Specifications include, but are not limited to: The State intends to secure a contract for Information Security Assessment and Consulting Services (ISACS) Consultants to assist in strengthening the State’s security posture. Services include vulnerability, compliance, and application assessments, risk assessments, penetration tests, source code reviews, information security program assessment services, system design services, data loss prevention services, data recovery, and data and network forensics services. Vulnerability assessments and penetration testing services will be used to identify and validate configuration and/or technical flaws within a given system or network. System components include, but are not limited to, load-balancers, firewalls, routers, servers, workstations, operating systems, system software, applications, and databases. Application assessments (including mobile application assessments and code review) will be conducted to identify vulnerabilities and programming errors, and findings shall be evaluated against the Open Web Application Security Project (OWASP) Top 10 and SANS Top 25 guidelines. Information security program assessment services will be used to determine the maturity and effectiveness of the State’s information security program. Developer workshops will be conducted in which findings are explained and remediation steps are detailed with examples. System design services will be used to assist with the architecture and detailed design of complete systems such as networks and physical security. Data Loss Prevention (DLP) services will be used to assess the State’s or an individual agency’s infrastructure, policies, and procedures around the storage and handling of confidential data. This may include data discovery and data classification. Data and network forensics services will be limited to the “root cause” analysis of information security incidents within the State’s environment.
Any other services not specifically mentioned above will be included in this contract as “general security consulting services.”