City of Palo Alto (ID # 3981)
City Council Staff Report
Report Type: Consent Calendar Meeting Date: 11/12/2013
City of Palo Alto Page 1
Summary Title: Information Security Risk Assessment
Title: Approval of Professional Services Contract with Coalfire Systems, Inc.
for Information Security Risk Assessment in the Amount of $200,448
From: City Manager
Lead Department: IT Department
Recommendation
Staff recommends that Council approve the award of a Professional Services contract in
an amount not to exceed $200,448 to Coalfire Systems, Inc. (Coalfire) for Information
Security Risk Assessment (ISRA) services.
Executive Summary
The City of Palo Alto seeks the services of Coalfire to conduct comprehensive risk
assessments of critical IT infrastructure and services, and to provide detailed reports
and remediation guidance prioritized according to the City's ability and the resources
available to address security gaps and vulnerabilities.
Background
Under the leadership of the Chief Information Officer (CIO), the City of Palo Alto is
executing its 3-year technology strategy (July 2012 – June 2015). A priority and core
component of the IT strategy is to ensure that the City addresses gaps in information
security and ensures a long-term, appropriately secure information environment. In
addition to hiring its first-ever information security manager, the City is pursuing several
essential projects to meet information security needs. The work proposed in this CMR is
a major step towards executing the 3-year technology strategy and further protecting
the City and its information assets.
The Information Security Steering Committee (ISSC) of the City of Palo Alto has
approved an initiative to implement the ISO 27001 (Information Security Management
System) framework at the City, which requires a formal ISRA to be conducted in
conjunction with ISO 31000 (Risk Management Principles and Guidelines) and ISO
31010 (Risk Management and Risk Assessment Techniques).
Discussion
The City faces the challenge of ensuring it has correctly evaluated risks to information
and systems supporting its business and establishing controls to protect against
dynamic cyber threats while also ensuring the smooth flow of ongoing business
operations. In addition, the City intends to comply with applicable security and
regulatory compliance requirements, and the information security risk assessment will
support the City in meeting them.
Upon completion of the RFP process, the City selected Coalfire Systems, Inc. to
conduct the ISRA. Coalfire understands the City's needs and proposed a 12-week
project plan.
Coalfire is North America's largest independent IT Security Governance, Risk and
Compliance (GRC) firm; its methodology has been validated by more than 1,500 projects
completed annually nationwide and abroad, focused exclusively on IT audit and ISRA work.
Summary of City Bid Process
Proposed Duration of Project: To be completed by June 30, 2014
Number of Solicitations Emailed: 10
Total Days to Respond: 20 Business Days
Number of Responses Received: 5
Number of Vendors Interviewed: 3
Vendor Selected: Coalfire Systems, Inc.
Reference
Please see attached file for more information (ISRA CMR Reference.pdf)
Resource Impact
This project will be funded in the Information Technology Disaster Recovery capital
improvement project (CIP TE-01012). No additional resources are required at this time
to support the Information Security Risk Assessment.
Environmental Review
Approval of this contract does not constitute a project under the California
Environmental Quality Act (CEQA); therefore, no Environmental Assessment is required.
Attachments:
ISRA CMR Reference (PDF)
S14150215 - Coalfire Systems Inc Signed Final (PDF)
Reference: Information Security Risk Assessment
The attached reference is laid out as a five-column table (Supplier, Inputs, Process,
Outputs, Cycle Time); each column is reproduced below under its own heading.
Supplier: Coalfire Systems, Inc.
- Coalfire is North America's largest independent IT Security Governance, Risk and
  Compliance (GRC) firm; its methodology has been validated by more than 1,500
  projects completed annually nationwide and abroad.
- Since 2001 the company has been a vendor-neutral and platform-agnostic firm focused
  exclusively on IT audit and compliance, to the exclusion of other IT security
  product-related services.
- Coalfire executes more than 1,000 projects annually.
- Coalfire has approximately 150 delivery resources, two (2) dozen of them in
  California.
- Coalfire provides thought leadership on new and emerging technologies and their
  implications for security (mobile devices, virtualization, encryption strategies,
  etc.).
- Coalfire brings a distinct perspective on the cyber-security threat and risk
  landscape, supporting end clients in fortifying their environments while
  contributing to national/federal mitigation and risk management strategies.
- Coalfire is an AICPA certified and approved audit and assertion firm.
Inputs: The Information Security Risk Assessment (ISRA) will be conducted on the
following major areas:
- IT Infrastructure
- Tier 1 IT Services: services that have a direct impact on Public Safety and/or
  Security
- Tier 2 IT Services: services that have an indirect impact on Public Safety and/or
  Security
Process - Tools and Techniques:
- Risk Management Process using the ISO/IEC 27001, 27005, 31000 and 31010 standards
- Risk Assessment Steps using NIST 800-30 methods
- COBIT - framework for IT management and governance, created by ISACA
- PCI DSS - framework for the protection of cardholder data for entities that store,
  process or transmit cardholder data
- NeXpose - network discovery and vulnerability assessment tool by Rapid7
- Acunetix - web application vulnerability assessment tool
- Metasploit - open source exploitation framework to compile and execute exploit code
- NMAP - open source utility for network exploration and security auditing
- NetSparker - web application vulnerability assessment tool
- BurpSuite Pro - web application proxy and exploitation utility
- Tenable Nessus - network discovery and vulnerability assessment tool
- AppDetective PRO - top rated database scanning tool
- WAP Testing - Kismet, KisMAC, WEPcrack, Network Stumbler
Process - Example of Project Activities:
- External and Internal Network Vulnerability Assessment
- External and Internal Penetration Testing
- Secure Internet Gateway Assessment
- Wireless Network Risk Assessment
- Data Privacy Risk Assessment
- Server Hardening Assessment
- Web Application Services Risk Assessment
- Network Architecture Review
- IT Policies, Standards and Guideline Assessment
- DNS Server Risk Assessment
- Network Access Control Assessment
- Application and Services Access Control Assessment
- Database Access Control Assessment
- Database Vulnerability/Security Assessment
- Servers Security Assessment
- Datacenter Physical Security Assessment
- War Dialing
- Social Engineering
Outputs: Risk assessment reports will include the systematic articulation of the
magnitude of risks (risk analysis) and the process of comparing the estimated risks
against risk criteria to determine the significance of the risks (risk evaluation).
The risk assessment report will include guided remediation identifying which risks
must be managed, along with a risk treatment plan and appropriate
controls/countermeasures to manage each risk.
The risk treatment plan should include a minimum of three (3) different solutions to
manage each risk, including: i) the cost of each solution; ii) the advantages and
disadvantages of each solution; iii) the speed/flexibility of
implementation/integration with the City's environment.
Cycle Time:
- Month 1, Nov 2013: completion of the Infrastructure Assessment
- Month 2, Dec 2013: completion of the Tier 1 Services Assessment
- Month 3, Jan 2014: completion of the Tier 2 Services Assessment
- Month 4, Feb 2014: delivery of the Reports and Guided Remediation
- Months 5 to 8, Mar to Jun 2014: the City's executive management will develop a
  strategy to implement the guided remediation.
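The two report outputs the reference calls for, risk analysis (estimating the magnitude of each risk) and risk evaluation (comparing that estimate against risk criteria), together with the three-option treatment plan, are easier to see as a small risk register. The following Python is an added illustration and is not part of the staff report or of Coalfire's methodology; the five-level likelihood and impact scale, the per-area treatment thresholds, and the sample risks and treatment options are all assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Assumed semi-quantitative scale (in the style of NIST SP 800-30): likelihood
# and impact are each rated on five levels; the magnitude of a risk is their product.
LEVELS: Dict[str, int] = {"very low": 1, "low": 2, "moderate": 3,
                          "high": 4, "very high": 5}

# Assumed risk criteria per assessment area: a risk scoring at or above the
# threshold must be treated, below it the City may accept it. Tier 1 services
# (direct public-safety impact) get the lowest tolerance.
TREAT_THRESHOLD: Dict[str, int] = {"infrastructure": 6, "tier1": 4, "tier2": 9}


@dataclass
class TreatmentOption:
    """One candidate solution, carrying the three attributes the plan requires."""
    name: str
    cost_usd: int
    advantages: str
    disadvantages: str
    weeks_to_implement: int  # speed of implementation/integration


@dataclass
class Risk:
    id: str
    asset: str
    area: str        # "infrastructure", "tier1" or "tier2"
    threat: str
    likelihood: str
    impact: str
    options: List[TreatmentOption] = field(default_factory=list)

    def score(self) -> int:
        """Risk analysis: estimated magnitude = likelihood x impact (1..25)."""
        return LEVELS[self.likelihood] * LEVELS[self.impact]


def evaluate(risk: Risk) -> str:
    """Risk evaluation: compare the estimate against the area's acceptance criteria."""
    return "treat" if risk.score() >= TREAT_THRESHOLD[risk.area] else "accept"


def rank_options(risk: Risk, budget_usd: Optional[int] = None) -> List[TreatmentOption]:
    """Treatment plan helper: insist on at least three options per risk, drop any
    over budget (when a budget is given), and order the rest by cost, then speed."""
    if len(risk.options) < 3:
        raise ValueError(f"{risk.id}: treatment plan needs at least 3 options, "
                         f"got {len(risk.options)}")
    eligible = [o for o in risk.options
                if budget_usd is None or o.cost_usd <= budget_usd]
    return sorted(eligible, key=lambda o: (o.cost_usd, o.weeks_to_implement))


def build_report(risks: List[Risk]) -> List[dict]:
    """Report rows, highest-magnitude risk first, with the evaluation decision and
    the cheapest treatment for every risk that must be treated."""
    rows = []
    for r in sorted(risks, key=lambda r: r.score(), reverse=True):
        decision = evaluate(r)
        preferred = rank_options(r)[0].name if decision == "treat" else None
        rows.append({"id": r.id, "asset": r.asset, "area": r.area,
                     "score": r.score(), "decision": decision,
                     "preferred_treatment": preferred})
    return rows


# Constructed sample register (illustrative assets, not actual City findings).
SAMPLE_RISKS = [
    Risk("R1", "dispatch console server", "tier1", "unpatched remote-code flaw",
         "moderate", "very high", [
             TreatmentOption("replace server OS", 40000, "removes legacy platform",
                             "long outage window", 6),
             TreatmentOption("apply vendor patch", 8000, "cheap, vendor-supported",
                             "needs maintenance window", 3),
             TreatmentOption("network segmentation", 15000, "limits exposure quickly",
                             "flaw itself remains", 2)]),
    Risk("R2", "internal DNS server", "infrastructure", "open recursion abuse",
         "high", "moderate", [
             TreatmentOption("restrict recursion", 2000, "config-only change",
                             "may break a legacy client", 1),
             TreatmentOption("migrate to new resolver", 25000, "modern hardening",
                             "migration effort", 8),
             TreatmentOption("add rate limiting", 5000, "fast mitigation",
                             "does not fix root cause", 2)]),
    Risk("R3", "library catalogue web app", "tier2", "verbose error pages",
         "low", "moderate", [
             TreatmentOption("disable debug output", 500, "trivial change", "none", 1),
             TreatmentOption("WAF rule", 6000, "central control", "ongoing tuning", 3),
             TreatmentOption("code review", 12000, "finds related issues", "slow", 6)]),
]

if __name__ == "__main__":
    for row in build_report(SAMPLE_RISKS):
        print(row)
```

The split between `Risk.score` and `evaluate` mirrors the distinction the reference draws: the score is the analysis result and stays the same whatever the City's appetite, while the evaluation is where the per-area criteria (and therefore the policy decision) live, so changing tolerance for Tier 1 services changes only `TREAT_THRESHOLD`.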