Project 1: Vulnerability Assessment

To assess and evaluate the security measures and identify all risks to the security of information arising from the architecture (network infrastructure, firewalls, servers, desktops and remote access systems) and the configuration of the implemented infrastructure. To validate the effectiveness of key technical controls that safeguard the organization’s sensitive data including (but not limited to):

1. Internet perimeter security
   • External vulnerability scanning
   • Perimeter device configuration review

2. Internal technical controls
   • Internal vulnerability scanning
   • Configuration review and assessment
   • Access controls
   • Email security
   • Wireless access
   • Administrative controls
   • Active directory policies
   • Workstation and laptop security
   • Mobile device management
   • Database Security & Policies
   • Microsoft Defender & Compliance Configuration
      • DLP Policies
      • SPAM Policies
      • Best Practices
   • Assessment of Power Platform
      • Architecture
      • Data Handling process
      • Access controls
      • Integration points

Project 2: External Penetration Test

We would like the proposal to present a penetration test on the internet perimeter that attempts to exploit external facility vulnerabilities to simulate a “real world attack”. The vendor should propose services that attempt to bypass controls and/or exploit vulnerabilities with the goal of obtaining unauthorized access to the OTC network. Denial of service attempts are prohibited.

Project 3: Social Engineering – Email phishing

To assess internal cybersecurity awareness of employees, we would like the vendor to propose conducting an email phishing attempt that targets up to 1,700 employees.

Project 4: Information Security Program Assessment

To assess the cybersecurity governance and oversight, we would like the vendor to propose an audit / assessment of OTC’s information security program. This will include a review of the information security program roles and responsibilities, security policies, and employee training.