Awarded to Information Risk Management Plc

Start date: Monday 5 October 2020
Value: £8,750
Company size: SME

The Queen's University Belfast

Penetration Testing

16 Incomplete applications

15 SME, 1 large

14 Completed applications

12 SME, 2 large

• Published: Tuesday 1 September 2020
• Deadline for asking questions: Tuesday 8 September 2020 at 11:59pm GMT
• Closing date for applications: Tuesday 15 September 2020 at 11:59pm GMT

Overview

• Specialist role: Cyber security consultant
• Summary of the work: Penetration testing of up to 20 external targets using black box testing techniques followed by testing of up to 200 internal targets, including one critical business system, using white box testing techniques. Testing to include a mix of on and off-site working.
• Latest start date: Friday 29 January 2021
• Expected contract length: 10 days
• Location: Northern Ireland
• Organisation the work is for: The Queen's University Belfast
• Maximum day rate: Maximum daily rate of £2000 to include travel and subsistence costs.

About the work

• Who the specialist will work with: Data Security Manager and Systems Admins where appropriate.
• What the specialist will work on: Complete penetration testing of external and internal targets within the Queen's University Belfast infrastructure.

Work setup

• Address where the work will take place: Belfast, Northern Ireland and remotely.
• Working arrangements: Work remotely on external testing and report writing.; Work onsite in Belfast on internal testing.; Expenses to be included in per day costs.
• Security clearance: Tester to have basic UK security clearance.

Additional information

• Additional terms and conditions: Tester must be a CHECK Team Leader.

Skills and experience

Buyers will use the essential and nice-to-have skills and experience to help them evaluate suppliers’ technical competence.

• Essential skills and experience:
  • be a CHECK Team Leader
  • have experience of testing in a large network >10000 endpoints

How suppliers will be evaluated

All suppliers will be asked to provide a work history.

• How many specialists to evaluate: 6
• Cultural fit criteria:
  • be able to work with multiple teams in the University
  • be comfortable communicating with senior management
• Evaluation weighting:

  Technical competence

  10%

  Cultural fit

  5%

  Price

  85%

Questions asked by suppliers

• 1. Is there a current or preferred incumbent for this work please?: There is no incumbent nor indeed any preference for a provider of this work.
• 2. You mention "Tester to have basic UK security clearance", does this mean DBS or SC?: We would expect that the tester has a basic security check status e.g. CRC, but the requirement is for a CHECK certified tester, so will have a higher security clearance by default.
• 3. The rate is also a max of £2k/day but the weighting is 85% dependent on price. Please can we have further clarification on your expectations?: Expectations are that we will get a supplier under the max daily rate.
• 4. Please clarify "basic security clearance". Will you accept a DBS check?: This question was answered previously.
• 5. Do you have a methodology you want followed, which shows the scope and attack methods you want to see? Also re the suggested short timescale are you looking for a team rather than a indivudal?: We accept that the scope of testing is limited by budget and time, and we will discuss the scope before work commences, but the outcome of testing should be the identification of as many vulnerabilities as possible by whatever attack methods the supplier recommends. Preference would be for an individual to complete testing, but open to other options if this potentially provides a better outcome.
• 6. Our maximum day rate on the digital marketplace portal is below the proposed rate we intend to input hence we are not allowed to proceed. How do we fix this? Can we send our response via email?: This is a question you need to ask the Digital Marketplace, I am not an expert on the rules of this portal.
• 7. Would you be open to using a remote testing virtual appliance instead of physical on-site presence for the internal segment of the test?: No we already have such a capability.
• 8. Do you require a CHECK report?: NO the CHECK team leader status is purely to assure competence and experience.
• 9. Do you require a CHECK report?: No the Check team leader status is purely to assure competence and experience.
• 10. What is the proportion of onsite work?: We expect this to be about 90% of the volume of the work.
• 11. The essential skills state that the Specialist must be a Check Team Leader. Would CREST be an acceptable substitute?: No
• 12. Could you confirm if a CHECK Team Member would be sufficient to provide this testing capability, or are you specifically looking to take on a CHECK Team Leader for this?: We are you specifically looking for a CHECK Team Leader to do this work.
• 13. Can you confirm IF there is a preference for the CHECK Team leader to be infrastructure or web applications focus? Thank you.: Infrastructure would be preferable.
• 14. Please can we ask your reason for listing CHECK TL creds but no mention of CREST. As nowadays, the only organisations that require CHECK are central government offices.we have CREST, which is widely accepted as being equivalent and better in many ways. Is this acceptable to the Queen’s University Belfast?: The requirement here is for a CHECK team leader