INVITATION TO TENDER – SELECTION OF VENDOR FOR THE IMPLEMENTATION OF INFORMATION TECHNOLOGY VULNERABILITY MANAGEMENT AND PENETRATION TESTING SOLUTION

Lagos, Nigeria
Closing date for applications: 2021-06-18

Summary

1.0 BACKGROUND

The African Reinsurance Corporation (Africa Re) is an International Financial Institution with Headquarters in Lagos (Nigeria). Africa Re has six Regional Offices in Casablanca (Morocco), Nairobi (Kenya), Abidjan (Côte d’Ivoire), Port Louis (Mauritius), Lagos (Nigeria) and Cairo (Egypt); two subsidiaries in Johannesburg (South Africa) and Cairo (Egypt) as well as a Local Office in Addis Ababa (Ethiopia) and Kampala (Uganda).

The Corporation is currently in the process of implementing a network Vulnerability Management and Penetration Testing solution that provides a fully available, scalable, and efficient platform to help us gain visibility into vulnerabilities across our enterprise and to simulate real-world attacks so that we find our weak points before a malicious attacker does. This solution must be able to leverage the latest analytics and endpoint technology to discover vulnerabilities in a real-time view, pinpoint their location within our environment, prioritize them and facilitate remediation to ensure that the security loopholes are closed.

2.0 OBJECTIVES

As the volume of data within the Corporation grows exponentially and attacks become more sophisticated, minimizing risk and optimizing operations are becoming more challenging. For this purpose, Africa Re intends to implement a network Vulnerability Management Solution to enhance the overall security of its environment in the following areas:

• Determine and discover vulnerabilities in the server environment and key IT systems.

• Generate reports for all vulnerability scanning activities.

• Harden system configurations to reduce vulnerability in technology applications, systems, infrastructure and firmware by eliminating potential attack vectors and condensing the system's attack surface.

• Implement industry best practices that provide auditability and demonstrate compliance against security standards for cyber risk monitoring, vulnerability, and configuration management.

• Provide remediation steps to all discovered vulnerabilities.

• Run penetration testing programs at scale and pinpoint weak links in the attack chain

• Reduce user risk using phishing campaigns and education

Vendors with necessary technical skills, experience and business knowledge are invited to submit their best proposals for review.

Below is an overview of Africa Re’s current network infrastructure:

- Africa Re operates in multiple branches (Cairo, Casablanca, Abidjan, Nairobi, Addis-Ababa, Mauritius, Johannesburg) with active users in these branches.

- The connectivity between Africa Re data centers and branches is encrypted through a site-to-site virtual private network (VPN).

- The current total number of assets within our environment to be covered within this VM scope is 500, which includes network devices, servers, and personal computers.

- The operating systems on endpoints (i.e. PCs and mobile devices) in the Africa Re environment are a mix of Windows, macOS, and Linux.

3.0 DELIVERABLES

The solution and implementation services required from vendors must have the following capabilities:

1. Ability to gather fresh data, whether via agents or agentless, without the false positives of passive scanning:  

a. Automatically assess for change in our network when it happens.

b. Identify the risk posed by our entire network footprint, including cloud, virtual, and endpoints.

c. Integrate seamlessly with other critical security enforcement tools within our network and prioritize remediation actions.

2. Ability to spot change as it happens in our network using a library of Threat Exposure Analytics and automatically prioritize actions: 

a. Ability to query our vulnerability scan results to understand our risk exposure from multiple lines of defense (risk owners/managers, risk control and compliance, independent assurance functions).

b. Shift prioritization of vulnerability remediation towards the most important assets within our organization.

c. Lightweight deployment with a unified endpoint agent to achieve effective baseline checks and only update changes in vulnerability status.

3. Advanced dashboard to visualize, prioritize, assign, and fix our exposures:

a. Ability to build reports to communicate with multiple audiences from IT and compliance.

b. Provide an instant view on what new vulnerabilities have been discovered and their priority for remediation.

c. Ability to check the status of remediation projects across both security and IT and to understand how different segments of our network are performing against each other

4. Ability to run penetration tests at scale and simulate phishing campaigns to harvest credentials, deliver payloads, and improve security awareness within our enterprise

5. Ability to generate reports that present the findings as required by relevant security standards

4.0 EVALUATION PROCESSES AND SELECTION CRITERIA

Responses to this RFP will be evaluated and scored based on the following criteria:

- Experience of the service provider in implementing network Vulnerability Management and Penetration Testing solutions (specifically Rapid7 InsightVM & Metasploit).

- Technical approach and methodology

- Organization and staffing

- Proposed Cost

- Financial Information

- Similar projects delivered previously

- Quality, clarity, and presentation of proposal...
