The Vendor is required to provide in audits of enterprise applications systems and information technology (IT) processes.
- Required to determine whether contractors’ employment policies assure employment opportunities are available to all citizens without regard to race, color, religion, national origin, marital status, handicap, sex, sexual orientation or gender identity, or age.
- The specific enterprise applications and IT processes include but are not limited to the following:
• Business Continuity Planning and Disaster Recovery Planning
• Incident Response Management
• Virus Protection Program
• Ransomware Readiness / Vulnerability Assessment
• Endpoint Security / Change Patch Management
• Cloud Security Assessment
• Network Security Assessment (WAN, LAN and Wireless Networks) External (Perimeter) Vulnerability Assessment and Penetration Tests
• Network Security Assessment (WAN, LAN and Wireless Networks) Internal Vulnerability Assessment and Penetration Tests
• Physical and Environmental Data Center Security
• Software License Compliance (Licensing Posture)
• eMINTS Tax System
• Workday Human Resources and Financial Management System
• Agency Time Keeping System
• Enterprise Artificial Intelligence Usage
• Mark43 Records Management System
• Security Badging System
- Review the backup, recovery, and restoration process of all critical applications, systems, and cloud computing
• Review backup, recovery, and restoration procedures
• Review appropriateness of administration (including segregation of duties)
• Assess procedures for monitoring backup and recovery procedures
• Assess use of off-site storage and/or virtual backup processes
• Assess frequency and adequacy of data backup processes
• Review and assess agency IT disaster recovery plan to ensure it meets best practice guidance and is adequately designed to recover critical applications in a timely manner
• Ensure disaster recovery plan is appropriately updated and reflective of government's current operating environment
• Assess the results of the latest disaster recovery test to ensure recommended action items have been completed, or a plan has been developed to complete action items
• Assess the appropriateness of the disaster recovery plan's sponsors
• Assess whether the disaster recovery plan is appropriately aligned with government’s business continuity plan
- Incident Response Management
• Assessment of effectiveness of incident management processes, policies, procedures, and governance
• Review of standards, guidelines, and procedures
• Review of implementation and governance of activities
- Virus Protection Program
• Assessment of effectiveness of virus protection processes, policies, procedures, and governance
• Review of standards, guidelines, and procedures
• Review of implementation and governance of activities
- Ransomware Readiness / Vulnerability Assessment
• Measure effectiveness of current controls
• Identify weaknesses
• Deliver actionable remediation
- Endpoint Security / Change Patch Management
• Assessment of effectiveness of Endpoint Security / Change Patch Management processes, policies, procedures, and governance
• Review of standards, guidelines, and procedures
• Review of implementation and governance of activities
- Cloud Security Assessment
• Measure effectiveness of current controls
• Identify weaknesses
• Deliver actionable remediation
- Network Security Assessment (WAN, LAN and Wireless Networks) External (Perimeter) Vulnerability Assessment and Penetration Tests
• Assess Internet presence:
• Identify public IP space;
• Identify all running services on each system
• Identify all vulnerabilities on each device, system or server
• Review results of initial scans with agency personnel;
• Perform penetration activities based on feedback from agency project manager;
• Review results with agency project management.
- Enterprise Artificial Intelligence Usage
• Policies and Procedures Review
• General Controls Review
• Assessment of Risk
• Data Quality.