Specifications include, but are not limited to:The audit is expected to concentrate on human/operational vulnerabilities, controls, risk management, operational performance, and governance. Services will include the following: A targeted audit of the following National Institute of Standards and Technology (NIST) Special Publication 800-53 Revision 4 family controls: Access Control, Identification and Authorization, System and Information Integrity, and additional areas to be determined jointly by SMUD and the contractor. Identification of areas of high risk, and recommendations for improvement. Penetration and vulnerability testing; although specific requirements are to be agreed upon later, it will likely take the form of an independent, AQS-driven “white hat” test. Work will be performed both on-site at our SMUD Headquarters Campus in Sacramento, California, and off-site as mutually agreed.
