Ohio Department of Taxation Penetration Test
Document #:  TRUST-21-01-003

Question:   Section 3: Penetration Testing Approach section: Is this a Windows only exercise, or are Mac/Linux Operating Systems also in use? Can a VM be utilized?

Answer:   The internal environment consists primarily of Microsoft OS. Findings of other OS are to be reported but not in scope for the penetration test.

A VM cannot be utilized.

Date: 11/18/2020

Question:   Section 3 : Penetration Testing Approach section: Can ODT provide a more detailed list of items that require penetration testing in its internal environment (e.g., a list of network-connected devices currently in use)?

Answer:   Workstations, laptops, servers, printers (additional details may be provided after SOW awarded).

Date: 11/18/2020

Question:   Section 3: Penetration Testing Approach section: Does the scope of internal follow similar rules of engagement as external testing (e.g., "environment lateral movement and privilege escalation must be exploited to its full extent")?

Answer:   Yes, but assessment is non-destructive.

Date: 11/18/2020

Question:   Section 3: Penetration Testing Approach section: Is access to hardware (such as USB ports) allowed? How does the tester interact with the kiosk? Are the kiosks networked to the internal environment such that they are separate from the internal scope section?

Answer:   Access to the workstations is permitted. Kiosks are computers located in office cubicles, which are connected to peripherals and the network. The CPU is in a locked cabinet. The penetration tester should attempt to exploit any security weakness or vulnerability in this setting. Should penetration prove unsuccessful in these conditions, the cabinet will be unlocked to continue penetration testing by any means.

Date: 11/18/2020

Question:   Section 3: Penetration Testing Approach section: Does ODT intend for the scope to include Social engineering/Phishing?

Answer:   The scope does NOT include Social engineering/Phishing.

Date: 11/18/2020

Question:   Section 3: Penetration Testing Approach section: Is this intended to be a true Black-Box exercise, or will basic URLs and/or IP ranges be provided by ODT?

Answer:   Basic URLs/IP ranges will be provided.

Date: 11/18/2020

Question:   Section 3: Scope Item 3: Does the scope include all potential network connected devices?

Answer:   The penetration testing should attempt to laterally move by any means, including exploiting any security weakness or vulnerability of any device connected to the network.

Date: 11/18/2020

Question:   Section 3: Is the selected vendor required to report only exploitable and exploited issues, or everything of note (e.g., full vulnerability report)?

Answer:   The report must focus on exploitable and exploited issues, within the context of the entire environment.

Date: 11/18/2020

Question:   Section 3: Scope Item 3: Approximately how many overall endpoints require testing?

Answer:   Approximately 1500 overall endpoints require testing.

Date: 11/18/2020

Question:   Section 3: Scope Item 1: Is authenticated application testing in scope for this project? If so, how many applications and how many user roles require testing?

Answer:   Authenticated application testing is NOT in scope for this project.

Date: 11/18/2020

Question:   Section 3: Scope Item 3: How many unique domains are required to be tested in the ODT ecosystem/enterprise?

Answer:   There is one (1) unique domain required to be tested in the ODT ecosystem/enterprise.

Date: 11/18/2020

Question:   Section 3: Scope item 3: Does testing of internal environments include testing of individual staff workstations? If so, how many individual workstations require penetration testing?

Answer:   Testing of internal environments does NOT include testing of individual staff workstations.

Date: 11/18/2020

Question:   Section 3: Scope item 2: How many kiosks require testing at the Northland location?

Answer:   There are 5 kiosks that require testing at the Northland location.

Date: 11/18/2020

Question:   Should the Hourly Rate or the Flat Fee Amount (or both) as quoted in the response reflect the fifteen percent discount requested back in the Spring or will that be applied afterwards on the invoice?

Answer:   It is the Contractor's choice to determine if they want to offer the discount at the time of submission or at the invoice phase. Contractors responding to this SOW should note where the discount will be applied.

Date: 11/18/2020

Question:   Is testing of a kiosk in our lab environment possible, or potentially testing of the kiosk at a later date?

If not, what precautions will Tax provide to ensure the safety of our testing team?

Answer:   Offsite or conducting testing in the future is NOT an option.

TAX will provide the following precautions:
o Ingress/egress to the facility is limited to one main entrance.
o A temperature check is required prior to access.
o Masks are required.
o Facility is cleaned and disinfected daily.
o Most staff are telecommuting (e.g., very few employees are in the building) so social distancing is being practiced.
o Testers may use gloves and/or bring hand sanitizer or cleaning wipes, as they see fit.

Date: 11/17/2020

Question:   The scope of work includes onsite testing of the kiosk according to the document. Is this truly required during the current COVID spike?

Answer:   The State anticipates allowing taxpayers back into our facility at a future date to be determined. As such, the State feels the workstation kiosks must be included in any security assessment.

Date: 11/17/2020

