Security Audit RFP

Request for Proposal
Network Security Assessment
February 13, 2012

Region 5 Network Security Assessment Request for Proposal (rev. 02/10/2012)

Introduction

The Counties of Region Five Homeland Security provide Information Technology services to internal departments, citizens and businesses with a focus on providing a secure, protected network infrastructure dedicated to the protection, reliability, and availability of the County’s data. We are looking for a Service Provider to help determine the maturity of the County’s information security program, while providing expert technical insight that will assist us in improving efficiency and security in the future.

The Counties are soliciting proposals from qualified independent service providers with security assessment experience sufficient to perform a Network Security Audit and Vulnerability Assessment in accordance with the specifications outlined in this document. This assessment should be based on industry standards and best practices as described by the Computer Security Institute (CSI) and the SANS Institute. Deliverables from the assessment must include: a findings document to include any non-compliant network vulnerabilities; a risk analysis listing the priority of each risk or vulnerability identified (i.e. high/med/low); and a roadmap document outlining technologies and best practices that the Counties should focus on to improve their security model.

RFP Submission

All quotes must be submitted in both electronic and print formats (please include ten copies). Please include the original Scope of Work document, a Statement of Work as described below, the pricing breakdown worksheet, and a signed signature page.

Van Buren County, on behalf of the Region 5 Homeland Security Planning Board, will accept proposals and bids from Monday, February 13, 2012 and will close the RFP on March 16, 2012. The bid opening will be at the Van Buren County Sheriff’s Office on March 19, 2012 at 10:00 a.m.

The Region 5 Homeland Security Board retains the right to accept or decline any proposal or bid. The bid award will be determined by what best meets the needs and interest of the Region 5 Homeland Security Board.

Sealed proposals will be accepted no later than 5:00 PM on March 16, 2012, at the Van Buren County Sheriff’s Office, 205 S. Kalamazoo St, Paw Paw, MI 49079.

Any questions may be directed in writing to Brigitte Vegter via e-mail: brigittev@vbco.org

Please submit questions by February 24, 2012 so that we have time to address them before the RFPs are due. All questions will be answered by March 5, 2012, via email attachment.

Vendor Requirements

The service provider must submit an executive summary, which outlines its proposal, including the proposed general management philosophy. The executive summary shall, at a minimum, include an identification of the proposed project team, the responsibilities of the project team, and a summary description of the services proposed. Highlight any aspects of the proposal which make it superior or unique in addressing the needs of the Counties. The vendor should also provide sample reports similar to the ones expected to be delivered (see list of deliverables below).

The service provider must submit a Statement of Work and proposed timeline that describes tasks associated with the services, including the vendor and Counties’ responsibilities along with the deliverables for each task of the project. Any County responsibilities identified should indicate the required skills needed.

The service provider must have Computer Information Security Audit (CISA) certified security experts (or equivalent certifications) with an onsite presence.

The service provider must provide 3 former customers as references for which similar services were performed (preferably local government).
Scope of Work

Each county should be considered a separate project with its own deliverables and point of contact. The vendor will perform a Network Security Audit and Vulnerability Assessment review that will address the following areas of the Participating Counties' infrastructure:

1. Edge Security
   a. Perform ping sweep and port scan of external IP addresses
   b. Perform vulnerability scan of all external IP addresses
   c. Review configurations of demilitarized zone (DMZ) including access lists
   d. Review ingress and egress firewall policies
   e. Review network address translation rules for publishing internal systems
   f. Verify firewall inspection layer - application layer / stateful inspection
   g. Determine if reverse proxy is in place for inspecting encrypted traffic and pre-authentication
   h. Determine if any unified threat management is configured for the edge security
   i. Review current auditing policies and practice for edge security devices

2. Network Security
   a. Review switch configurations to determine if network segmentation is configured between networks
   b. Determine if any internal firewalls are in place between workstations and servers
   c. Determine if encryption is configured to protect internal communications
   d. Review wireless security settings to validate security measures in place
   e. Validate port security and whether or not network ports are active by default and if port security enforces based on MAC address
   f. Determine if any network intrusion detection or prevention systems are providing network scanning

3. Systems Security
   a. Perform ping sweep and port scan of internal IP addresses
   b. Review all servers and select workstations (see appendix A) in the environment to determine if the following configurations have been made or security measures are in place
      i. Have any unnecessary services been disabled?
      ii. Is an existing patch management solution in place to ensure the latest operating system security updates are installed?
      iii. Review the auditing policies and procedures in place for each system
      iv. Does each system have an updated Endpoint protection application installed to provide for:
          1. Anti-malware
          2. Host IDS/IPS
      v. Are host based firewalls enforced and centrally managed on each endpoint?
      vi. Is the local Administrators group membership restricted to privileged accounts?
      vii. Are local Administrator and Guest user accounts renamed or disabled?
      viii. File shares
          1. Are default file shares still enabled?
          2. What share permissions are configured?

4. Access Management
   a. Review the methods of authentication currently in place
   b. Review domain group membership for high privilege groups
   c. Determine policy for using separate accounts for user level access and privileged access
   d. Review the current password policy enforced on the domain
   e. Perform password auditing for existing user passwords on the domain
   f. Review remote access methods and security

Deliverables

- A findings Assessment document that details and demonstrates all threats and vulnerabilities that are identified. A risk and severity level will be assigned for threats and vulnerabilities identified.
- A risk analysis listing of recommendations based on risk severity, probability, cost, and scope of work. This should also include recommendations that address policy or procedural vulnerabilities.
- A Security Roadmap that lists the technology recommendations for the next 3-5 years and includes a strategic direction in support of the Counties’ security infrastructure.

Pricing

The EMHSD Region 5 is requesting a fixed price quote for all eight individual projects as well as a grand total. Pricing MUST include all aspects of the Project. Service providers should provide a summary sheet including approximate hours per task per county, based on the requirements and terms set forth in the Scope of Work. Pricing must be all-inclusive and cover every aspect of the Project, with the total cost for each county listed.

Evaluation Criteria

The project award will be determined by consensus of the County IT representatives. Factors to be considered will be: demonstrated competence in network security assessment/audit, ability to handle a project of this size, references, examples of completed projects, and cost.


Apr 29, 2018

