Awarded to Prism Infosec

Start date: Monday 17 May 2021
Value: £3,500
Company size: SME
Office of Rail and Road

Penetration testing - ORR Network (Feb 21)

30 Incomplete applications

25 SME, 5 large

19 Completed applications

18 SME, 1 large

Important dates

Wednesday 20 January 2021
Deadline for asking questions
Wednesday 27 January 2021 at 11:59pm GMT
Closing date for applications
Wednesday 3 February 2021 at 11:59pm GMT


Specialist role
Cyber security consultant
Off-payroll (IR35) determination
Summary of the work
Non-Intrusive penetration testing required. ORR requires penetration testing of its network. The work will involve all areas of ORR's network including cloud applications.
Latest start date
Friday 19 February 2021
Expected contract length
5 days' work to be delivered over a 30-day period.
Organisation the work is for
Office of Rail and Road
Maximum day rate

About the work

Early market engagement
Who the specialist will work with
Working for the Security manager and with the Service delivery manager and Technical services manager
What the specialist will work on
Carry out penetration testing across ORR's network including cloud applications.

Work setup

Address where the work will take place
ORR HQ is in London but we also have 5 other locations.
Working arrangements
A period of time working with the team on-site at HQ. Drafting the report (offsite) and then presentation of the findings via VC. May include a check from one of the Regional locations (to be determined).
Security clearance
Security check equivalence by recognised provider.

Additional information

Additional terms and conditions
Organisation bidding for the work will need to be CHECK accredited.

Skills and experience

Buyers will use the essential and nice-to-have skills and experience to help them evaluate suppliers’ technical competence.

Essential skills and experience
  • Excellent understanding of mixed cloud and on-premise networks
  • Good knowledge of NCSC security principles and best practice
  • Must be able to return any media containing data collected during the testing.
Nice-to-have skills and experience
  • Knowledge of HMG baseline cyber security standards
  • Experience of working with small government or public sector organisations

How suppliers will be evaluated

All suppliers will be asked to provide a work history.

How many specialists to evaluate
Cultural fit criteria
  • Ability to work with our technical team (2 members) against a background of daily operational priorities.
  • Confident, with good communication skills.
Additional assessment methods
Evaluation weighting

Technical competence


Cultural fit




Questions asked by suppliers

1. Please confirm that you will accept bids from providers who have CREST and not necessarily CHECK accreditations as well.
Either CREST or CHECK will be acceptable.
2. Do you have an idea of the budget?
Under £5k.
3. What is the application stack for cloud applications?
Windows, Linux, ESX
4. What is the exact Security clearance that is needed?
Security Clearance or SC level in government speak from a recognised provider.
5. Is there an incumbent?
No, there is not.
6. Is a CREST or CHECK accreditation required to undertake this work?
Yes, it is.
7. How many devices are to be tested in the network infrastructure, i.e. number of servers, number of workstations, etc.? We don’t need the exact figure, but it would be good to know the scope.
There are around 10 servers that can be tested. We set up a laptop to be tested because we have no users in the office or on the ORR network.
8. Is a full report needed (or only the summary of findings)?
Full report.
9. Will the entire work be done offline or would you expect an on-site element?
Expected to be an on-site element.
10. The URL/IP address if publicly accessible.
Number of Firewalls including brands?
Number of rules per rulebase/firewall?
Please describe any infrastructure in the cloud including any always-on VPN connectivity?
Held for release when contract let.
11. Desktop Applications – if applicable.
All Standard applications from Microsoft.
12. Is the network segmented or flat?
It’s a flat network.
13. Can all networks/VLANs in scope be accessed from one network point?
14. Number of networks/VLANs in scope?
One network and one VLAN.
15. Number of workstations?
1 workstation will be made available.
16. Number of servers?
5 servers can be used for this exercise.
17. Which operating systems are in use?
Microsoft Windows on both servers and workstations.
18. Is there any Wireless capability?
19. Is the solution centrally configured?
20. Number of Access Points?
Approx. 15 APs.
21. Number of SSIDs broadcast? And are 2.4 GHz, 5 GHz, or both frequencies broadcast?
Both are broadcast, and just a password is required to access the Wi-Fi.
22. Desktop Applications – if applicable
All Standard applications from Microsoft
23. How are the applications accessed?
The applications are accessed via a VPN tunnel onto the ORR network
24. A brief summary on what the application is used for.
There are two applications: one is for data statistics and the other is for driver licenses.
25. What functionality exists before login, and approximate number of pages (e.g. login, register, forgotten password)?
The users log on via a VPN app on their laptops; this authenticates them on to the network, and from there they navigate either to the share or the URL. The URL has a landing page with all the details included, so user name, password, etc.
26. What functionality exists after login, and approximate number of pages (e.g. add to basket, payment, write blog post, account management – change password)?
There are around 30 pages after login that the user can access, and it is all information that is personal to a driver.
27. How many user roles are there and what additional functionality can they access?
The users have admin access to the URL so can change pretty much everything they wish.
28. Reports to be generated per application/infrastructure component or single report covering the entire engagement?
Single report.
29. You have indicated that the scope of work is for 5 days in 30 days, but need 3 resources. Does this mean all 3 have to work on the same days?
The 3 does not refer to resources. It refers to the evaluation criteria. The supplier will need to assess what resources are needed to accomplish this task and quote accordingly.
30. Does this have to be quoted on a man-days basis or can this be done as an SOW?
Either, but a statement of work should indicate anticipated timescales.
31. Where is the geographical location of the internal environment?
What internal environment we have is located at our main HQ at 25 Cabot Square in Canary Wharf.
32. If there are multiple sites, where are the locations for each?
The sites are located in London (HQ), Bristol, Birmingham, Manchester, York and Glasgow.
33. Can all locations be accessed from one main site?
Yes, main HQ in London.