1. Objectives and desired results

1.1 General objective

The primary objective of this engagement is to conduct a comprehensive security assessment of the Portal utilized by the PPA. This includes evaluating the portal’s overall security architecture, analyzing user roles and permissions, assessing database security, reviewing the data hosting environment, examining encryption practices for data at rest and in transit, and performing an in-depth source code audit.

1.2 Specific objectives

  1. Empower PPA in conducting its leading and focal role in supporting public administrations.
  2. Enhance the security, efficiency, and long-term sustainability of the PPA's portal by identifying vulnerabilities, assessing resource requirements, and recommending cost-effective improvements.

1.3 Anticipated results

Delivery of an Interim Report and a Security Assessment Report, as per the action plan defined hereunder.

2. Requirements

2.1 Scope of Work

The service provider is responsible for conducting a comprehensive security audit of the PPA Portal, covering all aspects of the system, including but not limited to user access mechanisms, application architecture, data storage, APIs, and the underlying infrastructure.

 

The audit must identify vulnerabilities, assess compliance with security standards, and provide actionable recommendations for remediation. A report should be generated that includes supporting screenshots and logs.

Furthermore, collaboration with representatives from the PPA and Expertise France will be essential at every stage of the process to ensure a thorough understanding of the system's requirements, validate findings, and achieve consensus on recommendations. The service provider is also expected to provide a detailed audit report, including an executive summary, technical findings, risk assessments, and a prioritized action plan for addressing identified issues.

Roles and Permissions Management

  1. Conduct a detailed review of roles, groups, and user permissions to ensure alignment with the principle of least privilege.
  2. Analyze the use of high-privilege accounts and evaluate user authentication mechanisms.
  3. Identify risks related to privilege escalation or permission misconfiguration that could lead to unauthorized access to sensitive data.

Data Hosting and Infrastructure Security

  1. Assess the security of the data hosting environment, including server configurations, network security protocols, firewalls, and segregation of duties.
  2. Evaluate resilience against threats, namely: Distributed Denial of Service (DDoS), phishing attacks, malware infections, ransomware attacks, insider threats, and zero-day vulnerabilities.
  3. Ensure compliance with internationally recognized standards (ISO 27001, GDPR).

Database Security

  1. Perform a thorough assessment of database security, including user access controls, configurations, and encryption mechanisms.
  2. Validate the adequacy of encryption for data at rest and during transmission.
  3. Review backup procedures and disaster recovery mechanisms to ensure alignment with best practices for data availability and integrity.

Source Code Security

  1. Conduct static and dynamic code analysis to identify vulnerabilities like SQL injection, insecure object references, and cross-site scripting (XSS).
  2. Review third-party modules, libraries, and extensions for potential security risks.

Application Security Testing

  1. Perform extensive security testing, including:
    1. Penetration Testing: Simulate real-world cyberattacks to identify vulnerabilities.
    2. Automated Vulnerability Scanning: Use tools such as Nessus or Burp Suite to detect vulnerabilities, and validate the results through manual analysis.
    3. Common Vulnerability Assessments: Address risks such as Cross-Site Request Forgery (CSRF), insecure deserialization, improper session management, and insufficient logging.

Data Privacy and Compliance

  1. Ensure compliance with relevant national and international data privacy regulations, such as Government of Lebanon data protection laws and GDPR.
  2. Evaluate how personally identifiable information (PII) and other sensitive legal data are processed, stored, and protected.

Security Monitoring and Incident Response

  1. Assess logging and monitoring capabilities to ensure all access, modifications, and security events are captured and stored for analysis.
  2. Evaluate the authority’s incident response procedures, including breach isolation and post-incident reviews.
  3. Provide recommendations for improving monitoring systems and implementing a formal incident response plan tailored to the PPA context.

Human Resources and Financial Stability

Human Resource Assessment

  1. Evaluate the current capabilities of the personnel responsible for managing the portal, identifying gaps in the technical expertise necessary for maintaining system security and operational efficiency.
  2. Offer recommendations for training programs and capacity-building initiatives to address skill deficiencies.

Financial Analysis

  1. Analyze the financial requirements for maintaining the portal, including recurring costs for infrastructure, personnel, software updates, and security measures.
  2. Provide a detailed cost estimation and sustainability plan, outlining strategies to optimize long-term operational costs while ensuring the system's continued effectiveness and reliability.

2.2 Expected Deliverables

The service provider is expected to provide the following deliverables:

 

Preliminary Assessment Report

To be submitted within 10 days of project initiation, detailing the proposed approach, methodology, and project timeline.

Interim Report

A preliminary document highlighting critical vulnerabilities identified early in the assessment, along with initial recommendations. Includes an early evaluation of the human resources and financial management capacities required for long-term sustainability.

 

Final Security Assessment Report

A comprehensive report detailing all aspects of the security assessment, including identified vulnerabilities classified under a risk prioritization framework such as a High-Medium-Low scale, prioritized mitigation strategies, and a sustainability analysis for human resources and financial operations.

Remediation Plan

A clear and actionable roadmap outlining the steps, timelines, and resources necessary to address identified risks and ensure the Portal’s security and operational sustainability.

Presentation

A presentation of findings and recommendations delivered to representatives of Expertise France and PPA. This presentation will include specific recommendations for system sustainability, cost analysis, and capacity building to support long-term management.

Reporting format

The provider must deliver the above security assessment findings in a structured and professional report, which should include the following key elements:

Executive Summary: A high-level overview of the security assessment, including a summary of findings, risks, and prioritized recommendations for the portal’s security improvements.

 

Detailed Vulnerability Findings: A detailed list of identified vulnerabilities, classified by severity (e.g., Critical, High, Medium, Low).

For each vulnerability, the following details must be provided:

  1. Description of the vulnerability and the affected component.
  2. Risk level based on likelihood and potential impact.
  3. Exploitability (e.g., whether the vulnerability can be easily exploited).
  4. Evidence of the vulnerability (e.g., screenshots, logs, or proof of concept).

Testing Methodology: A clear explanation of the testing techniques and tools used (both automated and manual), including any deviations from standard methodologies.

Remediation Recommendations: Actionable steps for mitigating or eliminating each identified risk, including best practices for security enhancements.

Risk Assessment: A risk matrix or similar visual representation showing the overall risk posture of the portal.

Executive Dashboard (optional): High-level visual summary of key findings, to be used by stakeholders for a quick assessment of the security status.

Compliance Assessment: If applicable, an evaluation of the portal’s alignment with relevant security standards (e.g., GDPR, PCI DSS, ISO 27001).

The report should be clear, concise, and tailored to both technical and non-technical audiences, ensuring stakeholders can easily interpret and act on the findings.

2.3 Non-Disclosure Agreement (NDA)

To protect the confidentiality of sensitive information during the security assessment, the service provider must sign a Non-Disclosure Agreement (NDA).

The NDA includes the following key provisions:

  1. Confidential Information: A clear definition of what constitutes confidential information, including any sensitive portal data, database contents, source code, intellectual property, and findings of the security assessment.
  2. Obligations of the Provider: The provider’s obligations to maintain the confidentiality of the information, including ensuring that any third parties involved in the assessment also sign appropriate confidentiality agreements.
  3. Non-Disclosure Duration: The non-disclosure obligations are unlimited in time; the successful service provider must therefore maintain them indefinitely.
  4. Exclusions: Any exclusions to confidentiality (e.g., information that becomes public through no fault of the provider or was already known to the provider before the assessment).
  5. Data Handling and Protection: The provider must agree to handle all data securely and ensure no unauthorized access or disclosure.
  6. Return or Destruction of Data: Upon completion of the assessment, the provider must return or securely destroy any confidential data and assessment reports as agreed upon.

The NDA must be signed prior to the commencement of any work and remain in effect throughout the duration of the engagement and beyond.

2.4 Project Plan and Duration

The total duration of the project will be 8 to 10 weeks maximum, with the following milestones:

| Milestone | Duration | Deliverables |
|---|---|---|
| Preliminary assessment | 10 days from kick-off | Preliminary report |
| Interim assessment | 4 weeks from kick-off | Interim Findings report |
| Final assessment and action plan | 8--10 weeks from kick-off | Final Security Assessment Report, Remediation Plan, and Presentation |

2.5 Evaluation

The best value for money is established by weighing technical quality against price on a 40/60 basis.

The quality of each technical and financial offer will be evaluated in accordance with the following award criteria and weighting (sub-criteria weights are shown in parentheses):

| Criteria | Weight |
|---|---|
| Requirements and experience | 40 |
| Service provider experience and references | (10) |
| Technical and methodology capabilities | (25) |
| Proposed delivery timeline | (5) |
| Price (including TCO) | 60 |

Tenders will be appraised and given a score of up to 100 points according to these criteria.

NB:

  1. Only tenders with scores of at least 25 points on the technical evaluation qualify for the financial evaluation.
  2. No other award criteria will be used. The award criteria will be examined in accordance with the requirements indicated in the Terms of Reference.

 

 

3. Place, duration, and terms of performance

  1. Hybrid and onsite at the Public Procurement Authority (PPA)
  2. Start date: 25/3/2025
  3. Delivery date: 25/5/2025

4. Required expertise and profile

  1. Demonstrated experience in conducting comprehensive security assessments of portal platforms, particularly open-source solutions.
  2. Expertise in performing both automated and manual security testing, using recognized tools and methodologies.
  3. The service provider must possess relevant certifications indicating expertise in security assessments and vulnerability testing. Acceptable certifications include, but are not limited to:
    1. CISSP (Certified Information Systems Security Professional)
    2. CEH (Certified Ethical Hacker)
    3. CISA (Certified Information Systems Auditor)
    4. OSCP (Offensive Security Certified Professional)
    5. GIAC (Global Information Assurance Certification) for penetration testing or incident response
    6. ISO 27001 Lead Auditor/Lead Implementer certification
  4. The service provider must provide evidence of at least 5 similar projects they have successfully completed. For each project, detailed descriptions of the work performed, the services provided, and the outcomes achieved should be submitted. This may include case studies, project reports, or client testimonials.
  5. Experience with open-source security tools, such as OWASP ZAP, and others.
  6. Extensive knowledge of database security, application security testing, and network infrastructure.

How to apply

The proposal should include:

  1. Technical proposal (in MS Word format) detailing the suggested methodology and timeline.
  2. Priced BOQ filled in MS Excel format (as per the provided BOQ template).
    1. The provided template holds prefilled items that match the requirements of this TOR. Service providers are kindly asked to respect the suggested format.
  3. For companies:
    • Annex I – complete Legal entity form, including MOF registration and VAT number.
    • Annex II – complete Beneficiary profile form.
    • Annex III – Sworn statement of conflict of interest.
    • Detailed CVs for all experts involved.
    • Workplan (estimated time for delivering the consultancy).
    • A portfolio of similar experiences.
  4. For individuals (freelance consultants):
    • Annex II – complete Beneficiary profile form.
    • Annex III – Sworn statement of conflict of interest.
    • Detailed CV.
    • Financial offer (detailing the daily rate).
    • Workplan (estimated time for delivering the consultancy).
    • MOF registration number.
    • A portfolio of similar experiences.

Please send your proposal by email to Ms. Aya Kassir at the following address:

aya.kassir@expertisefrance.fr

Submission deadline

All proposals must be submitted no later than 10 March 2025.

 

Deadline: Monday, 10 March 2025
Type of Call: Call for Consultancies
Intervention Sector(s): Safety and Security
Remuneration range: > 6000 (USD)
Duration of Contract: 3 Months