Specifications include, but are not limited to:

The Port is soliciting proposals from firms for the provision of a comprehensive IT cybersecurity vulnerability assessment.

The Port will select a qualified consultant on a best value basis, using a point-method of award, to undertake a comprehensive IT Cybersecurity Vulnerability Assessment. The consultant will thoroughly review the current state of the Port’s information technology security and develop a vulnerability mitigation plan and a prioritized road map of activities to enhance the Port’s future Cybersecurity position.

The consultant’s approach will utilize industry best practice methodologies to ensure a standardized risk mitigation approach that will offer the highest risk reduction potential. The approach will complement the ‘Framework for Improving Critical Infrastructure Cybersecurity’, developed by the National Institute for Standards and Technology (NIST) in response to Presidential Executive Order 13636 (http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf). Additionally, the approach shall consider the OpSec (Operations Security) Five Step Process (http://www.opsecprofessionals.org/process.html) as it pertains to Cybersecurity.

The assessment is to include, but not be limited to:

a) Test for susceptibility to Advanced Persistent Threats (APTs) such as viruses, malware, Trojan horses, botnets and other targeted attack exploits. Evaluate the Port of Tacoma’s current threat posture, including antivirus and Intrusion Detection and Prevention (IDP) capabilities.
b) Review wireless network system components for security vulnerabilities, validating system-specific configurations and known exploits.
c) Validate system-specific configurations and review for known exploits. This includes firewalls, switches and routers, Microsoft Active Directory, email and file servers, web servers, wireless routers, VPN, VoIP and CCTV systems.
d) Assess VoIP network system components for security vulnerabilities, validating system-specific configurations and reviewing for known exploits.
e) Review existing IT policies and procedures and make recommendations for changes and/or additional policy and procedure development.