Specifications include, but are not limited to:

This assessment shall provide the State with an accurate understanding of the IES security and privacy controls in place. The Vendor shall identify, at a minimum, the following:

- Application or system vulnerabilities, the associated business and system risks, and the potential impact;
- Weaknesses in the configuration management process, such as weak system configuration settings that may compromise the confidentiality, integrity, or availability of the system;
- Policies not followed; and
- Major documentation omissions and discrepancies.

The Vendor must perform testing to analyze the application or system and its associated infrastructure. Tests and analyses performed shall include, at a minimum, security control technical testing. The following common test procedures and techniques shall be included, at a minimum, in the assessment:

- Examination of the implemented access controls and the identification and authentication techniques in use (e.g., log-on with easily guessed or default passwords);
- Tests to determine whether the system is susceptible to cross-site scripting (XSS), structured query language (SQL) injection, or other commonly exploited vulnerabilities; and
- Attempts to alter database management system settings.