Specifications include, but are not limited to:

A. Ensure appropriate security controls are implemented within the City’s IT infrastructure.

B. This assessment is to include, but is not limited to:

   i. External penetration testing – the ability of an attacker to penetrate City systems and network externally, without the City providing additional information beyond what would be available to a bad actor.

   ii. Internal penetration testing – the ability to identify and document anomalies with the City’s network such as configuration flaws, use of default or weak passwords, missing patches, etc.

   iii. Application penetration testing – the ability for an attacker to exploit at least five (5) City applications.

   iv. Penetration testing of City wireless networks.

   v. Obtain PCI compliance scan during penetration testing.