
PHILADELPHIA GAS WORKS

Information Security Assessment and Testing Services

RFP#30198

Questions & Answers

December 4, 2015

www.pgworks.com Page 1 of 19

QUESTIONS ANSWERS

Q1 What is the goal of testing?
A1 We engage in this type of testing to promote our own best practices and ensure our security posture is as it should be.

Q2 No. of active IPs (internal):
A2 To be updated

Q3 Number of servers:
A3 To be updated

Q4 Type of Operating Systems deployed on servers?
A4 Due to security concerns, PGW will not provide this information and post it on the website at this time. It may be provided to the successful proposer.

Q5 Number of network devices (est.):
A5 Due to security concerns, PGW will not provide this information and post it on the website at this time. It may be provided to the successful proposer.

Q6 Is internal penetration/vulnerability testing to be white box (fully informed, regular User), or black box (visitor no rights, etc.), or a combination?
A6 It will be a combination of white box and black box testing.

Q7 Number of desktops/laptops? How many images/builds?
A7 No more than 1000 desktops/laptops. No more than 5 images.

Q8 What Operating System is deployed on the laptops that will be assessed?
A8 Due to security concerns, PGW will not provide this information and post it on the website at this time. It may be provided to the successful proposer.

Q9 Is an IDS/IPS device in place on the network? If so, type and IP?
A9 Due to security concerns, PGW will not provide this information and post it on the website at this time. It may be provided to the successful proposer.

Q10 Configuration Reviews or Scope Honing for Penetration Testing: Detailed internal information can be helpful in honing the scope of an internal assessment. Are there standard images for system types? If so, how many? Hosts/Servers?
Configuration Audit
Total Number of Servers: [x]
Windows
Number of servers: [x]
Percentage of servers to be tested: [x]
Number of workstations: [x]
Percentage of workstations to be tested: [x]
Number of domain controllers: [x]
A10 Refer to A7

Q11 For the external network, how big are the network segments and about how many active IP addresses are there?
A11 One segment

Q12 For the internal network, including servers, databases, desktops, networking devices and the VoIP system, how large are PGW’s network segments and about how many active IP addresses are there?
A12 Refer to A2

Q13 How many web applications are in scope for the assessment? For each web application, please provide the following:
a. Is it remotely accessible?
b. How many different user roles exist?
c. About how many different / unique pages exist within the application?
A13 3 Web applications.
a. All are remotely accessible.
b. 1 to 2 user roles for each application
c. Not exceeding 30 pages for each application

Q14 For the physical security vulnerabilities, how many locations will be included in the scope of the assessment? Approximately how big is each location?
A14 5 locations

Q15 Approximately how many sites are included that have Wi-Fi that would be included in the assessment?
A15 One floor in one building

Q16 Is social engineering (i.e. phishing, phone calls, in person, etc.) considered in-scope for this assessment?
A16 In person only. NO Phishing and NO phone calls.

Q17 Please provide the total number of external systems that are in scope.
A17 Refer to A11

Q18 Please provide the total number of internal systems that are in scope.
A18 Refer to A2

Q19 Please provide the total number of physical locations.
A19 Refer to A14

Q20 Identify security vulnerabilities in servers, databases, desktops and network devices utilized by PGW’s corporate networks, which includes a VoIP system.
Q: Is the SCADA network managed and isolated from your business IP network?
Q: What Cloud Services are engaged by PGW? (ERP’s, CRM’s, SaaS, PaaS et al)
Q: What is the VOIP system used? (Broadsoft et al)
Q: Do you have Network Managed Services?
Q: What type of Security Products, i.e., Tripwire, OADM, IDS, RSA, are currently in use in the Environment?
Q: What are your OS Environments? Linux, MS Windows, Mainframe.
A20 SCADA is out of scope.
Due to security concerns, PGW will not provide the rest of the information and post it on the website at this time. It may be provided to the successful proposer.

Q21 Exploit these vulnerabilities to gain access to PGW’s computing environment and get as far as possible toward attaining Root or Domain Administrator access privileges.
Q: What is the Geographic dispersion that is in scope? Intra or Inter-State.
Q: What are the security Regulatory requirements (State and Federal for your industry – DHS) (Industry NIST, et al)?
Q: PEN TEST: After the initial External and Internal PEN tests and reports, do you want the remediation to be performed in item 8 and the re-test to only target testing of remediated issues, or do you want a full scope retest to ensure capture of any added changes since the initial test and any dynamic changes that may have been made in the interim time frame?
A21 Intra-state. All the locations are within city limits, 35 miles.
PGW is not under the direct guidance of any security regulation legislation.
Remediation is optional. If needed, only retest the remediated issues.

Q22 Demonstrate the attainment of elevated privileges and ability to export potentially sensitive data.
Q: When it comes to physical security, do you have documented Break-Glass procedures?
Q: Is your current Identity and access management framework documented and available?
Q: Is your current HR formal onboard and off-board documented and available?
Q: How many end users?
Q: Do you have a self-serve Password management system?
A22 Due to security concerns, PGW will not provide that information and post it on the website at this time. It may be provided to the successful proposer.

Q23 Identify security vulnerabilities in PGW’s web applications.
Q: Is there a documented and available Web architecture?
Q: Is Web application development Mobile outsourced?
A23 No
N/A

Q24 Identify physical security vulnerabilities by attempting access to computing hardware and sensitive information using social engineering techniques.
Q: What is the number of Business offices (How many locations in scope?)
Q: Is your Data center a co-location? If so
A24 Refer to A14

Q25 Please provide an approximate number for each of the following device types used by PGW and are considered in scope for this project.
Physical Servers
Virtual Servers
Desktop devices
Mobile devices
Wireless access points
Number of VoIP devices
Firewalls
Routers
Switches
A25 Refer to A3, A5 and A7

Q26 What types of mobile devices are used by PGW?
A26 N/A

Q27 How many network user accounts do you have?
A27 Due to security concerns, PGW will not provide this information and post it on the website at this time. It may be provided to the successful proposer.

Q28 How many web applications are considered in scope for this project?
A28 Refer to A13

Q29 The RFP states: “Proposer would be expected to test physical security controls at PGW’s main campus, gas plants, outlying stations and District Offices.”
Please describe the buildings that make up the PGW main campus.
How many gas plants are considered in scope of this project?
How many outlying stations are considered in scope of this project?
How many District Offices are considered in scope of this project?
A29 Refer to A14

Q30 Does PGW want an automated tool approach or a manual technique approach for the penetration testing?
A30 A combination of both

Q31 Does PGW want an automated tool review of the web applications? How many applications are there?
A31 No. Refer to A13

Q32 How many functional pages does each application have?
A32 Refer to A13

Q33 How does PGW want the physical penetration test conducted? What locations, if any, are off-limits?
A33 Refer to A16.
Due to security concerns, PGW will not provide this information and post it on the website at this time. It may be provided to the successful proposer.

Q34 Will the CVSS base score meet PGW’s requirements for an assessment of the level of risk for each vulnerability? Or are you looking for comprehensive risk scoring based on the CVSS score (vulnerability), threats, and in-place/effective controls?
A34 No specific requirement of the type of risk scoring

Q35 How many servers, databases, desktops, network devices are internal for testing?
A35 Refer to A3, A5 and A7

Q36 How many Gas Plants to visit and test, outlying stations, and district offices to visit and test?
A36 Refer to A14

Q37 VOIP - system vendor? Is the VOIP system segmented from the main network?
A37 Due to security concerns, PGW will not provide this information and post it on the website at this time. It may be provided to the successful proposer.

Q38 How does PGW evaluate current control practices?
A38 N/A

Q39 Under the risk assessment section, does PGW perform a risk assessment for each vulnerability discovered? Also, what rating system has PGW used in the past to establish the level of risk?
A39 Refer to A34

Q40 What is PGW’s estimated budget for the project?
A40 We decline to provide that information now.

Q41 What does your external gateway consist of? Please provide details.
A41 Due to security concerns, PGW will not provide this information and post it on the website at this time. It may be provided to the successful proposer.

Q42 Will SCADA be included or excluded in this assessment?
A42 SCADA will be excluded in this assessment.

Q43 For the mobile wireless access controls do you want the focus on cell phones also, or simply wireless?
A43 Wireless only

Q44 Testing physical security controls. Do you want people to obtain interior access beyond the initial physical entry point (that is, into restricted computer rooms, etc.) or simply attempt to access building facilities?
A44 Due to security concerns, PGW will not provide this information and post it on the website at this time. It will be provided to the successful proposer.

Q45 In the social engineering techniques item (Item 2.2, Number 5) do you want social engineering contained to the physical access component of the assessment, or do you also want a phishing test?
A45 Social engineering is contained to physical test only. Refer to A16

Q46 Do you want to determine at what level your incident detection system detects our activity? In this case this would mean that our activities would start stealthy and become noisier to understand at which point activities are detected. Would blocks be initiated by PGW if detected?
A46 The vendor would be expected to provide the IP addresses they are using for testing so that PGW can monitor the activities. Blocks will not be initiated.

Q47 Should we assume that no internal security assessment is desired, other than the physical and wireless tasks?
A47 Please refer to page 35 of RFP about Malicious Insider Phase.

Q48 Are there any compliance requirements driving this project?
A48 Refer to A21

Q50 For the external vulnerability and penetration test – How many active IP addresses are in scope?
A50 Refer to A11

Q51 How many data centers are there?
A51 Due to security concerns, PGW will not provide this information and post it on the website at this time. It may be provided to the successful proposer.

Q52 How many physical locations are there? How many locations have wireless access points?
A52 Refer to A14

Q53 What other wireless services besides WiFi are used by PGW? Please describe. Are they in scope?
A53 None

Q54 Are all Security Procedures and Policies centrally managed?
A54 Yes

Q55 How many individuals will need to be interviewed in order to collect relevant Policy and Procedure Information?
A55 No interview is needed.

Q56 RFP identifies ISO and NIST as a policy reference model. Is PGW sensitive to PCI and/or NERC control requirements?
A56 No

Q57 Will you provide address ranges?
A57 Yes

Q58 If not, would you like a Black Hat Test sequence executed?
A58 N/A

Q59 What is the number of IP's/Servers owned / in scope?
A59 Refer to A2, A3 and A7

Q60 What is the number of IP’s/Servers managed by another party?
A60 Due to security concerns, PGW will not provide this information and post it on the website at this time. It may be provided to the successful proposer.

Q61 What is the number of separate DMZs?
A61 Due to security concerns, PGW will not provide this information and post it on the website at this time. It may be provided to the successful proposer.

Q62 What is the number of IP's active within the scope?
A62 Refer to A2

Q63 What number of Web Applications and description (approx. # of pages, components)?
A63 Refer to A13

Q64 Is there a Mobile Device Management Solution in place? How many PDAs, etc. are in scope?
A64 N/A

Q65 Are there any Modems in scope?
A65 No

Q66 Are SCADA, Plant Controls, RTUs in scope? Please describe the environment including number and type of devices and locations.
A66 No

Q67 How many external WIFI environments exist? How many Wireless Access Points are deployed?
A67 Refer to A15

Q68 What is the number of IP's owned? How many subnets?
A68 Due to security concerns, PGW will not provide this information and post it on the website at this time. It may be provided to the successful proposer.

Q69 What is the number of Servers, Desktops?
A69 Refer to A3 and A7

Q70 How many VOIP/IPT Call Manager Servers are in place? Which vendor is used?
A70 Due to security concerns, PGW will not provide this information and post it on the website at this time. It may be provided to the successful proposer.

Q71 Is the Call Center IP enabled?
A71 Due to security concerns, PGW will not provide this information and post it on the website at this time. It may be provided to the successful proposer.

Q72 Are Wireless IP phones utilized?
A72 No

Q73 What is the number of IP's active?
A73 Refer to A2, A3 and A7

Q74 Wireless Testing:
A74

Q75 What are the # SSID's, WAPs & physical location(s)?
A75 Due to security concerns, PGW will not provide this information and post it on the website at this time. It may be provided to the successful proposer.

Q76 Social Engineering:
A76

Q77 What is the # of phishing targets?
A77 NO phishing test is required.

Q78 How many locations will require a physical security check?
A78 5 locations

Q79 Contract term is 1 year. How many optional “additional test sequences” are anticipated after delivery of initial findings and recommendations report?
A79 Refer to part 3 of A21

Q80 We are assuming that our questions and all questions asked by competing vendors will be shared with all vendors for clarity of scope for the RFP. Is this assumption correct?
A80 Yes

Q81 **2 - From the statement of requirements for the RFP, elements of Vulnerability Assessment Services, Penetration Test Services and Application Assessment Services are being requested. Is this the intent of PGW, or are you asking vendors to specifically focus on the Penetration Test Services? Will there be an opportunity in the telephone conference to further clarify intent?
A81 Vulnerability Assessment Services, Penetration Test Services and Application Assessment Services are requested. The vendor is expected to focus on all the three services. Refer to 2.2 section of RFP (page 6).
Yes

Q82 Is there a target completion date for the services provided or is this an item to be determined after contract is awarded?
A82 We expect the testing to start in 2016 as soon as the contract is signed. No specific end date. Based on past experience, the actual test should be finished within weeks.

Q83 Will presentations to PGW be at PGW premises? Will there be any time limit to presentations?
A83 Onsite presentations are not mandatory. The presentation should not exceed an hour.

Q84 Given question 2 above, is there a potential for scope changes within the life of the contract? Is there a change order process at PGW that vendors will be expected to follow, or should we provide our standard change order process?
A84 Yes, there is a potential for scope change. We can follow vendor’s change order process.

Q85 Depending on your response to question number **2 above, we have the following questions by service line that will enable us to properly answer your RFP.
External Penetration Test:
Number of Internet-facing IPs (how many total IP addresses do you have allocated on the Internet)?
Number of Internet-facing IPs in use (how many IP addresses have services listening on the Internet)?
Would you like the test to include social engineering (Email/Phone)?
A85 Refer to A2, A3, A7 and A11. NO Social Engineering via email and phone.

Q86 Internal Penetration testing:
Are all internal systems logically accessible from a single location?
If not, how many locations would need to be visited?
Would you like the test to include social engineering (physical)?
How many physical locations (buildings, campuses, etc.) will be tested?
A86 Yes
N/A
Yes
Refer to A14

Q87 General Questions:
What operating system platforms are in use (e.g., Windows, Linux, Netware)?
Approximate number of servers and workstations? (please map numbers to platforms above)
Approximate number of network devices (please map count to device type: routers, firewalls, switches, wireless APs/controllers, etc.)?
What vendor is your network hardware from (e.g., routers, firewalls, switches)?
How many total locations make up the organization? How many have server/storage infrastructure?
Are all internal systems logically accessible from a single location? If not, how many locations would need to be visited?
A87 Refer to A2, A3, A7, A11, A14, and A86.
Due to security concerns, PGW will not provide the rest of the information and post it on the website at this time. It may be provided to the successful proposer.

Q88 Application Assessment Questions:
How many applications are in scope for the assessment?
How many User Roles are in the application(s)?
A88 Refer to A13

Q89 Organizational Security:
Are you interested in a social engineering exercise? (Y/N)
Do you have documented policies and procedures? (Y/N)
Are you interested in a policies, procedures and practices assessment? (Y/N)
Are you interested in policies and procedures templates? (Y/N)
Are you interested in a Data Loss Prevention assessment? (Y/N)
Are you interested in a top-down, strategic risk assessment? (Y/N)
A89 Please refer to section 2.2 in RFP for scope of this project.

Q90 Platform Specific Security Assessment Questions:
Are you interested in in-depth, platform-specific security assessments? (Y/N - If yes, please answer the questions below)
Number of in-scope infrastructure devices (routers and firewalls) across all locations:
Number of in-scope Microsoft servers:
Number of in-scope Active Directory domains:
Number of in-scope virtual host servers:
A90 Yes
Due to security concerns, PGW will not provide the remaining information and post it on the website at this time. It may be provided to the successful proposer.

Q91 For web application vulnerabilities, is the proposer expected to identify vulnerabilities only or identify and exploit?
A91 We expect testers to exploit the identified vulnerabilities.

Q92 Will the web application pen testing be performed on a production network or test network?
A92 Production

Q93 The RFP mentions “mobile wireless access controls”. Was the intent to specify 802.11x (WiFi) type devices or specifically tablet and smart phone access? If tablet and smart phone access, which mobile operating systems are in scope (e.g. iOS, Android, etc.)?
A93 Wi-Fi only

Q94 When was the last like assessment done/completed and by whom?
A94 The last assessment was done in 2015.

Q95 Does vendor need certificate of good standing from State or City prior to award?
A95 No

Q96 Are any systems or devices in scope hosted by a third party?
A96 Due to security concerns, PGW will not provide the remaining information and post it on the website at this time. It may be provided to the successful proposer.

Q97 If IDS/IDP systems are in place, is the assessment also intended to test the responsiveness during this assessment? Or, will AT&T Consulting systems be configured as exceptions in the IDS/IPS?
A97 No exceptions will be created.

Q98 Are brute-force attacks and password cracking in scope?
A98 Yes

Q99 Are there any timing restrictions on the testing?
A99 No

Q100 Where will testing be performed?
A100 In our headquarters.

Q101 For the Database Vulnerability Assessment and Penetration assessments, how many databases need to be reviewed? (each instance counts as a separate database)
A101 Due to security concerns, PGW will not provide the information and post it on the website at this time. It may be provided to the successful proposer.

Q102 What is the name of the database (e.g., MS SQL 2005, Oracle 9i, etc.)?
A102 Due to security concerns, PGW will not provide the information and post it on the website at this time. It may be provided to the successful proposer.

Q103 What OS does this database run on? (e.g., Windows Server 2008, Windows XP, AIX, etc.)
A103 Due to security concerns, PGW will not provide the information and post it on the website at this time. It may be provided to the successful proposer.

Q104 What is the business significance of this database?
A104 Due to security concerns, PGW will not provide the information and post it on the website at this time. It may be provided to the successful proposer.

Q105 Will you be able to provide a read-only account (capable of reading all the security information on the database) to the vendor? This account will only be used for collecting security configuration information and will not be used for accessing the data contents.
A105 No

Q106 Is this area high density with other organizations, or more or less dedicated to one organization? For example, a deployment in a skyscraper may interact with many other companies.
A106 No

Q107 What types of traffic are traversing the Wireless LAN?
A107 Due to security concerns, PGW will not provide the information and post it on the website at this time. It may be provided to the successful proposer.

Q108 Who will be aware of the testing?
A108 Network and Security team

Q109 For the Application Vulnerability Assessment and Penetration Assessment, what are the application names?
A109 Due to security concerns, PGW will not provide the information and post it on the website at this time. It may be provided to the successful proposer.

Q110 What is the primary function of each application that will be included in the Application Vulnerability Assessment?
A110 Due to security concerns, PGW will not provide the information and post it on the website at this time. It may be provided to the successful proposer.

Q111 What is the type of application (web, Thick-client, etc.)?
A111 Web

Q112 Approximately how many pages/screens accept user input?
A112 No more than 30 screens

Q113 What is the network transport utilized? (Raw TCP/SSL)?
A113 Due to security concerns, PGW will not provide the information and post it on the website at this time. It may be provided to the successful proposer.

Q114 Considering the upcoming Holiday, would PGW consider extending the proposal due date to January 8, 2016?
A114 Yes

Q115 What is the anticipated number of personnel needed?
A115 No preference

Q116 Is offshore allowed?
A116 No

Q117 Will PGW be providing their own tools to scan the environment or will the vendor be required to provide these tools?
A117 Vendor will be required to provide tools.

Q118 Does PGW require the vendor to test the scripts in a lab environment before testing in the live environment? If so, will the test environment be provided by PGW?
A118 Vendor is not required to test the scripts in a lab environment.

Q119 Are there multiple/redundant environments in place that need to be tested simultaneously?
A119 No

Q120 Will the tests be conducted on the PGW production or the test or the development environment?
A120 Combination of all