Penetration Testing - ServiceNow
Tender ID: 607593
Tender Description
The Australian Transaction Reporting and Analysis Centre (AUSTRAC) is seeking the services of a Seller to conduct penetration testing in support of AUSTRAC’s Authority to Operate (AtO) for the Enterprise Service Management (ESM) platform implemented on ServiceNow Protected Platform (SPP).
The testing will provide independent, risk‑driven assurance over customer‑owned and customer‑configured ServiceNow components and must comply with the ServiceNow Customer Penetration Testing (CPT) Policy and approval process.
The required testing is limited to application‑layer security testing of approved sub‑production instances and explicitly excludes ServiceNow core platform infrastructure, SaaS controls, network‑layer testing, ServiceNow‑managed integration spokes or connectors, and underlying cloud services, which are covered by ServiceNow’s internal penetration testing program and IRAP certification. Integration testing is restricted to interface endpoints and boundary‑level authentication, authorisation, and data handling within ServiceNow.
The penetration test must address the following scope areas:
- Identity, authentication, and access control, including Entra ID single sign‑on, role‑based access control, privileged access, and user lifecycle management
- ServiceNow configuration and customisations, including ACLs, business rules, UI policies, scripts, and custom scoped applications
- Application‑layer integration logic at defined boundaries, limited to authentication, authorisation, and data handling within ServiceNow
- Application‑layer logging and monitoring supporting security event visibility and SIEM integration
- Email and notification configuration, including prevention of sensitive data exposure
The following requirements are a mandatory part of the scope of work:
- All testing activities must comply with the ServiceNow Customer Penetration Testing (CPT) Policy, including prior approval, authorised testing windows, and reporting requirements
- Testing must be explicitly aligned to AUSTRAC’s System Security Risk Assessment (SRA), and proposals must demonstrate how the approach addresses SRA‑derived risk themes, including access control misconfiguration, identity integration risk, insecure customisation, integration data handling, logging and monitoring gaps, and email configuration risk
- Deliverables must be suitable for AtO decision‑making and include clear evidence, risk‑based findings, and remediation guidance
In responding to this RFQ, Sellers must:
- Explain how their proposed testing provides coverage across identity, customisation, integrations, logging, and email configuration within the constraints of the CPT policy
- Demonstrate how findings will be mapped to AtO‑relevant risks and security controls, including traceability to the System Security Risk Assessment (SRA), System Security Plan (SSP), and Detailed Level Design (DLD)
- Provide the dependencies and timeframe required for their approach, including hardware, software and system access
Any testing activities outside the above scope, or prohibited under the ServiceNow CPT Policy, will not be accepted.
Location of services: Canberra or Sydney
Clearance required: Ability to obtain and maintain Negative Vetting 1 (NV1), with an existing NV1 clearance being desirable
Suitability assessment: Key Personnel must pass an Agency Suitability Assessment before undertaking any work under this contract