Enterprise Information Technology Security Assessment RFP Answers to Questions

Transcription

1 Enterprise Information Technology Security Assessment RFP Answers to Questions GENERAL QUESTIONS Q: How do the goals of the security assessment relate to improving the way VEIC does business? A: Security of our and our customer s data is of critical importance to VEIC. We expect to leverage this point-in-time assessment to help inform improvements to our ongoing security-related projects and plans. Q: Please specify any previous experience receiving 3rd party assessments and whether reports and findings from those assessments will be provided to the selected vendor. A: Starting in 2013, VEIC began conducting annual security assessments s assessment focused on system and application penetration and vulnerability testing with a scope similar to the scope defined in our current RFP. VEIC does not expect to provide results from prior assessments to our selected vendor. Q: What are the expected project dates for this work? A: VEIC s goal is for the assessment to be completed by the end of September. Q: The evaluation points add to more than is this your intention? A:. Q: Can the VEIC share its budget for this project? A: This project is budgeted with funding available immediately. VEIC assumes that the received proposals will exceed the $20,000 level for which we require a formal RFP to be conducted. Q: Please clarify on-site expectations for the five physical sites. A: VEIC expects the work to be conducted either remotely or from VEIC s principle office in Burlington Vermont. Internal Penetration testing of VEIC s systems is expected to be performed from our principle offices in Burlington Vermont. Q: In reference to the below contractual requirement, will VEIC consider bi-weekly status reports and a draft report of each deliverable in lieu of interim and working documents? "CONTRACTOR will provide VEIC with intermediate work products as they are completed, including interim analyses, working drafts, and memoranda prepared for the Services." A:. Q: Are assessment activities to be executed within production environments? Vermont Energy Investment Corporation, 7/25/2014 Page 1 of 5

2 A: Both network and external app penetration and vulnerability tests are intended to be performed on our production environment. The vendor is expected to raise any concerns about negative impacts to VEIC s production systems which may be caused by planned testing. Q: Will the assessment be conducted during normal business hours? A:, unless the Vendor requests otherwise. Q: Does VEIC maintain a systems inventory? A:. PENETRATION AND VULNERABILITY TESTING Q: What are the goals for the internal and external penetration test? A: Point-in-time assessment of VEIC s current vulnerability levels. Q: Are the key decision makers and influencers partial to any particular kind of technology direction, industry recognized certifications, and/or penetration testing methodologies? A: For external application testing we assume the use of OWASP testing. Beyond that, VEIC expects to work with the vendor to select testing protocols and tools which are mutually agreeable. Q: Are the key decision makers and influencers partial to any particular kind of penetration testing software? Q: Are there any pre-approved penetration tools? A: No, our expectation is that we will discuss tools and determine timing based on any risk to business operations. Q: Is there an internal target or is the perimeter breach of VEIC the objective of the external penetration test? A: No, there is no specific internal target. Q: Can you please clarify the number of devices you expect to have tested both internally and externally? A: VEIC expects vulnerability and penetration tests to occur on up to 65 public IPs and less than 1000 internal IP addresses. Internal IP addresses scanned will include all types of physical infrastructure such as server, desktops, switches, and printers. VEIC s expectation is that automated testing would be run across all IP addresses. Q: Will penetration and vulnerability testing exclude home offices and remote workers? A:. Q: Is it possible to perform the Internal Network Penetration Testing via VPN? If not, is it possible to conduct the whole exercise from a single location? Vermont Energy Investment Corporation, 7/25/2014 Page 2 of 5

3 A: VEIC expects Internal Network Penetration Testing to be conducted from VEIC s main office in Burlington Vermont. Q: In page 1 of the RFP, under section 3 in Penetration and Vulnerability Testing, are there web applications hosted on the 100 external IP addresses and if so, do we need to test the pre-login pages for vulnerabilities? A: VEIC has no special requirements related to web application testing in relation to the internal or external Penetration and Vulnerability Testing. All special web application testing requirements are covered by the requirements stated in the External Application Penetration and Vulnerability Testing section of the RFP. Q: For internal vulnerability assessments, will scanning be executed with or without credentials? A: VEIC is expecting internal vulnerability and penetration testing to occur without credentials but would like to discuss this with the selected vendor. Q: Will network diagrams be provided for reference in the assessments? EMPLOYEE TRAINING AND SOCIAL ENGINEERING THREAT PREVENTION PROGRAM Q: Please describe what type of social engineering test is desired by VEIC, how many staff would be involved, and if this testing must occur from a specific location. A: VEIC would like to work with the selected Vendor to select the most appropriate type of social engineering test, although we have as a starting assumption that an solicitation test to VEIC staff will be performed remotely or from VEIC main office. If the vendor is able, VEIC would like to receive a list of the Vendor s standard social engineering services with the associated fee. Q: Regarding: Assist in the design of a social engineering threat prevention program to be delivered by VEIC, would this be similar to designing an incident response program and developing procedures to respond and contain social engineering incidents? A: No, VEIC would like to work with the Vendor to improve our employee awareness educational programs to include social engineering prevention training, possibly to include a regular cycle of social engineering tests. Q: Would the evaluation of the Social Engineering program be covered under the next requirement, Security Program Consulting? SECURITY PROGRAM CONSULTING SERVICE Q: Please provide additional information about the documentation available to support the security program consulting activities. Vermont Energy Investment Corporation, 7/25/2014 Page 3 of 5

4 A: VEIC expects to support the Vendor in the Security Program Consulting Service task by providing a mixture of finalized, drafted, and framework documentation which would be augmented by interviews and discussions with members of VEIC s Cyber Security Team. Q: Has a Security-related staffing plan been developed and formalized by VEIC? A: A staffing plan has been presented to VEIC s executive management team for review. Q: What is meant by (or definition) of reference to a Security Gap Analysis and Project Identification Tool? A: VEIC developed a tool and system for helping to both identify and prioritize projects to be supported by the VEIC Cyber Security Team. Q: Please clarify, Existing security application and technologies". Is this a report or software to review configuration and usage? A: Both. Q: Will the documentation for review be available for review off-site as well as on-site? A:. Q: How many security-related policies and procedures are in use today by the VEIC? A: For the purpose of this evaluation VEIC has less than 10 active policies and another in development. EXTERNAL APPLICATION PENETRATION AND VULNERABILITY TESTING Q: For each application, can a brief description of the size and functionality be provided? A: : KITT Web + KITT API + Online Rebate applications: Public facing web application (partially integrated into SiteFinity CMS with additional standalone C# MVC4 code) that allows external users to create an account and apply for rebates online. Utilizes KITT (custom internal application for project management, rebate processing, and savings tracking) web services API. Data managed via KITT Web application (C# asp.net MVC 4 SQL Server). Backend application utilized by 100+ employees. Retail Account Management Mobile Application + KITT API: ios and Android mobile application that utilizes KITT API. Used by account managers in the field who call on retailers. Developed in C# using PhoneGap. Retail Account Management Mobile Application and Online Rebate Center testing is expected to include 2 roles, a standard user role and an administrative role. In the PhoneGap version of the Retail Account Management Mobile Application, the Administrative role is not available. Q: Are any web applications in scope? If yes, how many web applications are in scope? A: : KITT Web + KITT API + Online Rebate applications: Public facing web application (partially integrated into SiteFinity CMS with additional standalone C# MVC4 code) that allows external users to create an Vermont Energy Investment Corporation, 7/25/2014 Page 4 of 5

5 account and apply for rebates online. Utilizes KITT (custom internal application for project management, rebate processing, and savings tracking) web services API. Data managed via KITT Web application (C# asp.net MVC 4 SQL Server). Backend application utilized by 100+ employees. Q: Will there be mobile application testing? A: : Retail Account Management Mobile Application + KITT API: ios and Android mobile application that utilizes KITT API. Used by account managers in the field who call on retailers. Q: What are the key programming languages the two applications are written in? A: KITT Web + KITT API + Online Rebate applications: Public facing web application (partially integrated into SiteFinity CMS with additional standalone C# MVC4 code) that allows external users to create an account and apply for rebates online. Utilizes KITT (custom internal application for project management, rebate processing, and savings tracking) web services API. Data managed via KITT Web application (C# asp.net MVC 4 SQL Server). Backend application utilized by 100+ employees. Retail Account Management Mobile Application + KITT API: ios and Android mobile application that utilizes KITT API. Used by account managers in the field who call on retailers. Developed in C# using PhoneGap. Q: Please provide the following information about the web applications that will need to be tested: Do they have login pages? Do they have file access? Do they store or use sensitive information? Do they process or store financial data Do they have search functionality Do they have file upload functionality Do they have user profiles Do they have instant messaging functionality Do they have basic messaging functionality Do they have social networking functionality No No Application includes basic functions Limited only social network share/like links. Q: What is the approximate total number of pages and approximate number of input/dynamic pages (such as web forms where users input data) each external application under scope supports? A: CMS: Hundreds of static pages, approximately 10 dynamic. Vermont Energy Investment Corporation, 7/25/2014 Page 5 of 5