PART II SCHEDULE

SECTION   TITLE
D         Scope of Work
E         Special Terms and Conditions

RFP No. 016-020 Risk and Security Assessment of VRE’s Bandwidth and Network Infrastructure
Virginia Railway Express

SECTION D SCOPE OF WORK

D.1 OVERVIEW

A. The Contractor shall provide all labor, supervision, materials, supplies and transportation to complete the Scope of Work to the satisfaction of VRE.

B. The Contractor shall ensure compliance with Payment Card Industry (PCI) standards, as well as Federal Information Processing Standards (FIPS) 199 and National Institute of Standards and Technology (NIST) 800-53r4.

C. In the performance of this Contract, the Contractor shall comply with ATTACHMENT V.1 – GENERAL TERMS AND CONDITIONS included herein.

D.2 GENERAL REQUIREMENTS

A. The Contractor shall provide a plan to optimize and enhance VRE’s critical network infrastructure and perform a risk and security assessment.

B. A testing schedule must be coordinated with the VRE Project Manager prior to commencing work. Intrusive testing shall not be performed by the Contractor between the hours of 4:00 A.M. to 10:00 A.M. and 12:00 P.M. to 9:00 P.M. EST, Monday through Friday.

C. The work shall be performed by the Contractor in three (3) phases as follows:
   1. Data collection, documentation and analysis;
   2. Strategic recommendations, implementation and remediation plans and capital expenditure estimates; and
   3. Cyber security training and education program.

D.3 PHASE 1 – DATA COLLECTION, DOCUMENTATION AND ANALYSIS

A. Local Area Network (LAN) Assessment

   The Contractor shall perform the following tasks:

   1. Create a comprehensive asset inventory of VRE LAN infrastructure hardware, providing the base data for many functions and analyses, including asset management, bandwidth utilization and disaster recovery. The asset inventory shall be submitted to VRE in Microsoft Excel format.
   2. Conduct a site visit to perform visual inspections of all locations and facilities, conduct staff interviews and use approved industry standard tools to perform cyber-based network mapping.
   3. Create detailed physical and logical network maps.
   4. Provide Microsoft Visio drawings of the LAN infrastructure to include physical rack location drawings along with physical and logical network maps.
   5. Analyze the data collected against current industry standards and best practices to identify areas for improving LAN operations.

B. Wide Area Network (WAN) Assessment

   The Contractor shall perform the following tasks:

   1. Create a comprehensive asset inventory of VRE WAN infrastructure hardware and communication circuits, providing the base data for many functions and analyses, including asset management, bandwidth utilization and disaster recovery. The asset inventory shall be submitted to VRE in Microsoft Excel format.
   2. Conduct a site visit to perform visual inspections of all locations and facilities, conduct staff interviews and use approved industry standard tools to perform cyber-based network mapping.
   3. Create detailed physical and logical network maps.
   4. Provide Microsoft Visio drawings of the WAN infrastructure to include physical rack location drawings along with physical and logical network maps.
   5. Analyze the data collected against current industry standards and best practices to identify areas for optimizing WAN services between VRE locations.

C. Cyber Security/Resiliency Assessment

   The Contractor shall perform the following tasks:

   1. Assess the risks to critical IT functions identified within VRE’s infrastructure, to include a social engineering attack test.
   2. Evaluate the IT security of VRE’s internal and external networks to include PCI-DSS infrastructure.
   3. Examine the capabilities VRE currently possesses to prevent, detect, absorb and respond to the risks identified. This assessment shall examine the capabilities that exist within VRE, including staff with specialized training and knowledge, as well as physical assets.
   4. Analyze the findings from the Risk and Vulnerability Assessment, Penetration Testing and Capabilities Assessment against current industry standards and best practices to identify gaps in VRE’s overall cyber security and resiliency posture.

D.4 PHASE 2 – STRATEGIC RECOMMENDATIONS, IMPLEMENTATION AND REMEDIATION PLANS AND CAPITAL EXPENDITURE ESTIMATES

A. Local Area Network (LAN) Assessment

   Using the information collected in Phase 1, the Contractor shall perform the following tasks:

   1. Provide the findings of the assessment in a LAN Infrastructure Gap Analysis Report. The report shall include the following:
      a. Strategic recommendations for improvement, including estimates for capital expenditures.
      b. Consideration for core business applications, e.g., payment processing, Voice over Internet Protocol (VoIP), security cameras and disaster recovery.
   2. Develop a prioritized Remediation Plan to resolve deficiencies and optimize VRE’s LAN infrastructure.
   3. Present the Remediation Plan to VRE key personnel, including executive-level management, and discuss the findings, strategic recommendations and next steps to advance this project.

B. Wide Area Network (WAN) Assessment

   Using the information collected in Phase 1, the Contractor shall perform the following tasks:

   1. Provide the findings of the assessment in a WAN Infrastructure Gap Analysis Report. The report shall include the following:
      a. Strategic recommendations for improvement, including estimates for capital expenditures.
      b. Consideration for core business applications, e.g., payment processing, VoIP, security cameras and disaster recovery.
   2. Develop a prioritized Remediation Plan to resolve deficiencies identified and optimize VRE’s WAN infrastructure.
   3. Present the Remediation Plan to VRE key personnel, including executive-level management, and discuss the findings, strategic recommendations and next steps to advance this project.

C. Cyber Security/Resiliency Assessment

   Using the information collected in Phase 1, the Contractor shall perform the following tasks:

   1. Provide the findings of the assessment in a Cyber Security Risk and Vulnerability Gap Analysis Report. The report shall include the following:
      a. Potential cyber-related risks to VRE.
      b. VRE’s current capabilities to respond to and recover from risk and cyber disruptions.
      c. Recommendations on how to improve overall cyber security and resiliency within VRE’s cyber infrastructure.
   2. Develop a Remediation Plan to mitigate or prevent identified security and resiliency risks and vulnerabilities within VRE’s cyber networks.
   3. Present the Remediation Plan to VRE key personnel, including executive-level management, and discuss the findings, strategic recommendations and next steps to advance this project.

D.5 PHASE 3 – CYBER SECURITY TRAINING AND EDUCATION PROGRAM

The Contractor shall perform the following tasks:

A. Work with VRE to develop an effective cyber security training and education program for VRE staff. The training and education program shall be based on a combination of findings and industry trends and shall be designed as role-based.

B. Plan and conduct two (2) cyber security related workshops to educate VRE staff about the importance of safe cyber practices. These workshops shall include Subject-Matter Experts (SME) and information about current best practices in cyber security.

C. Develop a social engineering test program to educate VRE staff in recognizing and reporting malicious phishing and social engineering attempts.

D. Develop a training program to teach VRE staff cyber practices and raise awareness of risky behavior. The program shall include a method for tracking compliance among VRE staff so that VRE can maintain annual training.