RFP # 5797 11/7/2012

INFORMATION SECURITY SERVICES:

Network Vulnerability Assessment / Penetration Testing

REQUEST FOR INFORMATION SECURITY SERVICES
RFP NO. 5797

Macomb Community College Information Security:

Network Vulnerability Assessment - Penetration Testing Program

MACOMB COMMUNITY COLLEGE

WARREN, MICHIGAN

PROPOSALS DUE NO LATER THAN

Wednesday, December 19, 2012 at 2:00 p.m.

Submit Proposal To:

Macomb Community College

Dennis Costello

Purchasing Department

14500 E. Twelve Mile Road

Warren, MI 48088-3896

(586) 445-7308 – Phone (586) 445-7366 – Fax

1.  PROJECT OVERVIEW

Rather than bid and execute a single, large scale (comprehensive) information security vulnerability assessment, the College has adopted a strategy which separates this task into smaller, more manageable pieces, each targeting specific areas of information security.

Given the rapid pace of infrastructure change planned at Macomb over the next three years, the College seeks to adopt a multi-year penetration test strategy that includes more frequent, smaller, focused assessments instead of a single annual testing methodology. The frequency of these assessments will initially be based on need, system change, or compliance concerns; from these, regular testing schedules can be developed as part of an overall vulnerability management improvement program.

The services for this specific RFP will be focused on vulnerability assessment and penetration testing of external and internal information assets. The results of the security services will assist Macomb Community College in identifying weaknesses and exposures in existing defenses as well as assist with a prioritized risk-based mitigation strategy.

2.  PUBLIC STATEMENT

Macomb Community College (MCC) is the second largest community college in Michigan serving more than 43,000 degree-credit students. MCC also offers pre-college programs, continuing and professional education programs, customized workforce training and many cultural and community service programs.

3.  TOPOLOGY STATEMENT

Communications and Networking

·  100% Cisco Gigabit Ethernet backbone

·  Over 225 actively managed network devices in approximately 65 locations across four (4) campuses, including 62 stacks of 203 individual switches.

·  90 VLAN segments

·  Dedicated fiber plant between buildings. Dedicated redundant fiber between South and Center campuses. Leased fiber connects other campus and outreach locations.

·  Systemax Gigaspeed copper cable from MDF/IDF to office and classroom locations; about 9,000 total drops.

·  Cisco 802.11 b/g wireless network of 186 access points is deployed in the public areas. This system is targeted for upgrade in 2013.

·  Cisco IP telephony system. Includes Unity voice mail, CER, and Informacast paging application.

·  Approximately 90 network servers in a mixed-mode Active Directory environment running Windows 2003 (some) and Windows 2008 (primary). Servers provide a wide array of services. Examples include web servers, print servers, network control servers, storage servers and application servers.

·  Internet connection is through a dedicated (and redundant) 1 Gb fiber connection to the MERIT backbone. Macomb provisioning is currently capped at 140 Mb. Bandwidth shaping is accomplished with an Exinda bandwidth shaping device.

Business Applications

·  Datatel Colleague system used for Finance, Human Resource, Payroll and all Student records sub-systems, such as Admissions, Grading, Registration, etc.

·  Job posting and candidate processing is handled through a hosted application (People Admin).

·  Datatel systems run on a Unidata database system. A separate SQL datastore is used for reporting applications.

·  Web services are provided through several servers (all web services are hosted inside MCC-owned datacenters). www.macomb.edu provides general college information to the public. Datatel’s Webadvisor system provides registration and student records access to students; our intranet site provides college information to its employees. Ungerboeck’s EBMS web server provides information to Conference & Events clients. The site www.macombcenter.com provides information for performing arts patrons.

Other

·  Classroom mediation and presentation systems of various age and feature sets supported by Extron and Crestron control systems.

4.  RECEIPT OF PROPOSALS

To be considered for acceptance, all vendors wishing to bid must adhere to the following schedule:

Questions from vendors due: November 16, 2012
Answers disseminated to vendors: November 30, 2012
Final proposals due: December 19, 2012

Proposals must be mailed, delivered, faxed or e-mailed by 2:00 p.m. EST on the final due date posted above. Proposals should be submitted to:

Dennis Costello, Purchasing Administrator
Macomb Community College
14500 E. Twelve Mile Road, Warren, MI 48088 (Mailing Address)
Fax: (586) 445-7366
E-mail:

Proposals submitted via e-mail should not include any zipped or executable files, as these will be blocked by the College’s security system and may not be considered as received on time.

Proposals must be signed by an individual with authority to enter into a binding contract and the authority of the individual signing must be stated thereon.

5.  INQUIRIES

Inquiries pertaining to this RFP are to be directed to:

Contractual Questions:
Dennis Costello, Purchasing Administrator
(586) 445-7308 or

Scope of Services Questions (email contact only):
Michael Zimmerman, CIO

Responses to clarifications will be shared with all organizations that were invited to submit a proposal. MCC will not be bound by any oral responses.

6.  PROPOSAL RESPONSE FORMAT

Responses should be submitted in electronic format to the contact listed above in Section 5. Acceptable electronic formats include Microsoft Word or PDF, although Microsoft Word formatting is preferred. Responses should address all of the numbered items listed below:

6.1 Define your services including applicable methodology and approach. Refer to the project scope located in Section 9 for full details. Include sample deliverables or reports as needed.

6.2 Provide a company overview including core services and products.

6.3 Include qualifications of consultant(s) who will be assigned to the project. Include a brief narrative or biography illustrating:

6.3.1  The candidate’s overall experience as a consultant or contractor specifically related to the scope of services defined in this document and experience with information security practices specific to comprehensive community colleges.

6.3.2  Education and certifications. For this engagement, the primary project consultant must be qualified with CISSP, CISA, CISM, and/or GIAC certifications; those assisting the consultant need not meet the same requirements but shall have education/experience which directly correlates to the scope of services.

6.4 References – The RFP response shall include three customer references, which must also include institutions of higher education. Provide examples and/or references of similar work performed at other institutions of higher education. Macomb Community College expects organizations who respond to be highly qualified and to have experience with network security practices, processes, and assessment. Vendors are expected to have experience in completing projects of similar complexity and quality. Vendors must have information security and security testing (vulnerability assessment and penetration testing) as a core competency and product offering. Bid responses will be closely scrutinized for evidence of experience closely related to the requirements set forth in the Scope of Services section of this document.

6.5 Provide a sample of the services contract for review.

6.6 State bid type: Fixed bid or hourly rate (time & materials) contract. State the fee for the described services, providing a cost breakdown for each component of the proposed services where applicable. Clearly identify any reimbursable expenses.

6.6.1  Hourly (time and material) proposals must include a good faith estimate of costs based upon the scope of work defined and the vendor’s experience with similar assignments. Vendors will not be contractually bound to good faith estimates.

7.  CONTACT PERSON

Please identify, by name, telephone number and e-mail address, the person or persons to whom the College can address questions during the evaluation of proposals.

8.  AWARD OF PROPOSAL

The College may award a contract based upon the initial proposal without further discussion of such proposals. Accordingly, each initial proposal should be submitted with each respondent’s most favorable fee and service capabilities.

The College will award a contract to the one firm which it believes offers a proposal that is in the best overall interest of the institution.

9.  SCOPE OF SERVICES

The purpose of this project is to provide an overall vulnerability management program consisting of three years of vulnerability assessment and security testing services to help evaluate the effectiveness of technical and operational controls at MCC. MCC expects most phases of this project to incorporate (where applicable) periodic and predictable vulnerability scanning as well as a periodic blind, real-world testing approach that mimics a traditional network attack at the host and server level for both external and internal facing information assets. All tests will be managed with a vulnerability management approach based on industry best practices.

For the purposes of segmenting engagements, web application testing and social engineering will not be included in this particular test. However, web servers and the technical infrastructure that supports web applications shall be scanned for technical vulnerabilities. Exhaustive logic-flaw testing and other deep-level web application testing efforts should not be included in this scope. Testing services should incorporate methodologies that will help test technical defenses throughout the organization. The College is looking not only for proactive vulnerability scanning throughout the environment, but also for focused penetration testing that will help inform defensive activities.

The goals and definitions of a successful vulnerability management program should be included as part of the proposed methodology. However, goals should be relevant to higher education and include real-world examples of how the findings can be tied to strategic and tactical planning for MCC stakeholders. Examples include (but are not limited to):

·  Vulnerability scanning best practices

·  Remediation guidance (including taking into consideration college resources)

·  Schedule of penetration testing exercises (which should include, but are not limited to):

o  Helping validate firewall and router ACLs

o  Gaining unauthorized access

o  Exposure of PII (Personally Identifiable Information)

o  Theoretical (or real) damages to the organization

Denial of service is NOT considered a goal for tests covered by any contract resulting from a bid award from this RFP. Purposeful outages to any system are to be avoided entirely.

Vendors are expected to provide an efficient approach which blends scanning and testing activities across network devices and servers. Workstations are not in scope for this test. Vendors should consider this sampling approach when determining the frequency of scanning activities across the three-year lifecycle of this project. Over a 12-month period, at a minimum, all assets shall have been scanned.

9.1 Contract term: 36 months commencing March 1st, 2013

9.2 External Penetration Testing: Network level reconnaissance, vulnerability assessment and penetration testing of external facing systems at MCC. Vendor will use a black box testing methodology on an agreed-upon subset of discoverable assets on a quarterly basis. Vendor will assist MCC with determining appropriate assets given system change since the last test. MCC will provide the possible range of IP addresses.

9.3 Internal Penetration Testing: Periodic and quarterly network level reconnaissance and penetration testing of internal facing systems at MCC (unauthenticated). Vendor will use a black/gray box testing methodology on all discoverable assets. MCC will provide the chosen vendor access to a local network drop. Vendors should propose several best practice testing activities, including tests or tools that help MCC determine the validity of firewall ACLs within the campus environments.

9.4 Periodic vulnerability scanning: Vendors will determine a reasonable approach for vulnerability scanning and remediation within the MCC environment based on input from MCC and the resources available at the College. Scanning and testing activities should be integrated into an overall high level approach to improving defensive activities and assisting management stakeholders with planning future security activities. No more than 400 IPs per periodic audit is a reasonable threshold upon which bidders can build their proposals.

9.5 Deliverables: Vendors should describe their report document structure including sample deliverables. At minimum, report documents should contain the following:

9.5.1  Vulnerability management process. This includes approach and process for all major activities for the three year lifecycle of this project.

9.5.2  Executive summary of findings for management stakeholders for each phase of the project.

9.5.3  Detailed deliverable report including: detailed findings for each phase, criticality rankings of discovered vulnerabilities, screen shots and/or proof-of-concept for penetration test results and recommendations for remediation.

9.5.4  Estimated cost associated with remediation of discovered vulnerabilities. Include estimated resource costs (hours, hourly rates, etc.) as well as any proposed capital expenditures.

9.6 Remediation Assistance: Vendors shall include in their proposals the cost for a block of 50 hours which can be used by the College as needed for remediation support over a 12 month period.

9.7 Optional - Remediation Tools: Vendors may submit proposed methodologies, tools, processes or services in order to help MCC address remediation or risk-based decisions that will address weaknesses in the final reports. Please specify your approach including any solutions that MCC may use to help with efficient remediation. Specify whether implementation, configuration and execution of such is on a fixed price basis or time & materials.
