Specifications include, but are not limited to: performing a security assessment, external systems test, internal systems test, computer systems and software test, and penetration test, and drafting a risk report.

a. Security Assessment
   1. Review existing State and MIA security policies, procedures and infrastructure;
   2. Provide documentation on industry best practices for security policies, procedures and infrastructure related to information security;
   3. Assess MIA security policies, procedures and infrastructure against industry best practices and document deficiencies.

b. External Systems Test
   1. Conduct vulnerability scanning and validation against Internet-accessible IP addresses;
   2. Examine externally accessible equipment for vulnerability from outside the tested network (Internet);
   3. Check network and server equipment versions and configurations.

c. Internal System / Network Test
   1. Conduct vulnerability scanning and validation against internal IP address ranges and configuration review of all internal systems;
   Test the network traffic for unencrypted or decryptable passwords and accounts;
   5. Provide documentation on test results and identify deficiencies; and
   6. Provide recommendations to mitigate deficiencies and risks.

d. Computer Systems and Software Test
   1. Conduct analysis of Internet traffic to determine if any internal hosts have been compromised;
   2. Examine equipment and systems for vulnerabilities;
   3. Check operating system configuration and software version (Windows and SUSE Linux);
   4. Test systems for malware (virus, Trojan, spyware).