15-074 IT Health Check

Description

RMBC requires the provision of an annual IT Health Check [ITHC] to meet requirement CHE.1 of the Public Services Network Code of Connection annex b v2.7, and relevant updates or amendments to the code. RMBC also requires the provision of a service that meets the requirement 11.2 of the PCI DSS. RMBC are looking for an integrated Information Assurance & Security service to include the provision of annual ITHC in line with CESG recommendations, compliance, vulnerability and risk management platform, log-forwarding, log storage and event management to meet GPG13 PMCs & an integrated vulnerability scanning provision. The winning bidder will also be the preferred supplier of ad-hoc application security testing, cyber essentials testing, QSA for PCI-DSS and consultant on all ICT security issues. The Public Services Network Code of Connection requires that Organisations shall implement an annual programme of IT Health Checks to validate equipment not provided as part of a PSN service that interacts with PSN services. Services to be included are: · Provision of advice on required scope for ITHC to meet PSN and PCI DSS. · Social Engineering/Physical Security Summary · Onsite Internal IT Penetration Test - to include automated scanning AND ethical exploitation of known vulnerabilities performed by CHECK qualified team leader · Desktop Build Review · Wireless Security Testing · Server Build Review · PSN Firewall Rule-set Review · Network Segregation review · External penetration test to include automated scanning AND ethical exploitation of known vulnerabilities performed by CHECK qualified team leader · Integrated management application platform · Provision of written reports detailing vulnerabilities and solution to each vulnerability found · Provision of risk based score for each vulnerability discovered and ranking of risks · Provision of report showing findings suitable for presentation as evidence to Cabinet Office Information Assurance Assessors · Provision of hosting where Health Check reports can be accessed · Provision of risk management action tracking facility to include identification of person or group responsible for action on each risk, action taken and impact of remediation