Addendum No. 2 - University of South Florida (source: usfweb2.usf.edu/BIDS 2014-15/15-09-gc-it-security-assmt-remed/15-09-gc-ad2.pdf)

Addendum #2

Purchasing Services AOC 200

4202 East Fowler Avenue Tampa, Florida 33620

(813) 974-2481

Web Address: http://usfweb2.usf.edu/purchasing/purch2.htm

September 22, 2014

Invitation to Negotiate No. 15-09-GC

Entitled: Information Technology Security Assessment and Remediation Services

Opening Date: October 01, 2014 at 3:00 p.m.

Addendum No. 2

All vendors review the following changes/additions/clarifications to Invitation to Negotiate (ITN) No. 15-09-GC Information Technology Security Assessment and Remediation Services to be addressed in submitted proposals:

USF Responses to Vendor Questions for ITN 15-09-GC

1. In terms of the overall Invitation to Negotiate, we require a standard commercial limitation of liability provision to be included. Will this bid condition render our proposal non-responsive? The Limitation of Liability is a provision that will be negotiated during the contract process.

2. On page 8 of the Invitation to Negotiate document, it specifies "Completion of all required responses in the correct format." as part of the Selection Criteria. Can you provide insight into what format looks like? I do not see it documented in the ITN document.

3. You are correct, we did not provide a proposal format for this ITN; given the broad Scope of the ITN, vendors can take a free-form approach in their proposals.

Page 8-9, Lot 2 - Remediation. Since this portion of services will be dependent on the outcome of the security assessment, what type of response is USF looking for on this piece? Is USF simply looking for confirmation that the service vendor has the capabilities to address all of the items that are listed in bullet points and to provide what the hourly rate would be for these services?

4. Correct. A description of the breadth of service the company provides as well as hourly rate.

5. In order to be able to accurately estimate the level of effort required to complete Lot 1 tasks, please provide the following additional information:

Lot 1 – SECURITY ASSESSMENT

a. Is USF interested only in external (from the Internet) assessment or do you also expect internal vulnerabilities to be tested?

External and internal vulnerabilities are expected to be identified.

b. Will additional information about the USF network and data centers be provided to the winning bidder (“white box” testing) or does the scope include network discovery and digital footprint development (“black box” testing)?

Additional information will be provided to the winning bidder.

c. Can all (or some) required tests be performed remotely from the vendor’s site?

Yes

d. Does USF desire the vendor to attempt to exploit discovered vulnerabilities?

A Penetration Test would be desired in order to verify that vulnerabilities are not false positives. This Pen Test must be coordinated with operations.

e. Is the intent of USF to conduct vulnerability assessment of all live hosts or a sampling of them?

All live hosts within the scope of work must be tested.

f. Please explain the meaning of “Possible Hosts”.

“Possible Hosts” is a reflection of the available addressing space within the area of scope. Not all addresses are occupied.

g. Is web application testing in-scope? If so can you provide the number and type of applications to be assessed?

An assessment of all web servers found is part of the scope. A number cannot be provided, since it will involve many different types of applications.

h. The solicitation references interviews with staff to determine compliance. Is there a compliance standard the USF needs to show compliance with? Are management and operational controls also in-scope along with technical controls?

Compliance to USF System policies and IT procedures. Both are posted on the USF IT web site.

Lot 2 – REMEDIATION

6. The bullet list in the ITN (page 8) pretty closely corresponds to the 16 control families defined in the NIST SP 800-53. While we believe that this is the right approach to establishing and maintaining reliable security posture for USF IT, we wanted to point out that only a small part of required information will result from the Lot 1 activities. Does USF expect additional gap analyses to come from other sources of information?

A larger scope would present challenges with resource contention. If this ITN is successful we could expect more ITNs focused on particular controls, budget permitting, at a later date.

7. Describing the proposed approach for remediation of all 16 control families would be very extensive, depending on the expected level of detail. Please define the desired contents of the proposal response for Lot 2.

Lot 2 response should contain a description of the breadth of service the company provides as well as hourly rate.

In Lot 1 the ITN indicates:

8. Gain a better understanding of potential Data Center network vulnerabilities that may be visible from the Internet.

a. Based on requirements noted it also appears that you are seeking to perform an Internal Vulnerability Assessment and not sure an External Penetration Test. Can you confirm that you are seeking for an Internal Vulnerability/Penetration Test as well as an External Penetration test?

Confirmed.

9. Evaluate the security associated with the web applications hosted by IT within the data center network that are used by USF faculty, staff and students

b. Do you have a number of how many web applications are in scope?

No. Inventory is not kept on the number of web applications.

In REQUIREMENTS of Lot 1:

10. The security Assessment should include a technical, configuration-level, end-user security and security process assessment.

a. In this step are you seeking to review the specific configurations of several systems or just the process? (e.g. user access provisioning process vs. end user configuration for PeopleSoft HRMS?)

The expectation is that configuration issues on end point, application, or database server will come to surface with the vulnerability assessment.

11. Review existing infrastructure software configurations.

b. Do you have a listing of the different types of infrastructure under the scope of the assessment (e.g. Windows, Linux, AS/400 etc.)?

The listing will be provided to the winning bidder.

c. What type of access will be provided to perform the tests? No credentials? Regular User Credentials? Administrator Credentials? We recommend performing both unauthenticated and authenticated testing. Our tests will provide the results with the different approaches.

Credentials will be provided for this assessment.

In REQUIREMENTS In Lot 2:

12. Rates and fees required to implement the Vendor’s solution. (Note it is understood that a fixed fee may be negotiated after conclusion of the Security Assessment described in Lot 1).

a. With regards to the fee requirements as indicated, until Phase I/Lot 1 is performed it is difficult to ascertain the price for Phase II/Lot 2. Are you then looking for our hourly rates for different levels of staff we have and the specific items in which we usually assist for remediation (e.g. Infrastructure configuration, Patch Management etc.)?

Correct. We are looking for hourly rates for the different levels of staff in specific items in which you usually assist for remediation.

13. Is there a process to become approved as a bidder for this ITN, or is this open to all bidders? This Invitation to Negotiate is open to all bidders.

14. Page 7/25, item 6: Interview key staff members to determine current level of compliance. We see no standard of practice or regulatory requirement denoted in the ITN; does “compliance” refer to compliance with the University’s internal policies, or is there a preferred standard against which you would like employee behavior compared?

Compliance refers to University of South Florida system policies, and other applicable regulatory compliance issues that may apply to the higher education environment, such as FERPA.

Our team wants to respond to this opportunity; however, we would like to ask whether ‘Lot 1’ (phase 1) of this project is:

15. Completely onsite, or Onsite + Offsite both? On-site and off-site.

16. Are the web applications you wish to evaluate all available on the public Internet or are all or some of them only available on the University’s internal network?

Some applications are only available inside USF addressing space.

17. Are the “live hosts” listed in the table on page 7 all external IPs?

No. Some of the live hosts listed on the table are only accessible internally.

18. How many individual web applications should be included in the scope?

All web applications found in the scope range.

19. Are you looking to evaluate web applications from an anonymous only or from both an anonymous and authenticated (user level) standpoint?

Anonymous use only.

20. How many analog phone lines do you have documented?

Not in scope.

21. Is your primary goal to evaluate your level of protection against an external hack/breach?

Correct.

22. Are you only interested in identifying vulnerabilities associated with an outside/external attack?

No. We are also interested in internal vulnerabilities.

23. Are your email systems internal or hosted by an external provider?

Both.

24. Approximately how many users (employees that you train) have email and Internet access?

About 13,000 employees.

25. Do you currently utilize two-factor authentication for any remote connections to the data center network?

We have limited deployment of two factor authentication

26. Do you utilize a web content filtering system to prevent users from going to malicious websites?

No

Lot 1 – Security Assessment

Evaluate the security associated with web applications hosted by Information Technology within the Data Center network that are used by the University of South Florida faculty, staff, and students.

27. Please provide the number of web applications in scope. Determining the number of applications is part of the assessment

28. Please identify the top three web applications in use. Ellucian Banner, PeopleSoft, and Canvas.

29. Is the University’s expectation that the security assessment will encompass the practices of all student, faculty and other users of the IT enterprise as well as the Data Center hardware, software and applications? No. The primary focus should be data center hardware, software and applications.

30. When did the University conduct its most recent IT security assessment? Is a copy of that assessment available for review? Such a comprehensive assessment was never performed.

31. How many Data Centers does the University currently operate and maintain?

a. Are the Data Centers located on the Tampa Campus and the Winter Haven Campus?

Correct.

32. Does the University currently maintain IT policies and standards regarding the security of its robust IT environment? If so, can a copy of these policies/standards or at a minimum a list of the various security policies in place (general, network and server, application, other) be provided?

Yes.

33. Approximately how many servers and applications are currently hosted by the University at each Data Center?

The number of servers is listed under live hosts in the ITN. Inventory of applications is a potential result of this assessment.

34. Can the University provide an estimate and location of the number of key staff members expected to be interviewed to determine the current level of compliance?

About 20 staff members

35. Is the University’s expectation that weekly reviews conducted with the Director of Information Security or other designated representatives are to be conducted in person, or via phone/online presentation media?

Either option would be fine.

36. How many web applications are in scope for the assessment?

The first goal of the assessment is to identify all web applications in the range scoped.

37. What are the operating systems for the servers in scope for the assessment? A variety of OS, from Unix to Windows.

38. Have previous vulnerability and/or PEN testing been performed? If so will those results be made available to the selected vendor? Yes, targeted assessments were made. No, they will not be available.

39. Are all IT functions handled in-house or are any outsourced?

a. If outsourced – to whom?

All IT functions in the scoped range are performed in house.

40. Is the data center in a University of South Florida managed facility or a colo facility? Per ITN, one data center is at USF Tampa, the other in a colo facility in Winter Haven.

a. If colo, does the City of West Palm’s IT organization manage the infrastructure? No.

41. Has a risk assessment and/or security assessment been previously conducted?

a. If Yes, when?

Risk Assessment was performed last in 2012.

42. Does the IT organization have documented policies and/or standards around: security policy, vulnerability management, system hardening (e.g. servers, workstations, and security devices), account control and access, security incident response, application secure coding, change management, incident management, logging and monitoring, wireless standards, backup and data retention, and data classification?

All policies are posted on the IT web site, http://www.usf.edu/it/about-us/policies-and-standards.aspx

43. Is there a security awareness program in place? Yes.

44. Does the University of South Florida store any credit card information?

a. If Yes, have you filed a SAQ D with your processor?

i. If Yes, when was that filed?

Not part of the scope of this assessment

45. Is there a documented BCP/DR plan?

a. If Yes, are there annual DR tests conducted?

Yes. Tests conducted yearly on certain applications.

46. When do you expect the decision around the winning proposal to be made?

This will depend on the number of proposals we receive; that said, our intent at this time is to make an Intent to Award decision on or around October 7, 2014, as stated in the updated Event Schedule (see Addendum #1).

47. Is there an approved budget for this project? If yes, what is the budget?

No, there is no approved budget.

48. May an out of state company submit a bid on this project - ahead of it being registered to do business in the state of Florida?

Yes, out of state companies may bid this project; we do not believe that there are any state licenses or certifications needed for this type of service.

49. How many total IP addresses are being tested?

a. External: ?

Please see ITN scope

50. How many of the IP addresses are “live”?

a. External: ?

Please see ITN scope

51. Does the client want potential vulnerabilities included in the report?

a. Include/Exclude (Potential vulnerabilities are generally those identified based only on OS or service versions that cannot be confirmed without local access to the host)

No

52. Are there special considerations for timing and time of day for testing?

a. Note that there is an additional cost for after hours work.

Yes.

53. Is an IDS/IPS/WAF in place that will interfere with testing?

a. Test with IPS in place?

b. White-listed through IPS?

c. Dual test with IPS in place and white-listed? No to all

54. What is the production status of the target environment?

a. Production / Testing / Development

All of the above

55. Are any of the targets owned by, managed by, or located on a third-party’s network (such as a shared hosting provider or colocation facility)? No.

a. If “Yes” inform the client that they will be required to provide written authorization to test from the third party prior to testing.

56. Would the client like to include a retest where we can verify whether or not their remediation efforts were successful up to 30 days after the original test? Not necessary.

a. Note that a retest will add to the cost of the project.

57. Should the assessment include internal systems as well?

a. If so, how many addresses?

b. Will work need to be conducted on site?

Yes. Most of the datacenter addresses will only be accessible internally. Work on site is optional. Number of addresses listed on ITN.

58. Should the assessment cover best practice ISMS? (27001) Up to the vendor.

59. Size of organization? 13,000 employees

60. Should the assessment cover best practice Controls framework? (27002) No.

61. Should war-dialing or war-driving be conducted?

a. War dial range of DIDs?

c. WLAN scan locations? Up to the vendor

62. Should Social Engineering be included?

a. Identify types of engagement (Phishing, physical entry, call pretexting, etc).

Up to the vendor to propose

63. Is manual validation of results required, or simple scanning?

Manual validation of critical exposures is necessary to rule out false positives.

64. Should specific applications be vulnerability tested?

a. If yes, how many applications, will user, admin levels need testing?

No

Scenario-Based Pen Test

65. How many total scenarios will be performed?

The number is unknown, and is dependent on the results of the Black Box Assessment.

66. For each scenario what role will the attacker be?

a. Anonymous hacker (internet)

b. Anonymous hacker (network)

c. Rogue employee (internet)

d. Rogue employee (network)

All.

67. For each scenario what is the primary objective of the attacker?

e. Gain access to specific data

f. Gain access to any data

g. Gain access to specific systems

h. Gain access to any system

Any of the Objectives above will be satisfactory but the ultimate objective would be to gain access to restricted data, especially PII.

68. For each scenario how much time (not to exceed) should be spent testing? Vendor to propose.

69. For each scenario which attack vectors will the client allow?

i. Network Layer Attacks

j. Application Layer Attacks

k. E-mail Phishing

Yes to all.

70. For each scenario when does the client want the testing conducted?

Timing will be discussed post bid.

Application Pen-Test / Vulnerability Assessment

71. How many total non-browser based application will be tested? Unknown

a. External:

72. How many total protocols will be tested? (FTP, HTTP, HTTPS, etc.) All common protocols

a. External:

73. How many total applications are being tested? All applications found within scope.

a. External:

74. How many total login systems are being tested? All systems in scoped range

a. External:

75. How many total test accounts will we be provided with? None

a. External:

76. How many total static pages will we be testing? Unknown

a. External:

77. How many total web scripts will we be testing? Unknown

a. External:

78. How many total functions will we be testing? Unknown

a. External:

79. How many Users access these applications? How is authentication and authorization managed?

Number of users varies per application. Access through local auth or SSO.

80. What is the size in bandwidth of your external connectivity? How many ISPs provide this bandwidth? Are they load balanced? If so, how? 100GB, local balanced.

81. Are there addresses/servers that are business sensitive and should be avoided during testing?

Tests must be scheduled.

82. What database technologies are used in support of these applications?

Oracle, MySQL, and MS SQL

83. What validation of penetration is requested? (capture of files, placement of files, account creation, Screen capture of privilege escalation, etc.)

Any type of validation will suffice.

The following questions for Lot 1:

84. Under requirements for Lot 1, USF states “5. Interview key staff members to determine current level of compliance”. Against what regulations or standards would the assessor be evaluating compliance? How many key staff members are responsible for the implementation and management of compliance requirements in scope?

About 20 staff members. Policies listed:

http://www.usf.edu/it/about-us/policies-and-standards.aspx

85. In the introduction of Lot 1, USF states “Evaluate the security associated with web applications hosted by Information Technology…”. Can USF provide any information around the number of web applications hosted or the platforms/technologies involved?

Part of the goal of the assessment is to determine the number of web applications being hosted.

86. With regard to web application testing, will the assessor be provided credentials to perform authenticated testing against any of the web applications? No.

87. Can USF provide names and version numbers of software packages that they request the vendor to perform configuration reviews of (for instance, operating systems, database platforms, web servers, etc.)? Yes.

88. In the deliverables section of Lot 1, USF mentions compromise by dial-up access.

89. Is a dial-up security assessment (aka. War Dial) to be included in the scope? If so, can USF provide the number of Direct Inward Dial (DID’s) numbers to be included in the testing?

Dial up access no longer available.

90. “Can USF provide names, version numbers and quantities of software packages that they request the vendor to perform configuration reviews of (for instance, operating systems, database platforms, web servers, etc.)? Yes.

Questions regarding Lot 2, Remediation:

91. For the purposes of this response, for Lot 2, is USF just looking for a statement of capabilities with regard to the possible in-scope remediation areas to be included in the RFP response?

That is correct

92. Is there any significant compliance dates that any identified vulnerabilities would need to be remediated by?

There is no date for remediation. Report must be issued prior to 12/31/2014.

93. Can you provide the number of full time employees and job titles for the following:

a. Organization wide? 13,000+

b. If applicable - current internal audit, IT audit or risk department? 10.

c. Current internal IT department staff? 300+

94. When was the last IT risk assessment completed and by whom? If, in the last three years, were there any results that would significantly impact our approach?

Last assessment performed by IT Security in 2012. No impact.

95. Is administration of systems centralized or de-centralized? Centralized

96. In relation to the external IT infrastructure:

a. How many external (Internet facing) IP addresses does USF have/own that should be considered as in-scope for external testing? Listed on ITN

b. How many websites are running from the USF’s infrastructure? Part of deliverable list.

c. Please list the number of different operating systems and web servers (i.e. IIS, Apache, etc…) that are running. All “live hosts” obviously run an OS, from Linux to Windows, from Oracle to MySQL, from IIS to Apache.

d. Please describe the Internet facing systems/applications run by USF that are hosted on in-house systems. Part of deliverable.

e. Please list any Internet facing systems that are conducting some form of e-commerce. Unknown

f. Please describe each form of remote access provided to staff, IT, and/or vendors. Direct connect, Remote Desktop, or VPN

g. Are there any hosted applications (not on your infrastructure) that should be considered in- scope for this assessment? No.

97. Please list the number of active directory domains in operation. 4 Under scope.

a. Please describe any (centralized) authentication mechanisms in place. SSO using Shibboleth or JASIG and ADFS.

98. Please describe the number of in-house servers, including their operating systems.

Most live hosts under scope are servers.

a. How many are virtualized? Majority.

b. What is the virtualization technology in use? VMware

99. How many desktops, laptops, and other peripheral systems are on the internal network?

Out of scope.

a. What different operating systems are in use for desktops and laptops?

100. Please describe the number of business applications that are considered Commercial off the Shelf (COTS), including their operating systems. Unknown.

101. Please describe the number of business applications that are considered internally developed/maintained/programmed. Specific number unknown.

102. What third-party service providers are currently being utilized from an IT perspective?

Out of scope.

a. Infrastructure only providers?

b. Data storage/processing/management providers?

103. Can the two locations be tested centrally? Yes.

a. Connection type between location and available bandwidth? Redundant 10G.

104. How many mobile devices with network access? Specific number unknown.

a. Is there a BYOD policy in place?

Policies are around data assets, independent of method of access.

105. Any specific compliance requirements (HIPAA, PCI, etc.) that we need to meet? FERPA

106. Is wireless networking used? If so, how many WAPs are in use?

Yes. Specific number disclosed to winner of bid.

107. Evaluate the security associated with web applications hosted by Information Technology within the Data Center network that are used by the University of South Florida faculty, staff, and students. We need to understand how many and complexity, unless USF wants a complete “black box” assessment of WebApps. Are we treating the applications as “hosts” or performing WebApp-specific testing (OWASP, authenticated?).

Black box test is desired, with performance of webapp OWASP testing.

REQUIREMENTS

108. Review existing infrastructure software configurations. White box? If so, what type of devices and how many? Or, is this assuming we are just evaluating based on the results of a vulnerability assessment?

Based on results of assessment.

109. Interview key staff members to determine current level of compliance. Compliance against what framework? ISO, NIST?

USF System policies and standards, http://www.usf.edu/it/about-us/policies-and-standards.aspx

110. Also, selecting the same vendor for LOT#2, remediation, typically diminishes the “unbiased” opinion of the 3rd-party assessment. Can we opt-out from performing LOT#2, to maintain the integrity of our work?

That would be acceptable.

111. Are you requiring that the vendor be pre-registered to do business in the State of Florida (prior to contract award)? No.

112. Would you like to receive pricing for Lot 2 with this proposal or will that be after Lot 1 is awarded and scope is determined?

We would like to receive general pricing for lot 2 with this proposal.

113. Is it desirable to have a penetration test performed in-line with the vulnerability assessment (e.g. active attempts at exploitation)

No. Pen test would ideally be made post assessment.

114. Do the in-scope USF data centers follow any specific regulatory guidelines that will be assessed? (e.g. PCI, HIPAA, GLBA, etc.)

Yes, USF Policies and standards, http://www.usf.edu/it/about-us/policies-and-standards.aspx

115. Does USF currently strive to adhere to any IT service management or operational standards? (e.g. ITIL, COBIT, ISO27001, etc)

We are audited under COBIT by our internal assessment team.

116. How many networked applications are in-scope, and in what languages and platforms are they developed and hosted? (e.g. LAMP, ASP.Net, Java) Black box testing is desired.

117. What is the primary in-scope network equipment manufacturer? (e.g. Cisco, Palo Alto) Cisco

118. What is the primary in-scope client manufacturer? (e.g. Dell, HP) Varies. Primarily Dell.

119. Are there any mainframe systems used in the in-scope datacenters? No.

120. Does being awarded in Lot 1 exclude vendor from providing products or services in Lot 2?

No, as long as vendor submits answers to both lots.

121. Does winning Lot 1 preclude us from working on Lot 2?

No, award of Lot 1 does not exclude a vendor from Lot 2.

122. What is the definition of 'possible' hosts and 'live' hosts?

Potential hosts on subnets versus actual connected hosts.

123. What is the source of the disparity so we can determine the likelihood of discovering more 'live' hosts during the project?

See previous response.

124. What is the mix/count of operating systems in use at the data centers? (e.g. windows, unix/linux, mainframe (Z OS, CMS, ...)

Windows and Unix (Linux primarily)

125. Which network infrastructure vendors are prominent in the environment? (e.g. Cisco, Juniper, Brocade, ...)

Cisco

126. Which network firewall vendors are prominent in the environment? (e.g. Cisco, Fortinet, Cyberguard, StoneSoft, ...)

Juniper

127. Which types of web and app servers are prominent in the environment? (e.g. IIS, Apache, WebSphere, ...)

Apache and IIS.

128. Which types of database platforms are prominent in the environment? (e.g. Oracle, MS SQL, Postgres, MySQL, ...)

Oracle, MySQL, and MS SQL.

129. What type of access / identity management systems are prominent in the environment? (e.g. IBM/Tivoli, ActivIdentity, BMC, ...)

AD and ADFS, homegrown IdM.

130. Does the environment employ and operate its own certificate authority and if so, what type, (e.g. Microsoft, Entrust, ...) No.

131. How many people are involved in daily operations of each data center?

Unclear on definition of “involved.” About 10-20 with physical access.

132. How many people are dedicated resources within the security team?

Dedicated resources to Data Center? None

The University of South Florida is interested in conducting a security assessment that will allow it to:

● Gain a better understanding of potential Data Center network vulnerabilities that may be visible from the Internet.

● Evaluate the security associated with web applications hosted by Information Technology within the Data Center network that are used by the University of South Florida faculty, staff, and students.

133. We need to understand how many web applications and the complexity of the applications. (e.g. how many web pages, how many data fields?) Black box testing, numbers not available.

134. Or do you want a complete “black box” assessment. Correct

135. Are we treating the applications as “hosts” (as outlined in your hosts chart) or performing WebApp-specific testing? Performing specific tests.

REQUIREMENTS

• Conduct a comprehensive security vulnerability assessment against the Data Center (Tampa Campus and Winter Haven) for the University of South Florida. The security assessment should include a technical, configuration-level, end-user security and security process assessment.

136. Confirming that no physical security assessment is to be completed (access procedures, video cameras, etc) Confirmed, beyond the scope at this time.

• Review existing infrastructure software configurations.

137. Is this a request to perform a white box assessment (Looking at application code) ? If so, what type of devices and how many?

No white box assessment needed. Configuration assessment based on standard practice on applications found. For instance, Oracle DB files, etc.

• Identify configuration-level threats and risk exposure to specific vulnerabilities

138. Should we assume the device count to be equivalent to the count in your statement 2 above? Device count listed under “live hosts” on ITN.

• Perform vulnerability tests to ensure design and configuration integrity.

• Interview key staff members to determine current level of compliance.

139. You request an assessment for compliance, but do not state what compliance regulations you are being measured against?

USF System Policies and Standards, http://www.usf.edu/it/about-us/policies-and-standards.aspx

140. How many staff exist which would require assessment? About 20 staff members to interview.

• Inventory and develop an improvement/remediation plan for implementing solutions to overcome the gaps found.

141. Statement: Planning on a phase II remediation project may eliminate an unbiased approach unless stated that provider of phase I assessment will not be awarded phase II remediation. This will provide you a truly unbiased approach without the hope of obtaining additional business. Understood. Vendors may recuse themselves from lot 2.

142. Is the service provider awarded the contract in Lot 1 for the assessment services eligible to also provide the remediation services in lot 2? In other words, is the vendor selected for Lot 1 Assessment precluded from bidding on Lot 2 Remediation or can the same vendor provide both? Vendor awarded lot 1 is also eligible for lot 2.

143. On page 2 of 29 of the ITN under General Conditions, item #6, that reads,” ADDITIONAL TERMS AND CONDITIONS: No additional terms and conditions included with the ITN response shall be evaluated or considered and any and all such additional terms and conditions shall have no force and effect and are inapplicable to this ITN. If submitted either purposely through intent or design or inadvertently appearing separately in transmittal letters, specifications, literature, price lists or warranties, it is understood and agreed the general and special conditions in this ITN solicitation are the only conditions applicable to the ITN and the vendor's authorized signature affixed to the vendor acknowledgement form attests to this.

a. Does this mean that if a vendor takes an exception or clarification to anything stated in the ITN General Terms and Conditions will mean automatic disqualification from the ITN process? No, it means that unless noted all terms and conditions stated in the ITN document will be in force. If a vendor has an exception they should note this in their response and we will consider the exception, and try to find an acceptable compromise for all parties.

b. Will taking exception to anything stated in the rest of the document mean automatic disqualification from the ITN process? No, it will not.

144. On page 23 of 29 under “Required Forms to be submitted with proposal”, included in the list is, “Any vendor’s boiler plate contract agreements”. Verizon’s boiler plate agreement will include our own terms and conditions which are written for the products and services we offer.

a. Is this in conflict with the University’s ITN General Conditions noted on page 2 of 29?

This is a common occurrence; your standard agreement will need to be vetted through USF general counsel, and any conflicts will be negotiated.

b. Is the University willing to negotiate the terms and conditions stated in the vendor’s boiler plate contract? Yes.

145. Can you clarify “end-user security” and “security process” areas that you want included in the assessment?

a. Are these areas just related to the Vulnerability Management Program or part of an entire information security program? Security and processes directly related to Data Center operations and maintenance.

b. Is the scope of the assessment from an end-user and security process only related to only the data center? Only data center and associated operators.

c. Is there a specific control framework that you would like to be assessed against?

NIST Security Framework.

146. Can you provide any guidance on the number of “key stakeholders” that will need to be interviewed as part of the assessment process? About 20 staff members.

a. Are these subject matter experts (SME’s) with respect to the specific security related controls that should be included in the assessment? SMEs within their area of operation. For instance, DBAs, ERP application support director, etc.

b. Where are these stakeholders located? Tampa

c. What compliance standard are you looking to assess against (internal policy, external regulatory mandate, etc.)? USF System Policies and Standards, http://www.usf.edu/it/about-us/policies-and-standards.aspx

147. Should the vulnerability assessment be performed from within the internal network segment(s) at each datacenter, from the Internet, or both? Both

148. If External testing over the Internet is desired, what is the size of the Internet-facing subnets, and how many live hosts are accessible over the Internet? Listed under Possible Hosts and Live Hosts

149. How many web applications are available on the live hosts? How many of these are available over the Internet? Black box testing required.

150. If Internal testing is desired, is travel to each Data Center required or can the testing be performed from a single Data Center? From a single data center

151. How many web applications are hosted by Information Technology within Data Center? Black box testing required.

152. Is the scope number of hosts from Lot 1 going to remain the same for lot 2? Not necessarily, since vulnerabilities found on 1 may not apply to all hosts under scope in 1.

153. Can you provide a breakdown of types of possible and live hosts and estimated number of each type? No, but the majority will be Windows servers, followed by Linux and Solaris.

154. For Lot 2, is USF looking to purchase solutions for all of the selected areas? If so, do responses need to include pricing for all potential solutions for selected areas? Potential remediation solutions with a general cost for each area are desired.

155. How many layer 3 devices are within the scope of this project? Data to be provided to winning bid.

o What Types of Layer 3 Devices? Primarily Cisco

156. Does USF have any automated asset discovery tool to perform hardware and software inventory? Partially deployed

157. Is Access Control referencing the need for a Network Access Control Solution? That could be a potential control to be implemented.

158. Is there a Configuration Management Database in place? Partially deployed.

159. Is there anything in place for network monitoring? Juniper Firewall.

160. Does USF currently own a Vulnerability Scanner? Yes.

161. Does USF currently own a malware defense system for email? Yes.

162. Does USF use anything for File Integrity Monitoring? No.

163. Does USF have anything in place for DLP? No.

164. Does USF have anything in place for Identity and access management? Yes, homegrown.

165. Does USF have any data classification already in place? Some.

166. Reference is made to vulnerability assessment. Does this specifically include the execution of penetration testing? Or is it only for vulnerability scans? Thanks. Assessment should be a precursor to pen testing.

167. Also, how many applications are in scope for the assessment? Thanks again. This is a black box assessment.

168. Are internal networks to be included in the project scope? Yes.

169. Are the original proposal, 2 copies and digital copy to be enclosed in one envelope or 4 separate envelopes for delivery? All copies may be contained in the same envelope.

170. Is migration of existing assets to more easily secured physical locations off campus a remediation consideration? Yes.

171. The General Conditions state that no exceptions will be considered. Section 15, Right to Negotiation states that negotiations could include but are not limited to price and the terms and conditions of this ITN. Can the vendor include exceptions to the ITN terms and conditions in its proposal response, or is this an “as-is” bid with no exceptions allowed?

No, it means that unless noted all terms and conditions stated in the ITN document will be in force. If a vendor has an exception they should note this in their response and we will consider the exception, and try to find an acceptable compromise for all parties.

172. Section 2, Lot 1, Selection Criteria includes “Completion of all required responses in the correct format.” The ITN does not include a prescribed proposal format. Please clarify.

This was stated in error, given the broad Scope of the ITN vendors can take a free form approach in their proposals.

173. It is understood that the Intent to Award is October 7, 2014. What is the anticipated contract start date?

Our intent is for the work to start promptly after an award decision is made.

174. Regarding the Web Applications to be assessed, how many applications are there and what are those applications? We also need to identify the complexity of each application by determining: This is to be a black box assessment.

• Number of pages per app

• Number of users per app

175. Due to the nature of the services requested, is a Vendor permitted to mark portions of its Proposal as confidential that relate to its proprietary processes and trade secrets? Yes, to the extent allowed by Florida Statute 119.

176. System Penetration – to reduce costs we typically conduct vulnerability scans on all systems in scope but only perform penetration testing on a subset of critical systems. How many of the following systems would you identify as critical and desire to have penetration testing performed on: Systems designated for pen testing would be identified after vulnerability assessment.

a. Tampa Data Center – 898 Active hosts

b. Winter Haven Data Center – 95 active hosts

177. System Penetration – we typically conduct penetration testing of systems from both inside and outside the firewall. How many of the following systems would you like to be tested: Pen testing systems TBD after initial assessment.

a. Tampa Data Center –

i. External

ii. Internal

b. Winter Haven Data Center –

i. External

ii. Internal

178. Web Application Penetration Testing – How many of the following systems host web applications that you desire to have web application penetration testing performed on: This is a black box test.

a. Tampa Data Center –

b. Winter Haven Data Center –

179. Database Assessment – How many of the following systems are database servers that you would desire to have database assessments performed on: Black box test.

a. Tampa Data Center –

b. Winter Haven Data Center –

180. Please provide a list of IT and facilities (or other) groups/teams that you would like to have participate in the IT Security Process interview:

a. ISO

b. Networking

c. Systems and Storage

d. Operations

e. Identity and Access Management

181. How many Web applications require security assessment? This is a black box test.

182. How many web servers require Security Assessment? All under scope.

183. How many databases are there in both Data Centers? This is a black box test.

184. For the possible host, how many Servers (windows based/Linux based), Routers, Switches, Printers, Laptop and Desktops are there on both locations? Most listed under “live hosts” are servers.

185. Has a security assessment been performed previously on these data centers? Yes.

186. If yes, who is the incumbent? We do not currently have a security assessment firm.

187. Will the response to this ITN determine award for both Lot 1 and Lot 2?

Both phases will be awarded based on the evaluation of the proposals submitted.

188. Can the same offeror receive award for both Lot 1 and Lot 2? Yes

189. Is our assumption correct that we only need to provide pricing for Lot 1 scope of work, because the level of effort for Lot 2 cannot be determined before the Security Assessment? General cost estimate for lot 2 on potential services provided by the vendor is expected.

190. Who is the executive sponsor(s) for this project? Assessment mandated by Internal Audit.

191. Will USF provide the selected consultant with a project liaison or coordinator to assist with the coordination, planning, and communications of this project? Yes

192. Does the scope of this engagement include USF St. Petersburg, USF Sarasota-Manatee, and/or USF Health? No

193. May firms bid on Lot 1 only (Security Assessment)? Yes

194. Does USF prefer firms that bid on both Lots 1 and 2? USF has no preference.

195. What does USF anticipate for the approximate start date and duration of Lot 1 services (Security Assessment)?

We expect to start promptly after an award determination is made and to complete the work in an expedient manner; the duration will be determined through the evaluation process and negotiation.

196. Has USF conducted a data classification process (using FIPS PUB 199, for example) for information and information systems? Not in detail.

a. If not, is the physical and logical location of all confidential information (PCI, PHI, PII, FERPA, etc.) documented? Yes.

197. Has USF completed a formal Risk Assessment? Yes.

198. How many IP addresses are within scope for the external penetration test? TBD by initial assessment.

199. How many web applications are in use and are they included in the scope of testing? This is black box testing.

200. Does USF prefer the selected consultant to perform black box, gray box, or white box penetration testing for the Lot 1 project (Security Assessment)? Black box.

201. Does USF utilize any third-party, cloud-based solutions? If so, will these be included in the scope of the Lot 1 project (Security Assessment)? Out of scope.

202. Regarding Lot 1 (Security Assessment): Does USF have a preferred assessment methodology to be used (for example: NIST, SANS, ISO etc.)? NIST Security Framework.

203. Regarding Lot 1 (Security Assessment): In the “Introduction” on page 7 of the ITN, what is meant by the “three main methods”? Please provide additional detail. Confidentiality, Integrity, and Availability.

204. Regarding Lot 1 (Security Assessment): What level of physical security does USF want assessed? Minimal.

205. Regarding Lot 1 (Security Assessment): Are there any regulatory requirements that USF is looking to meet, for example, PCI, FERPA, HIPAA, etc.? USF System policies and standards, http://www.usf.edu/it/about-us/policies-and-standards.aspx

206. For Lot 1 (Security Assessment), does USF want the selected consultant to assess the approach to business partner connectivity, or to assess how specific business partners access the USF network? No.

a. How many business or other partners are within scope?

207. Does USF develop custom web applications? If so, how many? Yes. Number unknown.

208. Has USF had any security assessments or penetration tests performed in the past? Assessments are performed monthly. Results not available.

a. If yes, how recently were these conducted?

b. If yes, will the results be made available to the successful bidder?

209. Regarding Lot 1 (Security Assessment), how many of each of the following are included in the scope of this project? If an exact number is not available, please provide a best estimate. Most of the “live hosts” are servers. This is a black box assessment.

a. Servers

b. Networks

c. Firewalls (include brand and description, if possible)

d. Routers

e. Switches

210. Will prospective bidders be provided with the answers to all questions submitted? Yes.

211. Does USF have a budget estimate or range for Lot 1 of this project (Security Assessment) that you can share? If yes, please provide detail. No.

SIGNATURE PAGE TO FOLLOW

Note: Please acknowledge receipt of this addendum by signing and returning it with your proposal response.

__________________________________________ Authorized Signature & Date

__________________________________________ Print Name

__________________________________________ Company Name