Response to Request for Proposal: RFP 8155 Cybersecurity Vulnerability Assessment

Contact for RFP Response: Paul Ashe
pashe@securanceconsulting.com
Office: 877.578.0215 | Direct: 813.758.2532 | Fax: 813.960.4946

Corporate Office:
Securance Consulting
6922 W. Linebaugh Avenue, Suite 101
Tampa, FL 33625
www.securanceconsulting.com

Project Office:
Securance Consulting
1434 Spruce Street, Suite 100
Boulder, CO 80302
www.securanceconsulting.com

Date: August 19, 2015

Table of Contents

Introduction
- Cover Letter

A. Executive Summary
- Project Overview ..... 1

B. Consultant Information and Firm Capability
- Exhibit A - Proposal Acknowledgement Form
- Company Overview
  - About Securance ..... 4
  - Organizational Chart ..... 6
- Related Experience ..... 7
- Client References ..... 9
- Letters of Recommendation

C. Scope of Proposal
- Proposed Scope ..... 10
- Approach and Methodology
  - Compliance Gap Analysis NIST 800-53 ..... 11
  - Network Architecture Review ..... 15
  - Server Configuration Review ..... 16
  - Database Server Review ..... 17
  - Router | Switch Configuration Analysis ..... 17
  - Audit Approach ..... 18
  - Documentation Standards ..... 19
- Project Management
  - Project Management ..... 20
  - Information Sharing Security ..... 21
  - Project Timeline ..... 22
  - Gantt Chart ..... 23

D. Availability
- Securance’s Workload ..... 24

E. Sustainability Methodology
- Sustainability Statement ..... 25

F. Cost and Work Hours
- Project Cost ..... 26

G. Assigned Personnel
- Proposed Project Team ..... 27
- Executive Profile ..... 28
- Staff Profiles ..... 30

H. Additional Information
- What to Expect ..... 34

The material, ideas and concepts contained herein are to be used solely and exclusively to evaluate the capabilities of Securance Consulting to provide assistance to City of Fort Collins (City). This proposal does not constitute an agreement between Securance Consulting and City. Any services Securance Consulting may provide to City will be governed by the terms of a separate written agreement signed by both parties. All offers to provide professional services are valid for one-hundred and eighty (180) days.

Cover Letter

August 19, 2015

Pat Johnson, CPPB
Senior Buyer
City of Fort Collins Purchasing Division
215 North Mason Street, 2nd Floor
Fort Collins, CO 80524

Dear Pat,

Thank you for considering Securance Consulting as your IT risk management partner. Eager to work with City of Fort Collins (City), we appreciate this opportunity to present a plan for your upcoming project.

We are a firm of Senior IT Consultants passionate about helping organizations like yours assess and improve their compliance profiles, risk management programs and IT security postures. Ours is a unique combination: remarkable skill and expertise, reasonable pricing and people who care. We apply our knowledge, years of experience and industry-leading assessment tools to identify and remediate risks before they harm operations and business.

When it comes to achieving your IT objectives, selecting the right vendor is crucial. Our interest is in forging a positive, long-term relationship with you, as we do with all of our clients.
We will attend to your organization’s particular needs and goals and will support you throughout -- and after -- the remediation phase. Again, thank you for including Securance in your evaluation process. We are prepared to begin work immediately, and we look forward to discussing our project plan with you. Please do not hesitate to contact me with questions or comments.

Professional regards,

Paul Ashe, CPA, CISA, CISSP
President & Sr. IT Audit Consultant
Securance Consulting
6922 W. Linebaugh Ave. | Suite 101 | Tampa, FL 33625
877.578.0215 | FAX: 813.960.4946
WWW.SECURANCECONSULTING.COM

A. Executive Summary

Securance Consulting is a professional services firm dedicated to IT security, internal audit risk consulting and compliance. Founded in 2002 by a former “Big 4” risk consultant, we have been a leader in the information security industry for over thirteen years. We are privately owned, independent of affiliate firms, technology vendors and service providers. We pride ourselves on delivering objective assurance and reliable results.

In Securance, you will find a team passionate about IT risk management, a service plan aligned with your priorities, and an unqualified commitment to your initiatives and needs. Organization, leadership, cooperation and teamwork, efficiency, innovation and common goals will define our relationship. You will be our top priority; together, we will significantly improve your security posture and internal controls environment.

We deliver world-class security and internal controls solutions to major corporations, small- and medium-sized businesses, and federal, state and municipal government leaders. Our clientele includes public utilities, electric cooperatives and energy companies throughout the United States. We are passionate about helping organizations like City of Fort Collins identify vulnerabilities and establish secure industrial control systems.
Having reviewed the City’s Request for Proposal (RFP), we are confident that we can meet the City’s objectives and deliver a solution that satisfies regulators, yet also fits the City’s unique operating environment.

Experience and Qualifications

Our consultants are experts when it comes to in-depth evaluations of information security postures. Securance has helped numerous governmental entities discover security vulnerabilities and establish appropriate mitigation procedures. Our recent projects include:

- Cedar Falls Utilities - Network Security Risk Assessment
- City of Bowling Green, Kentucky - IT Security and General Controls Audit
- City of Thornton, Colorado - Security Assessment
- Colorado Office of the State Auditor - IT Security Audits
- Colorado Public Employees’ Retirement Association - System Security Audits
- City of Tacoma | Tacoma Water - Cyber Security Assessment
- Kissimmee Utility Authority - IT Risk Assessment and Internet Security Review
- Santee Cooper - IT Security Assessment and Vulnerability Assessment
- San Antonio Water System - System Security Controls Review

For detailed summaries of scope, please refer to the related experience tables on pages 7 and 8. We encourage the City of Fort Collins to contact our references for a client perspective on the quality of our service, approach and deliverables.

In addition, each member of the team we propose for the City’s project has at least 15 years’ experience evaluating risks in environments similar to the City’s.
Led by Securance President Paul Ashe, our senior staff members will conduct a gap analysis of the Water Resources and Treatment Industrial Control System architecture and components to provide a detailed overview of system flaws, the risk associated with those flaws and realistic recommendations to curtail those risks to an appropriate level and achieve compliance with NIST SP 800-53. For details regarding our staff’s qualifications, training and experience, please see their resumes on pages 27 through 33.

Assessment Approach

We offer a best-value solution that satisfies the scope and objectives laid out in the City’s Request for Proposal (RFP), 8155 Cybersecurity Vulnerability Assessment. Our approach includes a dedicated planning phase; a baseline assessment of the general security of the Water Resources and Treatment ICS; a detailed assessment of WR&T components and controls; and the development of best practice recommendations to improve the City’s cyber security posture. The key elements of our assessment plan are summarized below:

- Planning
  - Hold a kick-off conference:
    - Introduce the Securance team.
    - Review the City’s objectives and expectations.
    - Finalize the assessment scope and timeline.
    - Address the City’s questions and concerns.
  - Develop a client assistance request.
- Cybersecurity Assessments
  - Task 1: Assessment of Cybersecurity Controls
    - Review the current status of implementation of NIST 800-53 controls and prioritize mitigation actions.
  - Task 2: Review Water Resources and Treatment (WR&T) System Security Architecture
    - Review the security of the WR&T system network architecture and boundary protections.
  - Task 3: Assess WR&T System Components Security Configurations
    - Assess security configurations of key WR&T ICS system components.
- Deliverables
  - Task 4: Finding and Recommendations Report, including:
    - Summary of findings with probability and impact of vulnerabilities being exploited; and
    - Prioritized mitigation actions to advance the WR&T ICS system’s security level.
  - Task 5: Report Presentation
    - Present findings to Fort Collins Utilities’ Management.

Ongoing Support

Securance’s knowledge, expertise and commitment to City of Fort Collins make us the right choice for this project. Our priority is meeting your needs. We will do what we can to exceed expectations, and we look forward to a long-term partnership that will extend beyond this project. We will provide technical support and advice, free of charge, during and after the remediation phase, and look forward to future opportunities to help City of Fort Collins achieve its information security initiatives.

B. Consultant Information and Firm Capability

Official Registered Name: Securance LLC
Structure: Securance is organized as a limited liability company (LLC) in the state of Florida.
Address: 6922 West Linebaugh Avenue, Suite 101, Tampa, FL 33625
Main Number (Toll-Free): 877.578.0215
Facsimile Number: 813.960.4946
Key Contact: Paul Ashe
Authorized Representative: Paul Ashe, President of Securance LLC, is authorized to contractually bind the firm to perform all services set forth in this proposal.
Size: 10 full-time employees and 32 Sr. IT Consultants available at any time to perform work for Securance.
Year Established: 2002
Ownership: Paul Ashe is the sole owner of Securance. Securance is a 100-percent minority-owned firm, certified as a Minority Business Enterprise by the Florida Minority Supplier Development Council, the State of Florida’s Office of Supplier Diversity and certifying agencies in several other states. Securance is also a self-certified Small Disadvantaged Business.
Brief Firm History: Securance Consulting is a risk management firm that specializes in IT security assessment, IT auditing and regulatory compliance consulting. Founded in 2002 by a former “Big 4” audit consultant, Securance has offered cybersecurity vulnerability assessment services for over 13 years. Please refer to pages 4-5 for more information about our firm’s history, structure and vision.
Receipt of Addendum: Securance acknowledges receipt of Addendum No. 1.

Company Overview

Securance Consulting - Success Built on Results

Securance Consulting is a professional services firm dedicated to IT security, internal audit risk consulting and compliance. In a decade of rapid and substantial growth, Securance Consulting has found success through the power of a simple idea: deliver uncompromising, high-quality services at a reasonable cost, and customers will follow.

Securance Consulting was launched in 2002 by a former trusted member of a “Big 4” consulting team. The founder felt that his experience at Ernst & Young had provided him with an understanding of the challenges that many different kinds of companies face -- as well as what it would take to master those challenges. Securance set out to deliver outstanding results to each and every client and to ensure that projects were always done right.

The mission of Securance was twofold: to convince hundreds of companies of the importance of risk and audit services, and to deliver outstanding services in those areas. Though getting the message out and building an outstanding reputation took persistence, it almost immediately yielded success, as demonstrated by a 20-percent annual growth rate.

To help sustain that growth, in late 2003, Securance Consulting began the process of creating a balanced professional consulting team. Unlike many consulting firms, Securance does not look to hire new college graduates; rather, Securance only hires professionals with a minimum of 10 years’ experience.
Generally, that means people with Big 4 experience. Each new hire needs to have special technical strength or leadership skills in order to act as team leader. From the start, Securance Consulting has worked to provide a presence across all 50 states and has maintained an unwavering commitment to delivering superior results.

Securance has never positioned itself as a one-stop shop. Our sweet spot is IT risk and consulting. This focus has impressed client organizations. They know that they can count on Securance to deliver outstanding results without trying to “pad” projects or up-sell them unrelated services. In fact, Securance even offers some services on a fixed-price basis.

Over the past decade, Securance Consulting has built a strong following in the private sector, serving almost 200 organizations as diverse as Lowe’s Home Centers, DelMonte Foods, US Food Service, General Mills, Bob Evans, the power-utility industry and major banks. Between 2009 and 2011, the company also developed a significant presence in the government sector -- federal, state and municipal -- and continues to grow that part of its practice at double-digit rates.

From its inception, Securance Consulting has been willing to “go the extra mile” to ensure client satisfaction. With that kind of commitment, Securance clients become true partners.

Securance Consulting has a unique firm structure, which is supported by these points:

Efficiency
One common process and methodology, consistently applied throughout the firm, reflects our philosophy and attitude toward projects. “Get it right the first time…every time. That means we want it to be done right, on time and on budget, the first time and every time,” says the founder.

Knowledge of the Industry
Our professional consultants are highly competent and continually train to remain current in evolving trends and audit regulatory compliance issues.
Expertise
We are frequently asked to speak as subject matter experts at select industry conferences and meetings.

About Securance

Qualifications
Our consultants have a vast array of experience within business, audit services and information technology, and they maintain professional certifications. Examples of these certifications are as follows:

- CISA - Certified Information Systems Auditor
- CISSP - Certified Information Systems Security Professional
- CPA - Certified Public Accountant
- GIAC - Global Information Assurance Certification(s)
- CBCP - Certified Business Continuity Professional
- MCSE - Microsoft Certified System Engineer
- SANS - Hacker Techniques, Exploits and Incident Handling

Quality Control
Our approach is continuous, with a strong focus on co-development, risk insight, measurement and client satisfaction. Each project performed by Securance is reviewed by an executive independent of the engagement to ensure that all quality and regulatory standards are met. In addition, all preliminary findings will be presented to City’s Management prior to issuance to obtain evaluation and approval.

Client Base
Private and public sector organizations.

Summary of Professional Services
- Compliance (SOX, PCI, GLBA, HIPAA, etc.)
- Governance | Risk | Compliance
- Internal Audit Outsourcing | Co-sourcing
- Audit and IT Risk Assessments
- IT Security Assessments
- Business Process Review | Redesign
- Vulnerability Assessments and Penetration Testing

Areas of Expertise
- IT Risk Management in the following areas:
  - Network Security (LAN, WAN, Wireless)
  - Operating System Security
  - Database Security
  - IT Process Improvement Analysis
  - IT Policy | Procedure Development
  - Disaster Recovery Planning

Securance Added Value
- Most comprehensive risk database.
- We review our client’s security posture and provide suggestions about areas that may be improved.
- As a professional services firm, our advanced knowledge of emerging audit guidance and technologies means that we know about an industry’s risks before our clients do. We are able to freely share this information.

Just a Few of... “The Securance Differences”
- No junior staff. All of our staff have at least 10 years of experience.
- Our Executive Team will have hands-on involvement with every project, not just with project management.
- We guarantee 100-percent consistency in executive management and strive for 100-percent consistency in our practice.
- We are not driven by budget requirements. If there is extra work to do, we will do it and will not add billings to the project.
- We are truly our client’s partner. We assist our clients even when we are not under contract.
- Our fee structure is ultra-competitive.
- We focus on financial, operational and technology risk and compliance like no other firm.

Organizational Chart

Paul Ashe, CPA, CISA, CISSP
Engagement Manager; President and Senior IT Audit Consultant
- Primary point of contact.
- Work with City’s stakeholders to define project objectives, scope, methodology and timeline.
- Oversee the project team to ensure assessments are completed on schedule and all issues are resolved in a timely fashion.
- Present findings and recommendations to the City of Fort Collins.

Chris Bunn, CISA
Practice Director; Senior IT Audit Consultant
- Draft detailed assessment plan based on City’s desired objectives, scope and timeline.
- Perform security and risk assessments to identify risks, vulnerabilities and exposures.
- Provide status reports to the City and notify Securance Engagement Manager of any project issues or delays.
- Prepare assessment reports and other deliverables.

Chris Cook, CISA, CISSP
Senior IT Audit Consultant
- Draft detailed assessment plan based on City’s desired objectives, scope and timeline.
- Perform security and risk assessments to identify risks, vulnerabilities and exposures.
- Provide status reports to the City and notify Securance Engagement Manager of any project issues or delays.
- Prepare assessment reports and other deliverables.

Related Experience

Organizations that have trusted Securance to perform similar projects include:

Project: IT Risk Assessment | System Security Audits
Summary of Scope: In 2011, Securance conducted an IT risk assessment for the Colorado Public Employees’ Retirement Association (CO PERA). Our review included auditable technologies (applications, databases, platforms and network hardware), IT processes and infrastructure systems. Following interviews with IT managers and business process owners, we used a proprietary risk assessment tool to generate a risk score for each item. Based on the results, we designed a three-year audit plan addressing high-risk areas. The system security audits included:
- A database vulnerability assessment across multiple servers; and
- A review of IT general controls supporting the in-scope technologies.
Client: Colorado Public Employees’ Retirement Association
Consultants: Paul Ashe
Beginning Price: $49,152 | Ending Price: $49,152

Project: IT Risk Assessment and Internet Security Review
Summary of Scope: In 2013, Securance conducted an information systems risk assessment and network security review for KUA. Our primary objective was to determine whether the policies and standards governing the management of KUA’s technology environment were adequate to ensure the security and integrity of its information assets.
We evaluated the effectiveness of controls and security infrastructure in critical areas of KUA’s information systems function:
- Information systems risk assessment, including the policies, procedures and guidelines governing the management and operation of the IT organization;
- Continuous service, or disaster recovery, procedures;
- Change and patch management controls;
- User provisioning;
- Physical security controls limiting access to technology resources;
- Database controls over enterprise systems;
- Internal LAN security, including internal network vulnerabilities, network architecture and internal database security; and
- Internet security, including external network vulnerabilities and the configuration of the Internet-facing firewall.
Client: Kissimmee Utility Authority
Consultants: Paul Ashe, Chris Bunn, Chris Cook
Beginning Price: $28,137 | Ending Price: $28,137

Project: Cyber Security Assessment
Summary of Scope: In 2013, Securance conducted a cybersecurity vulnerability assessment for a Washington municipality’s water utility, focusing on the security posture of the SCADA network, associated technologies and supporting IT processes. We designed an approach that would uncover technical vulnerabilities and process risks. Combining manual audit techniques with commercial and proprietary tools, we performed detailed vulnerability assessments of

Project: IT Risk Assessment | IT Governance Framework | Roadmap - Critical Assets
Summary of Scope: In 2014, Securance conducted an IT risk assessment of the control systems for an electric utility. The overall objective of the engagement was to identify IT process and technology risks.
The scope of the review was limited to those areas specifically defined by their control systems IT management personnel and included an assessment of IT Governance and the following IT processes:
- Access Management (User Provisioning);
- Backup;
- Change Management;
- Configuration Management;
- Disaster Recovery;
- Data Center Controls (Physical & Environmental);
- Enterprise IT Security;
- Incident Management;
- IT Asset Management;
- Monitoring and Logging;
- Patch Management;
- Project Management;
- Remote Access Management; and
- Software License Compliance.
Client: Confidential Electric Utility
Consultants: Paul Ashe
Beginning Price: $75,000 | Ending Price: $64,730 (price decrease due to change in project scope)

Project: IT Risk Assessment
Summary of Scope: In 2014, an Illinois state agency engaged Securance to conduct an IT risk assessment and security review. Our objective was to identify IT process risks and technology-specific vulnerabilities, then formulate detailed remediation recommendations to improve the agency’s risk profile and security posture. Our review included assessments of IT governance, general controls, network architecture and infrastructure (firewalls and intrusion detection | prevention systems), external and internal network security, enterprise application security and controls, and web-application security. We reviewed the agency’s internal IT policies, standards and procedures; interviewed IT management and other key personnel; tested the operating effectiveness of in-scope controls; and performed vulnerability testing procedures to identify technical risks in the agency’s networks, infrastructure hardware and application systems.
Client: Confidential Illinois State Agency
Consultants: Paul Ashe, Chris Bunn, Martin Goss
Beginning Price: $111,561 | Ending Price: $111,561

Project: Information Security Risk Assessment
Summary of Scope: In 2012, the City of Milwaukee, Wisconsin, engaged Securance to perform an IT risk assessment of critical applications, databases and servers belonging to several government divisions. We evaluated the risks associated with auditable technologies and supporting IT controls, then performed fact-based testing of select policies and processes. We also conducted external and internal network vulnerability assessments for the City in 2011.
Client: City of Milwaukee, Wisconsin

Client References

Selected Client References
The following client references were selected because the services provided by Securance Consulting resemble those that you have requested. We invite you to talk with our clients to confirm the quality and added value of the services we provided.

Colorado Office of the State Auditor
1525 Sherman Street, 7th Floor - Denver, CO 80203-2211
Mr. Matt Devlin, Deputy State Auditor
Direct: (303) 869-2800 | email: matt.devlin@state.co.us | www.leg.state.co.us
- IT Security Audits

City of Tacoma, WA (Tacoma Water)
3628 South 35th Street - Tacoma, WA 98409
Mr. Christopher Johnson, P.E., Supply Operations Supervisor
Direct: (253) 502-8743 | email: cjohnso2@cityoftacoma.org | www.tacomawater.com
- Cyber Security Vulnerability Assessment

City of Bowling Green, Kentucky
1001 College Street - Bowling Green, KY 42101
Ms. Deborah Jenkins, Internal Auditor
Direct: (270) 393-3682 | email: Deborah.Jenkins@bgky.org | www.bgky.org
- IT Security and General Controls Audit

City of Grants Pass, Oregon
101 Northwest A Street - Grants Pass, OR 97526
Mr. Ken Selland, IT Manager
Direct: (541) 450-6186 | email: kselland@grantspassoregon.gov | www.grantspassoregon.gov
- Network Security and General Controls Assessment

C. Scope of Proposal

Execute, Analyze, Report and Improve

Based on our understanding of the scope of requested services, Securance will execute the following activities:

Task 1: Assessment of Cybersecurity Controls
- Perform a compliance gap analysis to NIST SP 800-53 controls using the existing Fort Collins Utilities’ staff-generated self-assessment reports.
- Help FCU’s staff interpret the findings.
- Recommend improvements to the self-assessment report documentation.
(See detailed methodology on pages 11-14.)

Task 2: Review Water Resources and Treatment (WR&T) System Security Architecture
- Perform a network architecture review of the WR&T system and boundary protections from a cybersecurity perspective.
(See detailed methodology on page 15.)

Task 3: Assess WR&T System Components Security Configurations
- Assess security configurations of key WR&T ICS system components, including:
  - Programmable logic controllers (PLC);
  - HMI servers and client machines;
  - Database servers;
  - Web-application servers;
  - Routers; and
  - Switches.
(See detailed methodology on pages 16-17.)

Task 4: Finding and Recommendations Report
- Management Report, including:
  - Executive summary;
  - Introduction and scope;
  - Approach and methodology;
  - Findings with associated risk rankings; and
  - Actionable recommendations to mitigate risks and achieve compliance.
- Technician’s Report:
  - Raw data extracts from utilized security tools.

Task 5: Report Presentation
- Present findings to Fort Collins Utilities’ Management.
Approach and Methodology

Compliance Gap Analysis: NIST 800-53 and FISMA

Access Control
- Access Control Policy and Procedures
- Account Management
- Access Enforcement
- Information Flow Enforcement
- Separation of Duties
- Least Privilege
- Unsuccessful Logon Attempts
- System Use Notification
- Previous Logon (Access) Notification
- Concurrent Session Control
- Session Lock
- Session Termination
- Permitted Actions Without Identification or Authentication
- Security Attributes
- Remote Access
- Wireless Access
- Access Control for Mobile Devices
- Use of External Information Systems
- Information Sharing
- Publicly Accessible Content
- Data Mining Protection
- Access Control Decisions
- Reference Monitor

Awareness and Training
- Security Awareness and Training Policy and Procedures
- Security Awareness Training
- Role-Based Security Training
- Security Training Records

Audit and Accountability
- Audit and Accountability Policy and Procedures
- Audit Events
- Content of Audit Records
- Audit Storage Capacity
- Response to Audit Processing Failures
- Audit Review, Analysis and Reporting
- Audit Reduction and Report Generation
- Time Stamps
- Protection of Audit Information
- Non-Repudiation
- Audit Record Retention
- Audit Generation
- Monitoring for Information Disclosure
- Session Audit
- Alternative Audit Capability
- Cross-Organizational Auditing

Security Assessment and Authorization
- Security Assessment and Authorization Policies and Procedures
- Security Assessments
- Security Interconnections
- Plan of Action and Milestones
- Security Authorization
- Continuous Monitoring
- Penetration Testing

Configuration Management
- Configuration Management Policy and Procedures
- Baseline Configuration
- Configuration Change Control
- Security Impact Analysis
- Access Restrictions for Change
- Configuration Settings
- Least Functionality
- Information Systems Component Inventory
- Configuration Management Plan
- Software Usage Restrictions
- User-Installed Software

Contingency Planning
- Contingency Planning Policy and Procedures
- Contingency Plan
- Contingency Training
- Contingency Plan Testing
- Alternative Processing Site
- Telecommunications Services
- Information System Backup
- Information System Recovery and Reconstitution
- Alternate Communications Protocols
- Safe Mode
- Alternate Security Mechanisms

Identification and Authentication
- Identification and Authentication Policy and Procedures
- Identification and Authentication (Organizational Users)
- Device Identification and Authentication
- Identifier Management
- Authenticator Management
- Authenticator Feedback
- Cryptographic Module Authentication
- Identification and Authentication (Non-Organizational Users)
- Service Identification and Authentication
- Adaptive Identification and Authentication
- Re-Authentication

Incident Response
- Incident Response Policy and Procedures
- Incident Response Training
- Incident Response Testing
- Incident Handling
- Incident Monitoring
- Incident Reporting
- Incident Response Assistance
- Incident Response Plan
- Incident Spillage Response
- Integrated Information Security Analysis Team

Maintenance
- System Maintenance Policy and Procedures
- Controlled Maintenance
- Maintenance Tools
- Non-Local Maintenance
- Maintenance Personnel
- Timely Maintenance

Media Protection

Physical and Environmental Protection
- Physical and Environmental Protection Policy and Procedures
- Physical Access Authorizations
- Physical Access Control
- Access Control for Output Devices
- Monitoring Physical Access
- Visitor Access Records
- Power Equipment and Cabling
- Emergency Shutoff
- Emergency Power
- Emergency Lighting
- Fire Protection
- Temperature and Humidity Controls
- Water Damage Protection
- Location of Information Systems Components

Planning
- Security Planning Policy and Procedures
- System Security Plan
- Rules of Behavior
- Security Concept of Operations
- Information Security Architecture
- Central Management

Personnel Security
- Personnel Security Policy and Procedures
- Position Risk Designation
- Personnel Screening
- Personnel Termination
- Personnel Transfer
- Access Agreements
- Third-Party Personnel Security
- Personnel Sanctions

Risk Assessment
- Risk Assessment Policy and Procedures
- Security Categorization
- Risk Assessment
- Vulnerability Scanning
- Technical Surveillance Countermeasures Survey

System and Services Acquisition
- System and Services Acquisition Policy and Procedures
- Allocation of Resources
- System Development Life Cycle
- Acquisition Process
- Information Systems Documentation
- Security Engineering Principles
- External Information Systems Services
- Developer Configuration Management
- Developer Security Testing and Evaluation
- Supply Chain Protection
- Trustworthiness
- Criticality Analysis
- Development Process, Standards and Tools
- Developer-Provided Training
- Developer Security Architecture and Design
- Tamper Resistance and Detection
- Component Authenticity
- Customized Development of Critical Components

System and Communications Protection
- System and Communications Protection Policy and Procedures
- Application Partitioning
- Security Function Isolation
- Information in Shared Resources
- Denial of Service Protection
- Resource Availability
- Boundary Protection
- Transmission Confidentiality and Integrity
- Network Disconnect
- Trusted Path
- Cryptographic Key Establishment and Management
- Cryptographic Protection
- Collaborative Computing Devices
- Transmission of Security Attributes
- Public Key Infrastructure Certificates
- Mobile Code
- Voice Over Internet Protocol
- Secure Name | Address Resolution Service (Authoritative Source)
- Secure Name | Address Resolution Service (Recursive or Caching Resolver)
- Architecture and Provisioning for Name | Address Resolution Service
- Session Authenticity
- Fail in Known State
- Thin Nodes
- Honeypots
- Platform-Independent Applications
- Protection of Information at Rest
- Heterogeneity
- Concealment and Misdirection
- Covert Channel Analysis
- Information Systems Partitioning
- Non-Modifiable Executable Programs
- Honeyclients
- Distributed Processing and Storage
- Out-of-Band Channels
- Operations Security
- Process Isolation
- Wireless Link Protection
- Port and I/O Device Access
- Sensor Capability and Data
- Usage Restrictions
- Detonation Chambers

System and Information Integrity
- System and Information Integrity Policy and Procedures
- Flaw Remediation
- Malicious Code Protection
- Information Systems Monitoring
- Security Alerts, Advisories and Directives
- Security Function Verification
- Software, Firmware and Information Integrity
- Spam Protection
- Information Input Validation
- Error Handling

Network Architecture Review

The Securance methodology for assessing the design and architecture of a core network ensures that the network is designed to provide users as much bandwidth as possible, as often as possible. In our opinion, the best network design is the one that meets the needs of its users. There is no one “correct” switched design; there are only proven design principles that should be incorporated where possible. Designs can differ based on a number of real-world factors, including budgets, available existing hardware, application requirements and implementation timelines.
The Securance approach is to gain an understanding of the network and user requirements, then weigh the pros and cons of each design principle against the overall goals for the design. Current practices recommend a Layer 3 | 4 switched network. Our analysis includes a review of all 3 layers and the configuration sets (i.e., switching and routing) at each layer. Some of the other areas we analyze include:

- Routers should be intelligently and securely configured. They are another security skin and should be leveraged.
- We review all unused ports to ensure they are disabled.
- Routers should be used to bin generic classes of undesired traffic before such traffic hits any firewall.
- The company uses Private IPs on the internal and DMZ networks.
- The external router bins Private IP addresses, while the internal core bins any connections that have an Internet IP as the originating address.
- The external router also bins any unknown protocols not provisioned in the DMZs.
- All third parties are handled with IPSEC to the remote location and terminated in a DMZ.
- A choke VLAN exists and enforces an inspection point for IDS and IPS systems.
- The servers in the data center are protected by a separate firewall.
- All business unit servers are in separate VLANs.
- External connections are facilitated via reverse proxies hosted in a DMZ.
- Email is relayed via a bridgehead in a DMZ. Use is made of mail scrubbing services.
- DNS is properly and securely configured.
- Workstations are separated on a functional business unit basis. This stops any worms and Trojans in their tracks and prevents information leakage.
- On the inside networks, all route distribution is authenticated, especially routes between the firewalls and the core.
- A separate network management VLAN exists, accessed off the core and protected by ACLs.
- The management VLAN should contain jump servers, which are the designated points to access all network device and firewall consoles.
- Do not publish the intranet on port 80; rather, use ports 8080 to 8090. This will assist with controlling web traffic.

Windows Server Review

The following are included in our server analysis:

- Change | Patch Management
- User Administration
- Account Policy (if applicable)
- Account Policy Settings (if applicable)
- Event Logging (if applicable)
- 50+ Security Option Settings
- Group Policy Objects (GPO) and Links
- Customer-Selected Registry Key Values
- Group Management
- User Management
- Overall Structure
- Accounts with no Password
- Disabled Accounts
- Directory Rights and Privileges
- Trusted and Trusting Servers
- Discretionary Access Controls
- RAS Dial-In
- Connected Servers and Workstations
- Services and Drivers Installed
- Security Updates, Patches and Hot Fixes
- Network Connections
- Network Shares
- OS-Specific Vulnerability Management (if applicable)
- Comparisons against Industry Average and Leading Practice

Linux Server Review

The following are included in our server analysis:

- Change | Patch Management
- User Administration
- System-Wide Security Settings
- Password Shadowing
- Usernames, UIDs and Home Directory
- Groups and Group Members
- Group Administrators
- Users with Administrative Status
- Discrepancies in Password and Shadow Password Files
- All Password-Related Settings
- Comparisons against Industry Average and Leading Practice
- Redundant Groups and Members
- SUID and SGID Permissions
- Disabled Usernames
- Trivial Passwords
- Passwords 30 Days or Older
- Login Retries
- Accounts with Expired Dates
- Last Logins
- System Search Paths
- System Login Script File
- Files with World-Writeable Permissions
- Network Services Enabled
- Permissions on Selected Sensitive Files and Directories
- Current Network Connections

Router | Switch Configuration Review

The following are included in our network device analysis:

- Interview Device Administrator(s)
- Review Configuration Manually, Line by Line, to Identify Problem Settings
- Perform a Vulnerability Scan of Device
- Assess Firmware Version
- Ensure Compliance with Change Management
- Assess Access Control Lists
- Review Logs Manually
- Assess Use of Insecure Protocols

Database Server Review

The Securance database review includes assessments of the following:

- Database Account Management
- Use of 'SA' Account
- Automated Table Auditing
- Accounts with No Password
- Disabled Accounts
- Default Passwords
- Easily Guessed Passwords
- FORMATMESSAGE Buffer Overflow
- Agent Jobs Privilege Escalation
- Extended Stored Proc Privilege Upgrade
- Look for Permissions Granted to View the Linked Table
- Permissions on Sensitive Tasks
- Public Can Create Agent Jobs
- SysAdmin Only for CmdExec Job Steps
- Temporary Stored Procedures Bypass Permissions
- Console Password Not Set
- Several DBCC Buffer Overflows
- Hello Buffer Overflow
- Comparisons Against Industry Average and Leading Practices
- Latest Service Pack | Hot Fix Not Applied
- Password Attack
- PL | SQL Injection
- PWDENCRYPT Buffer Overflow
- RAISERROR Buffer Overflow
- Slammer | Sapphire Worm
- Several Parameter Buffer Overflows
- Application-Specific DB-Related Buffer Overflows
- Blank Password
- Blank Password for 'SA'
- Blank Password for Well-Known Login
- Default Password for Well-Known Login
- DTS Password Management
- Easily Guessed Passwords on Sensitive Accounts
- Password Same as Login Name
- Proxy Password in Secure Registry Key
- Replication Password Publicly Viewable
- SQL Agent Password Publicly Viewable
- XSTATUS Backdoor
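Several items in the Linux server review list above (password shadowing, passwd/shadow discrepancies, accounts with no password, users with administrative status, disabled usernames, passwords 30 days or older, expired accounts, redundant groups, and SUID/SGID or world-writeable files) can be checked offline from copies of the account files. The script below is an added example and is not Securance's own tooling or anything from the proposal. The passwd, shadow and group contents and the file-mode entries are constructed samples; on a real host the files would be read as root and the modes would come from os.lstat(). The hashes are placeholders, and `today_days` is passed in (days since 1970-01-01) so the age checks are deterministic.

```python
"""Offline checks for the Linux account-file items of a server review."""
import stat
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Tuple

# Constructed sample /etc/passwd (not from any real host).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
opsadmin:x:0:0:Ops Admin:/home/opsadmin:/bin/bash
jsmith:x:1001:1001:J. Smith:/home/jsmith:/bin/bash
legacy:$1$abc$notarealhash:1002:1002:Legacy App:/home/legacy:/bin/sh
ghost:x:1003:1003:Ghost:/home/ghost:/bin/bash
"""
# Constructed sample /etc/shadow: field 3 = last change day, field 8 = expiry day.
SAMPLE_SHADOW = """\
root:$6$salt$placeholder1:16660:0:99999:7:::
daemon:*:16000:0:99999:7:::
backup:!:16000:0:99999:7:::
opsadmin:$6$salt$placeholder2:16680:0:99999:7:::
jsmith::16670:0:99999:7:::
legacy:$6$salt$placeholder3:16500:0:99999:7::16600:
"""
# Constructed sample /etc/group: two group names share GID 27.
SAMPLE_GROUP = """\
root:x:0:
sudo:x:27:jsmith,opsadmin
wheel:x:27:
"""
# Constructed (path, st_mode) pairs standing in for os.lstat() results.
SAMPLE_MODES = [
    ("/usr/bin/passwd", 0o104755),      # regular file, setuid
    ("/tmp", 0o041777),                 # directory, world-writable but sticky
    ("/var/tmp/scratch.sh", 0o100666),  # regular file, world-writable
    ("/opt/app/bin/run", 0o102755),     # regular file, setgid
]


@dataclass
class Findings:
    no_password: List[str] = field(default_factory=list)
    not_shadowed: List[str] = field(default_factory=list)
    missing_shadow_entry: List[str] = field(default_factory=list)
    uid_zero: List[str] = field(default_factory=list)
    disabled: List[str] = field(default_factory=list)
    password_older_than_30d: List[str] = field(default_factory=list)
    expired: List[str] = field(default_factory=list)
    duplicate_gids: Dict[int, List[str]] = field(default_factory=dict)


def parse_colon_file(text: str) -> List[List[str]]:
    """Split a passwd/shadow/group style file into field lists, skipping blanks and comments."""
    return [line.split(":") for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")]


def audit_accounts(passwd: str, shadow: str, group: str, today_days: int) -> Findings:
    """Cross-check passwd against shadow and group; today_days is days since the epoch."""
    f = Findings()
    shadow_rows = {row[0]: row for row in parse_colon_file(shadow)}
    for row in parse_colon_file(passwd):
        name, pw_field, uid = row[0], row[1], int(row[2])
        if uid == 0 and name != "root":
            f.uid_zero.append(name)              # extra administrative account
        if pw_field not in ("x", "*", "!", "!!"):
            f.not_shadowed.append(name)          # hash sits in world-readable passwd
        srow = shadow_rows.get(name)
        if srow is None:
            f.missing_shadow_entry.append(name)  # passwd/shadow discrepancy
            continue
        hashval = srow[1]
        if hashval == "":
            f.no_password.append(name)
        elif hashval.startswith(("!", "*")):
            f.disabled.append(name)              # locked account
        else:
            last_change = int(srow[2]) if srow[2] else 0
            if today_days - last_change >= 30:
                f.password_older_than_30d.append(name)
        expire = srow[7] if len(srow) > 7 else ""
        if expire and int(expire) <= today_days:
            f.expired.append(name)
    by_gid: Dict[int, List[str]] = {}
    for row in parse_colon_file(group):
        by_gid.setdefault(int(row[2]), []).append(row[0])
    f.duplicate_gids = {gid: names for gid, names in by_gid.items() if len(names) > 1}
    return f


def classify_modes(entries: Iterable[Tuple[str, int]]) -> Dict[str, List[str]]:
    """Flag setuid, setgid and world-writable entries; sticky directories are exempt."""
    flagged: Dict[str, List[str]] = {}
    for path, mode in entries:
        flags = []
        if mode & stat.S_ISUID:
            flags.append("setuid")
        if mode & stat.S_ISGID:
            flags.append("setgid")
        if mode & stat.S_IWOTH and not (stat.S_ISDIR(mode) and mode & stat.S_ISVTX):
            flags.append("world-writable")
        if flags:
            flagged[path] = flags
    return flagged


if __name__ == "__main__":
    report = audit_accounts(SAMPLE_PASSWD, SAMPLE_SHADOW, SAMPLE_GROUP, today_days=16700)
    for label, value in vars(report).items():
        print(f"{label}: {value}")
    print("file modes:", classify_modes(SAMPLE_MODES))
```

The setuid entry for /usr/bin/passwd is expected on most systems; the point of listing it is that every setuid/setgid binary is reviewed against a known baseline rather than filtered out. Items such as trivial passwords, login retries and last logins need the live host (or its logs) and are outside what this file-based check can show.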
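The router | switch review above calls for reading the configuration line by line to identify problem settings, assessing access control lists and assessing the use of insecure protocols, and the network architecture section asks that unused ports be disabled and that the management VLAN be protected by ACLs. The following script is an added example of how those checks can be automated over an exported configuration; it is not Securance's tooling or part of the proposal. The IOS-style configuration is a constructed sample (hostname, addresses and ACL names are invented), and the checks are deliberately limited to the settings named in those lists.

```python
"""Line-by-line lint of an IOS-style router/switch configuration export."""
import re
from typing import Dict, List, Tuple

Finding = Tuple[str, str]  # (subject, issue)

# Constructed sample configuration; nothing here comes from a real device.
SAMPLE_CONFIG = """\
version 15.2
hostname wtp-core-01
no service password-encryption
enable password cisco123
!
interface GigabitEthernet0/1
 description Uplink to firewall
 ip address 10.10.1.2 255.255.255.0
!
interface GigabitEthernet0/2
 shutdown
!
interface GigabitEthernet0/3
!
interface Vlan99
 description Network management VLAN
 ip address 10.10.99.1 255.255.255.0
 ip access-group MGMT-IN in
!
snmp-server community public RO
ip http server
no ip http secure-server
!
line vty 0 4
 transport input telnet ssh
!
line vty 5 15
 access-class MGMT-ACL in
 transport input ssh
!
end
"""


def parse_ios_config(text: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Return top-level lines plus the indented body of each interface/line section."""
    top: List[str] = []
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped == "!":
            current = None  # "!" terminates the current section
            continue
        if raw.startswith(" "):
            if current is not None:
                sections[current].append(stripped)
            continue
        top.append(stripped)
        if stripped.startswith(("interface ", "line ")):
            current = stripped
            sections[stripped] = []
        else:
            current = None
    return top, sections


def review_config(text: str) -> List[Finding]:
    """Flag insecure protocols, unrestricted management access and possibly unused ports."""
    top, sections = parse_ios_config(text)
    findings: List[Finding] = []
    if "service password-encryption" not in top:
        findings.append(("global", "service password-encryption is not enabled"))
    has_enable_password = any(ln.startswith("enable password ") for ln in top)
    has_enable_secret = any(ln.startswith("enable secret ") for ln in top)
    if has_enable_password and not has_enable_secret:
        findings.append(("global", "enable password used instead of enable secret"))
    if "ip http server" in top:
        findings.append(("global", "cleartext HTTP management interface enabled"))
    for ln in top:
        if re.match(r"snmp-server community \S+", ln):
            findings.append((ln, "SNMP v1/v2c community string (cleartext protocol)"))
    for header, body in sections.items():
        if header.startswith("interface "):
            described = any(b.startswith("description") for b in body)
            if "shutdown" not in body and not described:
                findings.append((header, "no description and not shut down: confirm use or disable"))
        elif header.startswith("line vty"):
            for b in body:
                if b.startswith("transport input") and ("telnet" in b or b.endswith(" all")):
                    findings.append((header, f"insecure management transport: {b}"))
            if not any(b.startswith("access-class") for b in body):
                findings.append((header, "no access-class ACL restricting management access"))
    return findings


if __name__ == "__main__":
    for subject, issue in review_config(SAMPLE_CONFIG):
        print(f"{subject}: {issue}")
```

The "no description and not shut down" check is a prompt for the administrator interview rather than a finding on its own: an interface can be in use without a description, so the reviewer confirms each flagged port before recommending that it be disabled. Only the first vty range is reported, because the second already restricts transport to SSH and applies an access-class.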
Audit Approach

Each project we undertake will follow this standard methodology. While we are flexible in modifying our approach and methodology, we do so only in the best interest of our clients and their internal control initiatives.

Project-Specific Risk Analysis
- We begin by selecting the most comprehensive audit program.
- We adjust the audit program to fit client-specific risks that we learn about during an initial interview process with our client's Business Process Owner and IT professionals.

Joint Development of Audit | Review Program
- Draft a risk-based audit program and present it to the client for review.
- Make modifications deemed necessary by Management.

Execution of Audit Program
- Present a client assistance request list to minimize disruption to staff.
- Schedule on-site interviews and evidence gathering.
- Conduct on-site activities.
- Analyze the results and probe further, as deemed necessary.
- Review preliminary findings with Management to confirm results.

Audit Techniques
Our audit techniques are as follows:
- Interviews with appropriate staff;
- Online review of configuration settings;
- Review of hardcopy documentation;
- Positive and negative configuration settings tests;
- Sample testing of in-scope processes;
- Utilization of computer auditing techniques for data analysis; and
- Use of software tools to support technical audits and reduce manual efforts.

Software and Computer Tools
Select software and computer tools utilized as deemed necessary include:
- ACL and Monarch - a data extraction and analysis tool;
- Log Reader - an event viewer and application log viewing tool;
- MS Excel;
- Nessus - an open-source vulnerability scanner;
- SekChek - a scripting tool used to create scripts to extract configuration data from operating systems;
- Firewall Analyzer - a tool for analyzing firewall rule sets and configurations;
- Phonesweep - a package used to identify open modems;
- Web Scanner - a vulnerability scanner specifically designed to assess web applications; and
- Application Scanner - select application scanners.

Documentation Standards

The following section describes our policies and practices with respect to meetings, interviews and workpaper documentation.

Entrance | Kick-Off Conference
- Each of our meetings is supported by an agenda.
- The entrance conference is designed to accomplish the following tasks:
  - Introduce our team to the auditee;
  - Discuss the audit scope, objectives and plan;
  - Review the client assistance request listing to determine if there are any questions;
  - Obtain an understanding of our client's working environment and other logistics;
  - Define specific milestones and our client's preferred communication method; and
  - Answer any questions our clients may have about the process.

Fieldwork Interviews
- All fieldwork interviews with City's personnel will be scheduled in advance and at a convenient time for the interviewee.
- All interviews will be limited to 30 or 45 minutes. If additional time is needed, we will schedule another interview, in an attempt to minimize disruption to staff members' workloads.

Findings Documentation
- All potential findings will be documented on an "Issue Tracker Document." This document is used to ensure that a potential issue is properly documented and associated with adequate evidence to support a finding.
- All findings that constitute immediate risks to the organization will be immediately brought to the attention of Internal Audit Management and the responsible remediation person or team.

Periodic Reporting
- Depending on the size of a project, we issue weekly or biweekly status reports. These reports are designed to capture and communicate the following information about an ongoing project:
  - Budget to actual hours and projected hours to complete the project;
  - Project issues or risks that may hinder project completion;
  - Change control items (typically only applicable if the scope changes);
  - Project milestone status;
  - Upcoming activities; and
  - Summary of any potential findings.

Exit Conference
- The exit conference is designed to accomplish the following tasks:
  - Thank our client for assistance and support;
  - Review the audit scope, objectives and findings;
  - Potentially present a draft report;
  - Obtain information from our client about report presentation and tone; and
  - Define a timeline for final report review, management responses and final report delivery.

Project Management

Project Management Approach
Each project we undertake will follow this standard accountability model.

Engagement Manager
- Ensure the appropriate team is assembled for each project.
- Initial point of contact for City's Management Team.
- Ensure the engagement is performed in a timely way and without any issues.
- Resolve any issues that may arise.
- Deliver and review project reports.

Senior IT Audit Consultants
- Draft detailed audit procedures.
- Lead the execution of the procedures.
- Prepare workpapers that meet the reperformance standard.
- Identify vulnerabilities and exposures.
- Prepare periodic status reports and review them with City's Project Manager.
- Notify the Engagement Manager of any potential project issues or concerns.
- Draft audit reports.

Independent Reviewer
- Perform an independent review of the project and report to ensure they meet our firm's Quality Standards.

City's Project Manager
- Coordinate meetings between Securance and City's staff.
- Join project interview meetings as considered necessary or desired.
- Review periodic status reports and discuss any concerns with the Engagement Manager.
- Provide Securance with guidance relative to City's mode of operations.
- Review vulnerabilities to obtain a clear understanding of the risks and recommendations.

Status Reports
- Depending on the size of a project, we issue weekly or biweekly status reports. These reports are designed to capture and communicate the following information about an ongoing project:
  - Budget to actual hours and projected hours to complete the project;
  - Project issues or risks that may hinder project completion;
  - Change control items (typically only applicable if the scope changes);
  - Project milestone status;
  - Upcoming activities; and
  - Summary of any potential findings.

Information Sharing Security

Safeguards to Protect City's IT Assets, Including eCommunications
- All Securance consultants will execute a confidentiality agreement.
- All Securance consultants will perform their activities on a company-issued workstation. The workstation will be configured using whole disk encryption; local firewalls will be enabled; and the anti-virus solution will be current.
- This full-disk encryption software will protect data from unauthorized access, providing strong security for intellectual property, customer and partner data.
- It will often be essential that sensitive information be shared between Securance and City. In these situations, our team will adhere to the following standards:
  - Any sensitive information shared via email must be encrypted.
  - Any reports containing sensitive information must be encrypted and password-protected.
  - All passwords used will meet or exceed standard password complexity requirements.
  - Any passwords that need to be communicated will be communicated via telephone or under separate email cover.
- Any hardcopy documents containing sensitive information will be shredded upon completion of the engagement.
- Engagement information will be shared only with the Engagement Team.
- At the conclusion of the engagement, all electronic data will be permanently deleted from all consultants' workstations. All engagement workpapers will be digitized, encrypted and stored on a secure file server. City's Project Manager may direct Securance to destroy all workpapers after an electronic copy has been delivered to the designated personnel.

Workpaper Security Standards
- All working papers are maintained electronically on our secured drive for a period of three years.
- All data on the Securance network is regularly backed up, archived and securely stored according to best practice standards.
- All working papers obtained from clients are considered confidential and treated as such. Securance does not provide any working papers to any third parties without explicit written permission from the client.
- Any data obtained for the performance of the review that is classified as "sensitive" is either reviewed on site or disposed of via best practice standards at the completion of the review; Securance does not retain sensitive client information.
- Upon engagement, Securance will also discuss any further data retention standards required by our clients.

Quality Assurance Process
All projects are led by Senior IT Audit and Security Consultants with a minimum of 15 years' experience. Their work is reviewed by the Engagement Manager, and the final product is reviewed by an executive independent of the project. Additionally, our service level commitment to our clients is as follows:
- Our work product will meet or exceed the requirements of our client's internal standards.
- We ask you to measure our quality based on the comprehensiveness and quality of our reports.
- We ask our clients to complete a satisfaction survey.
Independence Assurance Process
Securance Consulting adheres to the principles and guidelines outlined in the Institute of Internal Auditors' Practice Standards. Our Management Team ensures that the firm maintains independence and objectivity on each project. Our staff is required to maintain select certifications; this requirement ensures independence, proficiency and due care.

Project Timeline

Proposed Project Plan
On the following page, we provide a detailed project plan based on our understanding of the scope of requested services. The Gantt chart outlines each step in our assessment process, designating major tasks, subtasks and key milestones. The Gantt chart shows how our assessment will progress from start to finish. The target start and end dates are not fixed. We are flexible with respect to when we start this project. We look forward to working with City of Fort Collins' stakeholders to determine the best possible start date and finalize the assessment timeline.

Task Name | Start | Finish
City of Fort Collins Project Plan | Mon 9/14/15 | Thu 10/8/15
Introduce Team to Client | Mon 9/14/15 | Mon 9/14/15
Develop a Client Assistance Request | Mon 9/14/15 | Mon 9/14/15
Task 1: Assessment of Cybersecurity Controls | Mon 9/14/15 | Tue 9/22/15
Perform a compliance gap analysis to NIST SP 800-53 controls using the existing Fort Collins Utilities' staff-generated self-assessment reports. | Mon 9/14/15 | Fri 9/18/15
Help FCU's staff interpret the findings. | Mon 9/21/15 | Mon 9/21/15
Recommend improvements to the self-assessment report documentation. | Tue 9/22/15 | Tue 9/22/15
Task 2: Review Water Resources and Treatment (WR&T) System Security Architecture | Wed 9/23/15 | Thu 9/24/15
Perform a network architecture review of the WR&T system and boundary protections from a cybersecurity perspective. | Wed 9/23/15 | Thu 9/24/15
Task 3: Assess WR&T System Components Security Configurations | Fri 9/25/15 | Mon 10/5/15
Assess security configurations of key WR&T ICS system components, including: | Fri 9/25/15 | Mon 10/5/15
Programmable Logic Controllers (PLC) and connected field equipment; | Fri 9/25/15 | Mon 9/28/15
Human Machine Interface (HMI) servers and client machines; | Mon 9/28/15 | Wed 9/30/15
Database servers; and | Thu 10/1/15 | Fri 10/2/15
Web-application server. | Mon 10/5/15 | Mon 10/5/15
Task 4: Findings and Recommendations Report | Tue 10/6/15 | Wed 10/7/15
Task 5: Report Presentation | Thu 10/8/15 | Thu 10/8/15
Exit Conference | Thu 10/8/15 | Thu 10/8/15

[Gantt chart: City of Fort Collins Proposed Project Plan, calendar weeks of Sep 13, Sep 20, Sep 27 and Oct 4, 2015; legend: Milestone, Project Summary, Manual Task, Manual Summary]

D. Availability

Securance's Workload
We are currently engaged on a number of client projects. We attempt to keep our workload commensurate with our staff. However, we believe the best measure of our ability to complete task orders, issued by City of Fort Collins, in the required time is through discussion with our current clients (see client references on page 9). Securance will complete tasks 1-3 by October 9, 2015, and deliver the final report and presentation by October 31, 2015. We guarantee that we will:
- Properly staff each project with employees that are qualified and technical experts;
- Begin all task orders on time;
- Complete them within budget, within the required time frame; and
- Deliver a draft report within one (1) week of fieldwork completion.

Certification of Key Personnel
Securance certifies that all key personnel will be employed by Securance as full-time employees and will not be removed from the City of Fort Collins account without prior written notice and the approval of City's Project Manager. If any key personnel resign from Securance or leave the employment of the firm, City of Fort Collins will be notified within five (5) business days of such separation. Securance currently has 32 Sr. IT consultants available for replacement of key personnel (if required) or if needed to complete the work by the agreed-upon deadline.

E. Sustainability Methodology

Sustainability Statement
Environmental stewardship is a good business practice and we actively work to implement sustainable efforts to reduce our impact on the world around us. Our commitment to becoming a green company is ongoing and takes constant improvement. We review, improve and implement practices to ensure they are as environmentally and economically sustainable as possible. A short list of our practices includes:
- All paper used by Securance is at least 30% post-consumer recycled paper.
- Whenever possible, office supplies are purchased from suppliers that are carbon neutral, offer recycled items and provide delivery from a local source.
- Employees are strongly encouraged to print double-sided and to use misprints as scratch paper.
- Air conditioning units and overhead lights are turned off during periods of time that the building is vacant (evenings and weekends).
- Styrofoam cups have been replaced by reusable coffee mugs in the break room.
- Green cleaning products are utilized wherever possible.

F. Cost and Work Hours

Project Cost

Project Scope Item | Hourly Rate | Hours | Line Item Fee
Task 1: Assessment of Cybersecurity Controls - NIST 800-53 Compliance Gap Analysis | $128 | 160 | $20,480
Task 2: System Security Architecture Review | $128 | 40 | $5,120
Task 3: System Components Configuration Review (Programmable Logic Controllers and Connected Field Equipment; Human Machine Interface Servers; Human Machine Interface Client Machines; Database Servers; Web-Application Server) | $128 | 180 | $23,040
Task 4: Findings and Recommendations Report | $128 | 16 | $2,048
Task 5: Report Presentation | $128 | 8 | $1,024
Administrative Fee* | - | - | $1,616
Total | | | $53,328

Ask about Our Price Match Guarantee!

*The Administrative Fee is 5% of billable hours at a rate of $80.00 per hour. This is a fee added to all engagements to cover back office costs related to the project, such as printing materials, deliverables, shipping, copies and archives of workpapers.

Securance Consulting is a firm of Senior IT Audit and Security Consultants, which simplifies our fee structure. Our standard hourly rate for all our services and seasoned consultants is $135, plus reasonable travel and per diem expenses. We offer the City a discounted hourly rate of $128 and we will absorb all travel and per diem expenses associated with this engagement.

This fee estimate is based on our understanding of the activities required to successfully complete this engagement. We believe that our fee estimate is competitive for these services. Often in a proposal situation, we find that most of the differences in fee quotations relate to variations in scope of work. If you find this to be the situation here, we would be glad to discuss our understanding of the scope and preliminary work plan with you so that you can make an "apples-to-apples" comparison of the proposals.

Should any material changes in scope occur or unforeseen situations arise, Securance will first determine their potential impact on the project, project approach, schedule and professional fees, then present any changes to City for discussion and consideration. The Engagement Manager will review the status and any changes to these estimates as necessary from time to time during the course of this engagement.

Securance will submit an invoice after the initial Management Report draft has been delivered. The final Management Report will be delivered upon processing of the invoice. All fees are due upon receipt of invoice. Securance Consulting will absorb 100% of all travel-related expenses.

G. Assigned Personnel

Proposed Project Team
Securance Consulting only hires experienced IT audit and security professionals. We take great care in matching our consultants to engagements that suit their strengths and backgrounds, so that our customers receive the best possible service, while meeting their compliance and management objectives. Each member of every team has at least 15 years' experience, not merely in the services outlined in the project scope on page 10, but, rather, in performing diverse assessments for government and industry leaders. The team will consist of a combination of personnel with technical and business credentials, including CISA, CISSP, MCP, CPA, CEH, CFE, CIA, CISM and CITP. We understand the difference between "textbook" and real-world, practical controls. Our consultants' experience will allow us to effectively strike the balance that is crucial to your organization and your IT risk management goals. Securance's proposed project team for this engagement is as follows:

Paul Ashe, President and Engagement Manager
CPA, CISA, CISSP
Paul, Founder and President of Securance Consulting, has provided hands-on project management to lead numerous engagements throughout the past 15 years.
A former IT consultant for Ernst & Young, Paul has leveraged his knowledge and experience into an effective, time- and budget-conscious project management style. His expertise includes risk and threat analysis, general controls auditing, network and system security, and regulatory compliance. Please see his complete resume and client references on pages 28-29, respectively. Chris Bunn, Practice Director and Senior IT Audit Consultant CISA Chris, Practice Director at Securance Consulting, is an expert in IT security, risk management and regulatory compliance -- from NIST and ISO to SOX, HIPAA, GLBA, MAR and PCI. With over 30 years of IT experience, Chris has audited network, system and platform security for countless government entities. Please see his complete resume and client references on pages 30-31, respectively. Chris Bunn, Practice Director and Senior IT Audit Consultant CISA Chris, Practice Director at Securance Consulting, is an expert in IT security, risk management and regulatory compliance, from best practice control frameworks to international, federal, state and industry-specific security regulations. With over 30 years of IT experience, Chris has audited information security, managed project teams and established successful risk assessment programs for global corporations, small- to medium-sized businesses and government entities. His expertise includes diverse systems, platforms, network architecture schemes and compliance requirements. Please see his complete resume and client references on pages 32-33, respectively. 28 Executive Profile Paul Ashe, CPA, CISA, CISSP President and Senior IT Audit Consultant Paul Ashe, President of Securance Consulting, has a proven track record of success delivering profit-driven technology solutions and minimizing technology-related risk to top organizations. 
Over the course of his career, he has taken charge of risk management engagements throughout the public and private sectors -- and, in so doing, has established Securance as a leader in the IT field. Paul is an expert in: Paul has been the lead IT professional on numerous audit and security engagements throughout the past 15 years. He has significant experience conducting risk assessments, controls audits and regulatory compliance reviews, as well as breaching MS Windows and Unix platforms and perimeter security devices. He is proficient in the use of over 75 security tools. His functional experience includes: l l Security Infrastructure Management l l Security Auditing l l Business Impact Assessment l l Risk and Threat Analysis l l Vulnerability Assessments l l Penetration Testing l l VPN Solutions l l IDS Deployment l l SLA and Vendor Management l l Incident Response l l “Best Practice” Deployment l l Software Functionality Reviews l l Physical Security Management l l Web-Application Testing l l Mobile Device Reviews l l Social Engineering l l Secure Network and DMZ Architecture Development Education l l Bachelor of Science - Accounting and Management Information Systems (Dual Degree) l l Master of Science - Accounting Information Systems 29 Executive References Client References for Paul Ashe Dairyland Power Cooperative - 3200 East Avenue S - La Crosse, WI 54601 Mr. Dave Becker, Director - Plant Operations Direct: (608) 787-1225 l email: djb@dairynet.com l www.dairynet.com n l Business Continuity | Disaster Recovery Plan Assistance n l IT Governance n l IT Risk Assessment Cedar Falls Utilities - 1 Utility Parkway, P.O. Box 769 - Cedar Falls, IA 50613 Mr. Bill Rogers, Network and Security Administrator Direct: (319) 268-5269 l email: Bill.Rogers@cfunet.net l www.cfu.net n l Network Security Risk Assessment Colorado Office of the State Auditor - 1525 Sherman Street, 7th Floor - Denver, CO 80203-2211 Mr. 
Matt Devlin, Deputy State Auditor Direct: (303) 869-2800 l email: matt.devlin@state.co.us l www.leg.state.co.us n l IT Security Audits Experience: Project-Specific Paul helps leaders in every industry identify, analyze and remediate technology-related risks. Recent projects include: l l Cedar Falls Utilities - Network Security Risk Assessment l l City of Bowling Green, Kentucky - IT Security and General Controls Audit l l City of Milwaukee, Wisconsin - Information Security Risk Assessment l l City of Thornton, Colorado - Security Assessment l l Colorado Office of the State Auditor - IT Security Audits l l Colorado Public Employees’ Retirement System - IT Risk Assessment and System Security Audits l l Dairyland Power Cooperative - IT Risk Assessment | IT Governance Framework | Roadmap - Critical Assets l l Dormitory Authority of the State of New York - Risk Assessment and IT Audit Plan l l El Paso Electric - Cyber Vulnerability Assessment and Penetration Testing l l Entergy Services - External Vulnerability Assessment and Penetration Security Assessment l l Illinois State Board of Education - IT Risk Assessment l l Jackson Energy Authority - Network Vulnerability Assessment l l Johnson County Community College - Internal Controls Audit of Firewalls and Routers l l Johnson County Rural Electric Membership Cooperative - AMI Network Assessment and Vulnerability Assessment l l Kissimmee Utility Authority - IT Risk Assessment and Internet Security Review l l Louisville-Jefferson County Metro Government - Application and Database Audits, IT Risk Assessments and Security Reviews l l Mid-Carolina Electric Coop - External Vulnerability Assessment and Penetration Test l l Ohio Public Employees’ Retirement System - Information Systems Risk Assessment l l Orange County, Florida - IT Audit l l Orange County Sanitation District - Security Assessment l l Piedmont Natural Gas - Vulnerability Assessment l l Santee Cooper - IT Security Assessment and Vulnerability Assessment l l 
- Sumter Electric Coop - Network Security Tests
- Waterfront Toronto - Information Security Policy Review

Staff Profile

Chris Bunn, CISA
Practice Director and Senior IT Audit Consultant

Chris Bunn is a Senior Management Professional with over 30 years’ experience in the IT field. An expert in IT security, risk management and regulatory compliance, he has delivered successful, efficient IT solutions to clients in a range of industries.

Experience: IT Risk Management

Experis Finance – Risk Advisory Services Senior Consultant
- Responsible for the execution of Sarbanes-Oxley (SOX 404) compliance audits for clients in the banking, manufacturing, healthcare and energy industries.
- Completed ISO 27002 compliance, VMware security, Six Sigma and HIPAA compliance audits.
- Performed General Computing Control Audits (GC2R) utilizing COSO and CoBIT audit frameworks.
- Performed segregation of duties reviews, ITIL Service Management (ITSM) V3 evaluations, architecture reviews, business intelligence, IT governance and other information system audits.

University of Florida – IT Audit Manager
- Planned, supervised and conducted audits of PeopleSoft 8 ERP and Data Warehouse and reporting systems residing on the Unix AIX platform; financial systems; and information security operations.
- Supervised and performed audits of computer systems residing on a variety of hardware platforms.
- Managed HIPAA compliance audits for Shands Hospital.
- Implemented Paisley (Thomson Reuters) Enterprise GRC tool and AutoAudit for Windows to streamline risk management processes within the Internal Audit Division.

Education
- Master of Science - Management Information Systems
- Bachelor of Science - Computer Science for Business

Staff References

Client References for Chris Bunn

Cedar Falls Utilities - 1 Utility Parkway, P.O. Box 769 - Cedar Falls, IA 50613
Mr. Bill Rogers, Network and Security Administrator
Direct: (319) 268-5269 | email: Bill.Rogers@cfunet.net | www.cfu.net
Network Security Risk Assessment

Colorado Office of the State Auditor - 1525 Sherman Street, 7th Floor - Denver, CO 80203-2211
Mr. Matt Devlin, Deputy State Auditor
Direct: (303) 869-2800 | email: matt.devlin@state.co.us | www.leg.state.co.us
IT Security Audits

Kissimmee Utility Authority - 1701 W. Carroll Street - Kissimmee, FL 34741
Mr. Joe Hostetler, Vice President of Finance and Risk Management
Direct: (407) 933-7777 ext. 6200 | email: jhostetl@kua.com | www.kua.com
Information Systems Risk Assessment

Experience: Project-Specific

Together with Engagement Manager Paul Ashe, Chris helps top organizations improve their risk profiles and establish best practice controls. His recent projects include:

- Cedar Falls Utilities - Network Security Risk Assessment
- Colorado Office of the State Auditor - IT Security Audits
- Dormitory Authority of the State of New York - Risk Assessment and IT Audit Plan
- Eagle Rock Energy Partners - SOX Compliance Testing
- First Financial Bank - IT Security Assessment
- Hallmark - IT Security Assessment
- Houston Community College - IT Audit
- Illinois State Board of Education - IT Risk Assessment
- Johnson County Community College - Internal Controls Audit of Firewalls and Routers
- Kissimmee Utility Authority - IT Risk Assessment
- Liberty Savings Bank - IT Security Assessment
- Maryland-National Capital Park and Planning Commission - IT General Controls Review
- Ohio Public Employees’ Retirement System - Information Systems Risk Assessment
- Oil States International - Application Security Audits
- Orange County, Florida - IT Audit
- Pinellas County, Florida - IT Security Assessment
- Simpson Manufacturing - Enterprise IT Risk Assessment
- Teachers’ Retirement System of the State of Illinois - IT General Controls Review
- tw Telecom - Revenue Network Logical Access Audit
- University of Kentucky - Application Security and HIPAA Compliance Assessment
- United Community Bancorp - IT | IS Audits
- Waterfront Toronto - Vulnerability Assessment and Penetration Test

Staff Profile

Chris Cook, CISSP, CISA
Senior IT Audit Consultant

Chris Cook, a Senior IT Consultant with Securance for the last 9 years, is a subject matter expert in IT security, risk analysis and regulatory compliance. His expertise includes:

- Security Evaluations
- Risk Assessments
- Vulnerability Assessments
- Penetration Tests
- UNIX | Linux and Windows Server Reviews
- Internet Security Assessments
- Application Vulnerability Assessments
- Regulatory Compliance Reviews and Testing
- NIST, ISO, GLBA, HIPAA, PCI-DSS and SOX Compliance

Experience: IT Security

Ericsson - Senior Security Analyst
- Assessed application security. Formulated actionable remediation recommendations.

NASA Ames Research Center - Senior Control Analyst
- Prepared FISMA certification and accreditation packages according to NIST guidelines.
- Packages included risk assessments, security plans and contingency plans.

IBM - Managing Consultant, Security and Privacy Practices
- Conducted security evaluations according to ISO and NIST standards.
- Performed application vulnerability assessments using WebInspect software.
- Reviewed internal clients’ practices for compliance; recommended appropriate solutions.

Education
- Bachelor of Science – History

Staff References

Client References for Chris Cook

City of Tacoma, WA (Tacoma Water) - 3628 South 35th Street - Tacoma, WA 98409
Mr. Christopher Johnson, P.E., Supply Operations Supervisor
Direct: (253) 502-8743 | email: cjohnso2@cityoftacoma.org | www.tacomawater.com
Cyber Security Vulnerability Assessment

Kissimmee Utility Authority - 1701 W. Carroll Street - Kissimmee, FL 34741
Mr. Joe Hostetler, Vice President of Finance and Risk Management
Direct: (407) 933-7777 ext. 6200 | email: jhostetl@kua.com | www.kua.com
Information Systems Risk Assessment

Orange County Sanitation District - 10844 Ellis Avenue - Fountain Valley, CA 92708
Mr. Mike Herrera, Information Technology
Direct: (714) 593-7250 | email: mherrera@ocsd.com | www.ocsd.com
IT Security Assessment

Experience: Project-Specific

Chris works closely with Engagement Manager Paul Ashe to help top organizations improve their security postures and to ensure that best practice controls are used to mitigate known threats. Recent projects include:

- City of Richmond, Virginia - Network Security Assessment
- City of Tacoma, Washington - Cyber Security Vulnerability Assessment
- Educational Service Unit #3 - Network Security Audit
- Entergy Services - Penetration Security Assessment
- First Financial Bank - IT Security Assessment
- Hallmark - IT Security Assessment
- Inter-American Development Bank - Extended Enterprise Mobility Security Assessment
- Kissimmee Utility Authority - IT Risk Assessment
- Liberty Savings Bank - IT Security Assessment
- Newtown Savings Bank - Network Vulnerability Assessment
- Orange County Sanitation District - Security Assessment
- Santee Cooper - IT Security Assessment
- Transocean - Penetration Test

H. Additional Information

What City of Fort Collins Should Expect

Securance provides the best fit to City for this assignment for the following reasons:

Qualifications – the team we proposed includes senior leadership from the firm. Our team leaders and staff are Certified IT Audit Professionals with intimate knowledge of the technologies in your environment.

IT Audit Expertise – as a firm of Senior IT Consultants, we intimately understand information technology and internal controls. Our methodology is designed around global best practices. We are experts already.

Sustained Improved Controls – only the Securance approach includes a sustainable improved internal controls environment solution.
Our team will identify and share with City processes and improvements to current processes that will help improve the organization’s controls on an ongoing basis.

Experience – key members of our team of consultants are former “Big 4” IT consultants. In addition, our team has real-world experience that enables us to differentiate between “textbook” and real-world practical controls. Your reports will not contain recommendations that cannot be implemented in your environment.

High-Quality Deliverable – our Management Report is tailored to the various audiences that will receive it. The report contains an easy-to-read executive summary with no technical jargon. Yet, it also contains sufficient detail that your team of system administrators and engineers can implement our proven recommendations.

True Partnership – we are long-term partners with staying power. We will not simply leave when the assignment is over. We will be there to support the remediation and ensure the implementation of our recommendations is successful. When needed, we will roll up our sleeves and participate in the implementation. City will become a Securance client for life. This means you can contact us for support or technical advice, free of charge, even when not under contract. That is the Securance definition of a partner!

Competitive Fee Structure – our fee structure is ultra-competitive and easy to follow. We will provide our Senior IT Audit Consultants at a rate of $128 per billable hour (inclusive of travel). By selecting Securance, City will be working with the very best executive-level consultants at rates similar to those our competitors charge for junior-level consultants. It is easy to see why Securance should be the firm of choice!

- Trusted Hosts
- Users Allowed to Login Remotely
- FTP Access
- Guest Account Management
- Use and Control of ‘r’ Commands
- Root Account Management and Control
- Use of Telnet and High-Risk Protocols
- OS-Specific Vulnerability Management
- Information Handling and Retention
- Predictable Failure Prevention
- Non-Persistence
- Information Output Filtering
- Memory Protection
- Fail-Safe Procedures

Program Management
- Information Security Program Plan
- Senior Information Security Officer
- Information Security Resources
- Plan of Action and Milestones Process
- Information System Inventory
- Information Security Measures of Performance
- Enterprise Architecture
- Critical Infrastructure Plan
- Risk Management Strategy
- Security Authorization Process
- Mission | Business Process Definition
- Insider Threat Program
- Information Security Workforce
- Testing, Training and Monitoring
- Contacts with Security Groups and Associations
- Threat Awareness Program
- Developer Screening
- Unsupported System Components
- Media Protection Policy and Procedures
- Media Access
- Media Marking
- Media Storage
- Media Transport
- Media Sanitization
- Media Use
- Media Downgrading
- Internal System Connections

City of Milwaukee, Wisconsin
Consultants: Paul Ashe
Beginning Price: $35,000
Ending Price: $39,508
Price increase due to expansion of the project scope.

Internal Controls Audit of Firewalls and Routers

In 2014, Securance audited the security of Johnson County Community College’s border routers, firewalls, virtual private network (VPN) technologies and intrusion detection | prevention systems. Our objective was to ensure that network hardware was configured securely and that supporting IT general controls were operating as intended.
We performed detailed configuration analyses of routers, firewalls, VPN appliances and the intrusion detection | prevention system, and assessed the effectiveness of IT processes supporting the in-scope technologies:

- Change controls and patch management;
- User provisioning;
- Incident response management; and
- Logging and monitoring management.

Johnson County Community College
Consultants: Paul Ashe, Chris Bunn
Beginning Price: $24,090
Ending Price: $27,930
Price increase due to expansion of the project scope.

the water utility’s SCADA network, network appliances and supporting technologies; in addition, we audited select IT general controls:

- Change and patch management;
- IT governance;
- Information security management;
- Access controls;
- Malicious software protection; and
- Physical security.

Client Name Confidential Water Utility
Consultants: Paul Ashe, Chris Cook
Beginning Price: $24,000
Ending Price: $24,000