The agency is seeking proposals from interested Act security compliance firms with documented expertise in conducting a compliance audit.
- The following security tests and audits shall be included in the agency contract with the successful proposer:
a. Agency shall require the following security audits annually:
• External-only penetration testing of four firewalls and the website
• Review of firewall configurations against best practices
• Social engineering (phone / email / other)
• Review of Microsoft Office 365 best practices for the security score
b. Agency shall require the following security audits every three years:
• Act security audit
• Gap analysis and policy reviews
• Internal penetration testing
- Provide the following services:
• An internal and external penetration test must be conducted at all three sites. In addition, a complete risk assessment and policy review onsite with staff will be required for Act/HITECH compliance.
• A full Act security gap analysis comparing (a) the standards and implementation specifications of the Act Security Rule identified in Subpart C of Part 164 of Title 45 of the Code of Federal Regulations to (b) the current policies, procedures, and practices of the agency pertaining to any information systems and databases that the agency uses to create, maintain, receive, or transmit protected health information (PHI).
• A thorough and accurate risk audit of all system components, based on the NIST 800-30 standard, which will include the potential risks, threats, and vulnerabilities to the confidentiality, availability, and integrity of all PHI that the agency creates, receives, maintains, or transmits.
• An analysis of where PHI is created, received, maintained, and transmitted by the agency, and a report documenting the sources and flow of PHI and the information systems that host it.
• A security vulnerability audit of all agency sites and systems that are used to create, receive, store, or transmit PHI.
• The primary objective of this audit is to identify vulnerabilities that could be exploited by persons (employees, contractors, others) with access to agency information systems or networks used to create, receive, maintain, or transmit PHI, and to identify areas of noncompliance with the Act Security Rule.
• Conduct social engineering to identify risks.
• Describe pricing and payment options the proposer shall provide.
• Describe alternative approaches to the requested services, where feasible, or additional services offered or recommended that may not be specifically requested but would benefit the agency.
• Conduct external and internal network vulnerability and penetration testing annually.
• Provide pricing to conduct a thorough Act and security assessment every three (3) years.
• The proposer will investigate and provide best-practice recommendations to strengthen the Microsoft Office 365 security score.
- A Mandatory Pre-Bid Meeting Date: April 23, 2025
- Questions/Inquiries Deadline: April 28, 2025