System quality assurance assessment and review services | Tenderlake


Contract Value:
-
Notice Type:
Contract Notice
Published Date:
30 October 2020
Closing Date:
30 November 2020
Location(s):
DE7 HESSEN (DE Germany/DEUTSCHLAND)
Description:
Pentests 2020

To technically verify the IT security level and to identify vulnerabilities in the IT systems of ekom21 (web apps, applications, networks, products, ...), IT penetration tests must be carried out. The aim of these investigations is to find technical vulnerabilities in the IT systems that, in the event of a cyber attack, could potentially cause damage to or negatively affect the business processes of ekom21.

In a penetration test, the security level is checked by attempting to use vulnerabilities to gain system access that should be technically prevented. This is also intended to demonstrate whether the measures implemented for the technical protection of the IT systems actually provide the expected level of protection.

Penetration tests are used to check whether the target application is vulnerable to a potential attacker and whether it is possible to manipulate the target application or to penetrate the system.

These analyses are coordinated in advance with the responsible persons, IT security managers and IT service providers of the relevant procedures, and their execution is supervised.

Cyber attacks are increasing worldwide. ekom21 - KGRZ Hessen (hereinafter: ekom21) cannot escape this trend either and is increasingly the target of directed cyber attacks. In addition to prevention, measures to detect and respond to such targeted cyber attacks, in order to protect IT-supported business processes, are becoming increasingly important.

Cyber attacks usually exploit existing security gaps in IT systems, so ekom21 must systematically ensure that existing vulnerabilities are searched for regularly and then eliminated promptly, before they can be exploited by attackers.

In addition, ekom21 must sustainably improve its response capabilities and analysis options in the event of successful cyber attacks, in order to avoid or minimize damage to business processes.

For this reason, there is a need for security services such as the performance of penetration tests in the following service areas:

- planning and performance of IS penetration tests,
- planning and performance of IS web checks,
- IS short revisions,
- regression tests on previously performed penetration tests,
- technical security audits,
- creation of penetration test result reports and result presentations,
- individual security advice.

Approximately 120 person-days per year can be expected.

The tests are to be carried out exclusively by the contractor's own employees; the use of subcontractors and/or external specialists is not permitted.

The qualification of the employees (pentesters) is to be documented according to the data sheet Datenblatt_Mitarbeiter Qualität.xlsx.

As part of the engagement, it is not desired to provoke operational errors by covert work or deception of employees, or to obtain information in such a way (no social engineering).

The penetration tests are usually carried out via the Internet, via a VPN connection provided by the customer, or at the customer's location, in close coordination with representatives of the respective business area / service center. In some cases, the testers may need to be present on site (company locations in Kassel, Gießen and Darmstadt), e.g. for the WLAN module.

When making a request to the contractor, the client provides an estimate of the duration of the penetration test. This should make it possible to submit an offer within 5 working days. The estimated duration may be exceeded or undercut in the actual penetration test if necessary. If the client has not specified a time frame, the test must be carried out within the next 4 weeks.

The results of the tests must be explained and assessed in a German-language final report. A detailed description, including the relevant technical parameters, is always required. During the analysis, each vulnerability found is to be rated with a CVSS vector. Results that come from pure vulnerability scans must be marked as such. Automatically found vulnerabilities should be verified, and the report must state how this was done. If verification is not possible in individual cases, this must be stated explicitly. For each vulnerability described, the possible attack vectors and the exploitability should be described. More detailed documentation requirements are defined in Section 6.

In addition, if required, final presentations for subject-matter and technical specialists and for representatives of management are to be held on site. Communication takes place in German.

Electronic communication by email must be encrypted (using S/MIME or PGP) when sensitive information is exchanged between the customer and the contractor.

The client provides a web application for the exchange of data, which must be used.

The results of the penetration tests carried out must be treated confidentially, and the principle of data minimization must be observed. All work results are to be transmitted by the contractor to the client and then immediately and securely deleted. The test reports are exempt from this, as they may, for example, serve as the basis for subsequent tests.

The Buyer:
ekom21 – Kommunales Gebietsrechenzentrum Hessen
CPV Code(s):
72225000 - System quality assurance assessment and review services