
For government: agency options have changed in line with the November 2024 Machinery of Government (MoG) changes. For more information, see our MoG change guide.

Vulnerability management service

Learn how cyber vulnerabilities can be detected and managed through this service.

The Vulnerability Management Service uses the Rapid7 InsightVM software solution. It collects, analyses and visualises data streams of cyber security vulnerabilities within your internal or external facing ICT systems and infrastructure.

The Vulnerability Management Service includes scanning and health checks through 2 key features:

Vulnerability Scanning

The Rapid7 InsightVM Security Console is an on-premises vulnerability scanner and management software solution.

It allows you to:

  • identify risk in your environment, organise and categorise your devices, and prioritise remediation.
  • implement it to suit your organisation’s ICT environment and align with your vulnerability management processes.

There are 2 architecture models available:

Dedicated delivery model

For larger agencies with diverse ICT infrastructure that prefer to host and manage their vulnerability scanning functions in-house.

Shared-infrastructure model

Suited to the cyber security needs of smaller agencies with limited ICT resources. The shared approach allows system support functions to be managed externally while still providing vulnerability threat intelligence, delivered as vulnerability reports for action.

Vulnerability Health Check

The Vulnerability Health Check analyses the Rapid7 InsightVM console configuration and the vulnerability data collected, and fine-tunes vulnerability scanning parameters to ensure effective use of the system. A Vulnerability Health Check Report is provided 3 months after the initial installation and annually thereafter. This health check allows for any necessary changes and improvements.

This service is provided by the Queensland Government Cyber Security Unit in conjunction with a managed service provider.

Optional vulnerability management scanning tools

Application and cloud vulnerability management tools are available as add-ons, if required. Contact the Vulnerability Management Service team at vmsservices@cyber.qld.gov.au.

Identifying vulnerabilities helps you plan and prepare for patch installation to correct security problems, obsolescence and vulnerabilities within your operating systems, software and infrastructure.

Implementing the Rapid7 InsightVM vulnerability scanning console, along with the Vulnerability Health Check service, provides coverage of non-managed and unauthorised devices on your networks.

It aims to identify common misconfigurations and detect weaknesses such as SQL Injection vulnerabilities, expiring certificates, default passwords and common OWASP application issues.

Technical benefits include:

  • Visibility across internal and internet-facing systems, applications and infrastructure.
  • Intelligence on vulnerable software and infrastructure, with recommendations for correct patching and remediation priorities, including an assessment of risk.

Using this service enables Queensland Government agencies to meet their obligations as specified under the Information and cyber security policy (IS18) and to improve their cyber maturity.

The following eligible agencies and related bodies can access this service at no cost:

  • Queensland Government agencies
  • statutory bodies
  • local government
  • government owned corporations.

The application process for this service has 2 steps. First, review your existing environment so that you have the information needed to complete the second step, the application itself.

Step 1: your preparation

To help with your application, have your agency determine the following:

  • the estimated number of internal assets within scope – assets include workstations, servers and network devices such as switches, routers and firewalls.
  • the estimated number of publicly facing assets, such as websites, VPN portals and web applications.
  • whether your infrastructure (virtual machines) is hosted within the Queensland Government QCloud managed by CITEC or in some other hosted environment.
  • whether you also host infrastructure in a public cloud, for example Microsoft Azure, Google Cloud Platform (GCP) or Amazon Web Services (AWS).
    • if so, which hypervisor you use, for example VMware or Hyper-V.
  • whether your upstream firewall or internet connection is hosted or managed by CITEC.
  • the officers who will access the InsightVM Live Dashboard, including:
    • technical officers
    • executive officers, for example the CIO and/or CISO.

Step 2: complete the application

Complete the Vulnerability management service application to start onboarding this service.

If you need support or want to discuss the details of this service, contact the Vulnerability Management Service team at vmsservices@cyber.qld.gov.au.

Find more information on InsightVM: Vulnerability Management service features and capabilities, including the Rapid7 Training Academy, which you will have access to with this service.