Specifications include, but are not limited to: perform an in-depth review of the District’s current cybersecurity environment, identifying threats and attack vectors, and analyzing impacts and risks to the District.

• Define a project plan for the full length of the engagement, including high-level milestones (including the assessment, recommendations and roadmap)
• Define whether and how many facilitated sessions will be performed
• Draft agendas for each session
• Define the key people required and the expected deliverables, over and above the Risk Assessment Report and Roadmap.
• Conduct comprehensive penetration testing of the District’s critical infrastructure.
  o Network, Web, and mobile application penetration testing.

This review shall include the following major topic and detailed areas:

• Information Security Governance
• Governance and Compliance Activities
• Information Security Strategy
• Information Security Policies and Procedures
• Information Security Risk Management
• Information Security Metrics Reporting
• Processes
  o Review IT Policies and Procedures
  o Identity and Access Management
  o Information Classification and Handling
  o Information Security Architecture
  o Threat and Vulnerability Management
  o Information Security Incident Management.