Q&A ADDENDUM FOR INFORMATION SECURITY VULNERABILITY ASSESSMENT PUBLISHED 10/20/2015

Transcription

1 Q&A ADDENDUM FOR INFORMATION SECURITY VULNERABILITY ASSESSMENT PUBLISHED 10/20/2015 UPDATE HISTORY: 10/21/ /30/ /5/2015

2 Questions submitted by Proposers All proposers should reference the following list of questions that arose during the Draft SOW Review process. This list will be updated with new questions and answers as needed, sorted by date with the most recent appearing first. Added 11/5/2015: 1. Q: Does the city subscribe to certain information security frameworks for informing security policy and controls implementation and management? If so, please identify such frameworks. Please also identify federal, state, or other policies and controls and any related regulations. Are they readily available for review as part of the assessment? If the maturity assessment is the evaluation of IT security policies, controls, regulations, and their measure of effectiveness as compared to specifications of certain federal, state, or other policies, procedures, regulations and/or industry frameworks (such as NIST CSF), then please indicate the quantity of and breadth of those policies, controls, regulations, and industry frameworks. A: We are relying on the security assessment consultant to identify federal and state regulations and/or industry frameworks applicable to the City, and to assess our compliance with them. 2. Q: Will the outsourced IT Provider s staff be part of the assessment and available for interviews? A: Yes, they will be available during the assessment. 3. Q: Is there an internal information security team? If so, how many members? A: The City outsources IT security to our partner SIGMAnet who provides all computer and network system support. There is no City-only (what we would consider internal ) security team. 4. Are there any third parties vendors that need to be included as part of the assessment. If so, please describe. 5. Is there risk management committee or group (formal or informal)? Please briefly describe.

3 6. Is there a structured risk management program that includes a method for assessing risk? Please briefly describe. Added 10/30/2015: 1. Q: We need some more clarification regarding the Hardware Resilience Testing. Is this a firewall review? Or is it a pen test that includes routers, switches, firewalls, and servers? Please provide more context around desired testing and types of devices in scope. Do you want exploitation? A: The latter a safe penetration test. We don t want our systems brought down, but do want the configurations reviewed and tested. No exploitation. 2. Q: How many IP addresses are in scope for the internal network pen test? A: 1/24 3. Q: How many IP addresses are in scope for the external network pen test? A: 9/24 4. Q: Is social engineering strictly electronic? If so, how many users are in scope for testing? If in-person social engineering is desired, how many locations are in scope? A: We are open to suggestions for social engineering testing from the proposers, based on their experience. 5. Q: Please provide us with a total number of employees and total number of locations, and we can provide a suggestion off of that. A: The City employs 64 full-time staff, an equal number of part-time staff, and a variable number on-site contractors. Approximately staff access the City s computers each day. There are also two supervised computer training rooms open to the public. The City has three staffed locations. [Answered in the RFP] Added 10/21/2015: 1. Q: In Appendix D Section C Project Proposal Evaluation Criteria states: Proposals will be evaluated using three (3) sets or criteria but only lists two (2). Please confirm the third criteria. A: This statement in the RFP refers to Appendix D, C.2: Qualitiative Evaluation, which looks at the following 3 criteria: a. Expertise and Experience

4 b. Scope of Work c. Allocation of Resources Added 10/20/2015: 1. Q: Are there any databases in scope and if so what types? A: Yes. The City has three Windows database servers and a total of six SQL databases. 2. Q: Are there internally developed applications in scope? 3. Q: Are there specific types of regulations that have to be met such as California SAM, HIPAA, ISO/IEC 27001, or NIST , Revision 4? A. The City manages limited PII for employees, and none for residents and other constituents. Proposers should reference any relevant regulations. 4. Q: How many externally-facing systems are in scope of the vulnerability assessment scanning and penetration testing activities? A. Yes, one externally facing /24 IP range to be scanned. 5. Q: Is social engineering in scope and if so, what forms of social engineering are requested - spear phishing? Phone-based attacks? Impersonation? USB stick drops? What is the sample size for each technique? A: Yes social engineering is in scope. The proposers should suggest one or more methods and sample size. 6. Q: Is there a minimum/maximum amount of references city wants proposer to list? A: There is no upper or lower limit. The RFP asks for all references of similar work performed within the last five years. 7. Q: The first bullet of the Summary of Scope of Work, mentions social engineering test. What type of social engineering test is the City expecting spear phishing? Phone-based attacks? Impersonation? USB stick drops? Sample size for each technique and is it limited to City Hall staff only or will staff from the other locations be included? A: Social Engineering is in scope including staff from all facilities. We request the proposer s recommendation based on experience with similar organizations. We have previously conducted an spear phishing test.

5 8. Q: How many network devices are in scope for the infrastructure testing? A: Please refer to the revised table in the RFP Section 5: Scope of Work 9. Q: Does the City want us to test for susceptibility to Denial of Service attacks? The City web site is hosted by Civic Plus and testing the City web site is out of scope. 10. Q: Is wireless penetration testing in scope? If yes, how many networks are in scope? A: Yes, each facility has WiFi and there are a total of six SSIDs. 11. Q: How many servers in total does the City have? (Please breakdown physical vs virtual.) What Operating Systems are in use? A: Please refer to the revised table in the RFP Section 5: Scope of Work 12. Q: How many IT staff are there and what are their positions? A: There is one full-time position: IT Manager. The City outsources its IT functions. Please see the RFP Section 5: Scope of Work for details. 13. Q: How many end users are there? A: There are about 120 system users. See the RFP Section 5: Scope of Work for additional detail. 14. Q: What is the City s expected start date? A: The City expects to have the Agreement executed no later than March 7, 2016 and wishes to start as soon as possible after that date. 15. Q: When does the City require the final report to be delivered? A: The City requires the Assessment final report to be delivered within 90 days of executing the Agreement. 16. Q: Should the vendor budget for presentation meetings to City Council? If yes, how many meetings? A: There are no plans for presentation to City Council, only to to City management staff.

6 17. Q: Is the focus of the Hardware Resiliency Testing deliverable to validate compliance of configurations with current policy, or to identify vulnerabilities in, and attempt penetration of, weaknesses in device configurations? A: To identify vulnerabilities in, and attempt penetration of, weaknesses in device configurations 18. Q: Is the focus of the Identity Management Assessment deliverable to locate sensitive data in systems or to assess the adequacy of current identity management practices? A: To assess the adequacy of current identity management practices. 19. Q: Is the focus of the Password Testing deliverable to determine compliance with current password policies or to attempt to crack as many weak passwords as possible? A: Both 20. Q: Is the Security Policy Testing and IT Security Governance deliverable limited to City Hall policies only? A: City Hall policies apply to all three City sites. Other sites only need to be tested to the extent applicable. 21. Q: Does the City expect the executive summary/outbriefing to be conducted in person or will a remote web conference be acceptable? A: The City requests the final report to be conducted in person to facilitate discussion, with any follow-up discussions to be conducted by phone or internet conference. If proposers desire an exception it can be discussed during the interview. 22. Q: What is the City s budget for this project? A: The City s budget for this project is $30,000.