The Vendor is required to provide comprehensive third-party cybersecurity assessment that will thoroughly review the current state of its entire information technology infrastructure and security to identify vulnerabilities in its systems, policies, controls and practices; and develop a prioritized road map of activities with a clearly defined set of actions to mitigate and remediate the risks identified.
- The assessment is to include, but not be limited to:
1. VAPT (vulnerability assessment and penetration testing) including the following special purpose networks and segments:
• PCI-DSS
• SCADA ICS
• Traffic control system network
• Phone and voice communications network (VoIP)
• Badging (access) system
• CCTV video surveillance network
• HVAC building automation network (separate systems at 2 locations)
• TV station broadcast network
• Server management network (out-of-band and administrative interfaces)
• Printer network
• Wireless security assessment
2. Risk assessment
• Develop a prioritized road map of activities with a clearly defined set of actions to mitigate and remediate the risks identified, using industry best-practice methodologies to ensure a standardized risk mitigation approach that offers the highest risk reduction potential.
3. Information security program assessment
• Information security program assessment will be used to determine the maturity and effectiveness of the city’s information security program.
- The city's objectives in conducting this assessment include, but are not limited to, the following:
• Test for susceptibility to advanced persistent threats (APTs) such as social engineering or phishing vulnerability, viruses, malware, Trojan horses, botnets and other targeted attack exploits such as ransomware.
• Evaluate the city's current threat posture, including antivirus and intrusion detection and prevention (IDP) capabilities.
• Identify physical security vulnerabilities by attempting access to computing hardware and sensitive information using social engineering techniques.
• Perform PCI security compliance and risk assessment; provide remediation steps to meet compliance requirements.
• Review wireless network system components for security vulnerabilities, validating system specific configurations and known exploits.
• Perform vulnerability assessment of the city’s SCADA network.
• Validate system-specific configurations and review for known exploits. This includes firewalls, switches and routers, Microsoft Active Directory and file servers, web servers, wireless routers, VPN, Cisco VoIP and Office 365 email.
• Assess the city’s external and internal network security and architecture.
• Vulnerability scanning and penetration testing are required as part of this assessment.
• The awarded vendor will supply all tools necessary to perform required tests.
• The city has two physical data centers, operating as production and disaster recovery locations.
• The overall engagement will be managed by the vendor, with a defined scope, schedule and budget.
• Project activities will be appropriately managed, and project risks and task progress will be formally communicated.
• The city will assign a project manager to act as a focal point for vendor communications.
- The city will provide the following information only to the awarded vendor, after receiving a signed non-disclosure agreement (NDA):
• Additional system, network and security infrastructure information
• List of employees on security team.
• Temporary privileged rights and access to the systems until the project is completed
• Endpoint platform information
• Patch management platform information
• E-commerce application information
• Asset management platform information
• Any access to city network and systems, either remotely or physically, will be mutually agreed upon
• Risk management information
• Application information and platform
• Details of the addresses and locations of the city buildings
• Additional information about city business partners
- The topics covered in the review:
• Access, authorization and authentication control
• Logging and auditing practices
• Incident handling practices
• Internet usage acceptable use
• Security awareness practices
• Application development practices
• Password practices
• IT administrator practices
• Server configuration practices
• System and data prioritization practices
• Asset tracking practices
• Patch management practices
• Software licensing practices
• Computer system acceptable use
• Anti-virus practices
• Remote access practices
• Risk assessment practices
• Infrastructure configuration practices
• Network communications practices
• Third-party access practices
• Encryption practices
• Data backup practices
• Physical security practices
• Network architecture
• Database access techniques.