
City of Aspen

IT Security Audit Request for Proposal

REQUEST FOR PROPOSAL

IT Security Audit

for the

City of Aspen

Issued October 1, 2015
Proposal Due Date: November 16, 2015

REQUEST FOR PROPOSALS

Sealed proposals will be received at the City of Aspen Purchasing office until 2:00pm, November 16, 2015, at which time the proposals will be opened and reviewed, for the following City of Aspen project:

IT Security Audit

The project will include, but is not limited to: ensuring reasonable protection against general and specific threats to the City's IT systems and infrastructure, including testing and verifying the security of information technology systems and networks; verifying perimeter security controls; reviewing the security and configuration of internal infrastructure; reviewing the security of SCADA and other maintenance control systems; reviewing the security associated with web applications and websites used by the City; performing exploitation of vulnerabilities in coordination with IT staff; and identifying and recommending safeguards to strengthen protection of the infrastructure.

Complete proposal packages are available for download online. Vendors must be registered to view the bid packages. There is no charge to register. Call 1-800-835-4603 if you need assistance registering.

The City reserves the right to reject any or all Proposals or accept what is, in its judgment, the Proposal which is in the City's best interest. The City further reserves the right, in the best interests of the City, to waive any technical defects or irregularities in any and all Proposals submitted.

Pursuant to the Colorado Open Records Act, C.R.S. Section 24-72-200.1 (CORA), any and all of the documents that are submitted to the City of Aspen may be deemed public records subject to examination and inspection by third parties. The City of Aspen reserves the right, at its sole discretion, to release for inspection or copying any document, plan, specification, proposal or other writing submitted pursuant to this request.

The Proposal must be placed in an envelope securely sealed therein and labeled: "Proposal for 2015-103 IT Security Audit". The City cannot accept late, faxed, or emailed proposals.

Discussions may be conducted with responsible offerors who submit Proposals determined to be reasonably susceptible of being selected for award, for the purpose of clarification, to assure full understanding of, and responsiveness to, the solicitation requirements.

In addition to price, the criteria set forth in the Instruction to Offerors and any specific criteria listed below may be considered in judging which Proposal is in the best interests of the City: overall proposal adherence to objectives; reputation, experience and perceived ability to deliver services; and reference responses.

BY ORDER OF THE CITY OF ASPEN, COLORADO

Rebecca Hodgson, Purchasing


Table of Contents

1) Objective of IT Security Audit Request .......... 1
2) City Technology Profile .......... 2
3) Proposer Creativity .......... 4
4) RFP Process .......... 4
5) Response Content .......... 5
6) RFP Assumptions .......... 6
7) Evaluation of Proposals .......... 7
9) Legal .......... 7


1) Objective of IT Security Audit Request

The goal of this RFP and project is to ensure that reasonable protection is in place for general and specific threats that may exist for the City of Aspen's IT systems and infrastructure, including but not limited to the following:

o Test and verify the security of information technology systems and networks so as to ensure the effectiveness of deployed security measures.
o Verify the perimeter security controls.
o Review the security and configuration of internal City of Aspen IT infrastructure. This includes the associated networks and systems, with a perspective of ensuring confidentiality, integrity and availability of data and information systems.
o Review the security of the City's SCADA and other maintenance/control systems.
o Review the security associated with web applications/websites that are used by the City of Aspen.
o Perform exploitation of vulnerabilities in coordination with IT staff.
o Identify and recommend safeguards, suited to the City of Aspen's environment, with the aim of strengthening the level of protection of the City of Aspen IT infrastructure.

The engagement will be broken into four phases:

a) External Penetration Assessment - General Government Network

To be performed external to the City of Aspen General Government Network. The scope will be public-facing websites and perimeter systems that are part of the City's general government network infrastructure. The vendor will identify vulnerabilities and potential exploits. Once identified, a determination will be made if and how any vulnerabilities should be verified or exploited.

b) External Penetration Assessment - Recreation Network

To be performed external to the City of Aspen Recreation Network. The scope will be the perimeter systems that are part of the City's Recreation network infrastructure. The vendor will identify any vulnerabilities and potential exploits.

c) Internal Vulnerability Assessment - General Government Network

To be performed from inside the City of Aspen General Government Network. The scope will be an overall security assessment and review of internal systems, including but not limited to:


o Firewalls - review firewall configurations and rules,
o Switches and routers - review overall configurations and security settings,
o Servers - review server configurations with emphasis on DMZ and certain enterprise-wide systems,
o WLAN - review of security for City SSIDs and controllers,
o End-user PCs - overall vulnerability of PC systems, and
o PCI compliance - review of process and point of sale system in use by certain departments.

Systems will be examined for security best practices and vulnerabilities. This phase can be done using a combination of vulnerability assessment tools and review of system configurations and security processes. This phase does not need to include any penetration of systems.

d) External Penetration and Internal Vulnerability Assessment - Control Systems

The scope will include both an external penetration assessment as well as an internal vulnerability review of the SCADA and control systems involved with water and hydroelectric production, ice rink maintenance, and certain building automation systems.

The vendor will identify vulnerabilities and potential exploits. Once identified, a determination will be made if and how any vulnerabilities should be verified or exploited.

External penetration work for the different network phases can be combined under one operation as long as reporting is separate. The reporting will include one executive summary (all phases combined OK), detailed technical reports for each phase, and prioritized recommendations for near- and long-term security improvements for each phase.

2) City Technology Profile

a) Core City Network - the City network provides voice and data services to 350 customers in 25 departments.

b) Wireless Network - the current wireless network is implemented in 17 of the 25 City facilities, providing 802.11b and 802.11g connectivity. We currently use 37 Cisco 1242AG access points. We have created a "guest" wireless network connected to a separate Comcast Internet service. An RFP was issued in August 2015 for the replacement of our
