The Vendor is required to provide IT systems and subsystems described in section four and their supporting infrastructure, databases, interfaces, and data flows.
- Project initiation and confirmation of scope
• Schedule and conduct formal kickoff meetings with the division, designated stakeholders, and representatives from the departments managing the IT systems in section four.
• Develop and document a detailed project work plan, including milestones, deliverable timelines, and resource assignments, in collaboration with division representatives and the departments managing the in-scope applications.
• The work plan should include dates for onsite work.
• Define and document communication protocols, escalation paths, and project management tools to be used throughout the project.
• Identify and document key risk factors, including infrastructure, vendor interfaces, data flows, database structures, and monitoring processes (intrusion detection system and intrusion prevention system (IDS/IPS), incident response), in consultation with IT and business stakeholders from the relevant departments.
• Ensure all assessment activities are aligned with the requirements of the institute center and CIS Controls.
• Obtain written approval of the finalized work plan and communication protocols from division prior to commencing substantive assessment activities.
- Asset identification and classification
• Conduct interviews and workshops with system owners and IT staff from the responsible departments to identify all in-scope assets (hardware, software, databases, interfaces, data flows).
• Perform onsite and remote reviews of system inventories, network diagrams, and asset management records specific to these applications and their supporting environments.
• Classify each asset based on sensitivity, business impact, and regulatory requirements, referencing the institute controls.
• Document asset ownership, criticality, and classification in a structured asset register for each application and its department.
• Develop and submit data flow diagrams for all critical applications and supporting infrastructure.
• Identify and document any gaps in asset inventory or classification.
- Risk assessment methodology
• Document a risk-based assessment methodology aligned with the institute center and CIS Controls, tailored to the three in-scope applications and their departments.
• Define and document risk criteria, ranking, and prioritization methods to be used throughout the engagement.
• Conduct risk identification workshops with stakeholders from the responsible departments to capture potential threats and vulnerabilities.
• Rate and prioritize risks, documenting rationale and supporting evidence for each risk rating.
• Obtain written approval from division for all risk assessment tools and methodologies prior to commencing assessment activities.
- Threat and vulnerability assessment
• Identify potential internal and external threats through interviews, threat intelligence review, and analysis of prior incidents, in collaboration with division and the departments managing the in-scope applications.
• Develop and document a “rules of engagement” document for penetration testing, including scope, timing, and notification protocols.
• Perform external and internal penetration tests on state systems and supporting infrastructure using both automated and manual techniques, with prior written authorization from division.
• Tests should have minimal impact on production systems, unless otherwise agreed to by division.
• Conduct comprehensive vulnerability scans of all relevant systems, databases, and network components using industry-standard tools and methodologies aligned with the institute center and CIS Controls.
• Validate identified vulnerabilities through manual testing and exploitation (where authorized).
• Document detailed findings, including risk ratings, supporting evidence, and recommendations.
• Develop a prioritized remediation plan and timeline for all findings.
- Network architecture and security assessment
• Review and document current network architecture, including segmentation, demilitarized zones (DMZs), and cloud components, as they relate to the in-scope applications and their departments.
• Evaluate network design, segmentation, and access controls for the in-scope applications and their supporting environments.
• Evaluate and review system configurations, firewalls, IDS and IPS, DMZs, and cloud infrastructure security, as well as access controls, through configuration reviews and sample testing.
• Assess cloud infrastructure security measures and remote access mechanisms used by the departments managing the applications.
• Test for compliance with state security architecture standards, the institute center, and CIS Controls.
• Document findings and provide recommendations.
- Application security assessment
• Review authentication, authorization, and session management mechanisms for each application.
• Test for common vulnerabilities using automated and manual methods.
• Assess secure coding practices and configuration settings.
• Validate input validation and error handling controls.
• Document findings and provide recommendations.
- Database security review
• Review database access controls, encryption, and audit logging for databases supporting the three in-scope applications.
• Validate backup and recovery procedures for critical datasets.
• Assess compliance with institute controls.
• Document findings and provide recommendations.
- Identity and access management (IAM) review
• Interview IAM owners and relevant IT staff from the departments managing the in-scope applications.
• Review user provisioning and de-provisioning processes, including periodic access re-certifications.
• Assess privileged access management controls and related workflows.
• Evaluate authentication mechanisms such as MFA and SSO.
• Document findings and provide recommendations.
- Data protection and privacy
• Review encryption practices, including algorithms and key management, for data associated with the three in-scope applications.
• Validate data classification, lifecycle management (retention, archival, destruction), and privacy controls.
• Review data destruction processes and compliance with state policy and referenced standards.
• Document findings and provide recommendations.
- Cloud security assessment
• Review identity and access management configurations for cloud environments supporting the in-scope applications.
• Assess network segmentation and firewall rules in cloud environments.
• Validate encryption and data residency controls.
• Document findings and provide recommendations.