Office of Rail and Road

Penetration testing - ORR Network

24 Incomplete applications

20 SME, 4 large

15 Completed applications

13 SME, 2 large

Important dates

Friday 27 September 2019
Deadline for asking questions: Friday 4 October 2019 at 11:59pm GMT
Closing date for applications: Friday 11 October 2019 at 11:59pm GMT


Specialist role
Cyber security consultant
Summary of the work
Penetration testing required. ORR requires penetration testing of its network; the work will cover all areas of ORR's network, including cloud applications.
Latest start date
Monday 13 January 2020
Expected contract length
No longer than a month?
Organisation the work is for
Office of Rail and Road
Maximum day rate

About the work

Early market engagement
Who the specialist will work with
Working for the Security manager and with the Service delivery manager and Technical services manager
What the specialist will work on
Carry out penetration testing across ORR's network, including cloud applications.

Work setup

Address where the work will take place
ORR HQ is in London but we also have 5 other locations.
Working arrangements
A period of time working with the team on-site at HQ, drafting the report (off-site) and then presenting the findings on-site at HQ. May include a check from one of the regional locations.
Security clearance
At least government baseline.

Additional information

Additional terms and conditions
The organisation bidding for the work will need to be CHECK accredited.

Skills and experience

Buyers will use the essential and nice-to-have skills and experience to help them evaluate suppliers’ technical competence.

Essential skills and experience
  • Excellent understanding of mixed cloud and on-premise networks
  • Good knowledge of NCSC security principles and best practice
Nice-to-have skills and experience
  • Knowledge of HMG baseline cyber security standards
  • Experience of working with small government or public sector organisations

How suppliers will be evaluated

How many specialists to evaluate
Cultural fit criteria
  • Ability to work with our technical team (2 members) against a background of daily operational priorities.
  • Confident and with good communications skills.
Assessment methods
Work history
Evaluation weighting

Technical competence

Cultural fit

Questions asked by suppliers

1. Is there an incumbent supplier?
There is no incumbent supplier.
2. Does this role sit inside or outside of IR35?
We envisage that this service is provided by a company, possibly a lead contractor, and would be outside of IR35.
3. Will government help the specialist to acquire baseline minimum security clearance?
No. The contractor involved should have the requisite clearance. Baseline clearance is through a DBS check.
4. Questions regarding external and internal infrastructure (combined)
External infrastructure
• Number of active Internet-facing IP addresses? We have 4 external-facing IPs
• Types of publicly accessible services (e.g. FTP, SFTP, SMTP)? Just SMTP
Internal infrastructure
• Number of workstations? We have 350 workstations on the network
• Number of servers? We have 7 physical servers and a number of VMs
• Which operating systems are in use? Windows 10, Windows Server 2008, 2012, 2016
• Is the network segmented or flat? It is segmented
  ◦ Can all networks/VLANs in scope be accessed from one network point? Yes, this is possible
5. Further information regarding internal infrastructure (2):
  ◦ Number of networks/VLANs in scope? We have 10
• Is there any wireless capability? Yes, there is
  ◦ Number of access points? There are around 30 APs
  ◦ Number of SSIDs broadcast? There are 4 available
  ◦ What types of authentication are in use, if any? WPA2, captive web portal back to a RADIUS server
• Where is the geographical location of the internal environment? Around the UK
  ◦ If there are multiple sites, where are the locations for each? London, Manchester, Birmingham, York, Bristol, York
  ◦ Can all locations be accessed from one main site? Yes, they can be accessed
6. Information on firewalls etc. (from question)
Firewall review/rulebase review
• Number of firewalls, including brands? There are 9 firewalls in total
• Is the requirement for a full firewall configuration review and/or a rulebase review? It is for both
• Number of rules per rulebase/firewall? 30
7. Answers to questions around external architecture - Azure
Azure infrastructure
• Number of virtual networks? There are 2
• Number of Network Security Groups (Azure FWs)? There are 5
• Number of user security groups? 0
• Network diagrams? Not at this stage
• Can this network be accessed from an on-premise environment? Yes, it can be accessed
8. Questions about external architecture - Azure and networking
• Number of VMs within the Azure tenancy? Around 40 VMs
  ◦ Are they custom built or deployed from within the Azure VM pool (e.g. Palo Alto VMs etc.)? Mostly custom built
AWS infrastructure
• Number of VPCs? Not applicable
• Number of security groups? Not applicable
• Number of network ACLs? Not applicable
• Network diagrams? Not applicable
• Can this network be accessed from an on-premise environment? Not applicable
• Number of EC2/Lightsail servers? Not applicable
9. You mention that 'ORR HQ is in London but we also have 5 other locations'. Could you please advise where the other 5 locations are? Are they all UK based?
We have offices in the city centres of the following locations in addition to our London HQ.
These are all between 15 and 25 people. No non-UK offices.