Scenario You work for a small firm that specializes in infrastructure assurance. You have just received notice of an opportunity to compete for a small security assessment contract to be awarded by the South by Southwest Consolidated School District (SSCSD). The school district operates the Palo Duro Adult Education Center (PDAEC). This center provides short courses on a range of practical topics of interest to the local community. The school district has requested a proposal from your firm and others to perform a security assessment of the information systems network operated and maintained by the PDAEC. This document constitutes the formal Request for Proposal." Client Background Your prospective client, the PDAEC, is located in the Texas Hill Country. The PDAEC operates and maintains an information systems network that includes an Internet accessible web site, central file server, and email server in a domain-based network. Since the PDAEC must also manage registration and fiscal operations, the network is equipped with a centralized application that provides for management of accounts receivable, finance and payroll, and student registration and scheduling. The infrastructure hardware consists of 20 workstations for faculty and administrative staff, 20 workstations in a computer classroom, cabling, a switch, and a router/firewall combo that provides always-on internet connectivity for multiple internet hosts. The border routers also double as wireless access points. The goal of the PDAEC is to provide opportunities for life-long education and to improve the quality of life in the local community. Statement of Work 1.0 Review the Project Specifications The contractor shall initiate, plan, execute, monitor, control and close a formal project to perform a security assessment of the PDAEC information system network. The contractor shall perform on-going project management activities to include the conduct of regular team meetings and status briefings. The contractor shall provide monthly project performance reports that address cost, schedule and technical performance. 2.0 Baseline the Current Operating Environment The contractor shall baseline the current operating environment to determine the current access patterns, system performance, hardware configurations, services, installed applications and user behaviors. The contractor shall analyze the results of the baseline analysis to identify the operational and maintenance needs of the system. The contractor shall document and deliver the baseline information and resultant analysis in a formal baseline assessment report to be used to troubleshoot the system and establish a disaster recovery path to ensure system availability. 3.0 Audit and Assess the Network The contractor shall plan and execute audits of the operational environment against the previously established baseline. The contractor shall rely upon both manual tasks and automated tools to execute the audits. The contractor shall assess the results of the audit in terms of technical configuration and business needs. The contractor shall present the results of the audit in a summary audit report. The contractor shall perform a risk analysis to weigh trade-offs between security and business needs. The contractor shall compile a complete list of the potential vulnerabilities identified through the audits and assessments. Based upon the risk analysis, the contractor shall develop a remediation proposal that recommends which vulnerabilities should be remediated. The remediation proposal should prioritize the top ten recommendations. 4.0 Secure the Environment The contractor shall implement the approved remediation proposal. The remediation effort shall include technical changes to the environment as well as policies or procedures that govern the management and use of all IT resources. 5.0 Perform the System Evaluation The contractor shall evaluate the results of the remediation effort to ensure that functional business needs were not adversely impacted by the changes implemented. The contractor shall ensure the configuration and policy changes implemented actually remediated the assessed threats and vulnerabilities. The contractor shall adapt and integrate implemented changes to establish standards to be used throughout the PDAEC. The contractor shall prepare and deliver a system evaluation report to document the results obtained through the remediation effort. 6.0 Capture Lessons Learned The contractor shall capture lessons learned from the security assessment. The contractor shall prepare a lessons learned document to serve as a tool to further educate technical and administrative staff and faculty. Instructions 1. Prepare a scope overview (50 words or less): 2. Prepare a business case (75 words or less): 3. Develop a milestone schedule with acceptance criteria that includes 8-10 major milestones along with their planned completion dates. Milestone Completion Date Acceptance Criteria 4. Identify 5-10 significant risks you may encounter in the performance of this effort if your team wins the bid. a. b. C. d. e. f. 8 h. i. 1. 5. Provide rough estimates of the resources you will need to complete this project. Be sure to include the number and type of team members required along with an order of magnitude estimate of your project cost. Resources Needed Estimate PEOPLE MONEY SPACE Total: FTE: 6. Identify at least five key stakeholders and their interest in the project. Stakeholder Interest 7. Prepare an initial set of team operating principles