Security and Systems Audit Services

The Vendor is required to provide a comprehensive security and systems audit of its existing avigilon unity surveillance and avigilon access control manager (ACM) infrastructure.
- This audit aims to:
•    Assess the overall health, performance, and configuration of the system.
•    Identify potential security vulnerabilities, both cyber and physical.
•    Ensure compliance with relevant organizational policies, industry standards, and regulatory requirements.
•    Provide clear, prioritized recommendations for remediation, optimization, and future system enhancements.
- All locations have varying levels of surveillance and access control systems, all monitored at a central location.
- System Size:
•    Approximate Number of Cameras: 2800 streams, approximately 2000 units
•    Approximate Number of Access Points/Doors: 1600
•    Approximate Number of Users (ACM): 5 Super Administrators / ~3,200 identities
- Network Topology: 
•    The security system operates on a segmented network with dedicated VLANs for surveillance and access control traffic. 
•    All sites are connected with a 100 GB fiber wide-area network.
- Integration Points: 
•    The Avigilon system is currently integrated with:
•    AD Collaboration to pull users from AD to ACM (SSO user account integration not presently enabled; we only add accounts )
- Surveillance System
1. Hardware Assessment:
•    Review of Unity server and NVR health, including CPU, RAM, disk I/O, storage utilization, and RAID configurations.
•    Evaluation of camera health, connectivity, and performance (e.g., firmware versions, network stability, image quality, focus, field of view, dead pixels, IR functionality).
•    Assessment of network infrastructure dedicated to surveillance, including switch health, bandwidth utilization, PoE status, and effectiveness of network segmentation.
2. Software Configuration Audit:
•    Verification of Unity software version compatibility, patch levels, and adherence to Avigilon's recommended update cycles.
•    Review of recording settings (retention periods, resolution, frame rates, compression algorithms) against organizational requirements and storage capacity.
•    Audit of user management and permissions, focusing on role-based access control (RBAC), strong password policies, and identification of inactive or unnecessary accounts.
•    Evaluation of event management and alarm configurations, including setup, notification paths, and rule effectiveness.
•    Review of data storage and archiving strategies, including redundancy and accessibility.
•    Validation of integrations (e.g., with ACM, alarm systems) for proper functionality and secure communication.
•    Cybersecurity specific to Unity: review of secure communication protocols, open ports, use of default credentials, and remote access configurations.
•    Assessment of Avigilon Cloud Services integration and configuration.
3. Performance Analysis:
•    Analysis of network bandwidth consumption by Unity streams and overall system latency.
•    Evaluation of storage capacity planning and current utilization trends.
•    Testing of system responsiveness under various load conditions.
•    Throughput testing to ensure adequate performance for live viewing, recording, and playback.
- Access Control System
1. Hardware Assessment:
•    Review of ACM panel health, firmware, and network connectivity.
•    Assessment of reader health and functionality, including read range and reliability.
•    Evaluation of door hardware integrity, including locks, sensors (DCM, REX), and power supplies.
•    Assessment of all hardware monitoring systems (e.g., Life Safety Power) health, firmware, and network connectivity.
2. Software Configuration Audit:
•    Verification of ACM software version compatibility and patch levels.
•    Audit of the user database management, including provisioning, de-provisioning processes, and data synchronization with external systems (e.g., HR database).
•    Review of access levels, schedules, and holiday configurations for accuracy and adherence to policy.
•    Evaluation of badging procedures, card reader security (e.g., card formats, encryption standards), and credential management.
•    Review event logging and audit trails for completeness, accuracy, and appropriate retention.
•    Validation of integrations (e.g., with HR systems, Unity, alarm systems) for proper functionality and secure communication.
•    Cybersecurity specific to ACM: review of secure communication, database security practices, use of default credentials, and remote access.
3. Policy and Procedure Compliance:
•    Cross-reference current access control policies and procedures with system configuration and usage.
•    Verify compliance with "least privilege" principles for all users and roles.
•    Audit of door states (locked/unlocked) against programmed schedules and expected operational status.
•    Review of emergency lockdown procedures, including testing (if feasible and approved).
- Network and Cybersecurity Aspects
1. Network Architecture Review:
•    Comprehensive review of network segmentation, firewall rules, and routing policies affecting the security systems.
•    Verification of VLAN configurations and isolation.
•    Assessment of IP address management practices for security devices (e.g., static vs. DHCP).
2. Vulnerability Assessment & Penetration Testing (VA/PT): (Proposers should specify if this is an optional add-on or included in the base proposal.)
•    Execution of external and internal vulnerability scans targeting all security system components (servers, NVRs, ACM panels, cameras, and workstations used for security monitoring).
•    If approved by the Organization, the controlled attempted exploitation of identified vulnerabilities is used to assess actual risk.
3. Cyber Hygiene:
•    Review of operating system and application patching procedures and schedules for all security system components.
•    Assessment of antivirus/Endpoint Detection and Response (EDR) solutions deployed on security servers and workstations.
•    Evaluation of logging and monitoring practices, including integration with Security Information and Event Management (SIEM) systems and log retention policies.
•    Review of backup and disaster recovery procedures for system configurations and critical security data.
•    Assessment of data encryption in transit and at rest.
4. Physical Security of Servers/Equipment:
•    Assessment of physical access controls to critical security system infrastructure (e.g., server rooms, IDF closets, control rooms).

- Contract Period/Term: 1 year
- Questions/Inquires Deadline: September 02, 2025