See attached files.

Penetration Testing Methodologies and Standards

The Vendor shall provide automated, manual, or hybrid penetration testing services as requested. Clients may request various types of penetration testing services such as White Box, Black Box, or Grey Box testing.

Penetration testing shall adhere to recognized industry methodologies and standards, including:

• Open-Source Security Testing Methodology Manual (OSSTMM)
• National Institute of Standards and Technology (NIST)
• Open Web Application Security Project (OWASP)
• Penetration Testing Execution Standard (PTES)
• Payment Card Industry Data Security Standard (PCI DSS) Guidance: PCI Information Supplement
• Federal Risk and Authorization Management Program (FedRAMP)
• Information Systems Security Assessment Framework (ISSAF)
• British Standards Institution (BSI) Penetration Testing Model
• Web Application Security Consortium (WASC) Threat Classification

General Requirements for Penetration Testing Services:

• Establish an incident and escalation management process to handle any issues that may arise during the test.
• Identify information to be provided by the client based on the nature of the test (e.g., White Box, Black Box, Grey Box).
• Identify targets and map attack vectors.
• Identify exploitable vulnerabilities and provide information with the proves.
• Exploitation within the scope, such as elevating privileges.
• Provide comprehensive reporting to the client.

Penetration Testing Services Clean Up:

The Vendor must ensure a thorough cleanup after the completion of penetration testing services, ensuring the client’s environments are not adversely affected. Cleanup activities include:

• Updating and/or removing test accounts added or modified during testing.
• Updating and/or removing database entries added or modified during testing.
• Uninstalling test tools or other artifacts as applicable.
• Restoring any security controls altered for testing purposes.
• Providing the client with necessary information and guidance to verify that environments have been restored.
• Confirming to the client that the environments have been cleaned and restored.

Penetration Testing Services Reporting and Presentation:

The Vendor shall provide the client with a detailed report for each service completed. The report shall include:

• Executive Summary
• Scope of Services
• Identification of critical components and explanation of why these components were tested
• Methodologies and tools used to conduct the testing
• Any constraints that impacted the testing (e.g., specific testing hours, bandwidth, special requirements)
• Description of the test progression and issues encountered with timelines
• Findings from the tests (e.g., exploitation, severity) with detailed explanations
• Affected targets in the client’s environments
• Recommendations for remediation

Interested persons shall submit in a sealed envelope:

• Letter of Reference
• Application Form filled and signed (see the attached file)
• Signed price list (Prices should be calculated separately for each main component: Network, 24/7 zone, social engineering, etc.)
• Professional Liability Insurance signed  
• Scope of Penetration Testing and detailed plan
• Payment Procedure
• Extract from the Entrepreneurial Register
  
• NDA
• At least 5 years of experience in the relevant field, including a short description, scale, and number of implemented penetration testing projects.
• Certifications: Proof of permanent staff of experts with relevant certifications involved in the project (e.g., CISA, OSCP, OSWE, OSCE, OSEE, SANS GIAC, LPT (Master), GXPN, ECSA (Practical), GMOB).  

Interested parties will be provided with detailed information about the scope of penetration test after the signing of the NDA.

Along with hardcopies, please also send digital copies of the requested documents on CD disc.  

Please specify on a sealed envelope:

• Name of your company
  
• Contact information (responsible person, telephone and e-mail)
• Name of the tender
• Name of the receiving department: Procurement Unit
• Inscription CONFIDENTIAL
• Please sign and put your company seal on the envelope. 

Please deliver your tender proposal to the address at No 21 Al. Kazbegi Avenue and put it in the Tender Box on the first floor.

Interested parties can apply documentation in Georgian or in English languages.

Deadline for submission: 12 September 2024 before 16:00.