RFP - Network Security Audit and Vulnerability Assessment

Background
The Atlanta Regional Commission (ARC) is seeking proposals from qualified independent service providers to conduct a Network Security Audit and Vulnerability Assessment. The ARC's Information Technology Group aims to enhance the security, reliability, and availability of the Agency's data through this assessment. The goal is to evaluate the maturity of the Agency’s information security program and provide expert insights for future improvements.

Work Details
The selected service provider will perform a comprehensive Network Security Audit and Vulnerability Assessment that includes:

1. Edge Security: Conducting ping sweeps, port scans, vulnerability scans, reviewing firewall policies, and auditing edge security devices.

2. Network Security: Reviewing switch configurations, internal firewalls, encryption measures, wireless security settings, and intrusion detection systems.

3. Systems Security: Performing internal IP address scans, reviewing server configurations for unnecessary services, patch management solutions, endpoint protection applications, and file share permissions.

4. Access Management: Evaluating authentication methods, domain group memberships for high-privilege groups, password policies, and remote access security.

5. Disaster Recovery: Conducting tabletop exercises and full disaster recovery drills to assess recovery strategies and incident response plans.

Deliverables include a findings document detailing identified vulnerabilities with risk levels assigned; a risk analysis with recommendations; a Security Roadmap for technology improvements over the next 24-36 months; presentations to the executive team; 30-day vulnerability assessments; full disaster recovery drills; and tabletop exercises.

Period of Performance
The project is expected to be completed within 30 days for the vulnerability risk assessment and disaster recovery exercises extending through the end of the year.

Place of Performance
The contract will be performed at the Atlanta Regional Commission's facilities located in Atlanta, Georgia.

Bidder Requirements
Proposers must have Computer Information Security Audit (CISA) certified security experts or equivalent certifications. They are required to submit an executive summary outlining their proposal along with qualifications and experience on similar projects with references from at least three former customers within the past five years. Proposals must also include a detailed budget breakdown in Exhibit B format.