As documented in this RFP a consortium of Scottish Government agencies are seeking Penetration Testing Services.
This opportunity is for the establishment of a Framework Agreement for the provision of IT Security (Penetration) Testing Services to Skills Development Scotland (SDS), Scottish Enterprise (SE), Highlands and Islands Enterprise (HIE), South of Scotland Enterprise (SOSE) and Enterprise Information Systems (EIS).
In previous years SDS have awarded the contract for IT Security Testing to a single supplier. The current contract has been widely utilised, however, the EIS Cyber team have experienced challenges in recent times in terms of the capacity available to meet testing requirements.
On that basis, there is a desire to move away from the current position to a framework agreement approach where specialised suppliers can be appointed and engaged for specific projects/pieces of work.
The scope of the tendered services covers provision of security testing services which will require a supplier to identify, test for and exploit vulnerabilities (only where specifically required and agreed), confirm security controls are effective and recommend remedial actions to any vulnerability or weakness found.
The Framework Agreement will also include provisions for a supplier to recommend remedial actions to any vulnerability found following the Cyber Essentials certification process.
Testing will include external penetration testing, vulnerability assessment & internet facing systems testing.
It is anticipated that any Onsite Health Check/Penetration Test will involve the examination and assessment of vulnerabilities on the EIS internal infrastructure. Internal testing should include vulnerability scanning and manual analysis of our internal network.
At a minimum it should include:
- Desktop and server build and configuration, and network management security.
- Patching at operating system, application and firmware level.
- Configuration of remote access solutions (including solutions for managed devices and BYOD)
- Build and Configuration of laptops and other mobile devices such as phones and tablets used for remote access.
- Internal security gateway configuration.
- Wireless network configuration.
It is expected that the successful suppliers will undertake testing on a range of external solutions
which is including but not limited to:
- Internet facing systems.
- Firewalls / Web Application Firewalls (WAF).
- Mail servers.
- VPN gateways.
- Web servers (Azure).
- Third party Web servers.
- Mobile device management solution / BYOD.
- Wireless access.
- VoIP solutions.
- Web Application Testing
It is expected that the successful suppliers will test web applications to identify vulnerabilities within the applications such as misconfigurations, SQL Injections, XSS, privilege escalation etc. via unauthenticated and authenticated methods. This test should also include vulnerability scans of the underlying platform.
Web Application test methodology should be based on OWASP Top 10.
It is expected that the successful suppliers will test for human vulnerabilities and gain access to the network and in turn sensitive information via means such as online research, telephony, email and physical access.
All bidders must confirm and provide evidence that they hold a valid CREST certification along with a valid Cyber Security certification such as Cyber Essentials Plus, ISO 27001, or equivalent third-party certification.