5, F3)?

Q2 What endpoint security solution is currently used at GCHHS?

Q3 Can the solution be met by multiple tools, e.g. Microsoft Purview and Microsoft Defender?



FR1 - Can you provide details of the technologies used or in scope for 'all data repositories'?

FR2 - Is segregation to be performed based on data sensitivity or segregation based on incident, e.g. quarantining?

FR3 - What standard or taxonomy is to be used for data classification?

FR4 - Is encryption required, recommended or excluded from implementation for this requirement?

FR5 - Does this tracking require reporting of data flows, or is simply the capability to perform monitoring (and relevant audit logs and real-time exports) across all platforms sufficient?

FR6 - Will GCHHS provide a feed for user data capable of ingestion by a product, or is the solution to provide the entirety of this functionality?

FR7 - Is compliance reporting intended to be control-based (e.g. compliance per control statement), compliance of data to a standard (e.g. % of files labelled, % of labelled files controlled), or a combination?

FR9 - Please provide details on which government-specific standards and regulations are in scope.

FR11 - Is there a specification on the maximum time delay in reporting that is classified as 'real-time'?

FR12 - Will GCHHS have custom requirements on PII/PHI as part of implementation, and/or tuning of 'out of the box' content matches? Is there a required accuracy level for content matching required either individually or in aggregate?

FR13 - Is this to be driven by user activities (e.g. user behaviour analysis), or proactive analysis of access rights?

FR19 - What is the selected IAM tool for GCHHS?

FR20 - Do you have further definition on activities to be queried by an API or other systems integrations in scope?

FR21 - Can you provide details of the data formats currently known, and any details of image-based formats requiring Optical Character Recognition?

FR22 - Is this required within the tool itself, or would custom reporting be capable of filling this role?

Answered on 11/Jun/2025 06:44 AM:


Refer to uploaded FILE 6 - Full Clarification List - Response
05/Jun/2025 11:15 AM
Question:
GC Hospital appears publicly to be leveraging a shared domain amongst other QLD health entities - all on health.qld.gov.au. Can you confirm if GCHHS is running in a single M365 tenant, a shared M365 tenant, or across multiple M365 tenants?

If a shared tenant, does GCHHS have the ability to govern Purview, or is segregation of duties and visibility to be considered?

Answered on 11/Jun/2025 06:45 AM:


Refer to uploaded FILE 6 - Full Clarification List - Response
05/Jun/2025 03:24 PM
Question:
1 Data Identification: How is your organisation currently managing data discovery mechanisms across both structured and unstructured data? Can your tools effectively discover sensitive data types (PII, PHI) across on-premises and Azure cloud environments? For example, you may have tools like Microsoft Purview, but how are you managing unstructured data in emails or documents across SharePoint and OneDrive?

2 Data Identification: At present, what mechanisms do you have in place to track, tag, and catalogue sensitive data across different geographic locations and regulatory jurisdictions? How are these updated automatically?

3 Data Identification: How do you plan to manage the identification of sensitive data in real time, especially when new datasets are integrated into your health care platform?

4 Sensitivity Labelling: Can your current sensitivity labelling be automatically adjusted based on business context or data usage, particularly in dynamic healthcare workflows? How does it integrate with Microsoft's Purview and other governance tools?

5 Sensitivity Labelling: In the current state, how do you ensure that sensitivity labels are consistently applied across various environments (e.g., cloud, on-premises, hybrid)? How do you prevent label inconsistencies during data migration? For example, if a claims adjuster uploads a customer file from on-premise storage to Azure, how do you ensure the same sensitivity labels are applied and consistent between both environments?

6 Risk-Based Governance: How does your current governance model prioritize data protection efforts based on risk assessments? How do you adjust governance controls dynamically based on evolving risks? Considering your global presence, how do you prioritize protecting customer data from higher-risk regions (like those with strict regulatory frameworks) compared to others with fewer restrictions?

7 Risk-Based Governance: How do you ensure that data classification and protection are aligned with risk management strategies specific to where regulatory and compliance risks are critical? E.g. in the case of policyholder information, how do you ensure that your data governance strategy specifically mitigates risks associated with handling sensitive financial data in underwriting and claims?

8 Risk-Based Governance: Could you please elaborate on how you handle scenarios where business-critical data that has been classified as low-risk becomes a target for potential breaches or exploitation? If previously low-risk data, like hospital details, becomes a target for cyber threats (e.g., fraud), how would you quickly reclassify it as high-risk and enhance protection? This could involve stronger encryption, restricted access, and increased monitoring, ensuring your risk-based governance adapts in real time to safeguard the data.

9 Compliance Alignment: Could you please share your approach on how you handle regulatory changes in real time, and ensure that your data governance framework automatically adapts to new legal requirements?

10 Compliance Alignment: Do you have any plan that the EDH platform generates real-time compliance reports to demonstrate adherence to regional regulations and internal policies?

11 Risk-Based Governance: Do cybersecurity professionals within your organization use any specific guides or frameworks for effective vulnerability prioritization in digital landscapes? If yes, could you please elaborate on it?

12 Proprietary Technology & AI: What are the different input data types along with the format of the files? Are these images or machine-readable documents, and do they also include handwritten notes?

13 Proprietary Technology & AI: Can you provide the volumetric information (number of documents, number of pages in a document, average number of sensitive items in a document)?

14 Current Data Inventory and Classification Practices: Please provide detailed information about your existing data inventory and classification processes for both structured and unstructured data. Specifically, what tools or technologies are you currently using to identify, classify, and manage sensitive data across your on-premises and Azure cloud environments?

15 Regulatory and Contractual Compliance Requirements: What specific regulatory frameworks, industry standards, or contractual obligations does Gold Coast Specialty need to comply with regarding data protection (e.g., GDPR, HIPAA, CCPA)? Are there particular compliance priorities or deadlines we should be aware of to align our solutions effectively?

16 Existing Microsoft Security and Compliance Tools: Which Microsoft security and compliance solutions are currently deployed in your environment (e.g., Microsoft Purview, Azure Information Protection, Microsoft Defender for Cloud Apps)? To what extent are these tools being utilized, and are there any limitations or challenges you've encountered with them?

17 Data Lifecycle Management Practices: Please detail your current policies and controls for managing data throughout its lifecycle, including creation, storage, access, sharing, archiving, and destruction. Are there particular stages where you face challenges in applying appropriate protection measures?

18 Generic: Please let us know which Microsoft technologies and tools you have in the environment, such as Purview, Priva etc.

19 Generic: Please share volumetrics (in terms of number of tables, columns, number of databases, volume etc.) on the size of structured, unstructured and semi-structured data.

20 Generic: Please share the architectural diagram of the application landscape, specifying application technology and platform (on premise, cloud etc.).

21 Generic: Please provide the number of users for SharePoint, OneDrive and M365 mailboxes, and the number of external users if they are accessing from outside the network.

22 Generic: What type of access controls currently exist in the system and are expected? How many user groups are there in the organization for which access controls need to be in place?

23 Generic: Are you using any third-party tools, such as Nintex workflows?

24 Generic: What is the current DLP and data security solution that exists?

25 Generic: Please provide the existing infrastructure details of AD, Exchange, and other services.

26 Generic: What are the other Microsoft security products that exist in the M365 tenant?

27 Data Classification: Please describe Gold Coast Specialty's data classification standard taxonomy.

28 Data Discovery: Are you scanning/inventorying sensitive data today? If so, what tool(s)/solution(s) are being used for sensitive data discovery? Are you using Microsoft Purview today? Are there specific issues Gold Coast Specialty has experienced with Purview?

29 Data Protection: To understand the effort needed, we'd like to understand if there is already a precedent/culture where data protections (encryption, access control lists, blocking, warning, etc.) are enforced. Does Gold Coast Specialty enforce/block DLP policies? If nothing material has been enforced, should the vendor assume a cultural uplift with upfront executive alignment, socialization, change management, help desk enablement, etc.?

30 Security and access techniques: Do you have a Data Governance team / structure? If so, please describe how it is structured, along with roles and responsibilities, standards, processes, workflows, etc.

31 Data Governance: Has the organization conducted an analysis of data risk and assessed how the successful DG initiative must address these?

32 Data Governance: Has there been any current state assessment of the current platform for sensitive data management, i.e. the total number of sensitive data items in the platforms that are being scanned and will be migrated to Azure?

33 Data Governance: Have any severe data security risks been captured, e.g. unauthorized access, data breaches or compliance violations in the current platforms?

34 Data Governance: Can you share the existing data platform architecture? This will help us to understand which processes/tools can be recommended.

35 Data Governance: Can you please provide a list of the general regulatory or legal requirements that have been prioritized by Gold Coast Specialty for this implementation?

36 Data Governance: What mix of on-premises and cloud platforms are at play with respect to the main systems of record and existing Data Governance focused solutions (including data catalog and MDM)? From a policy level, is there a data classification regime?

37 Data Governance: What are the different types of structured and unstructured data that are in scope? E.g. database platforms - DB, tables, approx. columns; unstructured - SharePoint, shared drives, virtual desktops etc.

38 Data Governance: Do you have any real-time data (inbound or outbound) as part of this solution? If yes, what are the sources / consumption systems?

39 Data Governance: What is the frequency of scans that are happening in the current state, and of the assets (structured and unstructured)?

41 Security and Compliance: Do you have a specific process for how your organization provides credentials?

42 User Personas: Are you using Active Directory for roles and access usage? Are there any localised roles and access controls outside of Active Directory?

43 Application Landscape: What upstream and downstream applications integrate with your data platform, and what technologies are used for the integrations?

44 Database & Infra Landscape: Please provide a list of the applications and databases in scope for this effort, including:

a. Application name

b. Database type and version

c. Amount of data in production in TBs

d. OS type and version

e. Is the data encrypted? If so, what type?

f. Is the data in clusters? If so, please tell us more.

g. Are there any tables to be masked with more than 10M rows?

h. Are there SLAs associated with any of the applications to be masked? If so, please provide.

45 Record management: Does Gold Coast Specialty have a retention schedule published with specific retention periods per category?

46 Email Security: Is your existing mail system configured with Defender for O365 for email security, e.g. phishing resistance, encryption and protection from threats and malware? If so, please provide the details.

47 Device management: How is your organisation currently managing endpoint devices like Windows 10/11 and mobile devices to protect from malware and cyber threats? If you have already enabled any other endpoint device management for security, please elaborate.

Answered on 11/Jun/2025 06:45 AM:


Refer to uploaded FILE 6 - Full Clarification List - Response
05/Jun/2025 04:58 PM
Question:
Question 1 - FR1: Is native support for sensitive data discovery across structured data types (like relational databases, e.g. SQL, Oracle, SAP HANA) part of this scope, or will it be covered in the future? Does this include government formats and custom file types?

Question 2 - FR3: Predefined rules, patterns and keyword matching, or using advanced techniques like machine learning, are mentioned; is context-based learning part of the advanced techniques?

Question 3 - FR8: In the current environment, including data subject access requests (DSARs) and data breaches, would you be able to elaborate on the current workflows?

Question 4 - FR15: For access control, would you consider enforcing access controls using encryption/tokenisation based on RBAC/ABAC, so unauthorised users can't even read the data?

Question 5 - Other than compliance with SOCI, E8, the Queensland Government Information Security Classification Framework and requirements under the ISMS, are there any other compliance or regulatory requirements you are trying to achieve/adhere to?

Answered on 11/Jun/2025 06:45 AM:


Refer to uploaded FILE 6 - Full Clarification List - Response
06/Jun/2025 10:46 AM
Question:
Area: Support & Operational Services

Related RFI Requirement (If Relevant): Describes the desired solution at a high level but does not specify delivery model

Specific Question for Clarification: Does GCHHS have a preference between a co-sourced, in-house, or fully managed service delivery model as part of the operationalisation of the proposed solution?

Answered on 11/Jun/2025 06:45 AM:


Refer to uploaded FILE 6 - Full Clarification List - Response
06/Jun/2025 10:48 AM
Question:
Area: Service Expectations

Related RFI Requirement (If Relevant): Briefly references expectations of delivery and implementation; unclear on training/support.

Specific Question for Clarification: Is GCHHS seeking assistance (either as-needed complimentary or fully outsourced) with policy/framework alignment, organisational change management (OCM), or user training during implementation, or is internal design and delivery expected?

Answered on 11/Jun/2025 06:46 AM:


Refer to uploaded FILE 6 - Full Clarification List - Response
06/Jun/2025 10:49 AM
Question:
Area: Regulatory Alignment

Related RFI Requirement (If Relevant): References alignment to ISCF, Essential 8, SOCI Act, but does not detail s.26, IS18 or IS31

Specific Question for Clarification: Are there any mandatory retention, deletion, or defensible disposal frameworks (e.g. IS18, Public Records Act s.26, IS31) that must be embedded into data lifecycle, classification and protection workflows?

Answered on 11/Jun/2025 06:46 AM:


Refer to uploaded FILE 6 - Full Clarification List - Response
06/Jun/2025 10:50 AM
Question:
Area: “Functional Requirements” + Clarification Response #2

Related RFI Requirement (If Relevant): Identifies the need to apply controls to endpoint devices; tools not listed

Specific Question for Clarification: Can GCHHS confirm what endpoint protection and Extended Detection and Response (XDR) tooling is currently deployed across the organisation (e.g. Microsoft Defender for Endpoint or other third-party solutions)? Additionally, is this tooling expected to remain in place for the life of this agreement?

Answered on 11/Jun/2025 06:46 AM:


Refer to uploaded FILE 6 - Full Clarification List - Response
06/Jun/2025 10:51 AM
Question:
Area: Not explicitly referenced

Related RFI Requirement (If Relevant): Current DLP functionality (i.e. Microsoft licensing or other vendor solutions) is not mentioned anywhere in RFI or clarifications

Specific Question for Clarification: Could GCHHS please clarify the current Microsoft licensing tier(s) in place across the organisation, specifically in relation to Microsoft 365 (combination of E1-E5) and Azure security entitlements (e.g. Defender for Endpoint P1/P2, Purview, AIP, Copilot etc.)?

Answered on 11/Jun/2025 06:46 AM:


Refer to uploaded FILE 6 - Full Clarification List - Response
06/Jun/2025 11:12 AM
Question:
Can the team please confirm the number of users (Microsoft licensed users) and breakdown of the O365 licensing? E.g. 5000 E5 licensed users.

Answered on 11/Jun/2025 06:46 AM:


Refer to uploaded FILE 6 - Full Clarification List - Response
10/Jun/2025 03:17 PM
Question:
Hi, any news on when we will get the answers to the below questions?

Answered on 11/Jun/2025 06:47 AM:


Refer to uploaded FILE 6 - Full Clarification List - Response
Updates made to this Request
26/May/2025 09:51 AM
Please note: The following attachment has been recently added.

1. Added: QH-RITM14943693 Data Security Tool RFI FINAL.docx

Please consider this attachment when responding.

29/May/2025 07:40 AM
Please note: The following attachments have been recently added.

1. Added: Clarification 1.pdf

2. Added: Clarification 2.pdf

Please consider these attachments when responding.

29/May/2025 07:41 AM
Change of closing date

Clarification #1 and Clarification #2 are now uploaded for viewing

29/May/2025 10:30 AM
Please note: The following addendum has been recently added.

1. Added: (Addendum) QH-RITM14943693 RFl - Timetable Addendum.pdf

Please consider this addendum when responding.

30/May/2025 07:40 AM
Please note: The following attachment has been recently added.

1. Added: Clarification 3.pdf

Please consider this attachment when responding.

11/Jun/2025 06:42 AM
Please note: The following attachment has been recently added.

1. Added: FULL CLARIFICATION LIST - RESPONSE.pdf

Please consider this attachment when responding.