CITY OF MEMPHIS
REQUEST FOR PROPOSAL #52136
Security Penetration Testing
Addendum #2

Questions & Answers

Except to remove vendor names and addresses, questions are provided exactly as submitted.

Columns of the original table: # | Section | Question / Answer

#1 | Section 2.4 Requirements
Q: Under General Requirements, the RFP lists examples of relevant industry Cyber Security Certifications for proposed team members. Would the City accept other relevant industry certifications, such as Certified Information Systems Security Professional (CISSP), in place of the examples listed?
A: YES.

#2 | RFP Terms & Conditions, Instructions to Proposers
Q: On pages 24 and 26, the RFP indicates that "This procurement may be subject to the requirements of Ordinance No. 5114 which establishes a local preference for local businesses located within the City of Memphis. A copy of your current Memphis and Shelby County Tennessee Business Tax Receipt must accompany the proposal for consideration of this ordinance." And that "the successful proposer, whose principal business address is located within the limits of the city of Memphis, will be required to submit, along with the required insurance and other required documentation, a copy of (1) the tax exempt ruling or determination letter from the Internal Revenue Services; or (2) its current Memphis and Shelby County Business Tax Receipt/License." Would the City consider awarding this contract to a business that is not located in Memphis or Shelby County?
A: YES.

#3 | Section 2.4.1 External Network Penetration Testing
Q: How many Firewalls are in use?
A: 2 in scope.

#4 | Section 2.4.1 External Network Penetration Testing
Q: How many external internet domains are in use?
A: 1 in scope.

#5 | Section 2.4.1 External Network Penetration Testing
Q: What is the minimum amount of external IPs that are anticipated being tested?
A: Not more than 100.

#6 | Section 2.4.2 Web Application Penetration Test
Q: How many web applications are in-scope for testing?
A: 10.

#7 | Section 2.4.2 Web Application Penetration Test
Q: How many are hosted internally vs by a 3rd party?
A: 8 internally, 2 3rd party.

#8 | Section 2.4.2 Web Application Penetration Test
Q: Will the testing be performed via authenticated or unauthenticated means?
A: Unauthenticated.

#9 | Section 2.4.3 Network Security Assessment
Q: Does the City use Microsoft Cloud / Azure for their Active Directory?
A: Yes.

#10 | Section 2.4.3 Network Security Assessment
Q: How many total network segments are in place?
A: 100.

#11 | Section 2.4.3 Network Security Assessment
Q: How many active AD accounts are in use on the network?
A: 8000.

#12 | Section 2.4.3 Network Security Assessment
Q: How many active devices are on the total network?
A: Selected specific subnets totaling less than 5000 active devices will be provided.

#13 | Section 2.4.3 Network Security Assessment
Q: How many wireless access points are in use?
A: More than 30 access points, but only four (4) unique SSIDs are in scope. The unique SSIDs can be accessed from 2 locations.

#14 | Section 2.4.4 Physical Security Assessment
Q: How many locations are required to test?
A: 5.

#15 | Section 2.4.4 Physical Security Assessment
Q: How many attempts are expected for this test per location?
A: 2.

#16 | Section 2.4.4 Physical Security Assessment
Q: Are any methods considered "black listed" and should not be attempted?
A: Yes – Public Safety Officer Impersonation.

#17 | Section 2.4.5 Social Engineering
Q: Vishing – how many calls are required?
A: 10.

#18 | Section 2.4.5 Social Engineering
Q: Pre-Texting – how many calls are required?
A: 10.

#19 | Section 3.4 Pricing
Q: What is the budget set for this contract?
A: This information cannot be disclosed at this stage.

#20 | Section 3.4 Pricing
Q: Do you have a preference for how the pricing is presented? (per hour pricing/per service pricing/etc.)
A: NO.

#21 | Section 2.4.2
Q: How many applications are in scope?
A: See response to Question 6.

#22 | Section 2.4.2
Q: If a traditional web application:
 - Are you looking for authenticated or non-authenticated testing or both?
 - Number of unique user profiles in scope for testing
 - Number of dynamic/input pages accessible to authenticated users
 - Number of API endpoints in scope
A:
 - Unauthenticated testing for web applications
 - N/A
 - N/A
 - 3

#23 | Section 2.4.2
Q: If a Single Page Application (SPA):
 - Number of unique user profiles in scope for testing
 - Number of unique routes handled by the SPA
 - How does the SPA keep state? Externally or internally
 - Number of API endpoints in scope
A: N/A

#24 | Section 2.4.3
Q: Are you looking to "time box" both phases of the internal testing? If yes, how long for each phase?
A: Phases will not be "Timeboxed".

#25 | Section 2.4.3
Q: Is Wireless in scope?
 - Number of SSIDs
 - Number of locations
A: See response to question 13.

#26 | Section 2.4.3
Q: Internal Applications:
 - How many applications are in scope?
 - Are you looking for authenticated or non-authenticated testing or both?
 - Number of user profiles in scope
 - Number of dynamic/input pages accessible to authenticated users
 - Number of API endpoints in scope
A:
 - See response to question 6
 - See response to question 8
 - Details will be provided during execution
 - N/A
 - 3

#27 | Section 2.4.5
Q: Please clarify: Social Engineering tests done internally, or is this a standalone testing scenario?
A: Targets of Social Engineering will be internal City of Memphis staff.

#28 | Section 1.2 Objective
Q: Is the City using the penetration testing to address any specific compliance requirements (e.g., PCI DSS, HIPAA, CMMC, etc.)?
A: No.

#29 | Section 2.4.2 Web Application Penetration Test
Q: Does the City want unauthenticated (e.g., penetrate outside it to the web application), authenticated (e.g., test the internal security of the web application), or both?
A: See response to Question 8.

#30 | Section 2.4.2 Web Application Penetration Test
Q: Approximately how many web applications are in-scope for testing?
A: See response to Question 6.

#31 | General Requirements
Q: Under "General Requirements" on page 7, the RFP states the total testing window may only be 10 continuous business days. Is there an operational or business impact that is driving this, or perhaps based on timelines provided by previous penetration testing firms?
A: This was determined based on schedule of current and upcoming projects.

#32 | Section 2.4 Requirements
Q: Page 7 of the RFP states that the assessment will be conducted in four independent phases, however, page 8 goes on to say that it will take place in five phases. Also, is it expected that the deliverable (penetration testing report) will simply address each phase specifically, or that phase 1 will be conducted and completed before moving to phase 2 and so on? Can the City of Memphis clarify their intent?
A: Assessment, as stated on page 8, should be performed in 5 phases. Assessment can be performed concurrently. Deliverable should address each phase specifically. Pricing can be itemized by phase and a total can be provided for the entire assessment.

#33 | General Question
Q: Are the requested services being conducted to fulfill the requirement of a compliance framework, such as PCI-DSS?
A: Partly to fulfil NACHA, CJIS requirement.

#34 | Section 2.5 Reporting
Q: Section 2.5, 3h of the RFP suggests segmentation testing should be performed to validate segmentation controls, but it was not mentioned anywhere else in the RFP. Is segmentation from every network segment, to every network segment, being requested? Or is the intent to test segmentation controls put into place to reduce PCI-DSS scope, thus segmentation testing only needs to be performed to validate the non-CDE networks are properly segmented from the CDE networks?
A: The Network Segmentation Validation is part of Section 2.4.3 in the RFP. That part of the assessment is to test security controls implemented by the City to prevent unauthorized access to restricted networks.

#35 | Section 2.4.5 Social Engineering
Q: For social engineering, will the City of Memphis be providing the targets for the phishing/vishing/spearphishing/etc., or will the vendor be responsible for discovering this information on their own?
A: The City of Memphis will provide random targets if vendor is unable to perform discovery.

#36 | Section 2.4.4 Physical Security Assessment
Q: For physical testing:
 - How many locations?
 - Are there armed guards?
 - Will physical security assessment/on-site social engineering be conducted during or after business hours, or both?
 - What physical security controls have been implemented?
 - What is the ultimate objective? (Are there specific things you would like us to try, specific areas you would like us to attempt to gain access, particular departments you would like us to focus on, etc.?)
 - Are there any activities that are strictly prohibited?
A:
 - See response to question 14
 - In some locations – Yes
 - Business hours
 - Cameras, Boulders, Security Personnel, Key Card Entry
 - Objective is to test the effectiveness of Physical Security Controls implemented by the City of Memphis – details of locations will be provided after contract is awarded.

#37 | Section 2.4.2 Web Application Penetration Test
Q: How many web applications will be tested, and what are the purposes of each application?
A: See response to question 6. Purpose of application will be provided after contract is awarded.

#38 | Section 2.4.2 Web Application Penetration Test
Q: Are the applications Commercial Off the Shelf (COTS), or custom coded by a third party, or custom coded in house?
A: There are COTS, custom and third party applications. Details will be provided after contract is awarded.

#39 | Section 2.4.2 Web Application Penetration Test
Q: What software or coding languages are used?
A: See response to question 162.

#40 | Section 2.4.2 Web Application Penetration Test
Q: How many unique dynamic pages (pages that change based on user inputs) for each application? (e.g., an e-commerce site that sells products may have hundreds of dynamic pages, but each dynamic page is the same underlying code) For scoping purposes, only provide the number of unique pages with dynamic content.
A: See response to question 47, 48.

#41 | Section 2.4.2 Web Application Penetration Test
Q: Is authenticated testing being requested? Authenticated testing typically provides for more thorough testing, however often takes quite a bit more time. If authenticated testing is requested, how many and what types of user roles would be tested? (i.e. Three - user, manager, administrator)
A: See response to Question 8.

#42 | Section 2.4
Q: How many post remediation reviews do you anticipate and what is the expected timeline to complete the reviews?
A: Remediation steps should be provided in the Pentest report as stated in Section 2.5 of the RFP.

#43 | Section 2.4
Q: Are the five phases to take place over 10 business days? Can they run concurrently?
A: See response to question 32.

#44 | Section 2.4.2
Q: How many web applications are in scope?
A: See response to question 6.

#45 | Section 2.4.2
Q: Do they have authenticated users with roles? More than a basic user and admin?
A: See response to question 8.

#46 | Section 2.4.2
Q: Is testing the authenticated portion of the apps needed?
A: See response to question 8.

#47 | Section 2.4.2
Q: How many unique pages or "flows" make up the applications?
A: 25.

#48 | Section 2.4.2
Q: Estimated number of input forms on the applications.
A: 50.

#49 | Section 2.4.3
Q: How many locations are in scope for the network security assessment?
A: Assessment will be performed from a central location.

#50 | Section 2.4.3
Q: How many datacenters are in scope for the network security assessment?
A: 1.

#51 | Section 2.4.3
Q: Are any cloud services in scope for the network security assessment?
A: No.

#52 | Section 2.4.4
Q: How many locations are in scope for the physical security assessment?
A: See response to Question 14.

#53 | Section 3
Q: Can we submit as one document, including attachments?
A: YES.

#54 | (no section given)
Q: Is the City of Memphis using z/OS Mainframe?
A: No.

#55 | (no section given)
Q: Which enterprise security manager do you use? RACF, ACF2 or Top Secret.
A: None of the above.

#56 | (no section given)
Q: Since we could not verify the platform that the City of Memphis is using, may we please have an extension for the application submission date?
A: No.

#57 | SOW
Q: Approximately how many web application(s) will need to be pentested?
A: See response to question 6.

#58 | SOW
Q: Outside of the Physical Security Assessment and some social engineering attacks (i.e. USB key drops), can all the other phases be completed remotely?
A: Yes. Depending on circumstances and restriction levels at the time of contract award.

#59 | SOW
Q: Is the following mandatory or preferred as a timeline for execution? "Vendor shall specify the ability to perform and complete External, Internal, Web Application, Physical Security and Social Engineering tests within Ten (10) continuous business days."
A: Please refer to General Requirements section of the RFP posted.

#60 | General
Q: Under the "General Requirements" section it states, "City of Memphis Information Technology Security Assessment will be conducted in four independent phases (or City of Memphis can pick which phase is required) derived from known threats to City of Memphis." With this statement being said, is the expectation that the 5 phases will be all conducted in one assessment or in phases?
A: See response to question 32.

#61 | Pricing
Q: For pricing, should we price out each of the 5 phases requested as firm fixed price line items?
A: See response to question 32.

#62 | Section 1.1
Q: Will you be willing to negotiate further terms and conditions after bid submission?
A: No.

#63 | Section 1.2
Q: Is there a cybersecurity framework, like NIST CSF, that the City of Memphis has adopted as the foundation of its cybersecurity program?
A: The City of Memphis follows the NIST CSF.

#64 | Section 2.4.1
Q: Please describe the current Internet architecture including any DMZ networks.
A: Will be provided after contract is awarded.

#65 | Section 2.4.1
Q: Please provide details surrounding the City of Memphis's Internet points of presence.
A: Will be provided after contract is awarded.

#66 | Section 2.4.2
Q: For Web Application Penetration Testing:
 - How many web applications are going to be included in the scope of testing?
 - Will both unauthenticated and authenticated testing be required in the scope of testing?
 - For each application in scope, please provide number of dynamic pages associated with each application.
A:
 - See response to question 6
 - See response to question 8
 - Between 25-50 per application

#67 | Section 2.4.3
Q: For Network Security Assessment:
 - Are all 5000 IP addresses accessible from one network location (i.e., City of Memphis's central IT office)?
 - How are remote offices interconnected?
 - For remote-based testing, will the vendor be allowed to ship and connect one or more of our systems onto the internal City of Memphis network to perform the required testing?
A:
 - Yes (when specifically permitted)
 - The City's offices are primarily connected via dark fiber, using OSPF for dynamic routing.
 - YES

#68 | Section 2.4.3
Q: For Network Security Assessment, please clarify the scope of the "DMZ Network" testing:
 - Is the vendor expected to perform network segmentation testing as part of the scope?
 - If so, will this be limited to "DMZ network" to Internal network testing?
A:
 - Yes
 - Assessment will test network security which includes security zones not limited to "DMZ network" to "Internal Network".

#69 | Section 2.4.3
Q: For Network Security Assessment, please clarify the scope of the "wireless infrastructure" testing:
 - Please provide number of locations, number of floors, square footage of area to be tested.
 - Please estimate number of SSIDs.
A: See response to question 13.

#70 | Section 2.4.3
Q: For Network Security Assessment, how many USB key drops should the vendor include as part of the scope?
A: 5

#71 | Section 2.4.4
Q: For Physical Security Assessment:
 - Please provide a count on the number of divisional offices/physical locations to be included in the scope of testing.
 - For physical access to the network jacks, does the City of Memphis implement any NAC solutions?
 - Please clarify or provide details regarding "restricted areas."
A:
 - See response to question 14
 - Yes
 - Restricted Areas in this context are areas within the City of Memphis that require special access and/or are protected by Law Enforcement.

#72 | Section 2.4.5
Q: For Social Engineering, Phishing (general and targeted):
 - How many scenarios should the vendor include in the scope of testing?
 - How many employees does the City of Memphis want to test?
 - Are there any employees that the vendor is not to test?
 - Will the City of Memphis provide a target user list, or will vendor be expected to perform a discovery?
A:
 - 3 scenarios
 - 200 Random Targets
 - No
 - See response to question 35

#73 | Section 2.4.5
Q: For Social Engineering, Pre-Texting:
 - How many scenarios should the vendor include in the scope of testing?
 - Will the City of Memphis provide a target user list or will vendor be expected to perform a discovery?
A: See response to question 72.

#74 | Section 2.1
Q: Are there specific regulatory compliance standards that the City of Memphis must comply/adhere to?
A: CJIS, PCI-DSS, NACHA, HIPAA, FISMA.

#75 | Sections 2.2 & 2.4
Q: For scheduling, the City of Memphis stated the following: "The proposed schedule should include planning for two tests annually, one external penetration test and one internal penetration test." However, in Section 2.4, the following is stated: "Vendor shall specify the ability to perform and complete External, Internal, Web Application, Physical Security and Social Engineering tests within Ten (10) continuous business days."
 - Could you please clarify if the external testing and internal testing will be conducted during two different time periods over the course of the year, or is the request to perform all external and internal testing at the same time?
 - Is the intent to perform the entire scope (5 activities) twice a year? Or, to perform all of the external testing separately from all of the internal testing (so each activity is performed only once during the course of the year)?
A: All 5 Phases of the assessment listed in Section 2.4, Pg 8 (which covers both internal and external testing) will be performed during the scheduled timeframe listed in the RFP. Penetration Testing engagement will be performed once a year unless otherwise determined.

#76 | Sections 2.4.1, 2.4.2, 2.4.3, 2.4.4, 2.4.5
Q: For all of the in-scope elements, will there be any time restrictions (testing windows) in terms of when testing can be performed, or will vendor be allowed to perform testing 24 hours a day?
A:
 - 2.4.1 – No time restrictions
 - 2.4.2 – No time restrictions
 - 2.4.3 – Business Hours
 - 2.4.4 – Business Hours
 - 2.4.5 – No time restrictions

#77 | Section 4.3
Q: Will the City of Memphis consider an extension to allow for more time to respond to the RFP?
A: No.

#78 | Section 4.9, Exhibit 4
Q: Are deviations or exceptions to the requirements in the City of Memphis Service Agreement Sample Contract incorporated in Exhibit 4 of the RFP permissible? If so, please clarify in which format the City would like to receive such exceptions.
A: To ensure all vendors submit proposals based on the same information, no changes to the contract template will be considered. Please prepare your proposal and cost accordingly.

#79 | Section 4.9, Exhibit 4 (sections regarding indemnification obligations of contractor)
Q: As the terms and conditions are silent in regard to any limitation of respondent's liability or a damage cap with respect to respondent's indemnity obligations as set forth in the City of Memphis Service Agreement Sample Contract incorporated in Exhibit 4 of the RFP, are you willing to negotiate some limitation or damage cap of respondent's liability?
A: To ensure all vendors submit proposals based on the same information, no changes to the contract template will be considered. Please prepare your proposal and cost accordingly.

#80 | Section 4.9, Exhibit 4
Q: For clarification, will you consider respondent's standard master service agreement with the inclusion of applicable service schedules as a baseline for developing any contract between the parties?
A: To ensure all vendors submit proposals based on the same information, no changes to the contract template will be considered. Please prepare your proposal and cost accordingly.

#81 | Section 2.4.3
Q: 1. What software/service is currently being used for Vulnerability Management?
A: Nessus.

#82 | Section 2.4.3
Q: 2. What software/service is currently being used for network monitoring and management?
A: Extreme NMC.

#83 | Section 2.4.3
Q: 3. What software is being used for Endpoint Detection and Response?
A: Crowdstrike EDR.

#84 | Section 2.4.3
Q: 4. Does the City utilize any cloud assets such as AWS, Azure or Google?
A: Cloud Assessment is out of scope.

#85 | Section 2.4.2
Q: 5. For each Web Application please answer the following:
 a. Is the application Multi-Tenant?
 b. Is there a REST API / AJAX?
 c. If 'Yes' to REST API / AJAX, are there more than 20 methods?
 d. Is there a shopping cart / payments?
 e. Is there a login form?
 f. Does the app have customizable reporting?
 g.

Apr 21, 2021