Joint Procurement: IT infrastructure penetration testing / Supply of IT Security Assessment Services: Penetration Testing / IT Security Assessment Services according to the TIBER-EU framework
SEAP ID: CAN1068262
Status: Awarded
Date: 05 December 2021
Value: 89.748,24 RON
Procedure type: Open tender
Contract type: Services
Locality: Bucuresti
Description: The contract implies a joint procurement.
The contracting authority is purchasing also on behalf of other contracting authorities.
The participating institutions are:
Banca d'Italia, Via Nazionale 91, Roma, IT 00184, Italy
Banco de España, Calle Alcalá, 48, 28014, Spain
Banque centrale du Luxembourg, 2, boulevard Royal, L-2983 Luxembourg
Central Bank of Cyprus, 80 Kennedy Avenue, Nicosia, CY-1076, Cyprus
Central Bank of Ireland, New Wapping Street, North Wall Quay, Dublin 1, Ireland
Central Bank of Malta, Castille Place, Valletta, VLT1060, Malta
European Central Bank, Sonnemannstrasse 20, Frankfurt am Main, 60314, Germany
Oesterreichische Nationalbank, Otto-Wagner-Platz 3, Wien, 1090, Austria
Malta Financial Services Authority, Triq l-Imdina, Zone 1, Central Business District, Birkirkara, Malta
Other institutions having the right to participate in EPCO's activities (according to Decision ECB/2008/17 as amended), which did not express an interest in this procedure before the publication of the contract notice in the OJEU, will also have the possibility to join the Framework Agreements, if they so wish, before their expiry. The identity of EPCO members may be consulted on EPCO's website: https://epco.lu/.
The objective of the current joint tender procedure is to contract services for identifying cybersecurity risks and for guidance on taking appropriate technical and organizational measures to minimize those risks within current and future EPCO members of the ESCB.
To cover a wider scope, according to the testing methodology, the National Bank of Romania identified three lots for the joint tender procedure:
• Lot no. 1 - IT Security Assessment Services in line with the latest Regular Penetration Testing Execution Standards;
IT Security Assessment Services according to the TIBER-EU framework:
• Lot no. 2 - Targeted Threat Intelligence Services;
• Lot no. 3 - Red team IT Security Services.
Each lot will result in a framework agreement with the following characteristics: multi-supplier framework agreement (max 5), with reopening of competition. For all Participating Institutions except NBR, this Framework Agreement shall be non-exclusive, meaning that these Participating Institutions will have no obligation to award assignments for the purchase of IT Security Assessment Services to the Contractor under this Framework Agreement. For NBR this Framework Agreement shall be exclusive, meaning that during the term of this Framework Agreement NBR will have the obligation to fulfil its needs for IT Security Assessment Services through this Framework Agreement by concluding Further Agreements with the Contractors.
All current and future EPCO member central banks are together potential beneficiaries of the Framework Agreements, which the Participating Institutions will implement via reopening of competition (mini-competition) among the Contractors. Each Participating Institution shall be entitled to describe its specific needs regarding the IT Security Assessment Services (the IT infrastructure that needs to be tested) and to apply its own offer evaluation methodology and quality/price weighting, within the terms of the Framework Agreement, to assign the Further Agreements.
Deadline for requesting clarifications to the award documentation: 16 days before the deadline for submission of offers
Date of response to all requests for clarification: 11 days before the deadline for submission of offers
Lots:

Lot no. 2 - Targeted Threat Intelligence Services
200.000 RON
NBR Headquarters, the headquarters of the participating institutions
The IT infrastructure of the NBR (as well as that of the other participating institutions), as implemented at the time of the tests and available to both internal and external customers, is within the scope of these tests. The IT infrastructure contains the components required to operate and manage the IT environments.
These components include hardware, software, networking components, an operating system (OS), and data storage, all of which are used to deliver IT services and solutions.
The main objective is to identify the Participating Institution's cybersecurity risks and to take appropriate technical and organizational measures to minimize/mitigate those risks.
More granular objectives are defined as follows:
- Identify the external exposure in terms of attack surface and determine whether the implemented security controls ensure appropriate protection against malicious actors;
- Measure the level of responsiveness and the capability to identify and react to a cyber-attack targeting the identified weak points;
- Determine if the security policy and controls implemented within the internal IT infrastructure are strong enough to be able to identify an ongoing cyber-attack and to take measures to stop it;
- Measure the effectiveness of the security awareness program by testing the user’s reaction to a social engineering cyber-attack;
- Determine if the sensitive data is well protected against bad actors;
- Comply with the regulatory requirements in terms of ensuring that the IT infrastructure offers a certain level of security protection.
From the point of view of the TIBER-EU methodology:
The tests will provide an overview of the existing vulnerabilities in employees, business processes and associated technology (applications and infrastructure), and will provide a detailed threat assessment that can be used to raise awareness of the current situation and of the measures to be taken to address it, improve the situation and reduce the associated risks. These tests, performed on the basis of the "Red / Blue / White Team" concept, are an extended form of the classic concept of penetration testing, which usually provides a detailed and useful assessment of technical and configuration vulnerabilities. In the end, the tests will follow a complete scenario for a targeted attack against the entire entity.

Lot no. 3 - Red team IT Security Services
200.000 RON
NBR Headquarters, the headquarters of the participating institutions
The IT infrastructure of the NBR (as well as that of the other participating institutions), as implemented at the time of the tests and available to both internal and external customers, is within the scope of these tests. The IT infrastructure contains the components required to operate and manage the IT environments.
These components include hardware, software, networking components, an operating system (OS), and data storage, all of which are used to deliver IT services and solutions.
The main objective is to identify the Participating Institution's cybersecurity risks and to take appropriate technical and organizational measures to minimize/mitigate those risks.
More granular objectives are defined as follows:
- Identify the external exposure in terms of attack surface and determine whether the implemented security controls ensure appropriate protection against malicious actors;
- Measure the level of responsiveness and the capability to identify and react to a cyber-attack targeting the identified weak points;
- Determine if the security policy and controls implemented within the internal IT infrastructure are strong enough to be able to identify an ongoing cyber-attack and to take measures to stop it;
- Measure the effectiveness of the security awareness program by testing the user’s reaction to a social engineering cyber-attack;
- Determine if the sensitive data is well protected against bad actors;
- Comply with the regulatory requirements in terms of ensuring that the IT infrastructure offers a certain level of security protection.
From the point of view of the TIBER-EU methodology:
The tests will provide an overview of the existing vulnerabilities in employees, business processes and associated technology (applications and infrastructure), and will provide a detailed threat assessment that can be used to raise awareness of the current situation and of the measures to be taken to address it, improve the situation and reduce the associated risks. These tests, performed on the basis of the "Red / Blue / White Team" concept, are an extended form of the classic concept of penetration testing, which usually provides a detailed and useful assessment of technical and configuration vulnerabilities. In the end, the tests will follow a complete scenario for a targeted attack against the entire entity.

Lot no. 1 - IT Security Assessment Services in line with the latest Regular Penetration Testing Execution Standards
200.000 RON
NBR Headquarters, the headquarters of the participating institutions
The IT infrastructure of the NBR (as well as that of the other participating institutions), as implemented at the time of the tests and available to both internal and external customers, is within the scope of these tests. The IT infrastructure contains the components required to operate and manage the IT environments.
These components include hardware, software, networking components, an operating system (OS), and data storage, all of which are used to deliver IT services and solutions.
The main objective is to identify the Participating Institution's cybersecurity risks and to take appropriate technical and organizational measures to minimize/mitigate those risks.
More granular objectives are defined as follows:
- Identify the external exposure in terms of attack surface and determine whether the implemented security controls ensure appropriate protection against malicious actors;
- Measure the level of responsiveness and the capability to identify and react to a cyber-attack targeting the identified weak points;
- Determine if the security policy and controls implemented within the internal IT infrastructure are strong enough to be able to identify an ongoing cyber-attack and to take measures to stop it;
- Measure the effectiveness of the security awareness program by testing the user’s reaction to a social engineering cyber-attack;
- Determine if the sensitive data is well protected against bad actors;
- Comply with the regulatory requirements in terms of ensuring that the IT infrastructure offers a certain level of security protection.
Penetration tests are usually performed by following the stages defined below:
• Pre-engagement Interactions;
• Intelligence Gathering and Threat Modelling;
• Vulnerability Identification and Analysis;
• Exploitation;
• Post Exploitation;
• Reporting.