Request for Proposal
INFORMATION SECURITY ASSESSMENT SERVICES
RFP #12-680-004
Addendum 1.0
ISSUE DATE: February 23, 2012

Receipt of this addendum should be acknowledged on the Proposal Form.

Inquiries have been received in response to RFP #12-680-004. The questions and responses follow.

1. Let me know if you would accept City and County references from the State of Colorado or many of the Fortune 1000 accounts we have done business with.
    1.3.3 Qualified companies shall have references to include K-12 school districts of, at least, similar size to Poudre School District. Your company would not meet the requirements.

2. What is the expected period of performance for this contract?
    That would be whatever duration you expect the discovery process and final report production to be, based on the scope and an organization of our size. Anything outside the scope of the initial assessment and testing would be negotiated separately.

3. How many of the 60 physical locations will we be assessing?
    Main hub site, plus a representative sample of 2-3 school sites.

4. Will we be reviewing baseline builds of the 45,000 student/client devices? How many?
    The number of client devices (20,000) listed in Attachment A includes student and staff devices. We provide this information only to give proposers an idea of the size of our organization. It is not expected that anything other than a small sample be investigated. We expect the proposer to determine the sample size based on their experience with other organizations.

5. How extensive a review are you requesting for policies/procedures (i.e. how many)?
    A review of applicable formally defined Information Technology Board Policies, such as Acceptable Use, and informal ones such as password policies. Provide in your proposal a recommendation of the common policies and procedures to review based on organizations of similar size and industry.

6. Are all of the IP addresses in the two IPv4 Class Bs listed in this external? If not, how many external IPs are needing to be scanned?
    There are 197 hosts in the two Class B subnets. We request an external scan to be performed to determine how many are externally accessible.

7. Is there expected to be a focused audit against each of the regulatory bodies mentioned below (i.e. a separate focus on HIPAA as opposed to SOX, etc.)?

8. Under regulatory compliance (1.4.2, 11th bullet), are you looking for audits of the environment specifically to those standards, or are you looking for the findings/recommendations to be specifically targeted to meet those regulations? Regarding "etc.", did you have anything else in mind, or would that be up to the proposing firm to suggest?

9. Regarding 1.4.2 and 1.4.3, are those duplicate, or is the requirement under 1.4.2 looking to identify vulnerabilities based solely on architecture, operations, and governance?
    Section 1.4.2 refers to items that are assessed based on architecture, operations and governance. Section 1.4.3 requests separate penetration testing and scans.

10. Regarding 1.4.2, is that a different subset of systems in scope than what is referred to under the following request for vulnerability assessment and penetration testing (1.4.3)?
    The systems to be tested in vulnerability scanning/penetration testing are a subset of the systems to be analyzed by the overall assessment.

11. Regarding the vulnerability scans and penetration testing (1.4.3): out of the two Class Bs, how many servers/devices are live on the network?
    197

12. Is there a budget for this project? If yes, can you please provide us with the budget?
    A specific budget has not been set aside, but could be allocated based on the responses and available funds.

13. On which specific compliance regulations does PSD request assessment?

14. Does PSD have an in-house vulnerability assessment system? If so, would the system and/or trending data be available for use in testing and analysis?

15. Are all the workstations listed in the RFP part of the scope, or does that number include student computers that connect to PSD's network and systems?
    The number of client devices (20,000) listed in Attachment A includes student and staff district-owned devices. We do not allow personal student devices to connect to our network. We provide this information only to give proposers an idea of the size of our organization. It is not expected that anything other than a small sample be investigated.

16. If the devices in the RFP are included in the scope of work, would PSD be interested in employing a sampling approach (or statistical sampling method such as bootstrapping) to reduce the number of devices that must be assessed and therefore the cost?

17. Does PSD use a systems management solution (e.g. SMS, Altiris, Marimba, BigFix) that has an agent on the workstations and servers?
    SCCM.

18. Does PSD have a network management system?
    We employ HP ProCurve Manager and NetScout Performance Manager.

19. Does PSD anticipate any challenges with performing the vulnerability assessment remotely using a VPN connection to the network?
    We have the capability to provide a VPN connection to your firm. Operability may depend on what operations are being performed over that connection.

20. Are all of the 60 PSD sites reachable from a central location on the network, such as the main hub of the network?

21. Does PSD maintain Access Control Lists in their network that limit any network traffic or protocols to/from each of the 60 sites? (i.e., does PSD perform any ingress or egress filtering to the sites across the WAN?)

22. Does PSD want the offeror to provide both internal and external assessments?

23. Can we do most of the work remotely, or do you require on-site presence for the work?
    Most work could be done remotely. Some on-site interaction would be expected.

24. From the statement of work, section 1.4.2, do you require a complete vulnerability assessment of each device listed in Appendix A, or a sampling of the:
    a. All 99 servers located in remote sites?
    b. All 20,000 client devices?
    c. All application and database servers?
    We do not expect testing of the entire client population. Some statistical sampling method is acceptable, the level of which we expect the vendor to propose.

25. Could you please describe the network infrastructure (network diagram preferred) for size and scoping: How many firewalls and what type?
    Number of firewalls is listed in Attachment A. Details of make and model will not be provided at this time.

26. How many routers, what model and, briefly, what is the primary purpose (head-end)?
    That level of detail will not be provided at this time.

27. Please describe the switching infrastructure, nomenclature and models (core, distribution, access, layer 3 routing at core? chassis-based core and distribution, 3560s at access?).
    That level of detail will not be provided at this time.

28. Please describe the load balancing environment, type, purpose, and method (public websites, round robin). Is traffic shaping in use?
    That level of detail will not be provided at this time.

29. Wireless infrastructure: WiSM-based, discrete APs, encryption in use? Multiple SSIDs, type, model and auth methods in use?
    We have a homogenous wireless solution covering the entire enterprise. Multiple SSIDs, encryption. Other details will not be provided at this time.

30. Voice and PBX: Is IP telephony in use, and on segmented networks, vendor type? Stand-alone PBX? Type and features (voicemail, agent group, paging, etc.)?
    IP telephony is in use.

31. Are modems still in use for remote access/support of systems?

32. Do you wish to include war dialing as a testing method of your DiD blocks?
    You may propose that activity.

33. What remote access methods are in use (SSL VPN, IPsec VPN, Citrix)?
    SSL, IPsec.

34. How many servers are in use (physical, virtual), at how many sites? What OSs are in use?
    See Attachment A. Windows 2003/2008. Some Linux.

35. What web-based applications are exposed to the Internet? Do you wish to test the applications for vulnerabilities as well? (Testing web applications is a larger endeavor than simple vulnerability scanning.)
    We are not asking for specific web application testing.

36. Is multifactor authentication in use? What type? (Smart cards, SecurID?)

37. What IPS/IDS technology is in use? Is it actively monitored by a security team or managed service?
    IPS/IDS functionality exists in firewalls.

38. Is the school district using log correlation and SIEM tools? What type?

39. How many databases are in use? What type?
    See Attachment A. SQL, Oracle.

40. Is the district using SAN replication technologies over the network (TDMF, etc.)?

41. Are you using a standards framework, such as NIST or ISO, for policy and operational structure? Do you wish for us to evaluate against a standards framework, such as ISO 27001/2?
    Not using. Propose what you think is best.

42. How many endpoints are in use processing confidential or sensitive data, and how many non-sensitive devices?
    Not available.

43. Are mobile devices used in the environment processing sensitive data or on sensitive networks? How many and what type? (Mobile devices are becoming an increasingly targeted attack vector.)
    Unknown.

44. Is a full-scope HIPAA, CIPA, FERPA compliance assessment of interest to you, or are you looking for a brief compliance assessment?

45. Are all systems to be tested reachable over the networks from a central location? If not, how many physical locations will need to be visited, and how many IP addresses are reachable per location? Is there segmentation between the sites, or is it a flat network?
    Yes, all are reachable from our central location.

46. The RFP lists 20,000 client devices (desktops, laptops, mobiles) but only 3,289 staff. Is some percentage of the client devices used by students?
    The number of client devices (20,000) listed in Attachment A includes student and staff district-owned devices. We do not allow personal student devices to connect to our network. We provide this information only to give proposers an idea of the size of our organization. It is not expected that anything other than a small sample be investigated.

47. Are all of the 20,000 client devices owned and/or under the control of PSD?
    See answer to question 46 above.

48. We see the 25 public web application servers. How many public-facing IP addresses are there?
    Approximately 36.

49. What are the mobile devices to be tested?
    We employ laptops running Windows XP, Windows 7, Mac OS X, Android and iOS.

50. How many of the client devices are expected to be tested? Full testing or sampling? If sampling, what level is desired?
    We do not expect testing of the entire client population. Some statistical sampling method is acceptable, the level of which we expect the vendor to propose.

51. Will testing be allowed 24x7 during the testing period, or will testing be restricted to certain hours/days?
    Testing could be done at any time. We would expect there to be some coordination with the vendor on timing before implementation.

52. How many hosts are expected to be alive on the two IPv4 Class B subnets (131,068 possible)? Is there a list available of these hosts, or do we need to scan to detect them?
    There are 197 live on the two subnets.

53. Wireless testing: are we looking for rogue wireless access points? If so, at how many facilities / how many square feet? Do you have a list of approved wireless devices?
    We have a homogenous wireless solution that does have the ability to detect rogue devices. We don't expect you to do expansive detection, but you may propose to evaluate that aspect of our environment.

54. Wireless testing: what are the security features of the wireless network, and are we looking to crack these?
    We do expect an analysis of the wireless network environment. We are not asking for attempts to crack the security.

55. Is social engineering desired?
    Social engineering may be an aspect of security you propose to evaluate. We are not asking for any active testing based on social engineering.

56. Will testing be performed as authenticated or non-authenticated users of the network?
    Propose the methods you think are best.

57. Will web application testing be performed as an authenticated or non-authenticated user, or one round of each?
    Propose the methods you think are best.

58. For the access, authentication, and identity management component of the testing, are we expected to crack passwords to determine compliance with policies?
    Not necessarily, but we are asking for assessment of the security of our password and authentication passwords and policies.

59. Vulnerability scanning and penetration testing seems to be a separate item listed at 1.4.3, but it is typically a key component of the testing requested at 1.4.2. Please clarify the separation.
    Section 1.4.2 refers to items that are assessed based on architecture, operations and governance. 1.4.3 requests separate penetration testing and scans.

60. What level of compliance testing do you want performed around HIPAA, CIPA, FERPA, etc.? Is this a full assessment, or awareness of these regulations during the other testing, or something in between? If this is more than just our awareness, please clarify "etc."

61. What are the operating systems / types of the clients, servers, databases and network equipment?
    We have Windows XP, Windows 7, Mac OS X, Windows Server 2003/2008, SQL and Oracle. HP ProCurve.

62. Please expand / clarify 1.4.2, voice systems (PBX) and phone (fax and modem) lines. Is war dialing desired to find open modems? Is a list of numbers available?
    Yes, that could be proposed, and we can provide our dialing plan.

63. Are phone systems traditional analog / digital PBX, or Voice over IP (VoIP)?
    Our phone systems are IP-based and VoIP-capable, but include analog and digital capabilities.

64. Should we assume that IT is aware of false positives frequently identified in the PSD environment, and can IT facilitate a prompt review of these items?

65. Please provide an approximate range of the total number of vulnerabilities identified during previous tests and the approximate percentage that were deemed to be false positives.
    Information not available.

66. Will we be testing the functionality of the IDS (i.e. will we have to use stealth scanning techniques to determine which traffic is identified by the IDS and which is not)?

67. Is the IDS configured to automatically block access for what it deems as an attack? If yes, will it be disabled for our testing / will we be whitelisted?

68. Is the management of any part of the environment outsourced?

69. Is an analysis of firewall, router and/or DMZ architecture included?

70. Will review of border router and/or firewall rules be included?

71. Is management of the IT function centralized or decentralized?
    Centralized.

72. Does PSD have a written vulnerability management program that outlines identifying, evaluating, and mitigating vulnerabilities?

73. How long after Patch Tuesday is the organization 100% patched?
    Cannot answer at this time.

74. How many IT personnel are there?
    35

75. Would you like us to review the physical security of the data center and work areas?

76. Are there any IP addresses that are sensitive or risky (i.e. systems that should not be tested because the platform is unstable or has known issues)?
    Not known at this time.