ALL OTHER TERMS AND CONDITIONS OF THE RFP REMAIN THE SAME.

McHenry County Purchasing Department
Mailing/Shipping Address: 2200 N Seminary Avenue, Room 200
Physical Address: Administration Building, 667 Ware Rd, Room 200, Woodstock, IL 60098
Phone: 815-334-4818
Fax: 815-334-4680

March 21, 2018

ADDENDUM #1

RFP #18-20 Provide Information Security Assessment & Penetration Testing due March 28, 2018 at 2:00PM (CST)

Questions for RFP/Bid

Question #1:

External Penetration Test:

1. What type of penetration test is requested (white box, grey box, black box)?

2. Is there an Intrusion Prevention System in place?

3. Are any of the IPs in scope hosted on AWS or similar cloud provider?

4. Are there any 3rd parties that need to be contacted in advance of the penetration test (hosting providers, 3rd party security monitoring service providers, etc.)

5. Do you have any special timeframe requirements for the engagement?

6. Within the remediation section of the report, are you looking for remediation guidance, or step by step remediation procedures?

Response #1:

1. Grey box
2. Yes
3. No
4. No
5. October, November, 2018 completed
6. Organized guidance

Question #2:

Internal Penetration Test:

1. What type of penetration test is requested (white box, grey box, black box)?

2. Please provide the total number of IP addresses in scope.

3. Please provide an approximate amount of server/network devices in scope.

4. Please provide an approximate number of workstations in scope.

5. Are you looking for the vendor to attempt to gain physical access to the network, or will an internal network connection be provided?

6. Are you looking for social engineering to be in scope for this portion of the test?

Response #2:

1. Grey box
2. Class B
3. Six hundred
4. One thousand two hundred
5. Vendor should attempt to gain physical access, but in the event they cannot, it will be provided
6. Yes

Question #3:

Wireless Testing:

1. What type of penetration test is requested (white box, grey box, black box)?

2. How many physical locations are in scope?

3. Would access to each physical location be provided?

4. How many SSIDs are in use?

5. Would pivoting be in scope should the vendor gain a foothold?

6. Would user and/or client manipulation be in scope?

Response #3:

1. Grey box
2. Two
3. Yes
4. Four
5. Yes
6. No

Question #4:

Application Penetration Testing:

1. What type of penetration test is requested (white box, grey box, black box)?

2. Is there a Web Application Firewall in use?

3. Are all URLs available from outside the network, or would onsite access be required for testing?

Response #4:

1. Grey box
2. Yes
3. Onsite access required

Question #5:

FOR EACH APP, PLEASE ANSWER THE FOLLOWING:

1. Provide a basic description of the application. (e.g. Corporate Site, CMS, e-Commerce, Intranet, etc.)

2. List functions present in the application (please find on page 2):

a. Upload images, documents, spreadsheets, others.

b. Manage users

c. Edit content, comment posts, manage posts

d. Buy, pay, manage credit card

e. Other: Please Specify

3. Indicate the number of static pages.

4. Indicate the number of dynamic pages or web forms.

5. Indicate the number of dynamic functions such as, AJAX, WebSockets, Webhooks, if any.

6. What are the technologies that support the application (PHP, ASP, .NET, IIS, Apache, Operating system, database?)

7. Is 2 factor authentication required?

8. Does the application contain different user profiles?

a. How many different profiles should be included in scope?

9. Does the application expose an API?

a. How many API calls does it have?

10. Are there any pages in the application that submit emails or trigger some alerting mechanism?

Response #5:

1 through 10 to be determined during the testing

Question #6:

Client-Side Testing:

1. What type of penetration test is requested (white box, grey box, black box)?

2. How many users are expected to be in scope?

3. In relation to social engineering, which techniques would be in scope? (e.g. Phishing, Phone, Physical, etc.)

4. If an agent was deployed, would pivoting be included in the scope?

Response #6:

1. Grey box
2. Fifty
3. All
4. Yes

Question #7:

External Network Vulnerability and Penetration Test Questions

1. What level of effort is desired?
   - Vulnerability Scanning: Automated detection of vulnerabilities. Minimal manual intervention and no exploitation.
   - Vulnerability Assessment: Automated scanning and manual verification. Comprehensive, but will not exploit identified vulnerabilities.
   - Penetration Testing: Automated and manual attacks. Additionally, exploits will be executed to fully determine risk and potential cascade into other vulnerabilities.
2. What is the desired frequency of testing (e.g. one-time, monthly, quarterly, yearly)?
3. How large is the IP space to be assessed (i.e., range size, how many Class Cs, Class Bs, etc.)? Please provide the subnets/IP addresses.
4. How many hosts are in scope as part of this assessment (i.e., how many hosts are expected to be live out of the IP space in question 3)?
5. Are any systems or devices in scope hosted by a third party?

6. If IDS/IPS systems are in place, is the assessment also intended to test the responsiveness during this assessment, or will AT&T Consulting systems be configured as exceptions in the IDS/IPS?
7. Are there any timing restrictions on the testing (e.g., after-hours testing only, weekends, etc.)?

Response #7:

1. All
2. Yearly
3. Class C
4. To be determined during the testing
5. None
6. Yes, it is intended to test responsiveness of IPS
7. No

Question #8:

Internal Network Vulnerability and Penetration Test Questions

1. What level of effort is desired?
   - Vulnerability Scanning: Automated detection of vulnerabilities. Minimal manual intervention and no exploitation.
   - Vulnerability Assessment: Automated scanning and manual verification. Comprehensive, but will not exploit identified vulnerabilities.
   - Penetration Testing: Automated and manual attacks. Additionally, exploits will be executed to fully determine risk and potential cascade into other vulnerabilities.
   [ ] Vulnerability Scanning
   [ ] Vulnerability Assessment
   [ ] Penetration Testing
2. What is the desired frequency of testing (e.g. one-time, monthly, quarterly, yearly)?
3. How large is the IP space to be assessed (i.e., range size, how many Class Cs, Class Bs, etc.)? Please provide the subnets/IP addresses.
4. How many hosts are in scope as part of this assessment (i.e., how many hosts are expected to be live out of the IP space in question 3)?
5. Are any systems or devices in scope hosted by a third party?
6. If IDS/IPS systems are in place, is the assessment also intended to test the responsiveness during this assessment, or will AT&T Consulting systems be configured as exceptions in the IDS/IPS?

7. Are there any timing restrictions on the testing (e.g., after-hours testing only, weekends, etc.)?
8. Where will testing be performed (geographic location)?

Response #8:

1. All
2. Yearly
3. Class B
4. To be determined during the testing
5. None
6. Yes, it is intended to test responsiveness of IPS
7. No
8. Onsite

Question #9:

Application Vulnerability and Penetration Test Questions (Please complete the following questions for each application to be assessed.)

1. What is the application name?
2. What is the primary function of the application?
3. What is the type of application (Web, Thick-client, etc.)?
4. Is the application available over the Internet? If not, what location does the testing team need to be at in order to test? (Name onsite location, if available via VPN, etc.)

If Web Application/Client Server/Mobile Device:

5. Approximately how many pages/screens accept user input?
6. On average, approximately how many user input fields are on each page? (Usually 10-20)

If Web Services:

7. Approximately how many web service methods are supported?
8. Approximately how many total operations are supported? Because some web services support multiple operations with a single method, the total number of operations is required to scope. For example, if a single method can support add, modify and delete functionality, that would count as three operations.
9. On average, approximately how many parameters are supported by each method?
10. What is the network transport utilized? (Raw TCP/SSL)

If Mobile Device Application:

11. What Platform(s)? (iPhone, Android, Blackberry; include versions supported)

Optional Scoping Questions: Answers can provide tighter scoping of level of effort. Answers will be required prior to engagement.

If Web Application/Web Services:

12. How many URLs are required to access the application components? [basic application functions, administration]
13. What is the web application / web services platform/framework? (ASP.Net/JSF/Servlets/Struts)
14. What other technologies are involved in the web application's n-Tier architecture?

All Applications:

15. Is the application that will be assessed in a dev, test or production environment?
16. What type of authentication is required? [password, OTP token, certificate]
17. What is the total number and type of authorization levels in scope for this assessment? [anonymous, admin, workflow]
18. Is a current application design diagram for the application architecture including platforms, locations of customer data, network-based controls, etc. available?
19. Was the application purchased from a vendor, developed in-house, or the result of an outsourced development project?
20. What languages are used? [C, C++, Java, JSP, ASP, PHP, Perl, Ruby, Cold Fusion]
21. What is the development platform? [.Net Visual Studio, Java Eclipse, Other (describe)]
22. Which application server or middleware is used? [Weblogic, Websphere, .Net]
23. What Database server is used? [MS SQL, Oracle, Sybase, DB2]
24. Is a code review needed? If so, please request Secure Code Review Questionnaire

Response #9:

1. 1 through 10 are to be determined during testing
2. 11 through 14 are not in scope
3. 15 through 24 are to be determined during engagement preparation

Question #10:

Wireless LAN Penetration Test Questions

1. What is the location of the facilities in scope (please provide addresses)?

2. What is the approximate size of the facilities in scope (e.g. sq. feet, number of floors, etc.)?

3. How many access points are at each of the facilities in question 1?

4. How many ESSIDs are at each of the facilities in question 1?

5. How much traffic is traversing the wireless network (e.g. MB/GB/TB)?

Response #10:

1. 2200 North Seminary Avenue, Woodstock, IL 60098
2. Three floors, 265,120 square feet
3. Sixty-five
4. To be determined during testing
5. To be determined during testing

Question #11:

Social Engineering Questions

1. What types of testing scenarios are of interest (e.g. physical breach, telephone/call center, email/phishing, SMiShing, USB drop)?

2. Who will be aware of the testing?

3. What locations are in scope (please provide addresses)?

4. What is the area of the locations to be assessed and are the locations co-located with other businesses (if physical assessment is desired) (e.g., 15,000 sq. ft co-located facility)?

5. How many targets need to be tested for the email & voice based social engineering (e.g., 10 email recipients, 3 targets for phone including helpdesk)?

Response #11:

1. All
2. Select Upper Management
3. 2200 North Seminary Avenue, Woodstock, IL 60098
4. Co-located
5. Fifty email and twenty-five phone

Question #12:

Reference page 9, Evidence of Insurance, item (c) and second paragraph at the top of page 10. Our insurance company cannot guarantee (by including language in a certificate of insurance) 30 days' notice of cancellation. Their position is that they may not know 30 days in advance that any customer will cancel insurance and/or fail to pay premiums; therefore, they cannot in good faith agree to 30 days' notice. In addition, if the insurance company made a decision to cancel our insurance coverage (a very unlikely occurrence) without giving us 30 days' written notice, we would not be able to comply with this clause through no fault of our own. Would the County consider modifying this requirement to state something more like "There shall be no termination, cancellation, material change, potential exhaustion of aggregate limits, or nonrenewal of coverage by the successful bidder without thirty (30) days' written notice from the successful bidder to the County"?

Response #12:

The County requires as per the Purchasing Ordinance; Article 3; S3-102 Procedures #(18) (cc), page 27 of the ordinance: "the County of McHenry shall be provided with thirty (30) days prior notice, in writing, of Notice of Cancellation or material change and said notification requirement shall be stated on the Certificate of Insurance"

Question #13:

Reference page 9, Evidence of Insurance, item (e) and first paragraph at the top of page 10. Insurance companies will not/cannot list additional insureds for Workers' Compensation or Professional Liability insurance. Would the County consider modifying these requirements to state "except for Workers' Compensation or Professional Liability insurance have McHenry County named as an additional insured ...." and "The County shall be named as additional insured on all liability policies, except Professional Liability, ..."?

Response #13: Yes, the County would consider it.

Question #14:

Reference page 13, Section II - Internal Network Vulnerability Assessment and Penetration Testing. Can the County provide the following additional information to allow us to scope the level of effort for the requested services?

a. How many internal IP addresses are in-scope for this portion of the assessment?

b. How many servers are in-scope for this portion of the assessment?

c. Can all internal IP addresses be accessed for assessment from a single location; and, if so, what location?

Response #14:

a. Class B

b. To be determined during testing

c. Yes, onsite at 2200 North Seminary Avenue, Woodstock, IL 60098

Question #15: Reference page 14, Section III - Wireless Network Assessment and Penetration Testing. Can the County provide the following additional information to allow us to scope the level of effort for the requested services?

a. How many wireless access points are in-scope for this portion of the assessment?

b. How many locations (facilities) would need to be visited to perform the wireless assessment, and what are the locations?

c. Does the County have a central wireless management control system (such as Cisco WCS)?

Response #15:

a. Sixty-five

b. One, 2200 North Seminary Avenue, Woodstock, IL 60098

c. Yes

Question #16: How many active internal IPs are in scope?

Response #16: Class B

Question #17: How many wireless controllers are in scope?

Response #17: To be determined during testing

Question #18: For the wireless assessment, how many locations are in scope?

Response #18: One, 2200 North Seminary Avenue, Woodstock, IL 60098

Question #19: How many pretexting targets are in scope?

Response #19: Seventy-five

Question #20: What is the size of your IT team? Please provide the break-up by application portfolio.

Response #20: To be determined during testing

Question #21: What is the current QA organization structure (number of QA resources by skill (ex: functional, automation, performance, security etc.) and roles (manager, lead, analyst)) that includes both Vendors and the County's permanent employees?

Response #21: N/A

Question #22:

Other than applications that are listed in the RFP (Microsoft Sharepoint, Microsoft Dynamics Great Plains, Microsoft Azure, Email and Archiving, Justware, Custom Applications – iJustice and Performance Series), is there any other application that needs to be considered for the scope? Please list the technology stack of all the in-scope applications.

Response #22: No

Question #23: What is the SDLC methodology that is being followed in the County to develop/update the in-scope applications? This will help us to determine the testing windows in case of waterfall, and the need for continuous testing in case teams are following Agile/iterative SDLCs.

Response #23: N/A

Question #24: Please provide projects that are currently in Agile, their sprint team size (Dev and QA), and # of sprints for each release across in-scope application(s)?

Response #24: N/A

Question #25: What are the key business drivers for Security Assessments and Penetration Testing? Has the County conducted any assessment or testing before? If yes, please share any analysis report that you may have.

Response #25: Yes, we have conducted Assessments on an annual basis

Question #26: Was there any security incident registered against application, network or server/client that we should be aware of and devise our strategy to overcome those vulnerabilities?

Response #26: N/A

Question #27: List the number and type of internal systems/end nodes that are in scope for Vulnerability Assessment and Penetration Testing?

Response #27: To be determined during testing

Question #28: List the number and type of wireless access points/components in scope?

Response #28: Sixty-five

Question #29: How many input fields and user roles for each web application need to be considered during application penetration testing?

Response #29: To be determined during testing

Question #30: How many dynamic pages are present in each in-scope web application?

Response #30: To be determined during testing

Question #31: Explain the details (application logic, end users, transaction details…etc.) about each application, including custom applications?

Response #31: To be determined during engagement preparation

Question #32: For all these applications that are currently in-scope, please describe the number of release cycles per annum, type of releases (major/minor) and duration of these releases for each application?

Response #32: To be determined during engagement preparation

Question #33: What is the frequency of Application Penetration Testing?

Response #33: Annually

Question #34: How many users are to be chosen for social engineering?

Response #34: Fifty

Question #35: Is there any tool that County has already evaluated for security testing? If yes, please share the report and preferences that you may have.

Response #35: No

Question #36: Are you currently working with any Vendors (Outsourcing IT Service Providers)/Independent Contractors? What is the split between Vendors/Independent Contractors supporting the IT organization?

Response #36: No

Question #37: What are the services your existing Vendors/Independent Contractors are providing?

Response #37: N/A

Question #38: What are your engagement models (Fixed bid, Time & Materials or any other model) with the existing Vendors/Independent Contractors?

Response #38: N/A

Question #39: Are there any requirements for the services to be performed only by US Citizens/Permanent Residents? Or is the County open to other cost-effective resourcing models?

Response #39: Must pass background check

Question #40:

Page 12 - Objectives, Bullet Points 1&3

a. We understand that in bullet point 1 a Penetration test is required while bullet point 3 is just a Vulnerability assessment and validation (not a penetration test) with information knowledge. Is our understanding correct?

b. For the purpose of this testing (bullet point 3), should we consider the legitimate user as a normal unprivileged user or privileged/administrative user?

Response #40: Unsure of the questions

Question #41: Page 13 - Section I, Bullet Point 2. Is the vulnerability identification of HTTP, HTTPS services limited to the application server and service? Or also to the web applications hosted in these services?

Response #41: Also to the web application hosted

Question #42:

Page 13 - Section II, Bullet Point 1

This section states "Acquire network access: locate and connect to network connections to access local network"

a. Is this activity to be performed as a stealth action simulating a physical intruder/opportunistic utilizing open network ports?

b. If yes to a, and an open network port is not identified within a reasonable time, would you be granting access to the network?

Response #42: Yes to both questions

Question #43: Page 14-Section III How many locations/SSIDs and networks are under the scope of this test?

Response #43: One location; SSIDs - to be determined; networks - Class B

Question #44:

Page 14 - Section IV

a. What is the total number of applications?

b. Are all these applications publicly available? If not, how many applications are internal?

c. What is the scope of Microsoft Azure testing? Are the IaaS elements related to the County?

Response #44:

a. To be determined during testing

b. No; All

c. N/A; No

Question #45: Page 15-Section V Is the target user sample set limited to 50 for all tests?

Response #45: To be determined during testing

Question #46:

Page 10 - Directions for Submission

This section states "Qualified individuals or firms are to submit one (1) original and four (1) copy of the completed proposal along with…" Please confirm that there is a typo in this section and the vendors are to submit one (1) original and one (1) copy of our RFP response.

Response #46: Please submit one (1) original and one (1) copy

Question #47:

Page 1 - Submission Location

If a vendor decides to mail in their response, does the vendor's submission package need to be with the Purchasing Department Contact by 3/28/18 2pm CST, or just at the mailing address location by 3/28/18 2pm CST? If responses need to be with the Purchasing contact by 3/28/18 2pm CST, then what is the typical/average time that it takes for mail to be delivered from the mailroom to the contact/recipient?

Response #47: The mailroom delivers morning mail by 11:00am CST to Purchasing. The overnight deliveries are received in the mailroom by 11:00am CST and delivered to Purchasing by 12:00pm CST.

Question #48:

Page 17 - Vendor Proposal Checklist

The vendor proposal checklist, #4, has "Vendor Certification" listed to be included with the proposal submission. Is the County only looking for the mandatory form on page 22 or all certifications that the vendor possesses?

Response #48: The County is only looking for the mandatory pages to be submitted.

Question #49:

Page 17 - Requirements

The last bullet point of this Section states that vendors are to provide a "Sample Contract with Confidentiality Agreement". In most RFPs the Requestor of Services, the RFP issuer, has the vendor sign their contract since that contract has already been approved by their own legal team. Is the County looking for vendors to submit our own contract that we would use for services, or a redacted sample contract of work that was done, by the responding vendor, which was similar in size and scope to this RFP? Please advise/clarify on what the County is looking for in regards to a "Sample Contract with Confidentiality Agreement".

Response #49: Please send a sample of what your (the vendor) contract would look like for these services.

Question #50:

Page 4 - Certified Payroll Requirements

This section states "Effective August 10, 2005 Vendors and Subcontractors on public works projects must submit certified payroll records on a monthly basis to the public body in charge of the construction project…" Is this section applicable since this is not a construction project?

Response #50: No this is NOT a construction project or Prevailing Wage project. Please refer to the IDOL website for their information.

Question #51: Page 9 - Insurance Section. Please confirm that the Certificate of Insurance is to be submitted post-award and not at RFP submission.

Response #51: COI and Endorsement Page will be requested upon award of contract.