Attachment A STATEMENT OF WORK



Objectives. 

General  The goal of this project is to procure a qualified entity Contractor to perform a detailed security assessment of Commonwealth of Pennsylvania enterprise level information technology assets



Specific  The Office of Administration, Enterprise Information Security Office (OA/EISO) has need for an analysis of its current enterprise network security posture in an effort to discover security vulnerabilities and reduce risk to the Commonwealth. .

Nature and Scope of the Project. The Enterprise Information Security Office (EISO) is responsible for a number of security functions within the Commonwealth, which include:

• Security Governance - Evolve Information Security policies and architecture, integrated with the Commonwealth’s Enterprise Architecture Governance process.
• Security Policies - Prescribe policies and procedures relating to technology topics such as data encryption, privacy roles and assessments, and acceptable use policies.
• Security Assessment Framework - Verify proper configuration of systems, accuracy of documentation, and skills of staff members, and determine gaps between an organization’s current and desired practices.
• Enterprise Security Technologies - Ensure that agencies are using and deploying security technology and products such as antivirus, content filtering, and network intrusion prevention solutions in a consistent manner.
• Security Awareness Program - Ensure that users are familiar with information technology security best practices, policies, procedures and standards, as well as the importance of protecting confidential and sensitive information.

As a result of these duties and responsibilities, the EISO is looking to procure a qualified entity (Contractor) to perform a detailed security assessment of Commonwealth of Pennsylvania enterprise-level information technology assets.

The Contractor will develop assessment reports and deliver them to the Commonwealth Chief Information Security Officer (CISO) and other appropriate management. The reports will identify strengths as well as gaps between Commonwealth practices and best practices and identify risks to the confidentiality, integrity and availability of data and services. OA/EISO may use the results of the assessment to validate and, if necessary, improve the security policies, processes and controls which are currently in place. 

Requirements. 

The Contractor shall have a minimum of 5 years’ experience in IT network systems design and network security design, and direct project experience in network security assessments for at least 3 customers (references must be provided). One of those projects must have been for a large-scale enterprise design (10,000 or more users).



At a minimum, the Contractor must have a certified ethical hacker certification to perform the penetration tests.



Once the project team members have been established, no changes to the project team members may occur without prior approval from the CISO.



All raw data from any test will be the property of the Commonwealth. All data, deliverables, and records residing with the Contractor will be returned to the Commonwealth no later than June 30th 2014. Contractor copies of all data, deliverables and records shall be destroyed in the manner and on the timeline directed by the Commonwealth, and a certification shall be made in writing as to their destruction.

Information Handling. This project will require handling of sensitive and confidential information. The selected Contractor shall prevent access to, copying of and/or distribution of such information except as necessary and permitted for work on this project. The selected Contractor is responsible for proper disposal (i.e. shred, surrender) of both hard and electronic working copies of such sensitive and confidential information during work on this project, as well as any remaining information upon the completion of the project. The Contractor must certify in writing to the disposal of sensitive and confidential information. The requirements of this provision will survive the termination of the Purchase Order and the contract.

A draft of all deliverables shall be submitted to the CISO no later than June 23, 2014 for review and approval.



The Contractor shall comply with the Information Technology Policies (ITPs) issued by the Office of Administration, Office for Information Technology (OA-OIT). ITPs may be found at:

http://www.portal.state.pa.us/portal/server.pt?open=512&objID=416&PageID=210791&mode=2

All proposals must be submitted on the basis that all ITPs are applicable to this procurement. It is the responsibility of the Contractor to read and be familiar with the ITPs. Notwithstanding the foregoing, if the Contractor believes that any ITP is not applicable to this procurement, it must list all such ITPs in its technical submittal, and explain why it believes the ITP is not applicable. The Issuing Office may, in its sole discretion, accept or reject any request that an ITP not be considered to be applicable to the procurement. The Contractor’s failure to list an ITP will result in its waiving its right to do so later, unless the Issuing Office, in its sole discretion, determines that it would be in the best interest of the Commonwealth to waive the pertinent ITP.  

All work for this project must be completed by June 30, 2014.

Tasks. 

Security Assessment. The Contractor shall perform a security assessment based on industry standard best practice guidelines such as ISO 27002 or NIST. The scope of the assessment will be limited to areas of OA/OIT which provide enterprise services to the Commonwealth agencies. The Contractor shall perform the following activities:

Analyze the external footprint of the Commonwealth network to determine how the network looks to external entities with the goal of finding all Commonwealth IT assets that are exposed to the internet.



Using the external footprint of the Commonwealth network, perform an external vulnerability scan on all IT assets found. It is estimated that there will be about 1500 discoverable assets. All scans must be performed in a manner that meets the requirements of ISO 27002 or NIST. Scans must be coordinated with the EISO and must not impact production capabilities of systems and networks.

• The scanner will be the property of the Contractor.
• All scans will be performed from an external location.
• Discover all open ports on each discovered asset and the service running on each open port.
• Perform vulnerability tests that are applicable to each target host based on the information gathered for the host.
• If the asset contains a web application, crawl through all discoverable pages in the web application, performing the appropriate vulnerability checks. Vulnerability checks will include but not be limited to: cross-site scripting vulnerability checks (persistent, reflected, header, browser-specific) and SQL injection vulnerabilities (regular and blind). Sensitive content checks may include but not be limited to social security numbers and credit card numbers.
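The sensitive content check named in the web application activity above needs more than a digit pattern: a random run of digits must not be reported as a card number, and the report itself must not re-expose what it found. The following Python is an added example, not part of the Statement of Work and not a Commonwealth or vendor tool. The URLs and page text are constructed; the Luhn checksum and the Social Security Administration's never-assigned area/group/serial values are real rules, and the function and class names are assumptions about how such a checker could be structured.

```python
"""Sensitive-content check over crawled web pages (constructed example)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# SSN in the dashed AAA-GG-SSSS form. Bare 9-digit runs are deliberately not
# matched: they collide with order and account numbers too often.
SSN_RE = re.compile(r"(?<!\d)(\d{3})-(\d{2})-(\d{4})(?!\d)")
# 13-19 digits, optionally separated by single spaces or dashes (card lengths).
CARD_RE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")


@dataclass(frozen=True)
class Finding:
    url: str
    kind: str     # "ssn" or "credit_card"
    masked: str   # only the last four digits survive into the report


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 checksum carried by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Reject area 000/666/900-999, group 00 and serial 0000 (never assigned)."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return group != "00" and serial != "0000"


def mask(digits: str) -> str:
    """Keep the last four digits so a finding can be traced without leaking it."""
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_page(url: str, text: str) -> list[Finding]:
    findings: list[Finding] = []
    for m in SSN_RE.finditer(text):
        if ssn_plausible(*m.groups()):
            findings.append(Finding(url, "ssn", mask("".join(m.groups()))))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append(Finding(url, "credit_card", mask(digits)))
    return findings


def scan_site(pages: dict[str, str]) -> list[Finding]:
    """Run the check over a crawl result: url -> page text."""
    out: list[Finding] = []
    for url, text in pages.items():
        out.extend(scan_page(url, text))
    return out


# Constructed crawl output: one clean page, one page leaking records.
# 4111 1111 1111 1111 is a widely used Luhn-valid test number; the order ref
# differs in its last digit and fails Luhn; 000-12-3456 has an invalid area.
SAMPLE_PAGES = {
    "https://example.test/index.html": "Welcome. Call 555-0100 for help.",
    "https://example.test/export.html":
        "Employee 123-45-6789 paid with 4111 1111 1111 1111; "
        "order ref 4111111111111112; test id 000-12-3456",
}

if __name__ == "__main__":
    for f in scan_site(SAMPLE_PAGES):
        print(f"{f.url}: {f.kind} {f.masked}")
```

The Luhn and SSA rules cut false positives but do not remove them: roughly one in ten random 16-digit runs passes Luhn, so findings still need a human look before they reach the per-asset report. Masking at detection time means the working papers and the final report carry evidence of exposure without becoming a second copy of the sensitive data, which matters under the Information Handling clause.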

Perform external penetration testing on the top ten most vulnerable sites that were identified in the external security scan. The penetration test should follow the guidelines of NIST SP800-115. The focus of the exploitation will be on establishing access to the system by bypassing security restrictions. The Contractor may use the penetration tool with which they have the most experience.



Perform a wireless security assessment and penetration test at 1 Technology Park and 5 Technology Park. The wireless security test will follow the guidelines contained in NIST SP800-115.

B. Deliverables associated with the Security Assessment tasks include: 1. Final Reports. The Contractor shall create the following reports, which describe the results of the security assessment in terminology that will be meaningful to management and others generally familiar with the subject areas.

A report documenting all assets found from the external scan. The report will contain a list of all vulnerabilities found within each asset, including the potential impact of those vulnerabilities to the Commonwealth. Describe in detail the severity of each vulnerability (i.e. critical, severe, high, medium, low) and the remediation options related to each vulnerability. All vulnerability report information must be presented in a Word document and an Excel spreadsheet. Supplying only unprocessed raw output from the vulnerability scanner or the penetration tool is not acceptable.



A report of all assets that contain web applications and a list of pages that were crawled during the scan.



A report documenting the procedure and results of the penetration test. Describe in detail the severity of each vulnerability (i.e. critical, severe, high, medium, low) and the remediation options related to each vulnerability.





A report documenting the procedure and results of the wireless penetration test. Describe in detail the severity of each vulnerability (i.e. critical, severe, high, medium, low) and the remediation options related to each vulnerability.



A high-level executive report that will show a summary of findings, conclusions and recommendations for remediation. The report will be in PowerPoint format and delivered by the Contractor in a meeting with executive management.



All reports and supporting documentation (e.g., flow-charts, forms, questionnaires, working papers) must be provided in electronic format (CD or DVD), including the final reports and the raw data from vulnerability scans and penetration testing tools. Ten printed copies of the high-level executive report will also be delivered to the CISO.
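The deliverables above reject raw scanner output and require, per asset, every vulnerability with its severity, impact and remediation, in both a document and a spreadsheet; the penetration testing task also needs a defensible "top ten most vulnerable" list derived from the same data. The Python below is an added example showing that post-processing step; it is not part of the Statement of Work and not a Commonwealth or scanner-vendor artefact. The scanner export format, host names and plugin names are constructed, and the ranking rule (worst severity first, then counts at each level) is one reasonable choice rather than anything the page prescribes.

```python
"""Raw scanner export -> per-asset report and top-N ranking (constructed)."""
from __future__ import annotations

import csv
import io
import json
from collections import Counter

# The five-level scale the deliverables call for, worst first.
SEVERITY_ORDER = ("critical", "severe", "high", "medium", "low")
SEVERITY_RANK = {s: i for i, s in enumerate(SEVERITY_ORDER)}

# Constructed scanner export. Hosts and findings are invented; the check types
# mirror those the tasks list (XSS, SQL injection, exposed services). Note the
# inconsistent severity capitalisation, typical of mixed tool output.
RAW_SCANNER_OUTPUT = json.dumps([
    {"host": "www1.example.test", "port": 443, "plugin": "Reflected XSS",
     "severity": "High", "impact": "Session theft via crafted link",
     "remediation": "Output-encode user input; add CSP"},
    {"host": "www1.example.test", "port": 443, "plugin": "Blind SQL injection",
     "severity": "Critical", "impact": "Database disclosure",
     "remediation": "Parameterised queries"},
    {"host": "mail.example.test", "port": 25, "plugin": "Open relay test",
     "severity": "medium", "impact": "Spam relay",
     "remediation": "Restrict relaying to authenticated hosts"},
    {"host": "ftp.example.test", "port": 21, "plugin": "Cleartext FTP",
     "severity": "Severe", "impact": "Credential capture",
     "remediation": "Replace with SFTP"},
    {"host": "ftp.example.test", "port": 21, "plugin": "Banner disclosure",
     "severity": "LOW", "impact": "Version fingerprinting",
     "remediation": "Suppress banner"},
])


def parse_findings(raw: str) -> list[dict]:
    """Normalise severity labels onto the report scale; refuse unknown ones."""
    out = []
    for rec in json.loads(raw):
        sev = rec["severity"].strip().lower()
        if sev not in SEVERITY_RANK:
            raise ValueError(f"unknown severity {rec['severity']!r} on {rec['host']}")
        out.append({**rec, "severity": sev})
    return out


def asset_summaries(findings: list[dict]) -> dict[str, dict]:
    """One entry per asset: severity counts, worst severity, its findings."""
    assets: dict[str, dict] = {}
    for f in findings:
        a = assets.setdefault(f["host"], {"counts": Counter(), "findings": []})
        a["counts"][f["severity"]] += 1
        a["findings"].append(f)
    for a in assets.values():
        worst = min(a["findings"], key=lambda f: SEVERITY_RANK[f["severity"]])
        a["worst"] = worst["severity"]
    return assets


def rank_assets(assets: dict[str, dict], top_n: int = 10) -> list[str]:
    """Worst-first ordering: highest severity present, then counts per level."""
    def key(item):
        host, a = item
        return (SEVERITY_RANK[a["worst"]],
                tuple(-a["counts"][s] for s in SEVERITY_ORDER), host)
    return [host for host, _ in sorted(assets.items(), key=key)][:top_n]


def to_csv(findings: list[dict]) -> str:
    """Spreadsheet deliverable: one row per finding, severity-ordered."""
    cols = ["host", "port", "plugin", "severity", "impact", "remediation"]
    buf = io.StringIO()
    w = csv.DictWriter(buf, fieldnames=cols, lineterminator="\n")
    w.writeheader()
    for f in sorted(findings, key=lambda f: (SEVERITY_RANK[f["severity"]], f["host"])):
        w.writerow({c: f[c] for c in cols})
    return buf.getvalue()


if __name__ == "__main__":
    fs = parse_findings(RAW_SCANNER_OUTPUT)
    summaries = asset_summaries(fs)
    for host in rank_assets(summaries):
        print(host, summaries[host]["worst"], dict(summaries[host]["counts"]))
    print(to_csv(fs))
```

Refusing unknown severity labels rather than mapping them to "low" is the important edge case: a finding silently downgraded by a label mismatch disappears from the executive summary and from the top-ten list. A CSV stands in here for the Excel deliverable; the same rows feed the Word document and give the ranking a record that can be reproduced when the CISO asks why a site made the list.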

Reports and Project Control. The Contractor shall provide project management services throughout the life of the purchase order. The Contractor shall provide the following: 

 



Task Plan. The Contractor shall update and maintain its proposed work plan, identifying the work elements of each task, the resources assigned to the task, the time allotted to each element, and the deliverable items to be produced. A PERT or GANTT chart should be used to show project, task, and time relationships.

Weekly Status Meeting. The Contractor shall prepare for and lead a weekly status meeting with the CISO. The weekly status report described in IV-5.c shall serve as the agenda.

Weekly Status Report. The Contractor shall create and submit a weekly progress report covering, at a minimum, activities completed in the reporting period, activities scheduled for the upcoming reporting period, issues, and recommendations. This report should be keyed to the work plan the Contractor developed in its proposal, as amended or approved by the Issuing Office.

Issue Identification Report. The Contractor shall provide an “as required” report identifying problem areas. The report should describe the issue and its impact on the overall project and on each affected task. It should list possible courses of action with the advantages and disadvantages of each, and include Contractor recommendations with supporting rationale.



Definitions

Information technology (IT) assets are the processes, procedures, systems, infrastructure, data, and communications capabilities that allow each agency to manage, store, and share information in pursuit of its business mission, including but not limited to:

• Applications.
• All data typically associated with IT systems regardless of source (agency, partner, customer, citizen, etc.).
• All data typically associated with IT systems regardless of the medium on which it resides (disc, tape, flash drive, cell phone, personal digital assistant, etc.).
• End-user authentication systems.
• Hardware (voice, video, radio transmitters and receivers, mainframes, servers, workstations, personal computers, laptops, and all end point equipment).
• Software (operating systems, applications software, middleware, microcode).
• Infrastructure (networks, connections, pathways, servers, wireless endpoints).
• Services (data processing, telecommunications, office automation, and computerized information systems).
• Telecommunications hardware, software, and networks.
• Radio frequencies.
• Data computing and telecommunications facilities.