The vendor is required to provide two cybersecurity risks for which it may not have sufficient expertise or experience to perform the work to resolve.
- City clerk and recorder systems:
• The existing systems configurations and network used by the city clerk and recorder’s office to support the office’s systems may not be properly configured.
- Active directory
• The configurations of the city’s instance of active directory may not be properly configured. this risk affects multiple city agencies.
- Objective:
a. City clerk and recorder cybersecurity
• Conduct an assessment of the city’s current processes and procedures to ensure the city’s clerk and recorder system is secure by performing penetration testing of the systems associated with operational systems.
• In addition, review the appropriate policies and procedures are in place to guide employees in their security duties.
b. Active directory
• Conduct an assessment of the city’s active directory strategy, processes, and procedures.
• The audit will seek to discover all instances of active directory across the city (multiple agencies) and examine the controls associated with those instances on a sample basis.
• The review will need to examine the global policy objectives and trust relationships and other configurations to ensure they are properly established based on best practices and other guidance which the city may need to follow.
- Design and perform audit testing procedures to ensure the safety of the network and applications used in the instances described above.
- A unique scope for each affected agency will be agreed upon after rules of engagement are confirmed with the agency under review.
- The testing will include but will not be limited to penetration testing, configuration analysis, log examination.
- Produce a confidential workpaper which the city defines as a document that is not subject to freedom of information act requests, delivered to each affected agency, the audit committee, and auditor’s office with detailed findings and corresponding recommendations per assessment.
- The contractor is responsible for composing this report and will need to be approved by the auditor’s office representatives.
- Produce a public facing informational report per the assessments prepared by the contractor and approved by the auditor’s office representatives.
- Give a presentation to the city’s audit committee per assessment with a PowerPoint using the auditor’s office template.
- Presentation to the city’s audit committee per the follow-up workpaper with a PowerPoint using the auditor’s office template.
- Contract Period/Term: 3 years
- Questions/Inquires Deadline: May 01, 2025