Specifications include, but are not limited to: A. At a minimum, vendors submitting a proposal (“Proposer”) in response to this RFP must have experience providing vulnerability assessments and conducting penetration tests for government agencies, preferably in medium to large airport environments.; The selected vendor will conduct an annual vulnerability assessment to determine vulnerabilities and compromises in the Environment. At minimum, the assessment will include: 1. External Network Vulnerability Assessment and Penetration Testing; 2. Internal Network Vulnerability Assessment and Penetration Testing; 3. Virtual Infrastructure Security Assessment; 4. Voice over IP Vulnerability Assessment; 5. Web Application Penetration Testing ; 6. Wireless Network Assessment and Penetration Testing; 7. Network Configuration Review (including LAN, DMZ, Firewalls and Routers); 8. Server Configuration Reviews; 9. Review of Patch Management Practices for Network Devices, Servers, and Endpoints; 10. Server and Endpoint Log Configuration Reviews; 11. Active Directory and Group Policy Reviews; B. The Proposer must propose using an industry standard in their approach and indicate in their response which industry standard(s) they plan to follow, and software tool(s) they plan to use in their approach.; C. The selected vendor shall provide all results to the Port, including scan data, as well as provide all findings and recommended actions to mitigate any issues found, as well as a Summary Report outlining findings and recommended actions.; D. All findings and recommended actions must include prioritization based on risk, factoring current intelligence into the risk level. Findings and recommended actions must also include guidance on how to remediate each item, as well as estimated internal staff hours needed to address each item. The Proposer will not remediate any findings. The Port will validate and remediate any findings or recommended actions using the Proposer’s guidance as appropriate.; E. The Proposer will coordinate the schedule of the project with the Port’s Information Technology Department. The Port will provide any necessary information on infrastructure, networks, configurations, and specific vendors to the winning firm upon award of the contract. Due to the sensitive nature of this information, this information cannot be provided in advance.
