(a) Utilize manual and automated penetration testing efforts;
(b) Maintain open communication with the designated CGA ITS representative during the testing process;
(c) Test multiple layers of security, including network, application, and physical layers;
(d) Conduct testing based on established methodologies and standards including:
    i. OWASP (Open Web Application Security Project);
    ii. PTES (Penetration Testing Execution Standard);
    iii. PTF (Penetration Testing Framework);
    iv. NIST SP 800-115 (National Institute of Standards and Technology Special Publication 800-115);
    v. OSSTMM (Open Source Security Testing Methodology Manual);
    vi. ISSAF (Information Systems Security Assessment Framework);
    vii. MITRE ATT&CK;
(e) Confirm with the CGA, in writing and prior to testing, all permitted and prohibited activities during the testing process;
(f) Coordinate all tests with the CGA Information Technology Services team. Tests should occur both during and outside regular business hours (M-F 8 am - 5 pm EST). All CGA security systems will remain in full effect during the testing and assessment. Regular operation of the network and systems must remain in effect during testing. If the proposed testing plan may interrupt communications, the awarded respondent must schedule this interruption, per ITS written approval, to be conducted during off hours, not during normal business hours;
(g) Provide unlimited post-report review phone call support in order to remedy discovered deficiencies and validate remediation;
(h) Upon CGA request, re-test the vulnerabilities previously discovered to validate remediation and to ensure the CGA correctly fixed them to eliminate the risk of false remediation, up to a three-month period from the initial testing;
(i) Agree to non-disclosure agreements with the CGA to ensure the confidentiality of findings and to adhere to all applicable data privacy regulations when handling any sensitive data discovered during the test;
(j) Provide all testing and data storage that is based in the United States.