Specifications include, but are not limited to: • Create an inventory of security and privacy policies that exist in the organization. Include policies related to: a. firewall updates b. anti-virus software usage and updates c. business continuity planning d. incident response planning. • Create an inventory of significant information technology assets (hardware, software, services) used on a regular basis by the business. • Create an inventory of data assets and their locations that would be considered confidential or proprietary to the business. • Create an inventory of individuals who have access to critical data assets and their privileges. • Create an inventory of third-party suppliers or partners who are significant to the business. • Create an inventory of physical security controls. • Identify gaps in inventories by mapping them against industry standard requirements. • Assess risk based on effective security principles that are applicable. • Assess Wi-Fi vulnerability. • Assess network security training for employees. • A final report shall be produced that contains the following. a. Risk assessment based on gaps identified. b. Suggested remedial actions. c. Inventory lists d. Detailed control assessments • A final presentation shall be given to the business owner summarizing the contents of the report. • A final redacted report shall be provided to DBEDT. The redaction should prevent any identification of the small business that completed the technical assessment. • Provide non-disclosure agreement with the business.
