Enterprise Information Technology Security Assessment RFP Answers to Questions




Vermont Energy Investment Corporation, 7/25/2014

GENERAL QUESTIONS

Q: How do the goals of the security assessment relate to improving the way VEIC does business?
A: Security of our and our customers' data is of critical importance to VEIC. We expect to leverage this point-in-time assessment to help inform improvements to our ongoing security-related projects and plans.

Q: Please specify any previous experience receiving 3rd party assessments and whether reports and findings from those assessments will be provided to the selected vendor.
A: Starting in 2013, VEIC began conducting annual security assessments. 2013's assessment focused on system and application penetration and vulnerability testing with a scope similar to the scope defined in our current RFP. VEIC does not expect to provide results from prior assessments to our selected vendor.

Q: What are the expected project dates for this work?
A: VEIC's goal is for the assessment to be completed by the end of September.

Q: The evaluation points add to more than 10 -- is this your intention?
A:

Q: Can VEIC share its budget for this project?
A: This project is budgeted with funding available immediately. VEIC assumes that the received proposals will exceed the $20,000 level for which we require a formal RFP to be conducted.

Q: Please clarify on-site expectations for the five physical sites.
A: VEIC expects the work to be conducted either remotely or from VEIC's principal office in Burlington, Vermont. Internal penetration testing of VEIC's systems is expected to be performed from our principal offices in Burlington, Vermont.

Q: In reference to the below contractual requirement, will VEIC consider bi-weekly status reports and a draft report of each deliverable in lieu of interim and working documents? "CONTRACTOR will provide VEIC with intermediate work products as they are completed, including interim analyses, working drafts, and memoranda prepared for the Services."
A:

Q: Are assessment activities to be executed within production environments?
A: Both network and external application penetration and vulnerability tests are intended to be performed on our production environment. The vendor is expected to raise any concerns about negative impacts to VEIC's production systems which may be caused by planned testing.

Q: Will the assessment be conducted during normal business hours?
A:, unless the Vendor requests otherwise.

Q: Does VEIC maintain a systems inventory?
A:

PENETRATION AND VULNERABILITY TESTING

Q: What are the goals for the internal and external penetration test?
A: Point-in-time assessment of VEIC's current vulnerability levels.

Q: Are the key decision makers and influencers partial to any particular kind of technology direction, industry recognized certifications, and/or penetration testing methodologies?
A: For external application testing we assume the use of OWASP testing. Beyond that, VEIC expects to work with the vendor to select testing protocols and tools which are mutually agreeable.

Q: Are the key decision makers and influencers partial to any particular kind of penetration testing software?
Q: Are there any pre-approved penetration tools?
A: No, our expectation is that we will discuss tools and determine timing based on any risk to business operations.

Q: Is there an internal target, or is the perimeter breach of VEIC the objective of the external penetration test?
A: No, there is no specific internal target.

Q: Can you please clarify the number of devices you expect to have tested both internally and externally?
A: VEIC expects vulnerability and penetration tests to occur on up to 65 public IPs and less than 1000 internal IP addresses. Internal IP addresses scanned will include all types of physical infrastructure such as servers, desktops, switches, and printers. VEIC's expectation is that automated testing would be run across all IP addresses.

Q: Will penetration and vulnerability testing exclude home offices and remote workers?
A:

Q: Is it possible to perform the Internal Network Penetration Testing via VPN? If not, is it possible to conduct the whole exercise from a single location?
A: VEIC expects Internal Network Penetration Testing to be conducted from VEIC's main office in Burlington, Vermont.

Q: On page 1 of the RFP, under section 3 in Penetration and Vulnerability Testing, are there web applications hosted on the 100 external IP addresses and, if so, do we need to test the pre-login pages for vulnerabilities?
A: VEIC has no special requirements related to web application testing in relation to the internal or external Penetration and Vulnerability Testing. All special web application testing requirements are covered by the requirements stated in the External Application Penetration and Vulnerability Testing section of the RFP.

Q: For internal vulnerability assessments, will scanning be executed with or without credentials?
A: VEIC is expecting internal vulnerability and penetration testing to occur without credentials but would like to discuss this with the selected vendor.

Q: Will network diagrams be provided for reference in the assessments?

EMPLOYEE TRAINING AND SOCIAL ENGINEERING THREAT PREVENTION PROGRAM

Q: Please describe what type of social engineering test is desired by VEIC, how many staff would be involved, and if this testing must occur from a specific location.
A: VEIC would like to work with the selected Vendor to select the most appropriate type of social engineering test, although we have as a starting assumption that an e-mail solicitation test of VEIC staff will be performed remotely or from VEIC's main office. If the vendor is able, VEIC would like to receive a list of the Vendor's standard social engineering services with the associated fees.

Q: Regarding "Assist in the design of a social engineering threat prevention program to be delivered by VEIC": would this be similar to designing an incident response program and developing procedures to respond to and contain social engineering incidents?
A: No, VEIC would like to work with the Vendor to improve our employee awareness educational programs to include social engineering prevention training, possibly to include a regular cycle of social engineering tests.

Q: Would the evaluation of the Social Engineering program be covered under the next requirement, Security Program Consulting?

SECURITY PROGRAM CONSULTING SERVICE

Q: Please provide additional information about the documentation available to support the security program consulting activities.
A: VEIC expects to support the Vendor in the Security Program Consulting Service task by providing a mixture of finalized, drafted, and framework documentation which would be augmented by interviews and discussions with members of VEIC's Cyber Security Team.

Q: Has a security-related staffing plan been developed and formalized by VEIC?
A: A staffing plan has been presented to VEIC's executive management team for review.

Q: What is meant by (or what is the definition of) the reference to a "Security Gap Analysis and Project Identification Tool"?
A: VEIC developed a tool and system for helping to both identify and prioritize projects to be supported by the VEIC Cyber Security Team.

Q: Please clarify "Existing security application and technologies". Is this a report or software to review configuration and usage?
A: Both.

Q: Will the documentation for review be available for review off-site as well as on-site?
A:

Q: How many security-related policies and procedures are in use today by VEIC?
A: For the purpose of this evaluation VEIC has less than 10 active policies and another 10-15 in development.

EXTERNAL APPLICATION PENETRATION AND VULNERABILITY TESTING

Q: For each application, can a brief description of the size and functionality be provided?
A:
KITT Web + KITT API + Online Rebate applications: Public-facing web application (partially integrated into the SiteFinity CMS with additional standalone C# MVC4 code) that allows external users to create an account and apply for rebates online. Utilizes the KITT (custom internal application for project management, rebate processing, and savings tracking) web services API. Data managed via the KITT Web application (C# ASP.NET MVC 4, SQL Server). Backend application utilized by 100+ employees.
Retail Account Management Mobile Application + KITT API: iOS and Android mobile application that utilizes the KITT API. Used by 10-20 account managers in the field who call on retailers. Developed in C# using PhoneGap.
Retail Account Management Mobile Application and Online Rebate Center testing is expected to include 2 roles, a standard user role and an administrative role. In the PhoneGap version of the Retail Account Management Mobile Application, the Administrative role is not available.

Q: Are any web applications in scope? If yes, how many web applications are in scope?
A:
KITT Web + KITT API + Online Rebate applications: Public-facing web application (partially integrated into the SiteFinity CMS with additional standalone C# MVC4 code) that allows external users to create an account and apply for rebates online. Utilizes the KITT (custom internal application for project management, rebate processing, and savings tracking) web services API. Data managed via the KITT Web application (C# ASP.NET MVC 4, SQL Server). Backend application utilized by 100+ employees.

Q: Will there be mobile application testing?
A:
Retail Account Management Mobile Application + KITT API: iOS and Android mobile application that utilizes the KITT API. Used by 10-20 account managers in the field who call on retailers.

Q: What are the key programming languages the two applications are written in?
A:
KITT Web + KITT API + Online Rebate applications: Public-facing web application (partially integrated into the SiteFinity CMS with additional standalone C# MVC4 code) that allows external users to create an account and apply for rebates online. Utilizes the KITT (custom internal application for project management, rebate processing, and savings tracking) web services API. Data managed via the KITT Web application (C# ASP.NET MVC 4, SQL Server). Backend application utilized by 100+ employees.
Retail Account Management Mobile Application + KITT API: iOS and Android mobile application that utilizes the KITT API. Used by 10-20 account managers in the field who call on retailers. Developed in C# using PhoneGap.

Q: Please provide the following information about the web applications that will need to be tested:
- Do they have login pages?
- Do they have file access?
- Do they store or use sensitive information?
- Do they process or store financial data?
- Do they have search functionality?
- Do they have file upload functionality?
- Do they have user profiles?
- Do they have instant messaging functionality?
- Do they have basic messaging functionality?
- Do they have social networking functionality?
A: No. No. Application includes basic email functions. Limited, only social network share/like links.

Q: What is the approximate total number of pages and approximate number of input/dynamic pages (such as web forms where users input data) each external application under scope supports?
A: CMS: Hundreds of static pages, approximately 10 dynamic.