Request for Proposal
INFORMATION SECURITY ASSESSMENT SERVICES
RFP #12-680-004
Addendum 1.0
ISSUE DATE: February 23, 2012

Receipt of this addendum should be acknowledged on the Proposal Form.

Inquiries have been received in response to RFP #12-680-004. The questions and responses follow.

1. Let me know if you would accept City and County references from the State of Colorado or many of the Fortune 1000 accounts we have done business with.
Response: 1.3.3 Qualified companies shall have references to include K-12 school districts of, at least, similar size to Poudre School District. Your company would not meet the requirements.

2. What is the expected period of performance for this contract?
Response: That would be whatever duration you expect the discovery process and final report production to be, based on the scope and an organization of our size. Anything outside the scope of the initial assessment and testing would be negotiated separately.

3. How many of the 60 physical locations will we be assessing?
Response: Main hub site, plus a representative sample of 2-3 school sites.

4. Will we be reviewing baseline builds of the 45,000 student/client devices? How many?
Response: The number of client devices (20,000) listed in Attachment A includes student and staff devices. We provide this information only to give proposers an idea of the size of our organization. It is not expected that anything other than a small sample be investigated. We expect the proposer to determine the sample size based on their experience with other organizations.

5. How extensive a review are you requesting for policies/procedures (i.e. how many)?
Response: A review of applicable formally defined Information Technology Board Policies, such as Acceptable Use, and informal ones such as password policies. Provide in your proposal a recommendation of the common policies and procedures to review based on organizations of similar size and industry.

6. Are all of the IP addresses in the two IPv4 Class Bs listed external? If not, how many external IPs need to be scanned?
Response: There are 197 hosts in the two Class B subnets. We request an external scan to be performed to determine how many are externally accessible.

7. Is there expected to be a focused audit against each of the regulatory bodies mentioned below (i.e. a separate focus on HIPAA as opposed to SOX, etc.)?

8. Under regulatory compliance (1.4.2, 11th bullet), are you looking for audits of the environment specifically to those standards, or are you looking for the findings/recommendations to be specifically targeted to meet those regulations? Regarding "etc.", did you have anything else in mind, or would that be up to the proposing firm to suggest?

9. Regarding 1.4.2 and 1.4.3, are those duplicates, or is the requirement under 1.4.2 looking to identify vulnerabilities based solely on architecture, operations, and governance?
Response: Section 1.4.2 refers to items that are assessed based on architecture, operations and governance. Section 1.4.3 requests separate penetration testing and scans.

10. Regarding 1.4.2, is that a different subset of systems in scope than what is referred to under the following request for vulnerability assessment and penetration testing (1.4.3)?
Response: The systems to be tested in vulnerability scanning/penetration testing are a subset of the systems to be analyzed by the overall assessment.

11. Regarding the vulnerability scans and penetration testing (1.4.3): out of the two Class Bs, how many servers/devices are live on the network?
Response: 197.

12. Is there a budget for this project? If yes, can you please provide us with the budget?
Response: A specific budget has not been set aside, but could be allocated based on the responses and available funds.

13. On which specific compliance regulations does PSD request assessment?

14. Does PSD have an in-house vulnerability assessment system? If so, would the system and/or trending data be available for use in testing and analysis?

15. Are all the workstations listed in the RFP part of the scope, or does that number include student computers that connect to PSD's network and systems?
Response: The number of client devices (20,000) listed in Attachment A includes student and staff district-owned devices. We do not allow personal student devices to connect to our network. We provide this information only to give proposers an idea of the size of our organization. It is not expected that anything other than a small sample be investigated.

16. If the devices in the RFP are included in the scope of work, would PSD be interested in employing a sampling approach (or statistical sampling method such as bootstrapping) to reduce the number of devices that must be assessed and therefore the cost?

17. Does PSD use a systems management solution (e.g. SMS, Altiris, Marimba, BigFix) that has an agent on the workstations and servers?
Response: SCCM.

18. Does PSD have a network management system?
Response: We employ HP ProCurve Manager and NetScout Performance Manager.

19. Does PSD anticipate any challenges with performing the vulnerability assessment remotely using a VPN connection to the network?
Response: We have the capability to provide a VPN connection to your firm. Operability may depend on what operations are being performed over that connection.

20. Are all of the 60 PSD sites reachable from a central location on the network, such as the main hub of the network?

21. Does PSD maintain access control lists in its network that limit any network traffic or protocols to/from each of the 60 sites? (i.e., does PSD perform any ingress or egress filtering to the sites across the WAN?)

22. Does PSD want the offeror to provide both internal and external assessments?

23. Can we do most of the work remotely, or do you require on site for the work?
Response: Most work could be done remotely. Some on-site interaction would be expected.

24. From the statement of work section 1.4.2, do you require a complete vulnerability assessment of each device listed in Appendix A, or a sampling of:
  a. All 99 servers located in remote sites?
  b. All 20,000 client devices?
  c. All application and database servers?
Response: We do not expect testing of the entire client population. Some statistical sampling method is acceptable; the level of which we expect the vendor to propose.

25. Could you please describe the network infrastructure (network diagram preferred) for size and scoping: how many firewalls, and what type?
Response: Number of firewalls is listed in Attachment A. Details of make and model will not be provided at this time.

26. How many routers, what model, and, briefly, what is the primary purpose (head-end)?
Response: That level of detail will not be provided at this time.

27. Please describe the switching infrastructure, nomenclature and models (core, distribution, access; layer 3 routing at core? chassis-based core and distribution, 3560s at access?).
Response: That level of detail will not be provided at this time.

28. Please describe the load balancing environment: type, purpose, and method (public websites, round robin). Is traffic shaping in use?
Response: That level of detail will not be provided at this time.

29. Wireless infrastructure: WiSM-based or discrete APs? Encryption in use? Multiple SSIDs? Type, model and auth methods in use?
Response: We have a homogeneous wireless solution covering the entire enterprise. Multiple SSIDs, encryption. Other details will not be provided at this time.

30. Voice and PBX: Is IP telephony in use, and on segmented networks? Vendor type? Stand-alone PBX? Type and features (voicemail, agent group, paging, etc.)?
Response: IP telephony is in use.

31. Are modems still in use for remote access/support of systems?

32. Do you wish to include war dialing as a testing method of your DiD blocks?
Response: You may propose that activity.

33. What remote access methods are in use (SSL VPN, IPsec VPN, Citrix)?
Response: SSL, IPsec.

34. How many servers are in use (physical, virtual), at how many sites? What OSs are in use?
Response: See Attachment A. Windows 2003/2008. Some Linux.

35. What web-based applications are exposed to the Internet? Do you wish to test the applications for vulnerabilities as well? (Testing web applications is a larger endeavor than simple vulnerability scanning.)
Response: We are not asking for specific web application testing.

36. Is multifactor authentication in use? What type? (Smart cards, SecurID?)

37. What IPS/IDS technology is in use? Is it actively monitored by a security team or managed service?
Response: IPS/IDS functionality exists in firewalls.

38. Is the school district using log correlation and SIEM tools? What type?

39. How many databases are in use? What type?
Response: See Attachment A. SQL, Oracle.

40. Is the district using SAN replication technologies over the network (TDMF, etc.)?

41. Are you using a standards framework, such as NIST or ISO, for policy and operational structure? Do you wish for us to evaluate against a standards framework, such as ISO 27001/2?
Response: Not using. Propose what you think is best.

42. How many endpoints are in use processing confidential or sensitive data? Non-sensitive devices?
Response: Not available.

43. Are mobile devices used in the environment processing sensitive data or on sensitive networks? How many, and what type? (Mobile devices are becoming an increasingly targeted attack vector.)
Response: Unknown.

44. Is a full-scope HIPAA, CIPA, FERPA compliance assessment of interest to you, or are you looking for a brief compliance assessment?

45. Are all systems to be tested reachable over the networks from a central location? If not, how many physical locations will need to be visited, and how many IP addresses are reachable per location? Is there segmentation between the sites, or is it a flat network?
Response: Yes, all are reachable from our central location.

46. The RFP lists 20,000 client devices (desktops, laptops, mobiles) but only 3,289 staff. Is some percentage of the client devices used by students?
Response: The number of client devices (20,000) listed in Attachment A includes student and staff district-owned devices. We do not allow personal student devices to connect to our network. We provide this information only to give proposers an idea of the size of our organization. It is not expected that anything other than a small sample be investigated.

47. Are all of the 20,000 client devices owned and/or under the control of PSD?
Response: See answer to question 46 above.

48. We see the 25 public web application servers. How many public-facing IP addresses are there?
Response: Approximately 36.

49. What are the mobile devices to be tested?
Response: We employ laptops running Windows XP, Windows 7, Mac OS X, Android and iOS.

50. How many of the client devices are expected to be tested? Full testing or sampling? If sampling, what level is desired?
Response: We do not expect testing of the entire client population. Some statistical sampling method is acceptable; the level of which we expect the vendor to propose.

51. Will testing be allowed 7x24 during the testing period, or will testing be restricted to certain hours/days?
Response: Testing could be done at any time. We would expect there to be some coordination with the vendor on timing before implementation.

52. How many hosts are expected to be alive on the two IPv4 Class B subnets (131,068 possible)? Is there a list available of these hosts, or do we need to scan to detect them?
Response: There are 197 live on the two subnets.

53. Wireless testing: are we looking for rogue wireless access points? If so, at how many facilities / how many square feet? Do you have a list of approved wireless devices?
Response: We have a homogeneous wireless solution that does have the ability to detect rogue devices. We don't expect you to do expansive detection, but you may propose to evaluate that aspect of our environment.

54. Wireless testing: what are the security features of the wireless network, and are we looking to crack these?
Response: We do expect an analysis of the wireless network environment. We are not asking for attempts to crack the security.

55. Is social engineering desired?
Response: Social engineering may be an aspect of security you propose to evaluate. We are not asking for any active testing based on social engineering.

56. Will testing be performed as authenticated or non-authenticated users of the network?
Response: Propose the methods you think are best.

57. Will web application testing be performed as an authenticated or non-authenticated user, or one round of each?
Response: Propose the methods you think are best.

58. For the access, authentication, and identity management component of the testing, are we expected to crack passwords to determine compliance with policies?
Response: Not necessarily, but we are asking for an assessment of the security of our password and authentication policies.

59. Vulnerability scanning and penetration testing seems to be a separate item listed at 1.4.3, but it is typically a key component of the testing requested at 1.4.2. Please clarify the separation.
Response: Section 1.4.2 refers to items that are assessed based on architecture, operations and governance. 1.4.3 requests separate penetration testing and scans.

60. What level of compliance testing do you want performed around HIPAA, CIPA, FERPA, etc.? Is this a full assessment, or awareness of these regulations during the other testing, or something in between? If this is more than just our awareness, please clarify "etc."

61. What are the operating systems / types of the clients, servers, databases and network equipment?
Response: We have Windows XP, Windows 7, Mac OS X, Windows Server 2003/2008, SQL and Oracle. HP ProCurve.

62. Please expand / clarify 1.4.2, voice systems (PBX) and phone (fax and modem) lines. Is war dialing desired to find open modems? Is a list of numbers available?
Response: Yes, that could be proposed, and we can provide our dialing plan.

63. Are phone systems traditional analog / digital PBX or Voice over IP (VoIP)?
Response: Our phone systems are IP-based and VoIP-capable, but include analog and digital capabilities.

64. Should we assume that IT is aware of false positives frequently identified in the PSD environment, and can IT facilitate a prompt review of these items?

65. Please provide an approximate range of the total number of vulnerabilities identified during previous tests and the approximate percentage that were deemed to be false positives.
Response: Information not available.

66. Will we be testing the functionality of the IDS (i.e. will we have to use stealth scanning techniques to determine which traffic is identified by the IDS and which is not)?

67. Is the IDS configured to automatically block access for what it deems an attack? If yes, will it be disabled for our testing / will we be whitelisted?

68. Is the management of any part of the environment outsourced?

69. Is an analysis of firewall, router and/or DMZ architecture included?

70. Will review of border router and/or firewall rules be included?

71. Is management of the IT function centralized or decentralized?
Response: Centralized.

72. Does PSD have a written vulnerability management program that outlines identifying, evaluating, and mitigating vulnerabilities?

73. How long after Patch Tuesday is the organization 100% patched?
Response: Cannot answer at this time.

74. How many IT personnel are there?
Response: 35.

75. Would you like us to review the physical security of the data center and work areas?

76. Are there any IP addresses that are sensitive or risky (i.e. systems that should not be tested because the platform is unstable or has known issues)?
Response: Not known at this time.