Provision of a Vulnerability Management Solution at Micro Enterprises Support Programme Trust (MESPT)

KEY FEATURES OF THE VULNERABILITY MANAGEMENT SOLUTION

• Ability to perform a Network Asset Inventory; The solution should be able to do this either by pulling information from Active Directory and/or a high-level network scan that probes for active IP addresses.
• Baseline Scan: The solution should be able to identify the operating system and applications running on identified hosts.
• Identifying possible vulnerabilities: Retrieve information on vulnerabilities that might affect the hosts and identify possible vulnerabilities across all major operating systems, applications, network devices and database systems. E.g. configuration flaws, missing patches, default passwords, insecure protocols etc.
• Prioritization: The solution should be able to prioritize the actions that will have the greatest impact on MESPT’s security posture. This can be achieved by incorporating information about the severity and impact of the vulnerability, the priority of the system and any compliance issues that may exist.
• Quality and Speed of Updates: Frequency of releasing new vulnerability updates. Ability to accurately detect vulnerabilities.
• Support for Cloud Services. The product should include the ability to detect issues with configurations in the cloud. This is for environments of any tools we use for Infrastructure as a Service, Platform as a Service or Software as a Service.
• Compliance. The product should provide support for compliance programs such as ISO 27001, GDPR etc. Ability to use the product to perform required scans and complete self-assessments.
• Active and Passive Detection. The product should integrate both traditional active scanning of systems with passive vulnerability detection based upon observation of network traffic.
• Authenticated and Unauthenticated Scanning. The product should support authenticated and unauthenticated scanning. The product should support scanning with agents installed and without agents.
• Remediation Guidance. The product should provide remediation guidance for identified vulnerabilities. The product should provide enough information to remediate the vulnerability.
• Audit trails; The solution should provide audit trails on user activity e.g. Alerts on system and administrative activity e.g. new accounts creation, permissions addition/deletion, configuration changes etc.
• Role based Access: The solution should provide role-based access by function.
• Report Creation: The solution must provide an intuitive reporting interface that can leverage existing reports or the creation of new reports. The reports should also provide for drill down capabilities.
• Dashboards: The solution should provide dashboards with drill down capability to make it easier to identify and select certain vulnerabilities or vulnerabilities affecting a particular system.
• Scheduled Reports: The solution should have the ability to schedule reports and/or alerts.
• Scheduled Scans: The solution should allow for scheduled vulnerability scans and scheduled Asset discovery scans.

KEY DELIVERABLES
Detailed Project Schedule, with major deliverables, including but not limited to:

• Project plan and schedule
• Resource allocations
• Product installation
• Training
• Add-ons or customizations
  • Documentation / Manuals: Provide electronic copies of the technical and user documentation with your response to the RFP
  • Detailed Cost Schedules: Provide detailed, itemized unit and total costs for each component and service proposed, indicating as appropriate optional and required components and services, including:
  • Recommended hardware specifications, itemized, to meet MESPT’s requirements
  • Recommended software, itemized, to meet MESPT’s requirements and including any 3rd party software license fees
  • Installation/Implementation costs e.g. number of estimated hours / weeks to complete project
  • On-site training costs, e.g. number of estimated hours
  • Provide a post-implementation cost schedule for support, maintenance and upgrades (including any 3rd party licensing fees)

Contract / license agreement: Submit a copy of any contract / license agreement you will require to be executed at time of award.
Non-disclosure Agreements: Submit a copy of any non-disclosure contracts you would require to be executed as part of the evaluation process.
Staff Qualifications: Describe the qualifications and experience of the staff who would be assigned to the implementation. Provide an electronic copy of resumes for your project manager and technical leads.