Specifications include, but are not limited to:

Below are the main assessments the City would like to engage:

a) Complete a Comprehensive Security Assessment.
b) Benchmark the City’s current cybersecurity posture to the NIST Cybersecurity Framework and identify an appropriate target state based on the City’s threat and vulnerability profile. Use the NIST Cybersecurity Framework to perform a current and target state analysis that can be utilized as a driver for prioritized activities to improve the City’s security posture.

City of Opelika’s goals and objectives for performing a security assessment include:

• To understand, manage, and reduce cybersecurity risks.
• To evaluate current and potential risks to core assets based on the control objectives of data confidentiality, data integrity, and data availability, and then to focus on the control area of most concern.
• To identify both the strengths and areas for improvement in the City’s existing Information Security Program by comparing it to industry-leading standards and best practices, such as ISO 27001, the CIS/SANS Top 20 Critical Security Controls, NIST 800-53, the NIST Cybersecurity Framework, etc.
• To identify non-existent and/or weak information security management processes within the City.
• To identify vulnerabilities in the City’s Information Security Program from both external and internal threats using internal, external and physical penetration testing.
• To provide a “snapshot” of the current state of information security and establish a customized information security management model for use within the City.
• To provide the foundation for robust information security management, including well-developed policies and procedures, and thoroughly documented standards and guidelines.
• To propose solutions, including a strategy plan addressing risks, vulnerabilities, and/or threats, with short- and long-term options for remediation of the identified vulnerabilities.
The City of Opelika would like to review and assess the following areas:

• Internet security, including vulnerability scanning and more sophisticated by-hand penetration testing.
• Wireless security, including advanced capabilities for testing the security of wireless infrastructure, network cryptographic protections, and the security of endpoint systems.

The Deliverables included in the review:

• Access, Authorization and Authentication Control
• Logging and Auditing Practices
• Incident Handling Practices
• Internet Usage Acceptable Use
• Security Awareness Practices
• Application Development Practices
• Password Practices
• IT Administrator Practices
• Server Configuration Practices
• System and Data Prioritization Practices
• Asset Tracking Practices
• Patch Management Practices
• Software Licensing Practices
• Computer System Acceptable Use