Specifications include, but are not limited to: Enterprise-wide risk assessment of Louisville Metro including; External risk assessment and/or penetration test Internal risk assessment and/or penetration test Cloud risk assessment and/or penetration test Executive summary with business impact analysis Technical summary of findings, including critical vulnerabilities and applicable controls Report of Metro’s effectiveness against the CIS Top 20 Critical Controls. Metro’s goals in offering this contract are as follows: Show areas for improvement in critical information systems Use business impact analysis and technical findings to drive long term strategic planning Assess effectiveness of Metro’s current security controls against known TTP’s (Tactics, Techniques & Procedures)