Office of Rail and Road

Penetration testing - ORR Network

Incomplete applications: 24 (20 SME, 4 large)
Completed applications: 15 (13 SME, 2 large)
Important dates
Published: Friday 27 September 2019
Deadline for asking questions: Friday 4 October 2019 at 11:59pm GMT
Closing date for applications: Friday 11 October 2019 at 11:59pm GMT

Overview
Specialist role: Cyber security consultant
Summary of the work: Penetration testing required. ORR requires penetration testing of its network. The work will involve all areas of ORR's network, including cloud applications.
Latest start date: Monday 13 January 2020
Expected contract length: No longer than a month?
Location: London
Organisation the work is for: Office of Rail and Road
Maximum day rate:

About the work
Early market engagement:
Who the specialist will work with: Working for the Security Manager and with the Service Delivery Manager and Technical Services Manager.
What the specialist will work on: Carry out penetration testing across ORR's network, including cloud applications.

Work setup
Address where the work will take place: ORR HQ is in London, but we also have 5 other locations.
Working arrangements: A period of time working with the team on-site at HQ, drafting the report (off-site), and then presenting the findings on-site at HQ. May include a check from one of the regional locations.
Security clearance: At least government baseline.

Additional information
Additional terms and conditions: Organisations bidding for the work will need to be CHECK accredited.

Skills and experience

Buyers will use the essential and nice-to-have skills and experience to help them evaluate suppliers' technical competence.

Essential skills and experience
  • Excellent understanding of mixed cloud and on-premise networks
  • Good knowledge of NCSC security principles and best practice
Nice-to-have skills and experience
  • Knowledge of HMG baseline cyber security standards
  • Experience of working with small government or public sector organisations

How suppliers will be evaluated
How many specialists to evaluate: 3
Cultural fit criteria
  • Ability to work with our technical team (2 members) against a background of daily operational priorities.
  • Confident and with good communication skills.
Assessment methods: Work history
Evaluation weighting
  • Technical competence: 40%
  • Cultural fit: 20%
  • Price: 40%

Questions asked by suppliers

1. Is there an incumbent supplier?
   There is no incumbent supplier.
2. Does this role sit inside or outside of IR35?
   We envisage that this service is provided by a company, possibly a lead contractor, and would be outside of IR35.
3. Will government help the specialist to acquire baseline minimum security clearance?
   No, the contractor involved should have the requisite clearance. Baseline clearance is through a DBS check.
4. Questions regarding internal and external infrastructure (combined).
   External infrastructure
   • Number of active Internet-facing IP addresses? We have 4 external-facing IPs.
   • Types of publicly accessible services (e.g. FTP, SFTP, SMTP)? Just SMTP.
   Internal infrastructure
   • Number of workstations? We have 350 workstations on the network.
   • Number of servers? We have 7 physical servers and a number of VMs.
   • Which operating systems are in use? Windows 10, Windows Server 2008, 2012, 2016.
   • Is the network segmented or flat? It is segmented.
     o Can all networks/VLANs in scope be accessed from one network point? Yes, this is possible.
5. Further information regarding internal infrastructure (2).
     o Number of networks/VLANs in scope? We have 10.
   • Is there any wireless capability? Yes, there is.
     o Number of access points? There are around 30 APs.
     o Number of SSIDs broadcast? There are 4 available.
     o What types of authentication are in use, if any? WPA2, captive web portal back to a RADIUS server.
   • Where is the geographical location of the internal environment? Around the UK.
     o If there are multiple sites, where are the locations for each? London, Manchester, Birmingham, York, Bristol, York.
     o Can all locations be accessed from one main site? Yes, they can be accessed.
6. Information on firewalls etc. (from question). Firewall review / rulebase review
   • Number of firewalls, including brands? There are 9 firewalls in total.
   • Is the requirement for a full firewall configuration review and/or a rulebase review? It is for both.
   • Number of rules per rulebase/firewall? 30.
7. Answers to questions around external architecture - Azure. Azure infrastructure
   Networking
   • Number of virtual networks? There are 2.
   • Number of Network Security Groups (Azure FWs)? There are 5.
   • Number of user security groups? 0.
   • Network diagrams? Not at this stage.
   • Can this network be accessed from an on-premise environment? Yes, it can be accessed.
8. Questions about external architecture - Azure and networking.
   Compute
   • Number of VMs within the Azure tenancy? Around 40 VMs.
     o Are they custom built or deployed from within the Azure VM pool (e.g. Palo Alto VMs etc.)? Mostly customer built.
   AWS infrastructure
   Networking
   • Number of VPCs? Not applicable.
   • Number of security groups? Not applicable.
   • Number of network ACLs? Not applicable.
   • Network diagrams? Not applicable.
   • Can this network be accessed from an on-premise environment? Not applicable.
   Compute
   • Number of EC2/Lightsail servers? Not applicable.
9. You mention that 'ORR HQ is in London but we also have 5 other locations'. Could you please advise where the other 5 locations are? Are they all UK based?
   We have offices in the city centres of the following locations in addition to our London HQ:
   • Bristol
   • Birmingham
   • York
   • Manchester
   • Glasgow
   These are all between 15 and 25 people. No non-UK offices.