RFP 0696 Penetration Test and Vulnerability Assessment

Date: March 4, 2024 COMPETITIVE BID Issued by: Agriculture Financial Services Corporation COMPETITIVE BIDS FOR: IT Security Consultant to provide Penetration Tests and Vulnerability Assessment for AFSC COMPETITIVE BID #: RFP 0696 CONTRACTED SERVICE: Penetration Test and Vulnerability Assessment Provider CLOSING: March 26, 2024 AFSC BUYER: Kathy Walker TITLE: Buyer, Business Services ADDRESS: AFSC Purchasing Department 5718 56th Avenue Lacombe, Alberta T4L 1B1 E-MAIL: RFP@afsc.ca TABLE OF CONTENTS: TERMS AND CONDITIONS - 1 - 1.0 INTRODUCTION - 1 - 1.1 DEFINITIONS - 1 - 1.2 MANDATORY REQUIREMENTS AND DESIRABLE PROVISIONS - 1 - 1.3 CONFIDENTIALITY AND SECURITY OF INFORMATION - 2 - 1.4 MATERIAL OWNERSHIP - 2 - 1.5 CONFLICT OF INTEREST - 2 - 1.6 INACCURACIES OR MISREPRESENTATIONS - 3 - 1.7 INQUIRIES - 3 - 1.8 BLACKOUT PERIOD - 4 - 1.9 LIABILITY FOR ERRORS - 4 - 1.10 NOTIFICATION OF CHANGES - 4 - 1.11 VENDOR’S EXPENSES - 5 - 1.12 SHORT

LISTING - 5 - 1.13 RESOURCE REPLACEMENT - 5 - 1.14 FREEDOM OF INFORMATION AND PROTECTION OF PRIVACY - 5 - 1.15 RESERVATION OF RIGHTS - 6 - 1.16 COMPETITIVE BID ADMINISTRATION - 6 - 1.17 AFSC’S POLICIES AND PROCEDURES FOR SECURITY AND TRAINING ON SITE - 7 - 1.18 VENDOR DEBRIEFING - 7 - 2.0 STATEMENT OF WORK - 8 - 2.1 INTRODUCTION - 8 - 2.2 BACKGROUND - 8 - 2.3 OBJECTIVES - 9 - 2.3.1 PENETRATION TESTING SERVICES - 9 - 2.3.1.1 NETWORK PENETRATION TESTING SERVICES - 10 - 2.3.1.2 APPLICATION PENETRATION TESTING SERVICES - 10 - 2.3.1.3 SOCIAL ENGINEERING TESTING SERVICES - 10 - 2.3.2 VULNERABILITY ASSESSMENT SERVICES - 10 - 2.3.3 WEB APPLICATION PENETRATION TESTING SERVICES - 11 - 2.3.4 RED TEAMING EXERCISE - 11 - 2.3.5 ADDITIONAL SERVICES - 11 - 2.3.6 SECURITY POLICY REVIEW. CONTINUOUS THREAT EXPOSURE MANAGEMENT (CTEM) - 12 - 2.4 DURATION - 12 - 2.5 REQUIREMENTS - 12 - 2.5.1 PREFERRED REQUIREMENTS - 12 - 2.5.2 OPTIONAL REQUIREMENTS - 16 - 2.5.3 TRAINING - 18 - 2.6 CORPORATE CAPABILITIES AND EXECUTIVE SUMMARY - 18 - 2.7 RESOURCES - 18 - 2.8 VALUE ADD - 19 - 2.9 APPROACH - 19 - 2.10 SECURITY - 20 - 2.10.1 DATA CLASSIFICATION - 20 - 2.11 TECHNOLOGY INFORMATION - 20 - 2.12 DOCUMENTATION - 20 - 2.13 ADDITIONAL INFORMATION - 21 - 2.14 DISCLOSURE - 22 - 2.15 PRICING - 22 - 3.0 EVALUATION - 23 - 4.0 CONTRACT REVIEW - 26 - 4.1 NEGOTIATIONS - 27 - 5.0 MASTER SCHEDULE - 27 - 6.0 PROPOSAL SUBMISSION GUIDELINES - 29 - 6.1 PROPOSAL FORMAT - 29 - 6.2 PROPOSAL SUBMISSIONS - 31 - TERMS AND CONDITIONS 1.0 Introduction Agriculture Financial Services Corporation (AFSC) is an Alberta Provincial Crown Corporation under the Ministry of Agriculture and Irrigation. AFSC’s core programs include business risk management programs and services to the agriculture industry as well as lending products and services to farmers’ agribusinesses, value added enterprises and commercial operations. More detailed information about AFSC is available on the website www.afsc.ca. The objective of this Competitive Bid is for AFSC to solicit Proposals from those qualified in providing the specified services described under section 2.0 of this Competitive Bid. 1.1 Definitions The following abbreviations and terminology are used throughout this Competitive Bid: Term Description Personnel Employees, contractors, subcontractors and agents of the Vendor. Vendor Any business that is registered in Canada and is authorized to operate in Alberta, proposing to submit a Proposal to the Competitive Bid. Competitive Bid Competitive Bid (RFP), Request for Quote (RFQ), Value Based Request (VBR), Notice of Proposed Procurement (NPP), Request for Information (RFI), Request for Comment (RFC) Statement of Work The services required by this Competitive Bid as described in section 2.0 of this Competitive Bid. Contract Monitor AFSC representative that will be responsible for the management of the contract that may result from this Competitive Bid. 1.2 Mandatory Requirements and Desirable Provisions Proposals that do not comply with the Competitive Bid requirements will be rejected. “Must”, “shall”, “mandatory” and “will” mean a requirement that must be met in order for the Proposal to receive consideration. For mandatory requirements, the Vendor must provide sufficient information in the Proposals to sustain compliance to the Competitive Bid’s Mandatory requirements. “Should” and “desirable” mean a provision having a significant degree of importance to the objectives of the Competitive Bid. For desirable/optional provisions, the Vendor’s Proposal should provide details of how the desirable/optional provisions are addressed. 1.3 Confidentiality and Security of Information The Vendor and the Vendor’s personnel shall: a) Keep strictly confidential all information concerning AFSC or third parties, or any of the business or activities of AFSC or third parties acquired as result of participation in the Competitive Bid; b) Only use, copy or disclose such information as necessary for the purpose of submitting a Proposal or upon written authorization of AFSC. The Vendor shall maintain security standards, including control of access to data and other information, consistent with the highest standards of business practice in the Vendor’s industry. 1.4 Material Ownership Ownership in all materials including copyright, patent, trade secret, industrial design or trademark that are made, prepared, developed, generated, produced or acquired under or in relation to the Competitive Bid and any subsequent contract by the Vendor, the Vendor’s employees, subcontractors or agents belongs to AFSC as they are made, prepared, developed, generated, produced or acquired. Any such materials shall be delivered to AFSC upon completion or termination of the Competitive Bid. The Vendor: a) Irrevocably waives in whole all moral rights. b) Shall ensure that its employees, subcontractors, and agents irrevocably waive in whole all moral rights to the materials made, prepaid, developed, generated produced, or acquired under the Competitive Bid and any subsequent contract and declares that these waivers shall operate in favour of AFSC and AFSC’s assignees and licenses. 1.5 Conflict of Interest Vendor(s) must fully disclose, in writing to AFSC on or before the closing date of the Competitive Bid, the circumstances of any possible conflict of interest or what could be perceived as a possible conflict of interest if the Vendor were to become a contracting party pursuant to the Competitive Bid. AFSC will review any submissions by Vendor(s) under this provision and may reject any Proposals where, in the sole opinion of AFSC, the Vendor could be in a conflict of interest or could be perceived to be in a possible conflict of interest position if the Vendor were to become a contracting party pursuant to the Competitive Bid. 1.6 Inaccuracies or Misrepresentations If, during the Competitive Bidding process, AFSC determines that the Vendor has made a material misstatement or misrepresentation or that materially inaccurate information has been provided to AFSC, the Vendor will be disqualified from the Competitive Bidding process. 1.7 Inquiries All inquiries related to this Competitive Bid must be addressed to the AFSC Buyer on or before the date specified in the Master Schedule and as per the following: a) Inquiries must be sent by e-mail to the AFSC Buyer at RFP@AFSC.ca, utilizing the Q&A template provided. b) No telephone inquiries will be accepted. c) No additional information or clarifications will be provided to inquiries received after the applicable deadline. d) To be considered, all inquiries must provide the following Vendor information: • Name of Primary Contact • Address • Telephone number • E-mail address • Competitive Bid Reference Number. e) All inquiries received will be reviewed by AFSC. f) All inquiries will be compiled and answered in the form of written Addendum(s) issued by AFSC via Alberta Purchasing Connection (APC) to all prospective Vendor(s). g) Vendor(s) are advised that all inquiries answered by AFSC will be provided verbatim in writing to all prospective Vendor(s). h) Inquiries that may contain proprietary or confidential information of a Vendor may be answered exclusively to the submitting Vendor (AFSC will direct the correspondence regarding this inquiry only to the Vendor’s Primary Contact) provided the Addendum does not: • Require a modification to this Competitive Bid; or • Potentially provide an undue advantage in the competitive process. i) If either of the above situations (h) arises, AFSC reserves the right to: • Request the Vendor reword and resubmit the inquiry; or • Decline to provide a response. j) AFSC reserves the right to not disclose information in conjunction with this Competitive Bid on any inquiry that requires releasing information that AFSC, in its sole discretion, regards as confidential to AFSC. k) AFSC reserves the right in any event to decline to provide a Proposal for any reason in its sole discretion. l) It is the Vendor’s responsibility to notify AFSC, in writing, and in advance, of any change in the Vendor(s) Primary Contact Information. m) AFSC assumes no responsibility or liability arising from information obtained in a manner other than as described in this Competitive Bid. 1.8 Blackout Period With respect to the Competitive Bid, AFSC prohibits communications initiated by a Vendor to any AFSC employee, other than the Purchasing Department, for the period of time from the submission date of the Competitive Bid up to and including the date of contract award resulting from this Competitive Bid. Any communication between a Vendor and AFSC during the Blackout Period will be initiated by AFSC, in writing, for the purpose of obtaining information or clarification necessary to ensure a proper and accurate evaluation of the Proposal. Any communication initiated by a Vendor during the Blackout Period may be grounds for disqualifying the offending Vendor from further consideration for the acquisition and/or any future AFSC solicitations. AFSC will notify all Vendors upon award of a contract from this requisition. Accordingly, Vendors are asked to refrain from requesting status updates during the proposal evaluation process. Vendors who are currently engaged in an active contract with AFSC may continue to communicate directly with the AFSC Contract Monitor as it relates to activities covered under the active contract. 1.9 Liability for Errors While every effort is taken to ensure an accurate representation of information in this Competitive Bid, AFSC shall not be liable or accountable for any error or omission in any part of this Competitive Bid. 1.10 Notification of Changes Any changes to this Competitive Bid, as well as the Response(s) to inquiries, will be posted as an addendum on the Alberta Purchasing Connection (APC). Vendors should routinely check APC for amendments and adhere to any amendment requirements. In the event of a Directed Competitive Bid, Vendors should routinely check the email address the Bid was delivered to for amendments. 1.11 Vendor’s Expenses Vendors are solely responsible for their own expenses in preparing the Proposal, as well as any subsequent Proposals, including any costs associated with attendance to Information sessions, site tours or a potential short-listed Vendor’s interview with AFSC. 1.12 Short listing A shortlist of Vendors may be established. Short listed Vendors may be requested to make formal presentations, regarding their Proposal to AFSC. Key Vendor management and technical personnel will be expected to participate in the presentations. This process is used to validate claims made in the Proposal and confirm the Vendor’s ability to meet the requirements in the Competitive Bid. These presentations must be made at no cost to AFSC. Based on information obtained at the presentation, Vendors’ scores may be adjusted. 1.13 Resource Replacement Resource replacement is not encouraged, however, there could be circumstances following the Competitive Bids closing date and prior to contract execution that a Vendor may request that a proposed resource be replaced. Any proposed resource replacement must have, in the opinion of AFSC, equivalent or better qualifications than the originally proposed resource. Vendors will not receive additional credit in the evaluation process if the qualifications of the replacement resource exceed those of the original resource. AFSC reserves the right to deny any request for replacement and reject any proposed replacement. 1.14 Freedom of Information and Protection of Privacy The Vendor acknowledges that: a) The Freedom of Information and Protection of Privacy Act of Alberta (FOIP) applies to all information and records relating to, or obtained, generated, created, collected or provided under the Competitive Bid and any subsequent contract and which are in the custody or control of AFSC. FOIP allows any person a right of access to records in AFSC’s custody or control, subject to limited and specific exceptions as set out in FOIP. b) FOIP imposes an obligation on AFSC, and through the Competitive Bid and any subsequent contract on the Vendor(s), to protect the privacy of individuals to whom information relates. The Vendor(s) will protect the confidentiality and privacy of any individual’s Personal Information accessible to the Vendor(s) or collected by the Vendor(s) pursuant to the Competitive Bid and any subsequent contract. c) The Vendor(s), if it considers portions of its Proposal to be confidential, will identify those parts of its Proposal to AFSC considered to be confidential and what harm could reasonably be expected from disclosure. AFSC does not warrant that this identification will preclude disclosure under FOIP. d) Materials produced by the Vendor(s), in connection with or pursuant to the Competitive Bid and any subsequent contract, which are the property AFSC pursuant to the Competitive Bid and any subsequent contract, could be considered records under the control of a public body and could therefore also be subject to the FOIP before delivery to AFSC. As such, the Vendor must conduct itself to a standard consistent with FOIP in relation to such materials. e) For the records and information obtained or possessed by the Vendor(s) in connection with or pursuant to the Competitive Bid and any subsequent contract, and which are in the custody or control of AFSC, the Vendor(s) must conduct itself to a standard consistent with FOIP when providing the services or carrying out the duties or other obligations of the Vendor under the Competitive Bid and any subsequent contract. The purpose for collecting Personal Information for the Competitive Bid is to enable AFSC to ensure the accuracy and reliability of the information, to evaluate the Proposal, and for other related program purposes of AFSC. Authority for this collection is the Government Organization Act, as amended from time to time. The Vendor(s) may contact the Buyer identified in the Competitive Bid regarding any questions about collection of information pursuant to the Competitive Bid. 1.15 Reservation of Rights AFSC reserves the right in its sole discretion to: a) Accept or reject any or all Proposals. b) Disqualify a Vendor in the event that, in AFSC’s opinion, the Proposal does not contain sufficient information to permit a thorough evaluation. c) Verify the validity of the information supplied and to reject any Proposal where the contents appear to be incorrect or inaccurate in AFSC’s estimation. d) Seek Proposal clarification at any time with Vendor(s) to assist in making evaluations. e) Accept Proposals in whole or in part. f) Accept a Proposal with only minor non-compliance. g) Retain one copy and destroy and dispose of all other copies of any and all Proposals received by AFSC. h) Cancel this Competitive Bid process at any stage, without award or compensation to Vendors, their officers, directors, employees or agents, without assigning any reasons. 1.16 Competitive Bid Administration The Proposal must indicate that the Vendor accepts the Procedures set down in this Competitive Bid. In accordance with this Competitive Bid, the Vendor, if it considers portions of its Proposal to be confidential, shall identify those parts of its Proposal to AFSC considered to be confidential and what harm could reasonably be expected from disclosure. AFSC does not warrant that this identification will preclude disclosure under FOIP. 1.17 AFSC’s Policies and Procedures for Security and Training On Site The Vendor, its employees, subcontractors, and agents when using any of AFSC’s buildings, premises, equipment, hardware or software shall comply with all safety and security policies, regulations or directives relating to those buildings, premises, equipment, hardware or software that are promulgated by AFSC from time to time. The Vendor’s employees, subcontractors and agents shall comply, as applicable, with all provisions of the Alberta Occupational Health and Safety Act, Occupational Health and Safety Regulation and Occupational Health and Safety Code with respect to the provision of services and materials. When the Workers’ Compensation Act (Alberta), as amended, applies, and upon request from AFSC, deliver to AFSC a certificate from the Workers’ Compensation Board showing that the Vendor is registered and in good standing with the Board. 1.18 Vendor Debriefing The Corporate Purchasing Section will, at the request of an unsuccessful Vendor who responded to this Competitive Bid, conduct a debriefing after contract award for the purpose of informing the Vendor on the reasons their Proposal was not selected. 2.0 STATEMENT OF WORK 2.1 Introduction Agriculture Financial Services Corporation (AFSC), as part of its Vulnerability Management program is seeking the services of an Information Technology Security Vendor to carry out third-party assessment of AFSC IT systems and infrastructure using various techniques and services as specified in 2.3 of the scope of work to evaluate the effectiveness of the existing security controls and to provide input into the development of security and risk management program at AFSC. A major high-level objective of this engagement is to request the respondents independently validate identified risks discovered utilizing vendor’s standard penetration testing methodologies, vulnerability assessments techniques, and red teaming methodologies. Another goal is to assist AFSC to identify critical security controls gaps that could significantly affect the confidentiality, integrity, availability, privacy, and safety of AFSC, its clients and/or its staff. 2.2 Background As an Alberta provincial Crown corporation, AFSC provides farmers, agribusinesses and other small businesses loans, crop insurance and farm income disaster assistance. With this service portfolio, AFSC holds in trust, vast amounts of small and medium scale enterprise SME records and information that must be protected; AFSC must also comply with Alberta's Freedom of Information and Protection of Privacy (FOIP) Act which provides a framework for how Alberta public bodies must handle citizen’s information. With the sensitivity and volume of data involved, a data breach will have severe risk consequences for AFSC. It is thus paramount that this supporting risk management activity (Continuous Threat Exposure Management, Vulnerability Assessment, Penetration Testing and Red Teaming Exercise) complements AFSC’s assurance functions. The purpose of the engagement is to: • Find vulnerabilities in the publicly exposed (Internet accessible) elements of the AFSC infrastructure from a potential intruder’s point of view. • Determine whether technical vulnerabilities may be exploited and the degree of exploitation and its impact to AFSC. • Assess the overall effectiveness of security controls on the perimeter network and external hosts in a safe and controlled manner with no unplanned interruptions to AFSC’s business functions. • Explore the ability for a company to help AFSC build and mature a CTEM program The successful respondent may be required to provide the following as part of its deliverables to AFSC: • Evaluate and assess current AFSC Information security controls for mission critical applications within the organization. • Perform cloud assessment and penetration testing services (e.g. Infrastructure, Applications). • Determine the extent to which internal users may represent an exploitable vulnerability to the AFSC’s security through social engineering techniques. • Analyze the results, rule out false positives, prioritize the confirmed vulnerabilities and provide steps for immediate remediation. • Provide a detailed account of findings and a prioritized list of remediation actions to be taken. • Provide or assist in building a complete CTEM actionable security posture remediation and improvement plan • Perform a detailed analysis of AFSC network architecture evaluating data flow, physical and logical connections, communication protocols (intranet, extranet, remote VPN), and identify all vulnerabilities not covered by current security controls. • Conduct an enterprise network discovery and data leakage test to identify hosts, routers, and subnets that may be transmitting data on non-approved or unauthorized devices such as unauthorized third-party connections, unauthorized Internet circuits, or unauthorized Virtual Private Networks (VPN’s); • Live fire type tuning of current security tools in utilization at AFSC 2.3 Objectives The Respondent shall provide a broad range of quality services to meet the requirements of AFSC in the following categories: • Penetration Testing Services – Preferred • Vulnerability Assessment Services – Preferred • Web App Penetration testing - Preferred • Red Teaming Exercise – Optional; • Additional / Value add services – Optional; and • Continuous Threat Exposure Management (CTEM) – Optional The respondent is expected to submit a proposal for all preferred categories and can choose to submit for the optional categories as well. 2.3.1 Penetration Testing Services Penetration tests are important part of a security team’s threat and vulnerability management capability. Penetration tests are used as an independent verification mechanism to assess Organizations’ IT environment controls. This type of test will be utilized to determine the organization’s overall security posture. The respondent shall provide the following quality penetration testing services as further described below: • Network Penetration Testing Services; • Web Application Penetration Testing services; • Web Application Testing Services; and • Social Engineering Testing Services. 2.3.1.1 Network Penetration Testing Services A Network penetration testing of the computing infrastructure of AFSC. This test will be designed to determine what vulnerabilities exist from within/outside AFSC network. The objective is to perform a controlled attack against findings to verify results, and provide an overall risk assessment to assist AFSC in securing network infrastructure. The respondent shall provide network penetration testing services including but not limited to the details provided in section 2.5. 2.3.1.2 Application Penetration Testing Services Application penetration testing provides an independent verification of the security status of AFSC’s applications. This test determines whether applications present and exploitable risk to the organization. The respondent shall provide application penetration testing services including but not limited to the details provided in section 2.5. 2.3.1.3 Social Engineering Testing Services Social Engineering testing is the use of deception and manipulation to obtain confidential information. It is a non-technical kind of intrusion that relies heavily on human interaction and often involves tricking people into breaking normal security procedure. The respondent shall provide human centric social engineering testing services including but not limited to the following: • Pretexting; • Phishing campaigns (e.g., email, phone); • Brute force (on designated systems); • Password Cracking. 2.3.2 Vulnerability Assessment Services A vulnerability assessment exercise will identify what vulnerabilities exist within the AFSC network and will also provide recommendation on prioritization and remediation based on the resultant risks to AFSC. This will also complement the findings of the AFSC vulnerability management program. The respondent shall provide vulnerability assessment services which will include; • Identification of vulnerabilities on the AFSC network; • Analysis of such identified vulnerabilities and removing false positives; • Prioritization of the identified vulnerabilities; • Contextualization of risks that might arise due to a successful exploit of the vulnerability; • Recommendations for remediation of the vulnerability. 2.3.3 Web Application Penetration Testing Services Web Application penetration testing provides an independent verification of the security status of AFSC’s web applications. This test determines whether web applications present and exploitable risk to the organization. The respondent shall provide Web application penetration testing services including but not limited to the details provided in section 2.5. 2.3.4 Red Teaming Exercise Red Teaming exercise is used to validate the efficacy of security controls and capabilities, or as part of ongoing incident response and threat & vulnerability management. The respondent will conduct a Red Teaming exercise to obtain a realistic level of risk and vulnerabilities against: • Technology – Systems, Networks and Applications devices and appliances; • People – Staff, Outsourced Vendor personnel, Departments and Business partners; • Processes; • Incident Response Handling(or Testing); and • Physical Facilities – Offices and Data Centre. 2.3.5 Additional services The respondent should provide any additional / out of the band services to AFSC. Additional services may include, but not limited to the following: • Remediation assessments following to the initial penetration tests: • Physical security controls review: • Internet and Email security controls review: • Security Architecture Review: • Security Awareness Exercise Review: 2.3.6 Security Policy Review. Continuous Threat Exposure Management (CTEM) A CTEM program uses tools to inventory and categorize assets and vulnerabilities, simulate or test attack scenarios and other forms of posture assessment processes and technologies. It is important that a CTEM program has an effective and actionable path. A Continuous Threat Exposure Management (CTEM) program is a set of processes and capabilities that allow enterprises to evaluate the accessibility, exposure, and exploitability of an enterprise’s digital and physical assets continually and consistently. The respondent shall provide CTEM cycle that must include: • Scoping • Discovery • Prioritization • Validation • Mobilization 2.4 Duration May 2024 would be the anticipated start date of contract, activities to follow after that. The resulting initial contract shall be for a period of one (1) year with an option for extension subject to negotiations satisfactory to both parties The successful Vendor(s) will be AFSC’s preferred Vendor(s) on a need-to-need basis during the term of the contract or until such time as AFSC’s business needs change. If Cloud services are involved, then durations may change. Expansion Capabilities – In the future, AFSC may wish to expand services into other areas of its business. In this regard, AFSC reserves the right to engage the successful Vendor in the future for integrated expansion capabilities/modules for other ASFC business areas. 2.5 Requirements AFSC requests respondents to execute a comprehensive Vulnerability Assessment, Penetration Testing services, and Red Teaming exercise for AFSC’s systems and applications. Respondents are required to provide supporting information to show how vendor will execute based on the above exercises and/or services. 2.5.1 Preferred Requirements Network Penetration Testing Please indicate which of the following network-related environments you can perform penetration testing on. Please provide short descriptions of your approach or methodology for each. Network Penetration Testing Requirements Response (Yes / No) Approach/Methodology Internal and External Penetration testing Perimeter and publicly facing infrastructure Telephony systems/VoIP Cloud assessment and penetration testing Printers, HVAC, CCTV Systems Network Penetration Testing supporting information Please indicate if and how you can perform and meet the following network-related testing requirements. Please provide short descriptions of your approach or methodology for each. Requirements Response (Yes / No) Approach or Methodology Denial of service testing Out of band attacks War dialing Wireless, WEP/WPA cracking Spoofing Malware attacks Service Discovery/Port Scanning Web & Non-Web Application Penetration Testing Please indicate which of the following application (web and Non-Web)-related environments and (or) vectors you can perform penetration testing on. Please provide short descriptions of your approach or methodology for each. Requirements Response (Yes / No) Approach or Methodology Web applications (i.e. APIs, Java, XML, asp.net, PHP) Custom apps (i.e. CRM systems, SAP, HR systems ) Databases (i.e. SQL, MySQL, Oracle) 3rd party hosted applications Mobile Applications Web & Non-Web Application Penetration Testing supporting information Please indicate if and how you can perform and meet the following application (web and Non-Web) -related testing requirements. Please provide short descriptions of your approach or methodology for each. Requirements Response (Yes / No) Approach or Methodology Code review: analyzing application source code for sensitive information of vulnerabilities in the code. Authorization testing: testing systems responsible for user session management to see if unauthorized access can be permitted. This includes: • Input validation of login fields: inputting of bad or overlong characters and inputs with the aim of generating irregular results. • Cookie security: theft of cookies by unauthorized person. • Lockout testing: validating lockout processes such as timeout and intrusion controls to ensure legitimate sessions cannot be compromised Functionality testing: performing testing of the application functionality itself. This includes: • Input validation: inputting of bad or overlong characters, URLs, or other inputs with the aim of generating irregular results. • Transaction testing: ensuring desired application performance and run with no ability to be abused by end users. Website penetration testing: active analysis of web application weaknesses or vulnerabilities. Encryption usage testing: testing applications’ use of encryption to ensure secure standards and management are being used. Authentication process testing: ensuring strong authentication processes are in place for end users. User session integrity testing: ensuring user sessions’ ability to remain uncompromised Social Engineering Testing Please indicate which of the following vectors you can perform some level of penetration testing on. Please provide short descriptions of your approach or methodology for each vector. Requirements Response (Yes / No) Approach or Methodology Email / Phishing Phone / Vishing Physical Building access Social Engineering Testing supporting information Please indicate which of the following methods of social engineering or tendencies you can support. Please provide short descriptions of your approach or methodology for each. Requirements Response (Yes / No) Approach or Methodology Phishing attacks Social networking scams – Facebook, LinkedIn Pretexting Watering hole attacks Tailgating Bypassing other physical security measures Impersonation – employee or external authority Password cracking Others – Please indicate Vulnerability Analysis and Exploitation Please indicate if and how you can perform and meet the following vulnerability analysis and exploitation requirements: Requirements Comments: Please state your justification for how requirements are met Please indicate any exploitation techniques that will be used to validate identified vulnerabilities. Please indicate what tools are used to exploit vulnerabilities and whether they are open source, commercial, or proprietary Please indicate how you will perform traversal of systems and hosts Please indicate which of the following methods are used: • Credential compromise • Cross site scripting • Any other method used 2.5.2 Optional Requirements Red Teaming Exercise Please indicate if and how you can perform and meet the following red team exercise requirements. Please provide short descriptions of your approach or methodology for each. Requirements Response (Yes / No) Approach or Methodology Please provide information about the methodology that will be used in conducting Red team exercise of the AFSC environment. Which of the following areas are included in the assessment. • Digital Assets • Physical Assets • Technical and Operational Processes What exploitation tactics are used for this exercise? Does these include • The Network services • Physical layer • Application layer Are there particular cyberattack emulations or threat actor roles (such as organized crime, cyberterrorist, hacktivist, cyberspy) that will be used during this exercise? If Yes, please provide additional information on the emulations used. How does the team ensure foothold and maintain presence during the exercise to achieve the set objectives Continuous Threat Exposure Management Please indicate which of the following network-related environments you can perform CTEM plan on. Please provide short descriptions of your approach or methodology for each. CTEM Requirements Response (Yes / No) Approach/Methodology Scoping Discovery Prioritization Validation Mobilization 2.5.3 Training If there is a need for a device install or configuration changes needed, documentation and training to be provide to AFSC staff in order to assist with timely install and configuration for what is needed. Vendor to provide any needed training for documentation to AFSC in order to facilitate any vulnerability assessment activities. 2.6 Corporate Capabilities and Executive Summary Proposals must include an executive summary of the key features of the Proposal. This summary should include: a) A brief introduction of the Vendor; b) A brief company history and overview of the Vendor as it applies to the content of the Competitive Bid; c) Demonstrate a sound understanding of the scope, objectives and requirements presented in this Competitive Bid; d) The number and nature of engagements in similar scope and size as outlined in section 2.0 of Competitive Bid during the past two (2) years; and e) Industry awards, certifications and other market place distinctions; f) Social responsibilities and environmental consideration; g) Indicate why the Vendor considers itself to be a “right” service provider and what key strengths it will bring to AFSC in the immediate and long term. 2.7 Resources Please provide a list of the staff members that will be assigned to the engagement at AFSC. Please note, the successful respondent will be required to sign off on all of AFSC’s security forms prior to any work being completed. The Response should include but not limited to the following: Requirements Comments: Please state your justification for how requirements are met Provide information pertaining to previous projects/engagements of similar nature that the resource or team lead has had and provide references for the project Provide resumes for staff that will be assigned to the engagement at AFSC. The resume should include skills, experience, qualification, certifications and accreditation. If any of the assigned staff possess or requires government security clearances. Respondent should also identify the tasks and the task dependencies involved in the completion of the requested services. Provide evidence of license to conduct Pentest in location. 2.8 Value Add The Vendor may describe two (2) significant value added services provided relative to the scope of work provided to other clients including the Vendor’s commitment for future support. The Proposal should contain a description of value added services provided by the Vendor and the strategy that the Vendor would employ in proposing a similar type of service to AFSC. The Proposal must clearly outline if there are any additional cost for the value added services. 2.9 Approach Proposal should include the following: a) A description of corporate philosophies, values, culture and approaches especially as they relate to the requirements of AFSC; b) A description of the Vendor’s decision making approach and philosophy; and; c) The Proposal must provide two project examples to demonstrate the Vendor’s ability to take ownership, accept accountability and deliver on commitments made and to “stand behind their work”. d) How the Vendor plans to proactively address issues that may come up in regards to a relationship with AFSC. e) Provide the Vendor’s approach to quality assurance, continuous improvement, and performance management processes, techniques, change control and tools. Vendor(s) proposing an alternative to a Competitive Bid requirement must clearly denote each as an alternative and substantiate the merit of that alternative. Proposed alternatives must substantially meet the fundamental intent of the requirement. 2.10 Security Please complete Appendix D Information Security Privacy Cloud Assessment Form and include it with your proposal. This form must be completed and submitted prior to the closing date in order to proceed to the next review phase. 2.10.1 Data Classification For awareness, the type of data involved in this project are ( not limited to Restricted/protected C. This can be reviewed on the GOA site. Do you provide the ability to apply different data or information classification levels to your data sets, and are different levels of controls available for them based on the classification? If so please provide detail for different processes such as security, privacy or retention. 2.11 Technology Information AFSC’s central office is situated in Lacombe, Alberta Canada. With 2 geographically separated data centers located in Edmonton AB and Lacombe AB, AFSC’s enterprise network also consists of branch office LANs dispersed across Alberta, Canada. The AFSC branch office LANs are connected via VPN tunnels implemented in a hub-and-spoke architecture. These VPNs run in private leased MPLS clouds and terminate on head-ends situated at each of the data centers earlier described. At a very simplified level, AFSC has about 38 offices across Alberta, with social media and cloud presence; it also has just under 700 staff providing client, administration and technical support. 2.12 Documentation Please describe your final penetration results report structure; Requirements Response (Yes/ No) Comments: Please state your justification for how requirements are met Are these components included in the final report? • Introduction • Executive summary • Technical review • Detailed findings • Testing methodology • Screen shots • Validation of compromise Will the report contain the methodology used Please describe how you prioritize any identified vulnerabilities or security weaknesses Do you provide recommendations for remediation? Please describe Please provide a sample report for each of the test services conducted (i.e. Penetration testing, etc.) 2.13 Additional Information Additional Requirements Comments: Please state your justification for how requirements are met Description of at least three (3) engagements for Vulnerability Assessment, Penetration Testing / Red teaming exercise the respondent company has conducted including a statement regarding the type of IT infrastructure and the results for each. A detailed recommended approach associated with an assessment of this nature for the scope of work outlined above. Project plan that contains the elements relative to the Vulnerability Assessment, Penetration Test and Red teaming exercise conducted from a location external to AFSC. What activities would be performed and how those activities would be controlled so that AFSC operations are not interrupted. A detailed timeline required to complete scope and provide deliverables as outlined. Preferably in electronic/paper form that contains a project plan with the entire high level Work Breakdown list. A brief description of each project (Vulnerability assessment, Penetration testing & Red teaming exercise) plan phase and milestones and also the estimated timelines for each phase and milestone. The methodology that will be followed for implementation of your plan from within AFSC and outside of AFSC (remote location) processing environment. Include any unique requirements or conditions. Description of how the respondent company stays abreast with the changing governmental regulations and industry guidelines for cyber security. In protection of the AFSC confidential information, the respondent company is expected to describe how it; • Protects the information gathered during the engagement from both internal and external sources. • Stores data collected during engagement. • Disposes of data collected during engagement. Please list and describe all the tools you use for an engagement like this and include if they are commercially or in-house developed. 2.14 Disclosure In the interest of full disclosure to all Vendors wishing to submit a Proposal, please note that AFSC has had a previous working relationship with a Vendor who may submit a Proposal to this Competitive Bid. In this regard, through the normal course of providing prior services to AFSC, it is likely that this Vendor will have acquired knowledge about AFSC, in addition to having had access to information, beyond what has been included within this Competitive Bid. The nature of the services provided by the Vendor to AFSC includes services that are similar, or identical, to the services described in the Statement of Work. 2.15 Pricing Please indicate that the price quoted will be guaranteed until implementation. AFSC is requesting a fixed price response for the scope of work as outlined in the section above in Canadian dollars. Identify any other administrative fees or services charges, and indicate how you will be invoicing in detail. Please provide pricing for one year period. Vendors must also identify any other administrative fees or service charges, and provide details on invoicing (which may subject to change based on AFSC’s requirements). Services / Solution Pricing Penetration Test (Internal Pentest and External Pentest) 3rd party hosted web application. Price should be provided for four (4) of such applications annually Red Teaming exercise Vulnerability Assessment G. S. T. Certification Clause This is to certify that the services ordered or purchased are for the use of, and are being purchased by AFSC with Crown funds, and are therefore not subject to the goods and services and harmonized sales tax. 3.0 Evaluation EVALUATION CRITERIA The Competitive Bid evaluation criteria will be distributed within the following rating categories. Evaluation Criteria Evaluation Category Weighting % Requirements • Network Penetration Testing • Web & Non-Web Application Penetration Testing • Social Engineering Testing • Vulnerability Analysis and Exploitation • Red Teaming Exercise • Continuous Threat Exposure Management For this criteria the Evaluation Committee will give particular reference to the Vendor’s response to Section 2.5 25% Corporate Capability & Executive Summary • Demonstrate a sound understanding of the scope • Indicate why the Vendor considers itself to be a “right” service provider and what key strengths it will bring to AFSC in the immediate and long term. For this criteria the Evaluation Committee will give particular reference to the Vendor’s response to Section 2.6 5% Resource Qualifications • Previous projects/engagements of similar nature that the resource or team lead has had • Skills, experience, qualification, certifications and accreditation. • Identify the tasks and the task dependencies involved in the completion of the requested services. • Evidence of license to conduct Pentest in location. For this criteria the Evaluation Committee will give particular reference to the Vendor’s response to Section 2.7 20% Value Add • The Vendor may describe two (2) significant value added services provided relative to the scope of work provided to other clients including the Vendor’s commitment for future support. • The Proposal should contain a description of value added services provided by the Vendor and the strategy that the Vendor would employ in proposing a similar type of service to AFSC. The Proposal must clearly outline if there are any additional cost for the value added services. For this criteria the Evaluation Committee will give particular reference to the Vendor’s response to Section 2.8 10% Approach For this criterion the Evaluation Committee will give particular reference to the Vendor’s response to Section 2.9 5% Documentation For this criterion the Evaluation Committee will give particular reference to the Vendor’s response to Section 2.12 10% Additional Requirements For this criterion the Evaluation Committee will give particular reference to the Vendor’s response to Section 2.13 5% Pricing (can be removed and scored independently) 20% Each evaluation category and/or sub-category is given a Weight as a percentage to reflect its relative importance in the evaluation. The members of the evaluation committee consist of AFSC staff from the product lines or a part of the specified project/area/department requesting the services. Proposals will be evaluated and scored based on quality of response to the requirements of this RFP. Those Proposals that score the highest may be shortlisted to participate in a subsequent interview/presentation/demo process. The written portion will be weighted at _60_% and the interview/demo at _40_%. The scores from the Proposals may be adjusted as per the clarifications presented in the interview. Selection of the preferred Vendor will be based on the highest score. (if applicable) Contract negotiations may be completed prior to award and may be used as part of the award decision. Pre-screening Proposals may be subject to pre-screening based on select mandatory criteria. (If applicable) 4.0 Contract Review All agreements must be drafted (or reviewed and agreed to) by AFSC’s Legal Department. Previously entered into agreements between AFSC and the successful Vendor WILL NOT be used as the form of definitive agreement for this engagement. The definitive agreement that is entered into between the Vendor and AFSC will incorporate AFSC’s Terms of Business set out at Appendix (B), as well as Key AFSC Standards for Contracts, which are as follows: • Termination for Convenience upon written notice. • No Limitations of Liability or Monetary Caps granted. • No Disclaimers of Liability granted. • No Indemnities Against Third Party Claims granted (limited exceptions). • Governing Law - Province of Alberta, Country of Canada. • Finite Term of Contract - No Auto-Renewals. If the Vendor wishes to propose alternative wording to the Terms of Business set out at Appendix (B) or disagrees with the above-listed Key AFSC Standards for Contracts, the Vendor must complete and submit Appendix (C) (Alternate Wording – Additional Clause Template) clearly citing the suggested variations. ***Note that AFSC has the sole discretion to consider whether wording changes or alternate clauses will be considered for negotiation purposes and/or incorporated into the definitive agreement. The extent and materiality of any requested changes/deviations from the Terms of Business or Key AFSC Standards for Contracts by the Vendor may impact the Vendor’s overall rating when the Proposal is evaluated. By submitting a Proposal without a completed Appendix (C) attached thereto, Vendors are deemed to accept the Terms of Business as set out at Appendix (B), as well as the above-listed Key AFSC Standards for Contracts as a condition of submitting a Proposal. A Vendor’s acceptance of the Terms of Business and Key AFSC Standards for Contracts may have a positive bearing on the Vendor’s overall score. As part of the Vendor’s Proposal, AFSC requires the Vendor to submit the Vendor’s typical form of agreement generally used with customers. ***AFSC may or may not choose to use the Vendor’s typical form of agreement as the basis of the definitive agreement between AFSC and the Vendor. Even if AFSC opts to use the Vendor’s typical form of agreement as a foundation for the definitive agreement, as stated above, the final version of the definitive agreement WILL incorporate AFSC’s Terms of Business set out at Appendix (B), as well as Key AFSC Standards for Contracts. ***Note that AFSC has the discretion to amend the wording of the Terms of Business as set out at Appendix (B) when incorporating into the definitive agreement and, to the extent that there is any inconsistency between the Terms of Business and the definitive agreement, the definitive agreement shall take precedence. No work will commence in relation to this Competitive Bid until a fully executed definitive agreement is in place between AFSC and the Vendor. Failure to comply with this requirement will result in non-payment of any activities performed prior to the execution of the definitive agreement. 4.1 Negotiations AFSC may require selected Vendor(s) to participate in negotiations and to submit revisions to pricing, technical information, agreements and any other items in any Proposal that may result from negotiations. If negotiations do not result in modification of the agreement(s) that is acceptable to AFSC, the Proposal may be rejected. 5.0 Master Schedule The Master Schedule of Competitive Bid related events is set out in the table below and is governed by the following principles: a) In the event that any dates elsewhere in this Competitive Bid conflict with a date set out in this table, the date set out in this table shall prevail; b) All times listed are based on Mountain Standard Time (MST); c) AFSC reserves the right to adjust the dates of the schedule if required through an addendum process. # Event Scheduled Date/Time 1 AFSC to accept e-mail inquiries relevant to this Competitive Bid. Vendor(s) must use the Q & A template provided as Appendix (A) and submit through RFP@afsc.ca. March 12, 2024 2 Final receipt of Proposals. (closing date) March 26, 2024 @ 1:00 pm 3 Evaluation of Competitive Bid written Proposals. AFSC in its discretion may extend this time. March 27, 2024 to April 4, 2024 4 Interviews or presentations for short-listed Vendors. AFSC in its discretion may change this date. Week of April 15, 2024 5 AFSC to perform reference checks on shortlisted Vendors. AFSC in its discretion may change this date. Week of April 15, 2024 6 Final Evaluation and notification of award of contract. AFSC in its discretion may change this date. Week of April 22, 2024 7 Target Commencement Date AFSC in its discretion may change this date. May 15, 2024 6.0 Proposal Submission Guidelines 6.1 Proposal Format To facilitate ease of evaluation by the Evaluation Team, and to ensure each Proposal receives full consideration, Proposals should be organized in the following format using the section titles and sequence listed below: Table of Contents; a) Pre-Screening Requirements (optional) b) Proposal to Statement of Work (2.0); including Legal and Contact Information: • The full legal name of the Vendor. • The location of the Vendor’s head office and service centers. • A Vendor contact for all questions and clarifications arising from the Proposal. • Vendor contact authorized to participate in contract finalizations. References • The Proposal should include three (3) references including, but not limited to organization, address, contact name, telephone number and email address. • References should include organizations that can verify the satisfactory provision, performance and or/servicing of goods and associated services the name as, or similar to the requirements of this Competitive BIds, the Corporate Purchasing Section may contact references in addition to those provided in the Proposal. • References may be conducted to validate information provided in the Vendor’s Proposal • It is expected that the Vendor(s) will be able to arrange for AFSC to contact the reference during the evaluation period. • Government and Agencies, references would be preferred if available. (Optional) Additional Information • Additional information may be included at the Vendor’s discretion, but this must not detract from the ability of AFSC to easily reference information for evaluation purposes. Assumptions • Vendor is expected to identify in detail any assumptions that have been made during the creation of their written Proposal to the scope identified. c) Alternate Wording Template (Appendix C) d) Vendor’s Agreement Template e) Proof of WCB and Insurance f) Proof of Corporate Registry g) Financial Requirements (optional) h) Vendor’s Ethics Policy (optional) The Vendor should have an ethics policy that guides their organization in all its business activities and should provide a copy of this ethical policy as an attachment to their Proposal. This policy will not form part of the evaluation. Appendices The following Appendices are included and applicable to this Competitive Bid: Appendix A: Question and Answer Template Appendix B: Terms of Business Appendix C: Alternate Wording-Additional Clause Template Appendix D: Information Security Privacy Cloud Assessment Form Appendix E: Letter of Submission revised 2023 Responsive proposals should provide straightforward, concise information that satisfies the requirements noted in the Proposal Guidelines section of this RFP. Emphasis should be placed on conformity to AFSC’s instructions, requirements of this RFP, and completeness and clarity of content. Ambiguous, repetitive, unclear or unreadable Proposals may be cause for rejection. 6.2 Proposal Submissions Vendors must provide an electronic version of their proposal by e-mail to RFP@AFSC.ca prior to the closing date and time of this Competitive Bid. (optional) Buyer may request that a hard copy is submitted. Electronic versions (emails) must be less than 18 MB in order for AFSC to receive the Vendor’s submission. If the proposal is larger than 18 MB, it must be divided into a sufficient number of files such that each email, including attachments, is less than 18 MB. AFSC cannot accept files on media storage devices. (optional) All hard copy proposal materials are to be sealed in a single package and clearly labelled with the Competitive Bid # to: Attention: Buyer, Business Services AFSC 5718 – 56th Avenue Lacombe, AB T4L 1B1 In responding to this Competitive Bid, your attention is drawn to the following: • Proposals received after this Competitive Bid’s closing date and time will be rejected. • Proposals received not in the order outlined above in Section 6.1 may not be evaluated further. Vendors by submitting a Proposal are deemed to have accepted the Competitive Bid terms and conditions. Contract duration The estimated contract period will be 1 month(s), with a proposed start date of 2024/03/27. Trade agreements Canadian Free Trade Agreement (CFTA) Canada-European Union Comprehensive Economic and Trade Agreement (CETA) Contracting organization Organization Agriculture Financial Services Address 5718 56 Ave Lacombe Alberta Lacombe, Alberta, T4L 1B1 Canada Contracting authority Kathy Walker Phone (587) 815-6146 Email RFP@afsc.ca Address 5718 56 Ave Lacombe Alberta Lacombe, Alberta, 5878156146 Canada