Purchasing Department

Addendum #1

Date: August 25, 2017

Title: RFB/RFP #LH-0467 Information Security Risk Assessment

Subject: Questions and Answers

  1. Regarding the 12,000 potentially in-scope devices:
     a) While the vulnerability assessment (scan & analysis) would be performed against all or a majority of these devices, does JPS desire penetration testing (attempted exploitation) against all devices?
     b) Our approach is typically to perform penetration testing (attempted exploitation) against an agreed upon subset of issues identified through the vulnerability assessment (scan & analysis) to provide meaningful and actionable results while maintaining efficiency. Would this approach be acceptable?
     c) How many of the 12,000 IP addresses mentioned are public or externally facing?

Answer: a) Yes. b) We will not disclose information about our external/internal structure at this time.

  1. Aside from an exit meeting, will any formal presentation of the results be required?

Answer: An exit meeting is an opportunity to address significant issues of concern prior to drafting a report. After the exit meeting, the selected Respondent will prepare a draft report for review by the District’s Chief Technology Officer (or designee). Once all content is agreed, the selected Respondent will prepare a final report for presentation to the District’s Chief Technology Officer and members of his management team. The format and timing of delivery – in person, conference call, or online forum – is negotiable.

  1. The RFP indicates the term of the contract is 1 year. Can you provide additional information regarding the anticipated/desired timing for performance/execution?

Answer: Our preferred timeframe for completing all activities under this RFP – including presentation of the final report – is between October and November 2017.

  1. For each activity (network penetration testing, physical/administrative penetration testing, social engineering), is the engagement strictly limited to those items outlined in the "Desired Element" sections, or is the Respondent expected to go beyond them?

Answer: Penetration Test: refer to the last bullet point under Desired Elements, page 9: Perform other network penetration exercise deemed necessary to meet the activity’s stated purpose, in accordance with information security best practices.

All activities shall be conducted within their respective Qualifying Conditions.

  1. What flavor of Operating System and Database are used? This will help us determine whether we will need licensed tools.

Answer: We will not disclose information about our external/internal structure at this time.

  1. When is the expected start date?

Answer: Refer to Question #3.

  1. What type of penetration testing is requested: grey box, white box or black box? We are assuming white box, but wanted to be sure.

Answer: A “grey box” format is acceptable, in which the selected Respondent will have limited knowledge of the District’s information assets (subject to the Qualifying Conditions as outlined in the RFP).

  1. Will JPS provide the selected consultant with a project liaison or coordinator to assist with the coordination, scheduling, and communications of this project?

Answer: Yes. The liaison will be a person who reports to the District’s Chief Technology Officer.

  1. Will JPS be willing to provide advance materials, transmitted securely, to allow the successful consultant to review documentation and make preparations prior to conducting on-site work?

Answer: Same response as Question #4.

  1. Do you desire the selected consultant to give and/or facilitate any presentations to JPS project leadership and/or stakeholders during the course of the project? If yes, at what milestones and to what audiences?

Answer: The selected Respondent will participate in a project “kickoff” meeting at the beginning of the engagement along with District’s Chief Technology Officer, his management team, and other persons at the Chief Technology Officer’s discretion. Updates will be given to the District’s Chief Technology Officer (or designee), as outlined in section V. Project Plan.

  1. What is JPS’s desired timeframe for this project? Do you have specific start and end dates in mind for performing the testing and completing the engagement? Are there any project milestones that need to be considered to best meet JPS’s needs?

Answer: Refer to Question #3 above regarding timeframes. It will be the selected Respondent’s responsibility to establish project milestones for this engagement.

  1. How many external IP addresses are in scope?

Answer: We will not disclose information about our external/internal structure at this time.

  1. How many web applications are in scope?

Answer: We will not disclose information about our external/internal structure at this time.

  1. How many servers?

Answer: We will not disclose information about our external/internal structure at this time.

  1. Are there any external vendors providing support, software, or hosting services?

Answer: We will not disclose information about our external/internal structure at this time.

  1. Has JPS previously conducted an Information Security Risk Assessment, similar to this current RFP? If yes:
     a) When was this work conducted?
     b) Did an external vendor conduct this work? If so, who? What was the dollar value of the contract?

Answer: We will not disclose such information at this time.

  1. Do you have a budget estimate or range for this project that you can share? If yes, please provide detail.

Answer: We have no such information to share at this time.

  1. Details were provided on the in-scope internal systems (up to 12,000 IP addresses), does JPS wish to also include external (Internet facing) infrastructure in the assessment?
     a) If yes, how many total external services are in scope for the assessment?
     b) If yes, how many of these external services are web services (HTTP and HTTPS)?
     c) If yes, how many custom developed web applications are in scope?

Answer: We will not disclose information about our external/internal structure at this time.

  1. For the wireless assessment, how many wireless networks are in scope for the assessment? How many facilities will need to be visited to test the networks?

Answer: We will not disclose information about our external/internal structure at this time. Facility visits, if necessary, will be discussed with the selected Respondent.

17. Evaluation Criteria #1, #2, and #5 on the score sheet have been revised.

1. Price – was 15 points, is now 20 points.

2. The extent to which the goods and/or services meet the District needs specified in this RFP – was 20 points, is now 25 points.

3. Vendor’s past relationship with the District – Strike.

All corrections, changes, additions, revisions, and/or clarifications in this Addendum #1 to the RFP are hereby made a part of the RFB/RFP for #LH-0467 Information Security Risk Assessment.

All Respondents to the RFB/RFP shall acknowledge receipt and acceptance of this Addendum #1 by signing in the space provided and submitting the signed Addendum #1 with the RFB/RFP.

Proposals submitted without an executed copy of this Addendum #1 attached may be considered informal and may be rejected.

Received, acknowledged, and conditions agreed to on this ______day of ______, 2017, by:

Respondent: ______

Company Name: ______

If there are questions pertaining to this addendum please contact Lizzie Harris at