The following tasks outline the functional areas in which the Service provider shall assess in this engagement. Penetration Testing The scope of the Penetrating test is to identify exploitable security weaknesses in an information system and determine effectiveness of security controls. The test should include the entire perimeter and any critical systems that may impact the security of the systems. This includes both the external perimeter (public-facing attack surfaces) and the internal perimeter (LAN to LAN attack surfaces). Perimeter Testing The service provider shall test BPHC’s network perimeter both externally and internally. In addition, the test must include critical systems that could affect the security including security systems (e.g. firewalls, authentication servers, etc.) or any assets utilized by privileged users to support and manage the systems. Activities must include, but may not be limited to: Perform an in-depth Information Security vulnerability assessment and penetration testing of BPHC IT infrastructure of: • External network - all external public-facing systems including firewalls, FTP, web servers, and web service interface points. o Enumerate systems on the network and validate them against known systems. Identify any unknown or unexpected systems.
