The Bavarian State Ministry for Education and Culture requires IT security services. The demand is divided into two lots as follows.

• Lot 1: IT security consulting (ITSC)

Advisory support in the development of security concepts and operational implementation and

Monitoring security requirements:

o Cybersecurity

o IT security (ISO 27K)

o Data protection (GDPR)

• Lot 2: Security testing (hereinafter SITE)

Carrying out security tests and supporting the implementation of necessary

security measures

Lot 1: IT security consulting (ITSC)

IT Security Consulting (ITSC) advises the AG's departmental security officer and provides advisory and operational advice on substantive issues

to the side. The ITSC role includes the following tasks:

• Assistance in describing security requirements in the preparation of tender documents

in further digitalization projects of the StMUK in cooperation with the departmental ISB

• Development of security concepts in accordance with BSI basic IT protection

• Support with data protection issues, e.g. in conjunction with the GDPR

• Support in the creation of data protection concepts, data protection impact assessment, etc.

• Support for the ISB in carrying out the basic IT protection check (programming requirements to ensure the necessary cyber security levels)

• Development and establishment of security-relevant processes in accordance with BSI basic IT protection

• Verification of the overall documentation of the solutions for compliance with the BSI IT baseline protection

• Execution of internal audits

• Auditing of the implementation of ISO 27k requirements by commissioned ext. Service provider in cooperation with the CISO/IT security officer

Lot 2: Security Testing Tasks (SITE)

The SITE carries out security tests for IT services responsible by the client. The SITE role includes the following tasks:

• Examination of IT security (cyber security) of applications and software services (penetration tests, greytesting, white testing of web applications and mobile applications of various operating systems (in particular iOS, Android, Windows, macOS))

• Support with acceptance tests

• Analysis and evaluation of security gaps in the solutions using IT forensic methods

• Advising software developers on correcting security gaps

• Advising software developers on the elimination of security vulnerabilities as part of PEN tests (=external perspective) through insights into the software architecture (=inside view)