Gloucestershire County Council

Pen testing

Incomplete applications

12
9 SME, 3 large

Completed applications

14
10 SME, 4 large
Important dates
Opportunity attribute name Opportunity attribute value
Published: Thursday 18 April 2019
Deadline for asking questions: Thursday 25 April 2019 at 11:59pm GMT
Closing date for applications: Thursday 2 May 2019 at 11:59pm GMT

Overview

Summary of the work:
Build Reviews - 4 days:
Firewall Review - 2 days:
Wireless Testing - 1 day:
VPN - 1 day:
Netscaler – 1 day:
External Infrastructure - 2 days:
Internal Infrastructure - 3 days:
Infrastructure level scanning of the PSN domain Internal Infrastructure authenticated vulnerability analysis – 8 days:
Blackberry UEM
Latest start date: Saturday 1 June 2019
Expected contract length
Location: South West England
Organisation the work is for: Gloucestershire County Council
Budget range

About the work

Why the work is being done: Provide an independent programme of penetration and security assessment to focus on the vulnerabilities and security risks present in the infrastructure, consistent with the requirements for a PSN ITHC.
It is a requirement for connection with the PSN that regular CHECK ITHCs are undergone. GCC are already connected to PSN and this is the second reconnection assessment.
It is critical to GCC to demonstrate that their security controls are consistent with the requirements set out in the Cabinet Office ‘IT Health Check Supporting Guidance’ document available on the Internet from the Cabinet Office website and published June 2013.
Problem to be solved: Pen testing for PSN compliance
Who the users are and what they need to do: It is critical to GCC to demonstrate that their security controls are consistent with the requirements set out in the Cabinet Office ‘IT Health Check Supporting Guidance’ document available on the Internet from the Cabinet Office website and published June 2013.
Early market engagement
Any work that’s already been done
Existing team: GCC ICT Team
Current phase: Not applicable

Work setup

Address where the work will take place: Onsite in Gloucestershire and remotely
Working arrangements: Work to take place over a period of up to 1 month
Security clearance

Additional information

Additional terms and conditions

Skills and experience

Buyers will use the essential and nice-to-have skills and experience to help them evaluate suppliers’ technical competence.

Essential skills and experience
  • Relevant Certifications
  • Share their findings with relevant parties
Nice-to-have skills and experience
  • Provide evidence that they have worked with other local government companies

How suppliers will be evaluated

How many suppliers to evaluate: 3
Proposal criteria
  • Technical solution
  • Time frames
  • Methodology
  • Compliance
Cultural fit criteria
  • Take responsibility for their work
  • Share knowledge and experience with other members of the team
Payment approach: Fixed price
Assessment methods: Written proposal
Evaluation weighting
  • Technical competence: 40%
  • Cultural fit: 20%
  • Price: 40%

Questions asked by suppliers

Supplier question Buyer answer
1. Supplier question: Would you allow the work to be done from offshore if we provide enough evidence for data privacy and data protection?
Buyer answer: No. Unfortunately not.

2. Supplier question: Would you accept applications from CREST and CBEST certified testers?
Buyer answer: We will consider them but they will not score as highly when ranking proposals.

3. Supplier question:
How many servers and workstations do you have?
Do you use a Mobile Device Management Solution?
How many firewalls and rules are there in each PSN firewall?
How many different server and workstation builds do you have?

Buyer answer:
How many servers and workstations do you have?
Servers:

DMZ
2012 R2     29
2016        7
2008 R2     13
2008        2

Main GCC estate
OS Version  Count
2008        12
2008 R2     114
2012        3
2012 R2     173
2016        27

+ Citrix 193 servers

PN
OS Version  Count
2008 R2     3
2012        8

Workstations: 6391

Do you use Mobile Device Management Solution? Yes - Blackberry

How many firewalls and rules are there in each PSN firewall? 1 firewall, 10 rules.

How many different server and workstation builds do you have?
Workstations: Windows 7 Enterprise (note: Thin Clients are 32 bit).
Servers: as above.