You work for a small firm that specializes in infrastructure assurance. You have just received notice of an opportunity to compete for a small security assessment contract to be awarded by the South by Southwest Consolidated School District (SSCSD). The school district operates the Palo Duro Adult Education Center (PDAEC). This center provides short courses on a range of practical topics of interest to the local community. The school district has requested a proposal from your firm and others to perform a security assessment of the information systems network operated and maintained by the PDAEC. This document constitutes the formal Request for Proposal.

Client Background

Your prospective client, the PDAEC, is located in the Texas Hill Country. The PDAEC operates and maintains an information systems network that includes an Internet accessible web site, central file server, and email server in a domain-based network. Since the PDAEC must also manage registration and fiscal operations, the network is equipped with a centralized application that provides for management of accounts receivable, finance and payroll, and student registration and scheduling. The infrastructure hardware consists of 20 workstations for faculty and administrative staff, 20 workstations in a computer classroom, cabling, a switch, and a router/firewall combo that provides always-on internet connectivity for multiple internet hosts. The border routers also double as wireless access points. The goal of the PDAEC is to provide opportunities for life-long education and to improve the quality of life in the local community.

Statement of Work

1. Review the Project Specifications

The contractor shall initiate, plan, execute, monitor, control and close a formal project to perform a security assessment of the PDAEC information system network. The contractor shall perform on-going project management activities to include the conduct of regular team meetings and status briefings. The contractor shall provide monthly project performance reports that address cost, schedule and technical performance.

1. Baseline the Current Operating Environment

The contractor shall baseline the current operating environment to determine the current access patterns, system performance, hardware configurations, services, installed applications and user behaviors. The contractor shall analyze the results of the baseline analysis to identify the operational and maintenance needs of the system. The contractor shall document and deliver the baseline information and resultant analysis in a formal baseline assessment report to be used to troubleshoot the system and establish a disaster recovery path to ensure system availability.

1. Audit and Assess the Network

The contractor shall plan and execute audits of the operational environment against the previously established baseline. The contractor shall rely upon both manual tasks and automated tools to execute the audits. The contractor shall assess the results of the audit in terms of technical configuration and business needs. The contractor shall present the results of the audit in a summary audit report. The contractor shall perform a risk analysis to weigh trade-offs between security and business needs. The contractor shall compile a complete list of the potential vulnerabilities identified through the audits and assessments. Based upon the risk analysis, the contractor shall develop a remediation proposal that recommends which vulnerabilities should be remediated. The remediation proposal should prioritize the top ten recommendations.

1. Secure the Environment

The contractor shall implement the approved remediation proposal. The remediation effort shall include technical changes to the environment as well as policies or procedures that govern the management and use of all IT resources.

5.0 Perform the System Evaluation

The contractor shall evaluate the results of the remediation effort to ensure that functional business needs were not adversely impacted by the changes implemented. The contractor shall ensure the configuration and policy changes implemented actually remediated the assessed threats and vulnerabilities. The contractor shall adapt and integrate implemented changes to establish standards to be used throughout the PDAEC. The contractor shall prepare and deliver a system evaluation report to document the results obtained through the remediation effort.

1. Capture Lessons Learned

The contractor shall capture lessons learned from the security assessment. The contractor shall prepare a lessons learned document to serve as a tool to further educate technical and administrative staff and faculty.

***Question I'm not sure how to do this part and would appreciate guidance.

1. Prepare a cost estimate for the contract effort. Each team must document the assumptions used to prepare the cost estimate. The cost estimate must be derived from the project WBS. Each team shall present the cost estimate using the cost estimate summary template provided in Appendix A.

Work Package Template Title: WBS Element Number: Description of Work: Deliverable(s): Inputs: Direct Labor Summary Specialty Effort (Hrs) Activity Rate(/hr) Cost Total Direct Labor Cost Other Direct Cost Materials Travel Subcontractor Other Total Other Direct Cost Allocated (Direct) Overhead Cost 40% of DL TOTAL WORK PACKAGE COST Cost Estimate Summary Template WBS # WP Title Total Direct Direct Labor Other Direct Direct Overhead Total Direct Cost General & Administrative (10% of Total Direct Cost) Profit Total Billing Cost Work Package Template Title: WBS Element Number: Description of Work: Deliverable(s): Inputs: Direct Labor Summary Specialty Effort (Hrs) Activity Rate(/hr) Cost Total Direct Labor Cost Other Direct Cost Materials Travel Subcontractor Other Total Other Direct Cost Allocated (Direct) Overhead Cost 40% of DL TOTAL WORK PACKAGE COST Cost Estimate Summary Template WBS # WP Title Total Direct Direct Labor Other Direct Direct Overhead Total Direct Cost General & Administrative (10% of Total Direct Cost) Profit Total Billing Cost