
CITY AND COUNTY OF DENVER AUDITOR’S OFFICE

REQUEST FOR PROPOSAL FOR PROFESSIONAL AUDITING SERVICES Additional Information

March 10, 2016

The following questions were asked and answered at the February 26, 2016 Pre-Proposal Conference:

Scope Limitation:

The scope of the information network security audit, which is the subject of the Request for Proposals issued by the Auditor’s Office on February 12, 2016 is: (1) a “Black Box” / “Zero Knowledge” External Penetration Test; (2) limited to the “denvergov” domain (denvergov.org); (3) limited to exclude any testing or involvement of Denver International Airport, Denver County Court, or Denver Department of Safety systems (i.e., police, fire, and sheriff); and (4) additional limitations will be communicated to the selected vendor.

The goal and objective of the audit is to evaluate the City’s vulnerability to outside cybersecurity threats.

1. What is the estimated budget for the project?

A: No. The Auditor’s Office would like all proposed costs and budgets itemized.

2. How many different operating systems and databases will be covered?

A: Because the goal and objective of the audit is to evaluate the City’s vulnerability to outside threats, specific information related to the City’s information network will not be provided. Vendors are encouraged to use publicly available information.

3. What are the different operating systems and databases that will be covered?

A: See Answer to Question 2.

4. How many network domains will be covered?

A: The audit will be limited to the “denvergov” domain (denvergov.org). Please see the exclusions in the scope limitation above.


5. How many externally facing IP addresses does the City and County of Denver own, use, and manage?

A: See Answer to Question 2.

6. How many externally facing web applications are hosted and pointed towards externally facing IP addresses does the city maintain and consider a part of this project?

A: See Answer to Question 2. Additional limitations regarding the size and scope of the audit will be provided to the selected vendor.

7. Is there a level of participation the city would like its audit staff involved in the project?

A: A member of the Auditor’s Office will oversee the contract. Members of the Audit Services Division will facilitate City involvement in the audit, and review the Vendor’s work and work papers. Additional members of the Audit Services Division may also be involved for training purposes.

8. Does the City and County of Denver have a data classification scheme in place? If so, are there segmented data classifications that are not considered within the scope of this project?

A: See Scope Limitation.

9. In the introduction, you mention, “including penetration testing”. However, in the Scope of work to be performed, it sounds like you would like a vulnerability assessment. Would you like both a vulnerability assessment and a penetration assessment? Or, just a vulnerability assessment? (Pen testing involves actually safely breaking into systems.) Or, is a penetration test the method you would like each of these areas tested?

A: The Auditor’s Office is seeking an external vulnerability assessment through a “black box” / “zero knowledge” penetration test. As stated in the Request for Proposals, all proposals should include a description of the method or methods the Vendor can use to achieve the audit goals.

10. Are cloud-based service providers within the scope of the review?

11. Is this review tied with meeting any compliance-based requirement?

A: No.

12. What is the total number of firewalls, routers, and switches considered to be a part of this project?

A: See Answer to Question 2. Additional limitations regarding the size and scope of the audit will be provided to the selected vendor.

13. How many wireless networks and access points are considered a part of this project?

A: See Answer to Question 2. Additional limitations regarding the size and scope of the audit will be provided to the selected vendor.

14. Is a social engineering test a part of this audit?

A: No. Email phishing is also excluded.

15. Can you provide an organizational overview of the company and divisions which includes:

o List Physical Locations
o Estimate of number of staff?
o Number of IT staff

A: See Scope Limitation and Answer to Question 2.

16. Please provide the following documents (if available):

o Copy of previous/most recent SAQ assessment
o Network WAN/LAN diagrams

A: See Scope Limitation and Answer to Question 2.

17. Is the IT service delivery organization centralized or decentralized?

o Number of IT Staff:

A: See Answer to Question 2.

18. Are there documented policies/procedures for the core IT processes:

o Change Management
o Incident Management
o DRP/BCP
o Logical Access Management
o Backup/Recovery
o Etc.

A: See Answer to Question 2.

19. Which of the following governance frameworks apply:

o PCI-DSS (Credit Card security standards)
o CJIS (Criminal Justice Information Systems)

A: These governance frameworks apply to the City; however, they are not the subject of any evaluation contemplated or sought in the Request for Proposals.

20. Please describe any applications that are hosted internally, that can be accessed directly from the Internet.

o Ex: Customer facing websites or applications, staff portal, other websites…

o Please provide the URL/web addresses

o Do you anticipate web/application penetration testing of the above described Internet facing applications (i.e. more than automated vulnerability scanning)?

A: See Answer to Question 2.

21. Is email in house or hosted?

o Do you use web based remote email?

o Do you do email filtering in house, or use a 3rd party filtering service?

A: See Answer to Question 2.

22. What forms of remote access do you provide for staff and vendors?

o Email/web based email/etc
o VPN
o Remote desktop

23. Do you have an IDS/IPS?

o Is it run/managed by in-house resources, or a vendor?

o Is it run/managed by in-house resources, or a vendor

A: See Answer to Question 2.

24. Are there any applications hosted by third party (outside the organization) that should be considered in-scope for audit and/or testing?

o Please describe each, including who the hosting provider is

A: No.

25. Please describe the internal WAN subnetting/Vlan setup/IP addressing schemes for internal networks.

o The intent of this is to understand the potential size of the internal address space to be scanned and tested.
o How many vlans or subnets, and what is their approximate size?
o Please provide a network diagram if possible.

A: See Answer to Question 2.

26. Is there an up to date inventory of computing devices?

o How many servers

A: See Answer to Question 2.

27. Are any of the servers running a mainframe operating system? Please describe.

o How many workstations/laptops?
o How many others?

A: See Answer to Question 2.

28. Please describe the key/critical business applications (not MS Word, Excel, etc…).

o Are any of these hosted by a third party, outside the organization?

29. What centralized authentication is used (Novell, Windows AD, something else?)?

o If Windows, how many Domains?

A: See Answer to Question 2. Additional limitations regarding the size and scope of the audit will be provided to the selected vendor.

30. Do you “allow” BYOD, or does the organization supply the mobile devices?

o Is there a standard?

o What controls/policies are in place (if any?)

o Are you using a Mobile Device Management system? If yes, please describe.

A: See Answer to Question 2.

31. How many locations make up the wide area network?

o Please describe the connection/connectivity between facilities.
o What sort of connection/pipe to the internet do you have?

A: See Answer to Question 2.

32. Has the City and County of Denver contracted for prior cybersecurity audits of this nature? If so, please share the cost and deliverables.

A: No.

33. Please explain what the ‘Public Report’ deliverable format should look like.

A: Denver City Auditor’s Office Audit Reports. Examples are available at https://www.denvergov.org/content/denvergov/en/denver-auditor/audit-services/audit-reports.html.

34. Under section II.C. Please clarify the applicability of GAO Government Auditing standards and A-133 in terms of a cybersecurity audit/assessment.

A: No special authorization is required. Vendor needs to be familiar and able to apply GAO Government Auditing “yellow book” standards.

35. How important is Government auditing experience? Especially as related to cybersecurity?

A: Government experience will be a factor considered, but cybersecurity and technical experience is of greater importance.

36. Did you work with other organizations or entities in drafting the RFP?

A: No.

37. What is driving this RFP? Is there a specific rule, regulation or compliance requirement?

A: The Auditor’s concern regarding cybersecurity. No specific rule, regulation, or compliance requirement.

38. Is an audit-type report (i.e. AICPA) or consulting-assessment report desired?

A: The Auditor desires best practices applied to evaluate the City’s cybersecurity and generate recommendations for improvements in the City’s cybersecurity. The Auditor’s Office will work closely with the vendor to produce two reports as discussed in detail in the Request for Proposals.

39. Will all questions and answers be provided in written form after the pre-proposal conference?
