Specifications include, but are not limited to: • Vendor shall be able to provide complimentary post-remediation reviews. • Vendor shall provide a methodology of how the vendor shall assess Harris County’s network and assets. • Vendor shall complete all clean up processes before finishing the penetration test, including but not limited to: o Removal of accounts created as part of the assessment. o Removal of tools installed by tester on Harris County’s systems. • Confidential Harris County data obtained from the penetration test shall be disposed of in an appropriate manner. • Vendor shall not store any cardholder data, if obtained during a penetration test. • Awarded vendor shall sign a non-disclosure agreement, with a copy to be retained by Harris County. • Vendor shall provide verifiable references with a description of the vendor’s work with other clients and provide Harris County with contact information and/or testimonials if available. • Vendor shall specify the ability to perform and complete external, internal, web application, physical security and social engineering tests within ten (10) continuous business days. • Vendor shall supply a list of potential employees that will be performing the penetration testing exercise on the Harris County network in terms of: o Relevant working experience (employees must have at minimum of three (3) years of experience) in the cybersecurity field. o Relevant Industry Cyber Security Certifications, e.g.: ➢ EC-Council Certified Ethical Hacker (CEH); ➢ EC-Council Licensed Penetration Tester — Master (LPT); ➢ Global Information Assurance Certification (GIAC) GIAC Certified Penetration Tester (GPEN); ➢ GIAC Web Application Penetration Tester (GWAPT); ➢ GIAC Exploit Researcher and Advanced Penetration Tester(GXPN); ➢ Certified Penetration Tester (CPT) ➢ CompTIA PenTest+; ➢ Offensive Security Certified Professional(OSCP); ➢ eCPPTv2 eLearnSecurity Certified Professional Penetration Tester; ➢ eCPTX eLearnSecurity Certified Penetration Tester eXtreme. • Results of vendor’s employees Criminal Justice Information Services (CJIS) background check(s) with each employee having a clean background record. • The vendor shall provide a summary of any key differentiators that make vendor uniquely positioned to provide penetration testing services to Harris County. • Each phase of the assessment should be considered and itemized as independent modules of the overall assessment.
