Specifications include, but are not limited to:

Community Action Partnership of Kern (CAPK) is issuing this Request for Proposal (RFP) to select a vendor to conduct independent audit and testing services for CAPK’s cyber security program and controls. The ideal vendor(s) will have qualified network security staff assigned to this project and have experience (within the last 2 years) performing network security assessments for businesses and/or local government agencies of similar size to CAPK, and in larger agencies.

1. Project 1: Vulnerability Assessment

To assess and evaluate the security measures and identify all risks to the security of information because of the architecture (network infrastructure, firewalls, servers, desktops and remote access systems) and the configuration of the implemented infrastructure. To validate the effectiveness of key technical controls that safeguard the organization’s sensitive data including (but not limited to):

1. Internet perimeter security
- External vulnerability scanning
- Perimeter device configuration review

2. Internal technical controls
- Internal vulnerability scanning
- Configuration review and assessment
- Access controls
- Email security
- Wireless access
- Administrative controls
- Active directory policies
- Workstation and laptop security
- Mobile device management
- Database Security & Policies
- Microsoft Defender & Compliance Configuration
- DLP Policies
- SPAM Policies
- Best Practices
- Assessment of Power Platform Architecture
- Data Handling process
- Access controls
- Integration points

2. Project 2: External Penetration Test

We would like the proposal to present a penetration test on the internet perimeter that attempts to exploit external facility vulnerabilities to simulate a “real world attack”. Vendor should propose services that attempt to bypass controls and/or exploit vulnerabilities with the goal of obtaining unauthorized access to the ORG ABBREVIATION network. Denial of service attempts are prohibited.

3. Project 3: Social Engineering – Email phishing

To assess internal cybersecurity awareness of employees, we would like the vendor to propose conducting an email phishing attempt that targets up to 100 employees.