Vulnerability Assessment And Penetration Testing Services . - OECM


VULNERABILITY ASSESSMENT AND PENETRATION TESTING SERVICES
REQUEST FOR PROPOSALS NUMBER #2021-381

Request for Proposals Issued On: May 10, 2021
Proponent’s Information & OTP Demonstration Session: 2:00 pm on May 13, 2021
Proponent’s Deadline to Submit Questions: 5:00 pm on May 18, 2021
Proponent’s Deadline to Submit Questions Related to Addenda & Question and Answer Documents: 5:00 pm on May 26, 2021
Closing Date: 2:00:00 pm on June 29, 2021 local time in Toronto, Ontario, Canada

All times specified in this RFP timetable are local times in Toronto, Ontario, Canada. Please refer to Section 5.1.1 for the complete RFP timetable.

OECM shall not be obligated in any manner to any Proponent whatsoever until a written Master Agreement has been duly executed with a Supplier.

OECM Vulnerability Assessment and Penetration Testing Services RFP #2021-381 Page 1 of 54

TABLE OF CONTENTS

PART 1 – INTRODUCTION ... 5
1.1 Objective of this RFP ... 5
1.2 Project Background ... 5
1.3 Historical Spend ... 5
1.4 Project Advisory Committee ... 5
1.5 Overview of OECM ... 6
1.6 Use of OECM Master Agreements ... 6
1.7 The Ontario Broader Public Sector Procurement Directive ... 6
1.8 Trade Agreements ... 6
1.9 Rules of Interpretation ... 7

PART 2 – THE DELIVERABLES ... 8
2.1 Description of Deliverables ... 8
2.2 Vulnerability Assessment Services ... 8
2.2.1 Vulnerability Assessment Services Reporting and Presentation ... 8
2.3 Penetration Testing Services ... 8
2.3.1 Key Penetration Testing Services ... 8
2.3.2 Application Penetration Testing Services ... 9
2.3.3 Network Penetration Testing Services ... 9
2.3.4 Social Engineering Testing Services ... 10
2.3.5 Web Application Penetration Testing Services ... 10
2.4 Additional Penetration Testing Services ... 10
2.4.1 Payment Card Industry (“PCI”) Penetration Testing Services ... 10
2.4.2 Wireless Penetration Testing Services ... 11
2.5 Penetration Testing Methodologies and Standards ... 11
2.6 General Requirements on Penetration Testing Services ... 11
2.7 Penetration Testing Services Clean Up ... 12
2.8 Logs ... 12
2.9 Penetration Testing Services Reporting and Presentation ... 12
2.10 Optional Services ... 12
2.11 Additional Insurance Requirements ... 13
2.12 Confidentiality and Protection of Customer’s Information ... 13
2.13 Compliance ... 13
2.14 Data Residency ... 13
2.15 Invoicing ... 13
2.15.1 Payment Terms and Methods ... 14
2.15.2 Electronic Fund Transfer ... 14
2.15.3 Electronic Commerce ... 14
2.16 Support to Customers ... 14
2.16.1 Incentive to Customers ... 15
2.17 Environmental and Sustainability Considerations ... 15
2.18 Social Procurement ... 15
2.19 Disaster Recovery and Business Continuity ... 15
2.20 Licences, Right to Use and Approvals ... 15
2.21 Workplace Hazardous Material Information System ... 16

PART 3 – EVALUATION OF PROPOSALS ... 16
3.1 Stages of Proposal Evaluation ... 16
3.2 Stage I – Review of Qualification Responses (Pass/Fail) ... 17
3.3 Stage II – Technical Response ... 17
3.4 Stage III – Commercial Response ... 18
3.5 Stage IV – Cumulative Score ... 19
3.6 Stage V – Tie Break Process ... 19
3.7 Stage VI – Negotiations ... 19
3.8 Stage VII – Master Agreement Finalization ... 20

PART 4 – MASTER AGREEMENT STRUCTURE AND MANAGEMENT ... 21
4.1 Master Agreement Structure ... 21
4.1.1 No Contract until Execution of Written Master Agreement ... 21
4.1.2 Customer’s Usage of Master Agreements ... 21
4.1.3 No Guarantee of Volume of Work or Exclusivity of Master Agreement ... 22
4.2 Rates ... 22
4.2.1 Expenses or Additional Charges ... 22
4.2.2 Optional Rate Refresh ... 23
4.2.3 Optional Process to Add Other Services ... 23
4.2.4 OECM Geographical Zones ... 24
4.2.5 OECM Cost Recovery Fee ... 24
4.2.6 Financial Administration Act Section 28 ... 25
4.2.7 Saving Calculation ... 26
4.3 Supplier Management Support to OECM ... 26
4.3.1 Master Agreement Award and Launch ... 26
4.3.2 Promoting OECM Master Agreements ... 26
4.3.3 Supplier’s Performance Management Scorecard ... 27
4.3.4 OECM’s Supplier Recognition Program ... 27
4.3.5 Reporting to OECM ... 27

PART 5 – TERMS AND CONDITIONS OF THE RFP PROCESS ... 29
5.1 General Information and Instructions ... 29
5.1.1 RFP Timetable ... 29
5.1.2 Proponent’s Information and OTP Demonstration Session ... 30
5.1.3 Proponent to Follow Instructions ... 30
5.1.4 OECM’s Information in RFP Only an Estimate ... 30
5.1.5 Proponent’s Costs ... 30
5.2 Communication after RFP Issuance ... 30
5.2.1 Communication with OECM ... 30
5.2.2 Proponent to Review RFP ... 31
5.2.3 Proponent to Notify ... 31
5.2.4 All New Information to Proponents by way of Addenda ... 31
5.3 Proposal Submission Requirements ... 32
5.3.1 General ... 32
5.3.2 Proposal in English ... 32
5.3.3 Proposal Submission Requirements ... 32
5.3.4 Other Proposal Considerations ... 33
5.3.5 Proposal Receipt by OECM ... 33
5.3.6 Withdrawal of Proposal ... 33
5.3.7 Amendment of Proposal on OTP ... 33
5.3.8 Completeness of Proposal ... 33
5.3.9 Proposals Retained by OECM ... 33
5.3.10 Acceptance of RFP ... 34
5.3.11 Amendments to RFP ... 34
5.3.12 Proposals will not be Opened Publicly ... 34
5.3.13 Clarification of Proposals ... 34
5.3.14 Verification of Information ... 34
5.3.15 Proposal Acceptance ... 34
5.3.16 RFP Incorporated into Proposal ... 34
5.3.17 Exclusivity of Contract ... 35
5.3.18 Substantial Compliance ... 35
5.3.19 No Publicity or Promotion ... 35
5.4 Negotiations, Timelines, Notification and Debriefing ... 35
5.4.1 Negotiations with Preferred Proponent ... 35
5.4.2 Failure to Execute a Master Agreement ... 35
5.4.3 Master Agreement ... 35
5.4.4 Notification to Other Proponents ... 36
5.4.5 Debriefing ... 36
5.4.6 Bid Dispute Resolution ... 36
5.5 Prohibited Communications, and Confidential Information ... 36
5.5.1 Confidential Information of OECM ... 36
5.5.2 Confidential Information of the Proponent ... 37
5.5.3 Proponent’s Submission ... 37
5.5.4 Personal Information ... 37
5.5.5 Non-Disclosure Agreement ... 37
5.5.6 Freedom of Information and Protection of Privacy Act ... 37
5.5.7 Intellectual Property ... 37
5.6 Reserved Rights and Governing Law of OECM ... 38
5.6.1 General ... 38
5.6.2 Rights of OECM – Proponent ... 39
5.6.3 No Liability ... 40
5.6.4 Assignment ... 40
5.6.5 Entire RFP ... 40
5.6.6 Priority of Documents ... 40
5.6.7 Disqualification for Misrepresentation ... 40
5.6.8 References and Past Performance ... 40
5.6.9 Cancellation ... 40
5.6.10 Competition Act ... 41
5.6.11 Trade Agreements ... 41
5.6.12 Governing Law ... 41

APPENDIX A – DEFINITIONS ... 42
APPENDIX B – FORM OF MASTER AGREEMENT ... 46
APPENDIX C – COMMERCIAL RESPONSE AMENDED AS OF MAY 21, 2021 ... 47
APPENDIX D – OECM GEOGRAPHICAL ZONES ... 48
APPENDIX E – OECM SCHOOL BOARD, COLLEGE AND UNIVERSITY CUSTOMERS IN ONTARIO ... 49
APPENDIX F – REPORTING REQUIREMENTS ... 50
APPENDIX G – PERFORMANCE MANAGEMENT SCORECARD ... 51
APPENDIX H – CODE OF CONDUCT ... 53

PART 1 – INTRODUCTION

This non-binding Request for Proposals (“RFP”) is an invitation to obtain Proposals from qualified Proponents for Vulnerability Assessment and Penetration Testing Services as described in Part 2 – The Deliverables and Part 4 – Master Agreement Structure and Management.

OECM intends to award up to seven (7) Master Agreements, with an initial Term of the Master Agreement (“Term”) of three (3) years with an option in favour of OECM to extend the Term on the same terms and conditions for one (1) additional two (2) year option for extension.

This RFP is issued by OECM.

1.1 Objective of this RFP

The objective of this RFP is to select qualified suppliers who:
(a) Actively promote professional and ethical practices in their operations;
(b) Provide Customers with high quality Services, demonstrating value for money;
(c) Provide Customers with well-defined project management support;
(d) Provide Customers professional and responsive customer support and account management; and,
(e) Work in a cooperative manner with Customers, and are flexible, innovative, and professional in providing quality Services to Customers.

1.2 Project Background

OECM’s first Vulnerability Assessment and Penetration Testing Services Request for Proposals (RFP) was awarded in 2017. Over the span of the Agreement, there has been a cumulative spend of approximately one million one hundred thousand dollars ($1,100,000.00) as of March 2021. This project is the second-generation RFP for Vulnerability Assessment and Penetration Testing Services.

1.3 Historical Spend

OECM’s current IT Vulnerability Assessment and Penetration Testing Services agreement, which will expire on January 11, 2022, was awarded to four (4) Suppliers. Twenty-eight (28) unique Customer Service Agreements were created between Suppliers and Customers during the span of the current agreement, with the following breakdown:
(a) Eleven (11) School Boards;
(b) Ten (10) other organizations;
(c) Five (5) Colleges; and,
(d) Two (2) Universities.

Purchases through the existing agreement from January 2017 to March 2021 were approximately one million one hundred thousand dollars ($1,100,000.00).

Customers using the current OECM IT Vulnerability Assessment and Penetration Testing Services agreement are not, in any way, obligated to participate in any Master Agreement resulting from this RFP.

1.4 Project Advisory Committee

The following Customers were involved with the development of the requirements set out in this RFP:
(a) Cambrian College
(b) Centennial College

(c) City of Hamilton
(d) Education Computing Network of Ontario (ECNO)
(e) Hamilton Health Sciences
(f) Limestone District School Board; and,
(g) Mohawk College of Applied Arts and Technology.

The above Customers are not, in any way, committed to participating in the Master Agreement resulting from this RFP.

1.5 Overview of OECM

OECM is a trusted not-for-profit partner for Ontario’s education sector, Broader Public Sector (“BPS”) entities, Provincially Funded Organizations (“PFO”), Crown Corporations, and other not-for-profit organizations. OECM offers a comprehensive choice of collaboratively sourced and competitively priced products and services through its Marketplace, the goal of which is to generate savings, choice and service for its Customers.

Recognizing the power of collaboration, OECM is committed to fostering strong relationships with both Customers and suppliers by:
(a) Actively sourcing products and services in an open, fair, transparent and competitive manner, compliant with the BPS Procurement Directive and applicable trade agreements;
(b) Establishing, promoting its Customer edthroughout
(c) Supporting Customers’ access and use of OECM agreements through analysis, reporting and the development of tools, guides, and other materials;
(d) Effectively managing supplier contract performance while harnessing expertise and innovative ideas, to drive continuous improvements through a Supplier Relationship Management program;
(e) Promoting OECM’s Supplier Code of Conduct, based on its core values, to ensure that all supplier partners adhere to a set standard when conducting business with OECM and its Customers, resulting in continuous, long-term success; and,
(f) Supporting supplier partners through a Supplier Recognition Program.

1.6 Use of OECM Master Agreements

As of March 2021, one thousand fifty-six (1056) Customers were using one (1) or more OECM agreements. Since 2009, the cumulative spend from our Customers is approximately two-point-four billion ($2.4B). More information about OECM is available on our website - http://www.oecm.ca/.

1.7 The Ontario Broader Public Sector Procurement Directive

OECM, and the Customers they service, follow the Ontario BPS Procurement Directive. The directive sets out rules for designated BPS entities on the purchase of goods and services using public funds. The Procurement Directive is available here b.nsf/English/bpsprocurementdirective.

1.8 Trade Agreements

OECM procurements are undertaken within the scope of Chapter 5 of the Canadian Free Trade Agreement (“CFTA”), Chapter 19 of the Comprehensive Economic and Trade Agreement ("CETA"), and within the scope of the Trade and Cooperation Agreement between Quebec and Ontario and are subject to such agreements, although the rights and obligations of the parties shall be governed by the specific terms of this RFP. For more information, refer to Section 5.6.11.

1.9 Rules of Interpretation

This RFP shall be interpreted according to the following provisions, unless the context requires a different meaning:
(a) Unless the context otherwise requires, wherever used herein the plural includes the singular, the singular includes the plural, and each of the masculine and feminine includes the other gender;
(b) Words in the RFP shall bear their natural meaning;
(c) References containing terms such as “includes” and “including”, whether or not used with the words “without limitation” or “but not limited to”, shall not be deemed limited by the specific enumeration of items but shall, in all cases, be deemed to be without limitation and construed and interpreted to mean “includes without limitation” and “including without limitation”;
(d) In construing the RFP, general words introduced or followed by the word “other” or “including” or “in particular” shall not be given a restrictive meaning because they are followed or preceded (as the case may be) by particular examples intended to fall within the meaning of the general words;
(e) Unless otherwise indicated, time periods will be strictly applied; and,
(f) The following terminology applies in the RFP:
i. The terms “must” and “shall” relate to a requirement the Supplier will be obligated to fulfil. Whenever the terms “must” or “shall” are used in relation to OECM or the Supplier, such terms shall be construed and interpreted as synonymous and shall be construed to read “OECM shall” or the “Supplier shall”, as the case may be;
ii. The term “should” relates to a requirement that OECM would like the Supplier to fulfil; and,
iii. The term “will” describes a procedure that is intended to be followed.

[End o
