All correspondence must be made through the Vendor Portal. Specifications include, but are not limited to:

1. Advisory Services: can include identification of cybersecurity and related physical security weaknesses, identifying potential risks, and offering advice on how to safeguard information and systems related to Information Technology (IT), Operating Technology/Industrial Control Systems (OT/ICS), and Internet of Things (IoT). Focus can include people, policy and process evaluation, service provider evaluation, vulnerability management, cybersecurity resilience assessments, compliance programs, and leadership. These services focus on holistic and technical review and reporting.

2. Vulnerability Assessment Services: can include holistic people, processes, and technology review of the utility's environment, which can include corporate infrastructure, control system infrastructure, cyber-related physical assessments, and external managed services evaluation. The focus of this service is to ascertain vulnerabilities in the organization's environment. People review can include cyber security awareness level, determination of staff compliance to existing security policies and procedures, and assessment of training effectiveness. Process review can include elements such as review of policies and procedures that are in place and their effectiveness in the organization, and whether the policies and procedures align to user security and business requirements. Technology review can include reviews of cyber security technologies and their effectiveness in the organization, technology configuration and deployment, and holistic maintenance effectiveness.

3. Penetration Testing Services: can include utilization of knowledge, tools, and other resources to penetrate hosts and infrastructure equipment to identify vulnerabilities to both the devices and infrastructure of the organization. The intent of this service is to focus on cyber and physical posture, as well as device vulnerability from an attack vector perspective both within and outside of the organization.

4. Remediation Services: can include specific focused activities of remediation, such as policy and procedure development or improvement, implementation of technical controls, application or upgrade of patches to existing systems, building technical procedures, adjusting and updating plans (such as Business Continuity, Disaster Recovery, and Incident Response), or building security baseline standards. These services focus on specific operational and technical engagement activities.

5. Incident Response Services: can include specific small-scale forensic analysis tasks, breach containment, and large-scale cybersecurity incident management.