STATEMENT OF WORK (SOW) for CYBER VULNERABILITY ASSESSMENT

Transcription

1 1.0 Introduction UTILITIES desires to contract with a CONTRACTOR to conduct an in-depth cyber vulnerability assessment and physical penetration vulnerability assessment of our IT Infrastructure as outlined in the SOW. This document provides additional information that will allow a CONTRACTOR to understand the scope of this effort and develop a proposal in the format desired by UTILITIES. 2.0 Background Colorado Springs Utilities (UTILITIES) is a four-service municipal utility serving the City of Colorado Springs and various customers in El Paso County, Colorado. UTILITIES is interested in conducting a security assessment that will allow it to: Gain better understanding of potential corporate network vulnerabilities that may be visible internally and /or externally to the organization. Determine if the current wireless infrastructure is securely configured and deployed. Evaluate the security associated with public facing web applications used by both internal and external users. Evaluate the security associated with financial and asset management systems. Determine if the current physical security is effective by conducting physical access assessments. Determine if the current cyber security is effective by conducting cyber access assessments. Determine if the current organization security awareness is effective by conducting social engineering on users internal to the organization. These activities are part of UTILITIES ongoing desire to improve security and are focused on identifying the risk level UTILITIES is currently exposed to so an appropriate response to those threats can be developed. SOW # PR Page 1 of 9 Revision 10/2007

2 3.0 Scope The scope of this engagement is for a CONTRACTOR to perform a cyber and physical vulnerability assessment of UTILITIES assets. The assessment must determine vulnerabilities from both internal and external attack vectors. Those items deemed within the scope of this effort are the following: Web Application Penetration Testing to include any customer-facing, internet applications on the UTILITIES websites Wireless Network Assessment and Penetration Testing to include 30 UTILITIES Wireless Access Points Security Assessment and Penetration Testing to include UTILITIES outside-facing firewalls and network entry points Voice over IP Assessments and Penetration Testing to include WarDriving on a random number (not to exceed 100) of UTILITIES phone numbers Social Engineering Assessments to include information gathering on a random number (not to exceed 100) UTILITIES employees Physical Security Assessments and Penetration Testing to include physical access to three (3) UTILITIES facilities at the East Service Center, Utilities Customer Service Center, and the first five (5) floors of the Plaza building occupied by UTILITIES Financial and Asset Management Application Vulnerability Assessment and Penetration Testing on 55 Unix and Intel Systems Overall Information Security Risk Assessment to include an overall Security Gap Assessment at UTILITIES following industry best practices The assessment report for each of the above requests shall identify the vulnerability assessment process, document the assessment results, and recommend actions on how to remediate or mitigate vulnerabilities. These reports should be similar to each other and where overlap occurs they may be combined. The key goal of the CONTRACTOR in reporting the assessment results is to provide actionable information. The final assessment report shall identify the vulnerability assessment process, document the assessment results, and the recommended actions on how to remediate or mitigate vulnerabilities. The assessment report needs to show how that vulnerability can or cannot be exploited by a credible adversary. SOW # PR Page 2 of 9 Revision 10/2007

3 The CONTRACTOR shall: Attend a kickoff meeting Provide a draft and final project plan (in MSWord and MSProject format) for UTILITIES review and approval, Provide a draft and final test plan (in MSWord and MSVisio format) Provide a Vulnerability Assessment Provide a draft and final assessment report (in MSWord format), with a prioritized list of findings and recommendations Provide an executive briefing or summary. (in MS Power Point) to key UTILITIES staff, with prioritized findings and recommendations at a site selected by UTILITIES Allow contractor staff performing the assessment to be available to the UTILITIES staff with interpretation and clarification of assessment report findings not to exceed 10 hours effort over a 6-month period following the delivery of the final report UTILITIES will provide CONTRACTOR with a list of assets defined prior to the start of this engagement. IT Computer Access Request Cyber security DVD Course Facility Access Request Signed Acknowledgement of Special Procedures for Security Related Projects from Team Members A portion of the assessment testing shall need to be performed at UTILITIES facilities located in Colorado Springs in El Paso County, Colorado. 4.0 Tasks, Deliverables & Schedule Start Date: November 19, 2010 Project Completion Date: December 13, 2010 PROJECT PLAN and DELIVERABLE MILESTONES CONTRACTOR shall provide a detailed project plan in electronic format including task-level content incorporating Deliverable Milestones for each task listed below: Task No. Tasks/Activity/Service Start Date Completion Date Deliver a draft project plan as part of Contractor s proposal. Finalize the project plan no later than 10 business SOW # PR Page 3 of 9 Revision 10/2007

4 days after contract award. The project plan shall contain at a minimum: Revision/change record A detailed project approach A communications plan A detailed team roster with resumes of team members, skills detail of job classification, and a copy of background check verification for each team member Weekly status reports to include work planned, work completed, and any issues meeting project schedule or deliverables A risk identification plan identifying each potential project risk as well as actions for mitigating each risk. Any mitigation plans should take into account that system recovery back to baseline/healthy status is required, and should also ensure that only a minimum number of critical user functions are impacted Plans for the Contractor staff performing the assessment to be available to the UTILITIES staff with interpretation and clarification of assessment report findings not to exceed 10 hours effort over a 6-months period following the delivery of the final report Deliver a draft project schedule with the RFP. Finalize the project schedule no later than 10 business days after Combine with for scheduling SOW # PR Page 4 of 9 Revision 10/2007

5 contract award. The project schedule shall contain at a minimum: Revision/change record. A task driven schedule with deliverable milestones identified. Resources (team members) identified for each task Specific milestone tasks for: IT Computer Access Request Cyber security DVD Course Facility Access Request Signed Acknowledgement of Special Procedures for Security Related Projects from Team Members Deliver a draft test plan as part of Contractor s proposal. Finalize the test plan no later than 10 business days after contract award. The test plan shall contain at a minimum: A complete list of testing tools employed and the versions of those tools as part of the test plan Identification of all test equipment Identify whether or not the Contractor shall need permission to make changes to UTILITIES file systems and/or system configurations to include specific responsibility for backing out these changes Perform a Vulnerability Assessment and Penetration Test. Contractor shall, at a minimum: Perform testing in a manner that maintains data integrity Permit a UTILITIES representative to watch or monitor all assessment testing purpose. SOW # PR Page 5 of 9 Revision 10/2007

6 as requested Perform External Network Vulnerability Assessment and Penetration Testing Perform Internal Network Vulnerability Assessment and Penetration Testing Perform Web Application Penetration Testing Perform Wireless Assessment and Penetration Testing Perform Voice over IP Assessments and Penetration Testing Perform Social Engineering Assessments Perform Physical Security Assessments and Penetration Testing Perform Financial and Asset Management Application Vulnerability Assessment and Penetration Testing Perform Information Security Risk Assessment Provide UTILITIES a copy of the raw testing tools output Deliver a draft assessment report no later than 10 business days after the assessment has been performed. The assessment report shall contain at a minimum, a prioritized list of findings and recommendations to remediate or mitigate any vulnerabilities. 5.0 Key Project Staffing CONTRACTOR S Key Personnel. CONTRACTORS personnel assigned to this project are considered essential to the work being performed under this SOW, therefore, prior to the substitution of any of Contractor s personnel assigned to this project, CONTRACTOR shall provide two (2) weeks notification to UTILITIES SOW # PR Page 6 of 9 Revision 10/2007

7 in writing and shall submit written justification to permit evaluation of the impact on the project. No substitutions shall be made by CONTRACTOR without the written consent of UTILITIES. 6.0 Work Performance Location: All services shall be performed locally at Colorado Springs Utilities sites within El Paso County. Hours: All work shall be performed Monday through Friday during the hours of 8:00 AM and 5:00 PM (MDT) excluding CONTRACTOR s observed holidays. Any work outside normal business hours must be coordinated and approved by UTILITIES. No work for this SOW is scoped for weekend or holiday hours. 7.0 Security CONTRACTOR agrees that all resources assigned to this Project shall adhere to all UTILITIES security rules and regulations at all times and at all UTILITIES locations. CONTRACTOR shall have an administrative security program that clearly defines protection controls and implements security background checks for those contract agencies or services providers who shall need unescorted physical or electronic access. Additional requirements that the CONTRACTOR and UTILITIES Project Manager are responsible for include: IT Computer Access Request Cyber security DVD Course Facility Access Request Signed Acknowledgement of Special Procedures for Security Related Projects from Team Members 8.0 Changes In Scope Changes UTILITIES has expended great efforts in preparing this SOW and in attempting to describe as thoroughly the requirements therein; however, it is possible that some of the requirements might have been inadvertently omitted from the SOW. If any requirements have been overlooked that relate to, or are similar to, the requirements contained in the SOW, such requirements shall be deemed incorporated by this reference into the relevant SOW # PR Page 7 of 9 Revision 10/2007

8 portion of the SOW if those additional requirements do not impact time, schedules, resource allocation, or incur additional costs. Out of Scope Changes For all requests for services that are outside of the agreed upon scope and objectives contained in this SOW, the performance of such services shall require a mutually agreed upon Amendment to the SOW. UTILITIES shall not be liable for any out of scope work or services which are performed prior to the execution of the Amendment between the parties. 9.0 Acceptance Criteria and Testing Once the Acceptance Criteria and testing has been completed for each deliverable(s), or group of deliverables, CONTRACTOR will submit a completed Acceptance Form, Attachment A to this Statement of Work, to the UTILITIES Project Manager. Upon acceptance and execution of the Acceptance Form by the UTILITIES Project Manager, CONTRACTOR shall submit an invoice to UTILITIES for payment. INTENTIONALLY LEFT BLANK Acceptance Form on next page SOW # PR Page 8 of 9 Revision 10/2007

9 Date Issued: Contract number: Task Order Number: Location of Service Delivery: Colorado Springs, CO Deliverable/ Task No Description of Deliverable: Actual Start Date Date Complete Other Comments: SOW # PR Page 9 of 9 Revision 10/2007