The Vendor is required to establish standardized Vulnerability Management/Penetration Testing and Incident Response Services contract(s), by various lots, to support the ongoing needs of “Units”, including political subdivisions and higher education.
- Exclusions
• Cellular phones, smartphones, or other mobile telecommunication devices
• All voice-over-IP (VoIP) endpoints, including but not limited to physical desk phones, softphones, and related services
• Any services or infrastructure provided by third-party telecommunications carriers
• Staff augmentation / temporary staffing services
• Ongoing Maintenance and Support
• Ongoing Managed Services
• Software Development or coding of any type
• Support that is awarded and contracted for through other state term contracts
• Any bundle that includes one or more of the above-listed offerings and services
• Services available through other Statewide Contracts
- Services are expected to support compliance with statewide information security policy requirements, as well as other statewide policies, standards, programs, and services related to IT Security Assessments and Incident Response Services.
- Vulnerability Assessments and Penetration Testing
• Vulnerability Assessments and Penetration Testing Services may be performed onsite or via remote access provided by the units. Internal testing scenarios will be agreed upon prior to the start of the assessment, and may include testing focused on desktops, servers, critical infrastructure, DMZ segments, and other unit assets, with the approval of and in coordination with the target units.
- Key Vulnerability Assessment services include:
• Assessments for known critical or high vulnerabilities that would, if present in UGU environments, represent an immediate threat to units' cyber security
• Technology-specific assessments (such as Active Directory assessments) targeting known exploitable critical or high vulnerabilities
- Key Penetration Testing services include:
• Host identification and service discovery – Identification of open TCP and UDP ports for the IP addresses in-scope for the project.
• External penetration test and vulnerability identification for in-scope internet-facing systems and devices
• Internal penetration testing and vulnerability identification for in-scope internal devices and services
• Selective vulnerability exploitation – In conjunction with unit personnel, determine the exploitability of selected vulnerabilities utilizing techniques that are not prone to disrupt network services.
• False Positive Analysis – Analysis of the findings for false positives to ensure the accuracy of the results.
• Development of detailed and executive summary reports discussing high-level risks, comparative analysis, root cause analysis, detailed findings matrix for tracking each vulnerability, and a technical explanation of each vulnerability.