Questions and Answers
Ohio Department of Taxation Penetration Test
Document #: TRUST-21-01-003
Question: Section 3: Penetration Testing Approach section: Is this a Windows only exercise, or are Mac/Linux Operating Systems also in use? Can a VM be utilized?
Answer: The internal environment consists primarily of Microsoft operating systems. Findings on other operating systems are to be reported but are not in scope for the penetration test. A VM cannot be utilized.
Question: Section 3 : Penetration Testing Approach section: Can ODT provide a more detailed list of items that require penetration testing in its internal environment (e.g., a list of network-connected devices currently in use)?
Answer: Workstations, laptops, servers, printers (additional details may be provided after SOW awarded).
Question: Section 3: Penetration Testing Approach section: Does the scope of internal testing follow similar rules of engagement as external testing (e.g., "environment lateral movement and privilege escalation must be exploited to its full extent")?
Answer: Yes, but assessment is non-destructive.
Question: Section 3: Penetration Testing Approach section: Is access to hardware (such as USB ports) allowed? How does the tester interact with the kiosk? Are the kiosks networked to the internal environment such that they are separate from the internal scope section?
Answer: Access to the workstations is permitted. Kiosks are computers located in office cubicles, which are connected to peripherals and the network. The CPU is in a locked cabinet. The penetration tester should attempt to exploit any security weakness or vulnerability in this setting. Should penetration prove unsuccessful in these conditions, the cabinet will be unlocked to continue penetration testing by any means.
Question: Section 3: Penetration Testing Approach section: Does ODT intend for the scope to include Social engineering/Phishing?
Answer: The scope does NOT include Social engineering/Phishing.
Question: Section 3: Penetration Testing Approach section: Is this intended to be a true Black-Box exercise, or will basic URLs and/or IP ranges be provided by ODT?
Answer: Basic URLs/IP ranges will be provided.
Question: Section 3: Scope Item 3: Does the scope include all potential network connected devices?
Answer: The penetration testing should attempt to laterally move by any means, including exploiting any security weakness or vulnerability of any device connected to the network.
Question: Section 3: Is the selected vendor required to report only exploitable and exploited issues, or everything of note (e.g., full vulnerability report)?
Answer: The report must focus on exploitable and exploited issues, within the context of the entire environment.
Question: Section 3: Scope Item 3: Approximately how many overall endpoints require testing?
Answer: Approximately 1500 overall endpoints require testing.
Question: Section 3: Scope Item 1: Is authenticated application testing in scope for this project? If so, how many applications and how many user roles require testing?
Answer: Authenticated application testing is NOT in scope for this project.
Question: Section 3: Scope Item 3: How many unique domains are required to be tested in the ODT ecosystem/enterprise?
Answer: There is one (1) unique domain required to be tested in the ODT ecosystem/enterprise.
Question: Section 3: Scope item 3: Does testing of internal environments include testing of individual staff workstations? If so, how many individual workstations require penetration testing?
Answer: Testing of internal environments does NOT include testing of individual staff workstations.
Question: Section 3: Scope item 2: How many kiosks require testing at the Northland location?
Answer: There are 5 kiosks that require testing at the Northland location.
Question: Should the Hourly Rate or the Flat Fee Amount (or both) as quoted in the response reflect the fifteen percent discount requested back in the Spring or will that be applied afterwards on the invoice?
Answer: It is the Contractor's choice to determine if they want to offer the discount at the time of submission or at the invoice phase. Contractors responding to this SOW should note where the discount will be applied.
Question: Is testing of a kiosk in our lab environment possible, or potentially testing of the kiosk at a later date? If not, what precautions will Tax provide to ensure the safety of our testing team?
Answer: Offsite testing or testing at a later date is NOT an option. TAX will provide the following precautions:
o Ingress/egress to the facility is limited to one main entrance.
o A temperature check is required prior to access.
o Masks are required.
o Facility is cleaned and disinfected daily.
o Most staff are telecommuting (i.e., very few employees are in the building), so social distancing is being practiced.
o Testers may use gloves and/or bring hand sanitizer or cleaning wipes, as they see fit.
Question: The scope of work includes onsite testing of the kiosk according to the document. Is this truly required during the current COVID spike?
Answer: The State anticipates allowing taxpayers back into our facility at a future date to be determined. As such, the State feels the workstation kiosks must be included in any security assessment.