QUESTIONS & RESPONSES #2



Similar documents
PHILADELPHIA GAS WORKS Information Security Assessment and Testing Services RFP#30198 Questions & Answers December 4, 2015

RFP No C017 OFFICE OF TECHNOLOGY INFORMATION SYSTEMS AND INFRASTRUCTURE PENETRATION TEST

Critical Controls for Cyber Security.

Q&A ADDENDUM FOR INFORMATION SECURITY VULNERABILITY ASSESSMENT PUBLISHED 10/20/2015

Client Security Risk Assessment Questionnaire

Information Security Assessment and Testing Services RFQ # Questions and Answers September 8, 2014

INCIDENT RESPONSE CHECKLIST

Professional Services Overview

Response to Questions CML Managed Information Security

Attachment A. Identification of Risks/Cybersecurity Governance

HIPAA SECURITY RISK ANALYSIS FORMAL RFP

Spokane Airport Board (Spokane International Airport, Airport Business Park, Felts Field) Addendum #1 - Q&A

Honeywell Industrial Cyber Security Overview and Managed Industrial Cyber Security Services Honeywell Process Solutions (HPS) June 4, 2014

REQUEST FOR PROPOSAL (RFP) # HIPAA SECURITY ASSESSMENT VENDOR QUESTIONS & ANSWERS ~ MAY 29, 2014

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including:

ADDENDUM #1 REQUEST FOR PROPOSALS

Cyber Risk Mitigation via Security Monitoring. Enhanced by Managed Services

VULNERABILITY & COMPLIANCE MANAGEMENT SYSTEM

Four Top Emagined Security Services

After reviewing all the questions, the most common and relevant questions were chosen and the answers are below:

An Overview of Information Security Frameworks. Presented to TIF September 25, 2013

Vendor Risk Assessment Questionnaire

Enterprise Computing Solutions

7 Homeland. ty Grant Program HOMELAND SECURITY GRANT PROGRAM. Fiscal Year 2008

How To Manage Your Information Systems At Aerosoft.Com

Jumpstarting Your Security Awareness Program

CITY AND COUNTY OF DENVER AUDITOR S OFFICE REQUEST FOR PROPOSAL FOR PROFESSIONAL AUDITING SERVICES. Additional Information.

SANS Top 20 Critical Controls for Effective Cyber Defense

Chapter 1 The Principles of Auditing 1

Department of Management Services. Request for Information

Vendor Questions and Answers

NERC CIP VERSION 5 COMPLIANCE

SECURITY. Risk & Compliance Services

Goals. Understanding security testing

PCI Solution for Retail: Addressing Compliance and Security Best Practices

Cloud Assurance: Ensuring Security and Compliance for your IT Environment

Spooks in the Machine

OCIE CYBERSECURITY INITIATIVE

NERC Cyber Security. Compliance Consulting. Services. HCL Governance, Risk & Compliance Practice

Altius IT Policy Collection Compliance and Standards Matrix

The Importance of Cybersecurity Monitoring for Utilities

Independent Security Operations Oversight and Assessment. Captain Timothy Holland PM NGEN

About This Document. Response to Questions. Security Sytems Assessment RFQ

VML INSURANCE PROGRAMS REQUEST FOR PROPOSALS STRATEGIC TECHNOLOGY PARTNER FOR MEMBERS

Hosted SharePoint: Questions every provider should answer

Request for Proposal INFORMATION SECURITY ASSESSMENT SERVICES RFP # Addendum 1.0

Enterprise Information Technology Security Assessment RFP Answers to Questions

Solving the Desktop Dilemma

External Supplier Control Requirements

Simplifying Security & Compliance Innovating IT Managed Services. Data Security Threat Landscape and IT General Controls

Top 10 PCI Concerns. Jeff Tucker Sr. Security Consultant, Foundstone Professional Services

The Protection Mission a constant endeavor

Stephen Coty Director, Threat Research

A Decision Maker s Guide to Securing an IT Infrastructure

White Paper. April Security Considerations for Utilities Utilities Tap Into the Power of SecureWorks

Defending Against Data Beaches: Internal Controls for Cybersecurity

North Dakota 2013 IT Security Audit Vulnerability Assessment & Penetration Test Project Briefing

Cybersecurity Strategy

Network Segmentation

Industrial Security for Process Automation

Assessing the Effectiveness of a Cybersecurity Program

Looking at the SANS 20 Critical Security Controls

Virtualization and Cloud Computing

Security Policy for External Customers

PCI Requirements Coverage Summary Table

Patching & Malicious Software Prevention CIP-007 R3 & R4

I n f o r m a t i o n S e c u r i t y

What s Wrong with Information Security Today? You are looking in the wrong places for the wrong things.

CompTIA Security+ (Exam SY0-410)

Cloud Courses Description

Information Security for the Rest of Us

Security Information and Event Management (SIEM) Hardware & Software RFP #

Analyzing Security for Retailers An analysis of what retailers can do to improve their network security

DESIGNATED CONTRACT MARKET OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE

IT Networking and Security

Security Awareness For Server Administrators. State of Illinois Central Management Services Security and Compliance Solutions

Checklist for Vulnerability Assessment

Modular Network Security. Tyler Carter, McAfee Network Security

Utility Modernization Cyber Security City of Glendale, California

IBM Security Strategy

Security Management. Keeping the IT Security Administrator Busy

Agenda. Cyber Security: Potential Threats Impacting Organizations 1/6/2015. January 10, 2015 Scott Petree

Digital Pathways. Penetration Testing

BMS Consulting LLC Portfolio, partners and benefits

RFP # Provide Information Security Assessment and Penetration Testing Due August 11, 2015 at 2:00PM (CST)

Addressing the SANS Top 20 Critical Security Controls for Effective Cyber Defense

SCADA and Security Are they Mutually Exclusive? Terry M. Draper, PE, PMP

1B1 SECURITY RESPONSIBILITY

ACME Enterprises IT Infrastructure Assessment

F G F O A A N N U A L C O N F E R E N C E

IBM Global Technology Services Statement of Work. for. IBM Infrastructure Security Services - Penetration Testing - Express Penetration Testing

University of Pittsburgh Security Assessment Questionnaire (v1.5)

THE TOP 4 CONTROLS.

Building The Human Firewall. Andy Sawyer, CISM, C CISO Director of Security Locke Lord

By: Gerald Gagne. Community Bank Auditors Group Cybersecurity What you need to do now. June 9, 2015

CONTENTS. PCI DSS Compliance Guide

IoT & INFOSEC: A REPORT FROM THE TRENCHES - AGC IT Conference- July 2015 MIKE.ZUSMAN@CARVESYSTEMS.COM

1. Perimeter Security Dealing with firewall, gateways and VPNs and technical entry points. Physical Access to your premises can also be reviewed.

Attacks from the Inside

Logging In: Auditing Cybersecurity in an Unsecure World

Transcription:

QUESTIONS & RESPONSES #2 RFP / TITLE 070076 IT Cybersecurity Assessment and Plan CONTACT Michael Keim, CPPB, Sr. Contract Adminstrator EMAIL procurement@portoftacoma.com PHONE NUMBER 253-428-8608 SUBMITTAL DUE DATE Monday, February 23, 2015 @ 4:00 P. M. Q&A ISSUE DATE Thursday, February 12, 2015 PROPOSER QUESTIONS PORT RESPONSES While the Port mentions the inclusion of areas B.a to B.e under Scope of Services, is it also expected that the Consultant review and assess other aspects of the Port s cyber security posture such as system patching, data backup, incident response, disaster recovery, segregation of duties, physical security of the data center, etc.? Is vulnerability assessment scanning and penetration testing expected to be performed on the Port s network perimeter, internal systems, and wireless networks? If vulnerability assessment scanning and penetration testing is expected to be performed, please indicate the number of external targets, internal targets, and wireless networks. The Port understands "targets" to mean IP addresses and as such, the following information is provided: internally we have private class A, B, and C. Externally we have class B and C. How many servers does the Port manage? Please indicate physical vs. virtual. How many end users are there? 230 How many IT staff are there? 15 See previously posted Question - Answer 1, line 11; http://portoftacoma.com/contracts/procurement/070076/itcybersecurity-assessment-and-plan

What is the number of workstations supported? 258 What is (are) the server operating system(s) utilized at the Port? What are the major applications in use at the Port? Is social engineering expected to be part of this assessment? (Please indicate what type of testing is desired: spear phishing, phone-based, physical penetration testing, etc.) MS Windows 2008 & 2012 The Port is a Microsoft shop for both servers and workstations. This means the Port utilizes email, unified communications, SQL, IIS, CRM, and GP. There are a number of exception we also use IBM Maximo and GIS. Email phishing & phone-based. Do you want any web applications assessed? How many nodes are in scope? 1000+ Will the assessment be done from an internal or Both external perspective or both? Does the Port of Tacoma currently have asset management/asset tracking capability? If yes, We are a typical business utilizing the Microsoft product stack please describe the format (e.g., spreadsheet, for both the servers and workstations. database, software application, etc.) Will the Port of Tacoma authorize the utilization of the successful offeror s IT asset discovery/asset Possibly, it is open for discussion. inventory application to facilitate cyber security analytics? Will port of Tacoma require and authorize net security penetration testing or similar network Possibly, it is open for discussion. scanning service(s)? What is the desired level of complexity for assessment? Are red-team probes and attacks or simulations desired? What is the scale of their system? Can you provide a system diagram to outline the scope? Who is the current vendor who has done the IT Cybersecurity Assessment and Plan from the past? Who manages the current IT Department? Could you please tell me what the current costs are for this solicitation and how can I obtain a copy of the contract? Please confirm contract period of performance end date 9/19/2016 or 9/19/2015. This project has a fixed cost, not to exceed $100K. It is in the Port's interest to achive the best valued assessment for our money. This information will be provided to the selected Consultant. There is no current vendor nor has this work been done in the past. This question has no bearing on the Scope of Work or other details contained in this RFP. Please read the RFP - Background Section regarding current costs for this solicitation. There is no current nor previous contract for this work. 2016

Port Text: All policies shall be issued by a company having an A. M. Best rating of A:VI or better. Exception: Professional Liability insurance is maintained through ABS Boiler & Marine Insurance No waiver or exception to the Port's insurance requirements will Company ( ABS BMIC ), a Vermont insurer. As a be granted. captive insurer owned by our ultimate parent company, parent company (and our company) is not rated by A.M. Best or any other rating agency. Therefore, we need to take an exception to this effect. Port text: Each insurance policy shall be endorsed to state that coverage shall not be suspended, voided, canceled or reduced in coverage or limits except after 45 days prior written notice has been given to the Port. Exception: Our underwriters will not endorse our policies in such a fashion; a decision over which we have no control. Remedy: Consultant will provide the Port with any notice of cancellations or material changes in the policies in accordance with policy terms. In regards to the IT Cybersecurity Assessment and Plan RFP you posted, we were wondering if you had reverse engineering malware and/or exploits in mind as part of this RFP? No waiver or exception to the Port's insurance requirements will be granted. Please read Q&A #1, Line 15 found on the Port's website: http://portoftacoma.com/contracts/procurement/070076/itcybersecurity-assessment-and-plan How many and what type of firewalls are in place? Five, Palo Alto Is administration of systems centralized or decentralized? Centralized How many external (Internet facing) IP addresses We have six external facing subnet and yes include it in the does Port of Tacoma have/own that should be scope. considered as in-scope for external testing? How many websites are running from the Port of None, a third party vendor hosts the website. Tacoma s infrastructure? Please list the number of different operating Windows 2008 & 2012 OS. Primarily an IIS shop with on systems and web servers (i.e. IIS, Apache, etc ) that exception with one IBM application using Apache. are running. Please describe the Internet facing Currently, only I-Pro. This will not be available to check as it systems/applications run by Port of Tacoma that are owned by a third party, is proprietary and is locked-down. hosted on in-house systems. Please list any Internet facing systems that are None conducting some form of e-commerce. Please describe each form of remote access Microsoft TMG and UAG is used for remote access. provided to staff, IT, and/or vendors

Are there any hosted applications (not on your infrastructure) that should be considered in-scope None for this assessment? How many Wireless Access Points are in use? 14 Is just a review of configurations or active penetration test on the wireless network desired? If The latter and the minimum of three locations. the latter, how many locations will need to be tested for the wireless penetration test? How many separate wireless networks are there? 2 How many data centers are to be tested? 1 How many internal IP addresses are active? Or in See question 13. general, how many subnets are in use? Do you have any SCADA or industrial control None systems that are used and would be in scope? Are there any special security clearances needed No particular clearances necessary. U.S. citizenship is strongly or citizenship requirements to perform the work? encouraged. Are there any specific instructions: 1.) restrictions 2.) limitations on what percentage of the work can be performed remotely or on premise. How many servers, switches, OS s, Virtualization, applications and security devices are in scope? Traditional IP, Ddos. UC Unified Communications, Communications network based, T-dos, What are the product vendors of the network infrastructure: switches, routers, firewalls, Unified Threat Management platforms, Intrusion Detection, VPN, RDP, Web Application Firewalls, and or other security devices, or APT tools. This will help to determine the best tools for the assessment. Is Encryption in use, type, full disc, database, file, email, are HSM s in use, has PKI or RMS, CAC cards, IAM in use? What types of Applications Are in Scope? Are there any bespoken mobile or Web applications or custom applications, databases? Is physical security assessment included in the SOW, and or social engineering of staff or other 3rd party vendors that may have access? Are there any other framework(s) or compliance guidelines that the security assessment should be measured against NIST//SSI? Are there any other Compliance Measurements for consideration: NERC- CIP, CJIS, (PCI, SOX, Federal, State, Local privacy or security laws, etc) *The SOW only recognizes the NIST framework as outlined in the specific Executive Order. Restrictions and limitations will be determined once a vendor is selected. 140 servers, 67 switches, 5 firewalls, Microsoft OS, Hyper-V, Lync for the UC. Cisco = switches, routers, and wireless. Firewalls = Palo Alto. We are a Microsoft shop = TMG, SQL Email and the like. No PKI or RMS Email, IIS, SQL, and Lyn. No custome apps. This is the expertise the Port is wanting the vendor to guide us in. What else should be considered?

Is anything outsourced to a 3rd party or to a cloud provider, do we need to notify any other parties or obtain permissions to conduct any assessments? We are just starting to work with Microsoft Office 365. External Vulnerability//Internal//Wireless//How many IP Ranges are in scope? How many physical points of presence will need to be visited for the wireless portion of the assessment? Is detection of rogue wireless access points in scope for the project? How many firewalls and types of firewalls are inscope for the configuration validation? Is there an expectation that this project will include a review of firewall rules? How many operating systems and database platforms are in-scope for the configuration validation? How many network segments and IP addresses are in the overall environment? Are there any web applications in-scope, and is there an expectation that web application scanning will be performed? Are any third parties, hosted, or outsourced components in-scope? Are there any SCADA (supervisory control and data acquisition) or similar types of systems or networks in-scope? Will reference questionnaires be subject to public disclosure? If so, will the description of services and reference name and contact information be subject to public disclosure? See question 49 3 to 5 is sufficient. Since there are 14 WAPs it is expected. See question 53. Only four are in scope. See questions 18-19 See question 49 Web scanning to be performed. None see question 50 Please review the Section - Public Disclosure contained in Attachment A - Instructions for Proposing of the RFP. What is the size of the internal infrastructure? See questions 49 and 53 (Subnet size, number of hosts, etc.) What is the size of the external infrastructure? 6 subnets, 13 hosts (Subnet size, number of hosts, etc.) Number of routers 2 Number of firewalls 5 Number of wireless networks 2 Number of CCTV systems 1 See RFP Question - Answer 1, question 11; Number and type of servers http://portoftacoma.com/contracts/procurement/070076/itcybersecurity-assessment-and-plan You mention web servers but no specific web applications or websites for assessment. How many Less then 10. web apps or sites are you looking at for the assessment?

For the Web Application Assessment, can a brief description of the size and functionality be provided? (What is the approximate total number of Don't have a number of total pages. There are 10 web servers pages and approximate number of input/dynamic internally for such apps as SharePoint, HR, CRM, and GIS. pages (such as web forms where users input data) Externally there are only a few web apps HR and IBM Maximo. each external web application under scope supports? For the Wireless Assessment: How many locations and an approximate number of access points or size of the facility? For Social Engineering: Is this limited to email phishing or are there specific Social engineering use cases that the Port of Tacoma would like to have performed? Will the assessment be conducted during normal business hours? Is there any limitation to the hours in which scanning / penetration testing can be performed? Are you using NIST framework today? No greater than six locations. All within a two mile radius of the admin bldg. Email phishing is included in the scope. No restrictions. DHS and the Coast Guard require it. Tthe Port would like to know where it is at physically and get a road map as a result of the assessment to assist with understanding this beast. What framework are you looking to have the policies and procedures evaluated against? 800-53, ISO-27001, NIST Cybersecurity Framework, other? Initially NIST. Followed by recommendations as a result of the assessment.

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information