Specifications include, but are not limited to: The vendor shall conduct a total of three (3) audits which are comprised of a vulnerability assessment and policy review over the course of 3 years. Over the course of the project the total deliverables shall include: • Three (3) vulnerability assessments • Three (3) vulnerability assessment reports • Three (3) Policy reviews • Three (3) Policy review reports • One (1) Strategic improvement plan 1.1 The vulnerability assessment shall meet or exceed the following criteria: • Internal assessment of 700 IP addresses • Internal assessment shall consist of conducting a vulnerability scan of internal assets including workstations, servers, network equipment, and other networked equipment. • External assessment of 60 IP addresses • External assessment shall consist of servers hosted by the city of Charleston and servers hosted via an external Infrastructure as a service provider