Awarded

Penetration testing - ORR Network (Feb 21)

Published

Supplier(s)

Prism Infosec

Value

3,500 GBP

Description

Summary of the work
Non-Intrusive penetration testing required. ORR requires penetration testing of its network. The work will involve all areas of ORR's network including cloud applications.

Specialist role
Cyber security consultant

Expected Contract Length
5 days work to be delivered over 30 day period.

Latest start date
Friday 19 February 2021

Who Specialist Work With
Working for the Security manager and with the Service delivery manager and Technical services manager

What Specialists Work On
Carry out Penetration testing across ORR's network including cloud applications.

Skills & Experience
  • Excellent understanding of mixed cloud and on-premise networks
  • Good Knowledge of NCSC security principles and best practice
  • Must be able to return any media containing data collected during the testing.

Nice to Haves
  • Knowledge of HMG baseline cyber security standards
  • Experience of working with small government or public sector organisations

Work Location
ORR HQ is in London but we also have 5 other locations.

Working Arrangements
A period of time working with the team on-site at HQ. Drafting the report (offsite) and then presentation of the findings via VC. May include a check from one of the Regional locations (to be determined).

Security Clearance
Security check equivalence by recognised provider.

Additional T&Cs
Organisation bidding for the work will need to be CHECK accredited.

No. of Specialists to Evaluate
3

Cultural Fit Criteria
  • Ability to work with our technical team (2 members) against a background of daily operational priorities.
  • Confident and with good communications skills.

Evaluation Weighting
  • Technical competence 40%
  • Cultural fit 20%
  • Price 40%

Questions from Suppliers

1. Please confirm that you will accept bids from providers who have CREST and not necessarily CHECK accreditations as well.
   Either CREST or CHECK will be acceptable.

2. Do you have an idea of the budget?
   Under £5k.

3. What is the application stack for cloud applications?
   Windows, Linux, ESX

4. What is the exact Security clearance that is needed?
   Security Clearance or SC level in government speak from a recognised provider.

5. Is there an incumbent?
   No there is not.

6. Is a CREST or CHECK accreditation required to undertake this work?
   Yes it is.

7. How many devices to be tested in the network infrastructure i.e. number of servers, number of workstations, etc. We don’t need the exact figure, but good to know the scope.
   There are around 10 servers that can be tested. We set up a laptop to be tested because we have no user in the office or on the ORR Network.

8. Is a full report needed (or only the summary of findings)?
   Full report.

9. Will the entire work be done offline or would you expect an on-site element?
   Expected to be an on-site element.

10. The URL/IP address if publicly accessible. Number of Firewalls including brands? Number of rules per rulebase/firewall? Please describe any infrastructure in the cloud including any always-on VPN connectivity?
    Held for release when contract let.

11. Desktop Applications – if applicable.
    All Standard applications from Microsoft.

12. Is the network segmented or flat?
    It’s a flat network.

13. Can all networks/VLANs in scope be accessed from one network point?
    Yes.

14. Number of networks/VLANs in scope?
    One network and one VLAN.

15. Number of workstations?
    1 workstation will be made available

16. Number of servers?
    5 servers can be used for this exercise

17. Which operating systems are in use?
    Microsoft Windows on both Servers and Workstations

18. Is there any Wireless capability?
    Yes.

19. Is the solution centrally configured?
    Yes.

20. Number of Access Points?
    Approx 15 APs

21. Number of SSIDs broadcasted? And are 2.4GHz, 5GHz, or both frequencies broadcasted?
    Both are broadcast and just a password is required to access the wifi

22. Desktop Applications – if applicable
    All Standard applications from Microsoft

23. How are the applications accessed?
    The applications are accessed via a VPN tunnel onto the ORR network

24. A brief summary on what the application is used for.
    There are two applications: one is for data statistics and the other is for driver licenses.

25. What functionality exists before login, and approximate number of pages (e.g. login, register, forgotten password)?
    The users log on via a VPN app on their laptops; this authenticates them on to the network and from there they navigate either to the share or the URL. The URL has a landing page with all the details included so user name, password, etc.

26. What functionality exists after login, and approximate number of pages (e.g. add to basket, payment, write blog post, account management – change password)?
    There are around 30 pages after login the user can access and it is all information that is personal to a driver.

27. How many user roles are there and what additional functionality can they access?
    The users have admin access to the URL so can change pretty much everything they wish.

28. Reports to be generated per application/infrastructure component or single report covering the entire engagement?
    Single report.

29. You have indicated that the scope of work is for 5 days in 30 days, but need 3 resources. Does this mean all the 3 have to work on the same days?
    The 3 does not refer to resources. It refers to the evaluation criteria. The supplier will need to assess what resources are needed to accomplish this task and quote accordingly.

30. Does this have to be quoted on a man-days basis or can this be done as an SOW?
    Either, but a statement of work should indicate anticipated timescales.

31. Where is the geographical location of the internal environment?
    What internal environment we have is located at our Main HQ in 25 Cabot Square in Canary Wharf.

32. If there are multiple sites, where are the locations for each?
    The sites are located in London (HQ), Bristol, Birmingham, Manchester, York and Glasgow.

33. Can all locations be accessed from one main site?
    Yes, main HQ in London.

Timeline

Publish date

3 years ago

Award date

3 years ago

Buyer information

Explore contracts and tenders relating to Office of Rail and Road
