Myers and Stauffer Service Descriptions

DIR Information Technology Security Hardware, Software and Services Contract

Contract No. DIR-TSO-3748


Contingency Planning: Operational and Disaster Recovery

Review, evaluate, and provide advice on the design, establishment, documentation, implementation, and/or operating effectiveness of operational and disaster recovery plans, processes, procedures, and controls including data backup and recovery. Could also include assessing controls for compliance with relevant laws, rules, and regulations or guidelines and best practices such as HIPAA and TAC 202.

(Price for service will be impacted by the size and complexity of the organization and its contingency plans and whether external, contractor service providers, and/or backup data centers are in scope. Price will be determined by blended hourly rate times level of effort/hours. MSRP is blended hourly rate.)

Network and System Monitoring and Auditing Services

Perform monitoring and auditing procedures such as use of automated scanning tools (for example Nmap and Nessus) and/or review of network architecture and configuration to identify potential security vulnerabilities, configuration issues, performance issues, or architecture issues for the network and network-connected devices including firewalls, routers, servers, workstations, and printers.

(Price for service will be impacted by the size and complexity of the organization's network in scope. Price will be determined by blended hourly rate times level of effort/hours. MSRP is blended hourly rate.)

Network Discovery, Mapping, and Inventory Services

Perform discovery, mapping, and inventory primarily through the use of automated scanning tools (for example Nmap and Nessus) and/or review of network architecture and configuration.

(Price for service will be impacted by the size and complexity of the organization's network in scope. Price will be determined by blended hourly rate times level of effort/hours. MSRP is blended hourly rate.)

Security Governance and Advisory Services

Review, evaluate, and provide advice on the design, establishment, documentation, implementation, and/or operating effectiveness of security processes, procedures, and controls. Could also include assessing security controls for compliance with relevant laws, rules, and regulations or guidelines and best practices such as HIPAA and TAC 202.

(Price for service will be impacted by the size and complexity of the organization and the breadth and/or granularity of focus - such as organization level general controls or system/application level controls. Price will be determined by blended hourly rate times level of effort/hours. MSRP is blended hourly rate.)

Security Policy Development

Review, evaluate, and provide advice and/or assistance on the design, development, update, and documentation of security policies to reflect implemented processes and procedures and to comply with relevant laws, rules, and regulations or guidelines and best practices such as HIPAA and TAC 202.

(Price for service will be impacted by the size and complexity of the organization and the number of policies to be developed. Price will be determined by blended hourly rate times level of effort/hours. MSRP is blended hourly rate.)

Security Regulatory Compliance Assessment Services

Assess the design and implementation of security controls for compliance with relevant laws, rules, and regulations or guidelines and best practices such as HIPAA, FISMA, NIST Guidelines (including NIST SP 800-53), GLBA, FERPA, CJIS, IRS Publication 1075, and TAC 202. Includes reviewing, evaluating, and providing advice on the design, establishment, documentation, implementation, and/or operating effectiveness of security processes, procedures, and controls in comparison to criteria from one or more regulatory requirements, recognized guidelines, or best practices.

(Price for service will be impacted by the size and complexity of the organization, the number of regulatory compliance requirements to be assessed, and the breadth and/or granularity of focus - such as organization level general controls or system/application level controls. Price will be determined by blended hourly rate times level of effort/hours. MSRP is blended hourly rate.)

Third-Party Service Provider Security Assessment Services

Assess the design, implementation, and effectiveness of security controls at third-party service providers (e.g., cloud service providers, system development vendors, infrastructure and application hosting providers, etc.) for compliance with relevant laws, rules, and regulations or guidelines and best practices and/or contract requirements. Assessment could include performing SSAE 16/SOC 1 or SOC 2 audits in accordance with AICPA audit standards.

(Price for service will be impacted by the size and complexity of the third-party provider, the type of assessment needed, and the breadth and/or granularity of focus - such as organization level general controls or system/application level controls. Price will be determined by blended hourly rate times level of effort/hours. MSRP is blended hourly rate.)

Security Training Services

Provide security training to end users (employees and contractors) and staff with security administration responsibilities. Training can be tailored to the organization and its existing policies and procedures. Types of training include, but are not limited to, end-user security awareness training and IT security compliance training (such as HIPAA Security, Privacy, and Breach Notification Rule training).

(Price for service will be impacted by the size and complexity of the organization, the type of training to be performed, the number and locations of personnel to be trained, and the amount of tailoring of training required. Price will be determined by blended hourly rate times level of effort/hours. MSRP is blended hourly rate.)

Controlled Penetration Testing

Perform network and/or application penetration testing. Testing will include use of automated tools, scripts, and manual procedures to identify and attempt to exploit network, system, or application vulnerabilities.

(Price for service will be impacted by the size and complexity of the organization's network and/or the number and complexity of applications in scope for testing and whether testing will be performed with knowledge, with partial knowledge, or without knowledge. Price will be determined by blended hourly rate times level of effort/hours. MSRP is blended hourly rate.)

Risk Assessment

Assess information technology controls to identify risks to confidentiality, integrity, or availability of information systems and data.

(Price for service will be impacted by the size and complexity of the organization's IT environment in scope for assessment. Price will be determined by blended hourly rate times level of effort/hours. MSRP is blended hourly rate.)

Cloud Compliance

Assess processes, procedures, and controls for cloud-based systems and/or third-party services to determine compliance with applicable security laws, rules, and regulations; agency policies and procedures; contract requirements; and best practices.

(Price for service will be impacted by the size and complexity of the organization's Cloud-based IT environment in scope for assessment. Price will be determined by blended hourly rate times level of effort/hours. MSRP is blended hourly rate.)

Vulnerability Scanning

Perform automated scanning (for example using Nmap and Nessus) to identify potential security vulnerabilities for network-connected devices including firewalls, routers, servers, workstations, and printers. Scanning can be performed from outside the network perimeter, inside the perimeter, or both. Could include scanning and assessment of wireless networks.

(Price for service will be impacted by the size and complexity of the organization's network in scope for scanning and whether scanning will be external, internal, or both. Price will be determined by blended hourly rate times level of effort/hours. MSRP is blended hourly rate.)

Web Application Scanning

Perform automated scanning (for example using Nessus plug-ins, AppScan, WebInspect, etc.) to identify potential security vulnerabilities for web applications. Scanning can be performed from outside the network perimeter (DMZ), inside the perimeter, or both.

(Price for service will be impacted by the number and complexity of the organization's web applications in scope for scanning and whether scanning will be external, internal, or both. Price will be determined by blended hourly rate times level of effort/hours. MSRP is blended hourly rate.)

Social Engineering Testing

Perform social engineering testing. Social engineering attacks take place on two levels: physical and psychological. Regardless of the method used, the main objective is to convince the person disclosing the information that the social engineer is in fact a person they can trust with sensitive information. We focus on both the physical and psychological aspects of social engineering. We use a variety of techniques to test for security weaknesses, which could include, but are not limited to: footprinting to gather information for exploitation; impersonation and persuasion, such as impersonating help desk personnel to persuade users to provide system credentials; Internet/intranet/email spoofing, such as email phishing; sanitation reconnaissance ("dumpster diving"); and use of "media drops", such as planting USB devices.

(Price for service will be impacted by the size and complexity of the organization including the number of locations and employees to be tested. Price will be determined by blended hourly rate times level of effort/hours. MSRP is blended hourly rate.)