Security Assessment - Request for Proposal




Issued Date: June 16, 2008
Version: 2.0

Security Assessment; Request For Proposal



Contents ............................................................ 3

Introduction and Background ......................................... 3
    1.0 Purpose of the Request for Proposal ......................... 3
    1.1 Technical & Contractual Contact ............................. 3
    1.2 Due Dates ................................................... 4
    1.2.1 Schedule of Events ........................................ 4

Guidelines for Proposal Preparation ................................. 4
    2.0 Proposal Submission ......................................... 4
    2.1 Detailed Response Requirements .............................. 5

Evaluation Factors For Award ........................................ 7
    3.0 Criteria .................................................... 7

Statement of Work and Deliverables .................................. 7
    4.0 Requirements ................................................ 7
    4.1 Detailed Technical Report ................................... 7
    4.2 Executive Summary Report .................................... 7
    4.3 External Customer Report .................................... 8




Morningstar, Inc.                                                                                                                                      Page 2 of 8


Morningstar has developed this Request for Proposal (“RFP”) to help identify and select a quality security vendor to perform
professional services work. It also lists questions for potential vendors, to ensure that a thorough and comprehensive
approach to the project will be taken.

Contents
The RFP contains a number of different sections that provide the vendor with a better understanding of the Morningstar
business and technical objectives of the effort and provide the vendor with direction on the specific information the
organization needs the vendor to provide. The major sections of the RFP are:

         - Introduction and Background: A description of the project’s objectives plus any additional background about
           the organization or business objectives that may provide the vendor with additional useful perspective.

         - Administrative Information: Contact information that the vendors will need to prepare and submit their
           proposal as well as major dates associated with the RFP submission, evaluation and award process.

         - Guidelines for Proposal Preparation: Guidelines for vendor communication with the organization are provided
           in this section and a preferred proposal format is described for the vendor.

         - Statement of Work and Deliverables: This section provides sufficient technical details about the environment
           to allow a vendor to understand the scope of the effort and price it appropriately. In addition, the deliverables or
           work products required from the project are described.

Introduction and Background
1.0 Purpose of the Request for Proposal

Morningstar is a provider of financial services to individual customers, broker dealers, and financial advisors. It has facilities
in approximately three locations within the United States, as well as several other locations in Europe and Asia.

Morningstar is interested in conducting a security assessment that will allow it to:

         - Validate Morningstar’s approach to regulatory compliance and preparedness with respect to state security
           notification laws and federal regulations such as GLBA and Sarbanes-Oxley.

         - Review network security and survivability, provide insight into fighting cyber crime, and learn the tools and
           techniques hackers are using, in order to prevent incidents.

         - Identify both the strengths and weaknesses within the Security Program by comparing it to industry practices and
           standards.

         - Gain a better understanding of potential corporate network vulnerabilities that may be visible from both inside
           and outside the network.

         - Determine if the current network is configured securely.

         - Evaluate the security associated with public self-service web applications that are used by Morningstar customers.

         - Propose solutions to risks, vulnerabilities and/or threats, with short- and long-term options for remediation.

These activities are part of Morningstar’s ongoing risk management program and are focused on identifying the risk level
Morningstar is currently exposed to, so that an appropriate set of responses to those threats can be developed.

Morningstar is seeking to identify and select an outside independent organization to perform the activities listed above. The
remainder of this document provides additional information that will allow a service provider to understand the scope of the
effort and develop a proposal in the format desired by Morningstar.

1.1 Technical & Contractual Contact






Any questions concerning technical specifications or Statement of Work (SOW) and contractual terms and conditions or
proposal format requirements must be directed to:
 Name                             Rana Shamoon
 Position Title                   Sr. Security Analyst
 Address                          225 W. Wacker
 Phone                            312.696.6302
 E-mail                           Rana.shamoon@Morningstar.com
 Fax                              312.696.6404

1.2 Due Dates

A written confirmation of the Vendor’s intent to respond to this RFP is required by June 23, 2008. All proposals are due by
5:00 pm on July 16, 2008. Any proposal received at the designated location after the required time and date specified for
receipt shall be considered late and non-responsive.

1.2.1 Schedule of Events

 Task     Event                                                                        Date
 1        RFP Distribution to Vendors                                                  June 23, 2008
 2        Written Confirmation of Vendors with Bid Intention                           June 27, 2008
 3        Questions from Vendors about scope or approach due                           July 3, 2008
 4        Responses to Vendors about scope or approach due                             July 11, 2008
 5        Proposal Due Date                                                            July 16, 2008
 6        Target Date for Review of Proposals                                          July 18, 2008
 7        Preliminary Skill Review                                                     July 21, 2008
 8        Final Vendor Selection Discussion(s) – Week of                               July 23, 2008
 9        Anticipated decision and selection of Vendor(s)                              July 25, 2008
 10       Anticipated commencement date of work                                        August 1, 2008

Guidelines for Proposal Preparation

2.0 Proposal Submission

Award of the contract resulting from this RFP will be based upon the most responsive Vendor whose offer will be the most
advantageous to Morningstar in terms of cost, functionality and other factors as specified elsewhere in this RFP.

Morningstar reserves the right to:

         - Reject any or all offers and discontinue this RFP process without obligation or liability to any potential Vendor,
         - Accept other than the lowest priced offer,
         - Award a contract on the basis of initial offers received, without discussions or requests for best and final offers, and
         - Award more than one contract.

The Vendor's proposal shall be submitted in several parts as set forth below. The Vendor will confine its submission to those
matters sufficient to define its proposal, and to provide an adequate basis for Morningstar’s evaluation of the Vendor’s
proposal.

In order to address the needs of this procurement, Morningstar encourages Vendors to work cooperatively in presenting
integrated solutions. Vendor team arrangements may be desirable to enable the companies involved to complement each
other's unique capabilities, while offering the best combination of performance, cost, and delivery of services being provided
under this RFP. Morningstar will recognize the integrity and validity of Vendor team arrangements provided that:

         - The arrangements are identified and relationships are fully disclosed, and
         - A prime Vendor is designated which will be fully responsible for all contract performance.






The Vendor’s proposal in response to this RFP will be incorporated into the final agreement between Morningstar and the
selected Vendor(s). Submitted proposals should include each of the following sections:


2.1 Detailed Response Requirements

        1.) Executive Summary
        This section will present a high-level synopsis of the Vendor’s responses to the RFP. The Executive Summary should
        be a brief overview of the engagement, and should identify the main features and benefits of the proposed work.


        2.) Scope, Approach, and Methodology
        Include detailed testing procedures and technical expertise by phase. This section will act as the Statement of Work
        (SOW) to be used as a guideline by the consultants during the security testing. All information that you provide will
        be held in strict confidence. This section should include a description of each major type of work being requested of
        the vendor. The proposal should reflect each of the sections listed below:

          Scope / Description

          Global Infrastructure Assessment – Phase 1

          Information Gathering
              Footprinting and information gathering to obtain a detailed blueprint of our network and its
              security profile. Gather domain names, IP network ranges, and information about hosts and port
              access, such as operating systems and applications.

          Network Architecture Assessment
              Assess the environment from the internal view of the network to identify vulnerabilities that
              may allow access to confidential areas of a network or sensitive internal information.

          Vulnerability Scan (External & Internal)
              Find security vulnerabilities and flaws in router and firewall configurations, un-patched systems,
              and mis-configured architecture.

          Network Device Assessment
              Review device configurations of routers and firewalls. Perform configuration analysis line by line
              to ensure that they conform to industry best practices applicable to the environment.

          Wireless Security Assessment
              Identify and inventory all wireless network access points, identify and exploit weaknesses in the
              wireless network, and assess the overall exposure to wireless network attacks. Recommend the best
              methods to secure the environment based on internal business requirements and best practices for
              wireless security.

          VPN Security Assessment
              Assess the current configuration of the VPN and associated systems, conduct a VPN architecture
              review, and conduct external and internal VPN vulnerability and penetration testing.

          External Penetration Test / Ethical Hacking
              Confirm the true risk of vulnerabilities from a remote attack against servers, routers, firewalls,
              operating systems, etc.

          Internal Penetration Test / Ethical Hacking
              Confirm the true risk of vulnerabilities from an attack within the LAN/WAN.

          Application Level Assessment – Phase 2

          Source Code Security Assessment
              Source code review to identify software security problems. Review violations, such as common
              semantic language constructs and configurations that lead to vulnerabilities, using data and
              control flow analysis to track data and execution paths through an application.

          Web / Application Penetration Assessment / Ethical Hacking
              Review the security controls of an application. This security review should be directly related
              to the applications that have been custom developed or built on top of other commercial
              applications.

              For example, for an application developed using Active Server Pages (ASP), using a Microsoft
              Internet Information Server (IIS) running on a Windows 2003 operating system, the focus of the
              application security testing would be the ASP application.

              Testing examples include, but are not limited to:
                  - Examination of application-to-application interaction between system components such as
                    the web service and back-end data sources.
                  - Discovery of opportunities that could be utilized by an attacker to escalate their
                    permissions.
                  - Examination of authentication methods in use for their robustness and resilience to various
                    subversion techniques.

          Web Penetration Assessment / Ethical Hacking
              Evaluating the security of Morningstar websites by simulating attacks. An active analysis of the
              website for any weaknesses, technical flaws or vulnerabilities. This analysis is to be carried out
              from the position of a potential attacker, and will involve active exploitation of security
              vulnerabilities.

              Testing examples include, but are not limited to:
                  - Data validation testing detecting problems such as SQL injection, Cross Site Scripting,
                    buffer overflows etc.
                  - Inspection of application validation and bounds checking for both accidental and
                    mischievous input.
                  - Manipulation of client-side code and locally stored information such as session
                    information and configuration files.

          Mitigation – Phase 3

          Post Assessment Review
              Upon completion of the security assessment, conduct a post-assessment review. Provide a three (3)
              month period for Morningstar to conduct remediation.


        3.) Project Management Approach
        Include the method and approach used to manage the overall project and client correspondence. Briefly describe
        how the engagement proceeds from beginning to end.

        4.) Deliverables
        Include descriptions and samples of the types of reports used to summarize and provide detailed information on
        security risks, vulnerabilities, and the necessary countermeasures and recommended corrective actions.

        5.) Detailed and Itemized Pricing
        Include a fee breakdown by project phase and estimates of travel expenses.

        6.) Appendix: References
        Three (3) current corporate references, including company name, contact name, title, address, telephone number,
        and client relationship synopsis.

        7.) Appendix: Project Team Staffing
        Include biographies and relevant experience of key staff and management personnel. List the personnel who would
        work on this project along with their qualifications and relevant experience.

        8.) Appendix: Company Overview
                    - Official registered name (Corporate, D.B.A., Partnership, etc.), Dun & Bradstreet Number, Primary and
                      secondary SIC numbers, address, main telephone number, toll-free numbers, and facsimile numbers.
                    - Key contact name, title, address (if different from above address), and direct telephone and fax numbers.
                    - Person authorized to contractually bind the organization for any proposal against this RFP.
                    - Brief history, including year established and number of years your company has been offering Information
                      Security Testing.

Evaluation Factors For Award

3.0 Criteria

Any award to be made pursuant to this RFP will be based upon the proposal with appropriate consideration given to
operational, technical, cost, and management requirements. Evaluation of offers will be based upon the Vendor’s
responsiveness to the RFP and the total price quoted for all items covered by the RFP.

The following elements will be the primary considerations in evaluating all submitted proposals and in the selection of a
Vendor or Vendors:


 1. Completion of all required responses in the correct format.

 2. The extent to which the Vendor’s proposed solution fulfills Morningstar’s stated requirements as set out in this RFP.

 3. An assessment of the Vendor’s ability to deliver the indicated service in accordance with the specifications set
    out in this RFP.

 4. The Vendor’s stability, experience and record of past performance in delivering such services.

 5. Availability of sufficient high quality Vendor personnel with the required skills and experience for the specific
    approach proposed.

 6. Vendor’s acceptance of Morningstar’s contractual terms and conditions, if applicable.

 7. Overall cost of Vendor’s proposal.


Morningstar may, at its discretion and without explanation to the prospective Vendors, at any time choose to discontinue
this RFP without obligation to such prospective Vendors.

Statement of Work and Deliverables

4.0 Requirements

Morningstar is providing the vendor with information that will allow the vendor to scope the level of effort required to
complete the work.

At the conclusion of the assessment, Morningstar requires written documentation of the approach, findings and
recommendations associated with this project. A formal presentation of the findings and recommendations to senior
management may also be required. The documentation should consist of the following:

4.1 Detailed Technical Report

A document developed for the use of Morningstar technical staff which discusses: the methodology employed, positive
security aspects identified, detailed technical vulnerability findings, an assignment of a risk rating for each vulnerability,
supporting detailed exhibits for vulnerabilities when appropriate and detailed technical remediation steps.

4.2 Executive Summary Report

A document developed to summarize the scope, approach, findings and recommendations, in a manner suitable for senior
management.






4.3 External Customer Report

An external customer-facing document developed to summarize the scope, approach and overall Information Security
Program compared to industry standards and practices.




End of Document




EXTENT-2016: MiFID 2 Requirements for testing and business clocksIosif Itkin
 
Safety Sensors and Switches Market.pdf
Safety Sensors and Switches Market.pdfSafety Sensors and Switches Market.pdf
Safety Sensors and Switches Market.pdfVrushali913094
 
Running head ACQUISITION STRATEGY PIEZOELECTRIC EMBEDDED TRA.docx
Running head  ACQUISITION STRATEGY  PIEZOELECTRIC EMBEDDED TRA.docxRunning head  ACQUISITION STRATEGY  PIEZOELECTRIC EMBEDDED TRA.docx
Running head ACQUISITION STRATEGY PIEZOELECTRIC EMBEDDED TRA.docxSUBHI7
 
Peck shield audit-report-strips-1.0-for_medium
Peck shield audit-report-strips-1.0-for_mediumPeck shield audit-report-strips-1.0-for_medium
Peck shield audit-report-strips-1.0-for_mediumChengZhu22
 

Similar to Microsoft Word Morningstar Rfp Security Assessment 2008 V2 1 (20)

Business proposal software testing6
Business proposal software testing6Business proposal software testing6
Business proposal software testing6
 
STUDY ON VALUATION OF PLANT AND MACHINERY – CASE STUDY OF GEAR SHAFT MANUFACT...
STUDY ON VALUATION OF PLANT AND MACHINERY – CASE STUDY OF GEAR SHAFT MANUFACT...STUDY ON VALUATION OF PLANT AND MACHINERY – CASE STUDY OF GEAR SHAFT MANUFACT...
STUDY ON VALUATION OF PLANT AND MACHINERY – CASE STUDY OF GEAR SHAFT MANUFACT...
 
Kantara webinar 800 63-3 approval 2020-07-15
Kantara webinar 800 63-3 approval 2020-07-15Kantara webinar 800 63-3 approval 2020-07-15
Kantara webinar 800 63-3 approval 2020-07-15
 
Fundability Criteria Worksheet_MediCoventures_v3.1
Fundability Criteria Worksheet_MediCoventures_v3.1Fundability Criteria Worksheet_MediCoventures_v3.1
Fundability Criteria Worksheet_MediCoventures_v3.1
 
OST Energy - Global Services
OST Energy - Global Services OST Energy - Global Services
OST Energy - Global Services
 
Redspin HIPAA Security Risk Analysis RFP Template
Redspin HIPAA Security Risk Analysis RFP TemplateRedspin HIPAA Security Risk Analysis RFP Template
Redspin HIPAA Security Risk Analysis RFP Template
 
Trust optix 4 1-14
Trust optix 4 1-14Trust optix 4 1-14
Trust optix 4 1-14
 
Test Engineer
Test  EngineerTest  Engineer
Test Engineer
 
STUDY ON VALUATION OF PLANT AND MACHINERY – CASE STUDY OF DRIP IRRIGATION PIP...
STUDY ON VALUATION OF PLANT AND MACHINERY – CASE STUDY OF DRIP IRRIGATION PIP...STUDY ON VALUATION OF PLANT AND MACHINERY – CASE STUDY OF DRIP IRRIGATION PIP...
STUDY ON VALUATION OF PLANT AND MACHINERY – CASE STUDY OF DRIP IRRIGATION PIP...
 
NorthBrook Sample Grading Report
NorthBrook Sample Grading ReportNorthBrook Sample Grading Report
NorthBrook Sample Grading Report
 
Kantara webinar 800 63-3 approval 2020-07-15
Kantara webinar 800 63-3 approval 2020-07-15Kantara webinar 800 63-3 approval 2020-07-15
Kantara webinar 800 63-3 approval 2020-07-15
 
Security Testing Market Share, Size & Growth | TechSci Research
Security Testing Market Share, Size & Growth | TechSci Research Security Testing Market Share, Size & Growth | TechSci Research
Security Testing Market Share, Size & Growth | TechSci Research
 
[2022.02] Umee blockchain - Final Report - Public(1).pdf
[2022.02] Umee blockchain - Final Report - Public(1).pdf[2022.02] Umee blockchain - Final Report - Public(1).pdf
[2022.02] Umee blockchain - Final Report - Public(1).pdf
 
[2022.02] umee blockchain final report - public
[2022.02] umee blockchain   final report - public[2022.02] umee blockchain   final report - public
[2022.02] umee blockchain final report - public
 
Security Software as a Service Market.pdf
Security Software as a Service Market.pdfSecurity Software as a Service Market.pdf
Security Software as a Service Market.pdf
 
Trackment
TrackmentTrackment
Trackment
 
EXTENT-2016: MiFID 2 Requirements for testing and business clocks
EXTENT-2016:  MiFID 2 Requirements for testing and business clocksEXTENT-2016:  MiFID 2 Requirements for testing and business clocks
EXTENT-2016: MiFID 2 Requirements for testing and business clocks
 
Safety Sensors and Switches Market.pdf
Safety Sensors and Switches Market.pdfSafety Sensors and Switches Market.pdf
Safety Sensors and Switches Market.pdf
 
Running head ACQUISITION STRATEGY PIEZOELECTRIC EMBEDDED TRA.docx
Running head  ACQUISITION STRATEGY  PIEZOELECTRIC EMBEDDED TRA.docxRunning head  ACQUISITION STRATEGY  PIEZOELECTRIC EMBEDDED TRA.docx
Running head ACQUISITION STRATEGY PIEZOELECTRIC EMBEDDED TRA.docx
 
Peck shield audit-report-strips-1.0-for_medium
Peck shield audit-report-strips-1.0-for_mediumPeck shield audit-report-strips-1.0-for_medium
Peck shield audit-report-strips-1.0-for_medium
 

Microsoft Word Morningstar Rfp Security Assessment 2008 V2 1

Security Assessment - Request for Proposal
Issued Date: June 16, 2008
Version: 2.0

Security Assessment; Request For Proposal

Contents
    Introduction and Background ............ 3
        1.0 Purpose of the Request for Proposal ............ 3
        1.1 Technical & Contractual Contact ............ 3
        1.2 Due Dates ............ 4
        1.2.1 Schedule of Events ............ 4
    Guidelines for Proposal Preparation ............ 4
        2.0 Proposal Submission ............ 4
        2.1 Detailed Response Requirements ............ 5
    Evaluation Factors For Award ............ 7
        3.0 Criteria ............ 7
    Statement of Work and Deliverable ............ 7
        4.0 Requirements ............ 7
        4.1 Detailed Technical Report ............ 7
        4.2 Executive Summary Report ............ 7
        4.3 External Customer Report ............ 8

Morningstar, Inc. Page 2 of 8

Morningstar has developed this Request for Proposal ("RFP") to help identify and select a quality security vendor to perform professional services work. It also lists questions for potential vendors, to ensure that a thorough and comprehensive approach to the project will be taken.

Contents

The RFP contains a number of different sections that provide the vendor with a better understanding of the Morningstar business and technical objectives of the effort, and provide the vendor with direction on the specific information the organization needs the vendor to provide. The major sections of the RFP are:

    Introduction and Background: A description of the project's objectives plus any additional background about the organization or business objectives that may provide the vendor with additional useful perspective.
    Administrative Information: Contact information that the vendors will need to prepare and submit their proposal, as well as major dates associated with the RFP submission, evaluation and award process.
    Guidelines for Proposal Preparation: Guidelines for vendor communication with the organization are provided in this section, and a preferred proposal format is described for the vendor.
    Statement of Work and Deliverables: This section provides sufficient technical details about the environment to allow a vendor to understand the scope of the effort and price it appropriately. In addition, the deliverables or work products required from the project are described.

Introduction and Background

1.0 Purpose of the Request for Proposal

Morningstar is a provider of financial services to individual customers, broker dealers, and financial advisors. It has facilities in approximately three locations within the United States, as well as several other locations in Europe and Asia.

Morningstar is interested in conducting a security assessment that will allow it to:

    Validate Morningstar's approach to regulatory compliance / preparedness with state security notification laws and federal regulations such as GLBA and Sarbanes-Oxley.
    Review network security and survivability, provide insight into fighting cyber crime, and learn the tools and techniques hackers are using, in order to prevent incidents.
    Identify both the strengths and weaknesses within the Security Program by comparing it to industry practices and standards.
    Gain a better understanding of potential corporate network vulnerabilities that may be visible from both inside and outside the network.
    Determine if the current network is configured securely.
    Evaluate the security associated with public self-service web applications that are used by Morningstar customers.
    Propose solutions to risks, vulnerabilities and/or threats, with short- and long-term options for remediation.

These activities are part of Morningstar's ongoing risk management program and are focused on identifying the risk level Morningstar is currently exposed to, so that an appropriate set of responses to those threats can be developed. Morningstar is seeking to identify and select an outside independent organization to perform the activities listed above. The remainder of this document provides additional information that will allow a service provider to understand the scope of the effort and develop a proposal in the format desired by Morningstar.

1.1 Technical & Contractual Contact

Any questions concerning technical specifications or Statement of Work (SOW) and contractual terms and conditions or proposal format requirements must be directed to:

    Name            Rana Shamoon
    Position Title  Sr. Security Analyst
    Address         225 W. Wacker
    Phone           312.696.6302
    E-mail          Rana.shamoon@Morningstar.com
    Fax             312.696.6404

1.2 Due Dates

A written confirmation of the Vendor's intent to respond to this RFP is required by June 23, 2008. All proposals are due by 5:00 pm on July 16, 2008. Any proposal received at the designated location after the required time and date specified for receipt shall be considered late and non-responsive.

1.2.1 Schedule of Events

    Task  Event                                                Date
    1     RFP Distribution to Vendors                          June 23, 2008
    2     Written Confirmation of Vendors with Bid Intention   June 27, 2008
    3     Questions from Vendors about scope or approach due   July 3, 2008
    4     Responses to Vendors about scope or approach due     July 11, 2008
    5     Proposal Due Date                                    July 16, 2008
    6     Target Date for Review of Proposals                  July 18, 2008
    7     Preliminary Skill Review                             July 21, 2008
    8     Final Vendor Selection Discussion(s)                 Week of July 23, 2008
    9     Anticipated decision and selection of Vendor(s)      July 25, 2008
    10    Anticipated commencement date of work                August 1, 2008

Guidelines for Proposal Preparation

2.0 Proposal Submission

Award of the contract resulting from this RFP will be based upon the most responsive Vendor whose offer will be the most advantageous to Morningstar in terms of cost, functionality and other factors as specified elsewhere in this RFP. Morningstar reserves the right to:

    Reject any or all offers and discontinue this RFP process without obligation or liability to any potential Vendor,
    Accept other than the lowest priced offer,
    Award a contract on the basis of initial offers received, without discussions or requests for best and final offers, and
    Award more than one contract.

Vendor's proposal shall be submitted in several parts as set forth below. The Vendor will confine its submission to those matters sufficient to define its proposal, and to provide an adequate basis for Morningstar's evaluation of the Vendor's proposal.

In order to address the needs of this procurement, Morningstar encourages Vendors to work cooperatively in presenting integrated solutions. Vendor team arrangements may be desirable to enable the companies involved to complement each other's unique capabilities, while offering the best combination of performance, cost, and delivery of services being provided under this RFP. Morningstar will recognize the integrity and validity of Vendor team arrangements provided that:

    The arrangements are identified and relationships are fully disclosed, and
    A prime Vendor is designated which will be fully responsible for all contract performance.

Vendor's proposal in response to this RFP will be incorporated into the final agreement between Morningstar and the selected Vendor(s). The submitted proposals are suggested to include each of the following sections:

2.1 Detailed Response Requirements

1.) Executive Summary
This section will present a high-level synopsis of the Vendor's responses to the RFP. The Executive Summary should be a brief overview of the engagement, and should identify the main features and benefits of the proposed work.

2.) Scope, Approach, and Methodology
Include detailed testing procedures and technical expertise by phase. This section will act as the Statement of Work (SOW) to be used as a guideline by the consultants during the security testing. All information that you provide will be held in strict confidence. This section should include a description of each major type of work being requested of the vendor. The proposal should reflect each of the sections listed below:

    Scope / Description

    Global Infrastructure Assessment – Phase 1

    Information Gathering
        Footprinting and information gathering to obtain a detailed blueprint of our network and its security profile. Gather domain names, IP network ranges, and information about hosts and port access, such as operating systems and applications.
    Network Architecture Assessment
        Assess the environment from the internal view of the network to identify vulnerabilities that may allow access to confidential areas of a network or sensitive internal information.
    Vulnerability Scan (External & Internal)
        Find security flaws in router and firewall configurations, un-patched systems, and mis-configured architecture.
    Network Device Assessment
        Review device configurations of routers and firewalls. Perform configuration analysis line by line to ensure that they conform to industry best practices applicable to the environment.
    Wireless Security Assessment
        Identify and inventory all wireless network access points, identify and exploit weaknesses in the wireless network, and assess the overall exposure to wireless network attacks. Recommend best methods to secure the environment based on internal business requirements and best practices for wireless security.
    VPN Security Assessment
        Assess the current configuration of the VPN and associated systems, conduct a VPN architecture review, and conduct external and internal VPN vulnerability and penetration testing.
    External Penetration Test / Ethical Hacking
        Confirm the true risk of vulnerabilities from a remote attack against servers, routers, firewalls, operating systems, etc.
    Internal Penetration Test / Ethical Hacking
        Confirm the true risk of vulnerabilities from an attack within the LAN/WAN.

    Application Level Assessment – Phase 2

    Source Code Security Assessment
        Source code review to identify software security problems. Review violations, such as common semantic language constructs and configuration that lead to vulnerabilities, with data and control flow analysis, tracking data and execution paths through an application.
    Web / Application Penetration Assessment / Ethical Hacking
        Review the security controls of an application. This security review should be directly related to the applications that have been custom developed or built on top of other commercial applications. For example, for an application developed using Active Server Pages (ASP), using a Microsoft Internet Information Server (IIS) running on a Windows 2003 operating system, the focus of the application security testing would be the ASP application. Testing examples include, but are not limited to:
            Examination of application-to-application interaction between system components such as the web service and back-end data sources.
            Discovery of opportunities that could be utilized by an attacker to escalate their permissions.
            Examination of authentication methods in use for their robustness and resilience to various subversion techniques.
    Web Penetration Assessment / Ethical Hacking
        Evaluating the security of Morningstar websites by simulating attacks: an active analysis of the website for any weaknesses, technical flaws or vulnerabilities. This analysis is to be carried out from the position of a potential attacker, and will involve active exploitation of security vulnerabilities. Testing examples include, but are not limited to:
            Data validation testing to detect problems such as SQL injection, Cross Site Scripting, buffer overflows, etc.
            Inspection of application validation and bounds checking for both accidental and mischievous input.
            Manipulation of client-side code and locally stored information such as session information and configuration files.

    Mitigation – Phase 3

    Post Assessment Review
        Upon completion of the security assessment, conduct a post assessment. Provide a three (3) month period for Morningstar to conduct remediation.

3.) Project Management Approach
Include the method and approach used to manage the overall project and client correspondence. Briefly describe how the engagement proceeds from beginning to end.

4.) Deliverables
Include descriptions and samples of the types of reports used to summarize and provide detailed information on security risk, vulnerabilities, and the necessary countermeasures and recommended corrective actions.

5.) Detailed and Itemized Pricing
Include a fee breakdown by project phase and estimates of travel expenses.

6.) Appendix: References
Three (3) current corporate references, including company name, contact name, title, address, telephone number, and client relationship synopsis.

7.) Appendix: Project Team Staffing
Include biographies and relevant experience of key staff and management personnel. List the personnel who would work on this project along with their qualifications and relevant experience.

8.) Appendix: Company Overview
    Official registered name (Corporate, D.B.A., Partnership, etc.), Dun & Bradstreet Number, primary and secondary SIC numbers, address, main telephone number, toll-free numbers, and facsimile numbers.
    Key contact name, title, address (if different from above address), and direct telephone and fax numbers.
    Person authorized to contractually bind the organization for any proposal against this RFP.
    Brief history, including year established and number of years your company has been offering Information Security Testing.

Evaluation Factors For Award

3.0 Criteria

Any award to be made pursuant to this RFP will be based upon the proposal with appropriate consideration given to operational, technical, cost, and management requirements. Evaluation of offers will be based upon the Vendor's responsiveness to the RFP and the total price quoted for all items covered by the RFP. The following elements will be the primary considerations in evaluating all submitted proposals and in the selection of a Vendor or Vendors:

    1. Completion of all required responses in the correct format.
    2. The extent to which the Vendor's proposed solution fulfills Morningstar's stated requirements as set out in this RFP.
    3. An assessment of the Vendor's ability to deliver the indicated service in accordance with the specifications set out in this RFP.
    4. The Vendor's stability, experience and record of past performance in delivering such services.
    5. Availability of sufficient high quality Vendor personnel with the required skills and experience for the specific approach proposed.
    6. The Vendor's acceptance of Morningstar's contractual terms and conditions, if applicable.
    7. Overall cost of the Vendor's proposal.

Morningstar may, at its discretion and without explanation to the prospective Vendors, at any time choose to discontinue this RFP without obligation to such prospective Vendors.

Statement of Work and Deliverable

4.0 Requirements

Morningstar is providing the vendor with information that will allow the vendor to scope the level of effort required to complete the work. At the conclusion of the assessment, Morningstar requires written documentation of the approach, findings and recommendations associated with this project. A formal presentation of the findings and recommendations to senior management may also be required. The documentation should consist of the following:

4.1 Detailed Technical Report
A document developed for the use of Morningstar technical staff which discusses: the methodology employed, positive security aspects identified, detailed technical vulnerability findings, an assignment of a risk rating for each vulnerability, supporting detailed exhibits for vulnerabilities when appropriate, and detailed technical remediation steps.

4.2 Executive Summary Report
A document developed to summarize the scope, approach, findings and recommendations, in a manner suitable for senior management.

4.3 External Customer Report
An external customer-facing document developed to summarize the scope, approach and overall Information Security Program compared to industry standards and practices.

End of Document
Morningstar, Inc.