Awarded to NTA Monitor Ltd.

Start date: Monday 17 December 2018
Value: £2,550
Company size: SME

Service Complaints Ombudsman for the Armed Forces

Web Application Penetration Test copy

24 Incomplete applications

19 SME, 5 large

18 Completed applications

15 SME, 3 large

• Published: Wednesday 3 October 2018
• Deadline for asking questions: Wednesday 10 October 2018 at 11:59pm GMT
• Closing date for applications: Wednesday 17 October 2018 at 11:59pm GMT

Overview

• Specialist role: Cyber security consultant
• Summary of the work: You will be required to carry out number of advanced manual tests with automated vulnerability scans to ensure every area of our website and application forms are tested.
• Latest start date: Wednesday 17 October 2018
• Location: London
• Organisation the work is for: Service Complaints Ombudsman for the Armed Forces

About the work

• Who the specialist will work with: You will be working with our supplier who developed the website and the Communications Team within the Service Complaints Ombudsman's office.
• What the specialist will work on: The security of our website and applications is of paramount importance to business continuity and integrity. Therefore we require penetration testing to provide visibility of the risks associated with our organisation's application components, identify vulnerabilities that may occur, how they can be exploited to extract data or take control of our applications. ; ; Our objective is to understand how the website forms deals with the following:; - data entered by users ; - identify any weak access controls ; -minimal loss of productivity; -allow us to assess our security posture; - prevent disclosure of confidential information; - complies with regularity requirement and legislation

Work setup

• Address where the work will take place: Our supplier Connect that manages the website is located within Liverpool. However, the OSCO is based in London. The work will be conducted within London.
• Working arrangements: We have a good working relationship with our supplier who we can reach 5 days a week, Monday- Friday, if need be. Therefore, we would expect the same with the service provider that we select.
• Security clearance: CREST Certified

Additional information

Skills and experience

Buyers will use the essential and nice-to-have skills and experience to help them evaluate suppliers’ technical competence.

• Essential skills and experience:
  • identify and fix potential vulnerabilities in your web applications
  • identify any weak access controls
  • Prevent loss of productivity
  • allow us to assess our security posture
  • prevent disclosure of confidential information
  • complies with regularity requirement and legislation (PCI DSS and ISO 27001)
  • Provide data entered by users

How suppliers will be evaluated

• How many specialists to evaluate: 5
• Cultural fit criteria:
  • Work as a team with our organisation and other suppliers
  • Be transparent and collaborative when making decisions
  • Have a no-blame culture and encourage people to learn from their mistakes
  • Take responsibility for their work
  • Share knowledge and experience with other team members
  • Can work with clients with low technical expertise
• Assessment methods:
  • Work history
  • Reference
• Evaluation weighting:

  Technical competence

  70%

  Cultural fit

  5%

  Price

  25%

Questions asked by suppliers

• 1. Do applicants need any clearance or CHECK accreditation?: Applicants need to have valid accreditations and qualifications that either work for, or apart of, an organisation that is a member of a professional penetration testing body, such as CREST
• 2. Please can you confirm the latest start date? Is the 17th October correct as the deadline for submission is also the 17th October.: The submission deadline for applications is the 17th October. Once the applicant or organisation has been chosen, we would like pen testing to start immediately.
• 3. What is the envisioned contract length?: We expect that the contact length would be based on 3-5 days to complete the web application test
• 4. What platform is the system built on (ie. development language, any frameworks or proprietary systems, Operating System) ?: WordPress. The website has approximately 100 static/dynamic pages.
• 5. Can you please clarify your 'Essential requirement' of "Provide data entered by Users"?: We would like to know whether the personal information entered by users on our application forms are secure, including the files that they upload
• 6. Are you looking for just the one consultant? or could a consultancy bid and make available multiple resources?: A consultant or organisation can bid for the work. However, the quotes should be based on a fixed to conduct the test.
• 7. Would it be possible to carry out the work remotely rather than on-site in London?: We require offsite testing only. All testing conducted remotely.
• 8. Can you please let me know how many days you will need the security consultant onsite for?: The work is to be carried out offsite. The successful applicant will need to conduct testing for a period of maybe 3 days : Test, Report and Retest. Quotations should take this into consideration.
• 9. What is the maximum day rate for the role?: There is no standard day rate. We are looking for price to complete the job.