Call for the preparation of the market study for the “Ethical Hacking Consultancy for servers and systems or applications in the production environment of the Ministry of Public Health – Central Plant” – Ministry of Public Health

by time news

March 25, 2023

The Ministry of Public Health, through the Directorate of Information and Communication Technologies, invites suppliers to participate in the preparation of the Market Study for the “ETHICAL HACKING CONSULTANCY FOR SERVERS AND SYSTEMS OR APPLICATIONS IN THE PRODUCTION ENVIRONMENT OF THE MINISTRY OF PUBLIC HEALTH HEADQUARTERS”.

This market study will be used to define the referential budget prior to the publication of the contracting process.

The referential price of the services should consider the following aspects:

  1. The technical specifications, scope and other requested requirements can be found in Annex 1 – or at https://almacenamiento.msp.gob.ec/index.php/s/D1lHIfzuMCbOvOR
  2. The validity of the quote must not be less than 120 days;
  3. The consultancy will be financed with resources from the Inter-American Development Bank, so bidders must belong to IDB member countries;
  4. The offer must be submitted for the entire contract;
  5. This process does not contemplate the readjustment of prices.

DESCRIPTION OF THE CONSULTANCY

The ethical hacking consulting process will be carried out in intranet and internet environments, based on the box methodology (black box, gray box and white box), through both internal and external ethical hacks. Its scope and methodology will be defined according to each activity.

The main objective of this consultancy is to execute penetration testing procedures on servers and systems or applications in the production environment of the MSP, in order to identify, analyze and carry out a risk assessment of computer vulnerabilities, and to carry out exploitation tests of the well-known or unknown vulnerabilities found, classified as critical, high, medium or low. The consultant will prepare a technical report (which will include screenshots and evidence of the findings) describing the findings and results, together with strategies/recommendations based on the principles of information security (availability, confidentiality and integrity) that make it possible to remedy any intrusive finding against the institution’s servers and systems or applications.

  • The consultant must deliver a Work Plan containing a schedule of the activities to be carried out as part of the consultancy, together with the planning of the human and logistic resources that allow the objectives to be met.
  • The MSP, through the Directorate of Information Technology and Communications (DTIC), will deliver the necessary inputs to contribute to the fulfillment of the requested objective, and will select and define the servers and systems or applications in the production environment on which the consultancy will be executed. Penetration tests will be carried out using automated and manual tools, which will be provided by the
  • The methodologies to be used during the hacking activities will be predetermined in conjunction with the MSP technical team and the company.
  • A technical report and an executive report must be delivered covering the identification, analysis and risk assessment of computer vulnerabilities found in servers and systems or applications in the production environment; the exploitation tests performed on the well-known and unknown vulnerabilities found, classified as critical, high or medium level; and strategies/recommendations focused on the principles of information security (availability, confidentiality and integrity).
  • Based on the results obtained from the ethical hacking procedure, the MSP will generate, together with the bidder, the action plan to mitigate the vulnerabilities found, so that the MSP can take the corresponding corrective actions. This documentation, as well as the findings and any reference to this consultancy, is understood to be highly confidential and therefore cannot be disclosed without the express authorization of the pertinent authorities of the Likewise, the consultants who participate in it must commit to non-disclosure and information confidentiality by signing a confidentiality agreement.
  • The consultancy must have tools with current licensing, subscriptions and technical support, giving it access to all the functionalities and vulnerability analysis services.
  • Finally, the consultancy must analyze the results obtained through the three modalities (black box, gray box and white box) and present the Work Plan, Technical Results and Executive reports, describing the strategies/recommendations that make it possible to guarantee the principles of information security (availability, confidentiality and integrity), including conclusions and recommendations, so that MSP staff can remedy the vulnerabilities found in the servers and systems or applications in the production environment. The consultancy and the delivery of all its products will take a maximum of 4 months.

EXECUTION PERIOD, SCHEDULE AND DELIVERABLES

The estimate for the execution of the contract is 120 days (4 months) broken down as follows:

The aforementioned deliverables and their delivery schedule are detailed below as of the day after the contract is signed (calendar days), as shown in the following table:

| Timeline | Phases | Expected product |
|---|---|---|
| 15 days | Preliminary stage: Planning | Work Plan Report. It consists of the schedule and activities to be carried out. Agenda of all the topics or activities to be developed. |
| 60 days | Execution | Technical Results Report |
| 15 days | Final stage: Control | Executive report. |
| 30 days | Presentation of results at the level of MSP authorities | Backups in magnetic media of vulnerability scanning in services and systems or applications in the production environment of the MSP. Documentary preparation by the Contract Administrator for payment. |
| 120 days | TOTAL | |

PAYMENT METHOD:

The method of payment for this consultancy will be payment against delivery, after the signing of the final Act of Delivery/Reception.

Quotations must be sent in digital format (signed) to the institutional email addresses consultorias@mspsalud.gob.ec and proyecto.bid@mspsalud.gob.ec until Friday March 31, 2023, with the following data:

Bidder data:

Business name:

RUC:

Address:

Telephone:

Payment method: (Payment against delivery of the consultancy – Act of Delivery/Reception)

Consulting delivery time: (120 days)

Offer issuance date:

Offer Validity: (must not be less than 120 days)

Signature of the responsible party, preferably an electronic signature in QR format, for which it is suggested to use the FIRMA EC application: https://www.firmadigital.gob.ec/descargar-firmaec/

Data of the contracting party:

On behalf of: Ministry of Public Health

RUC: 1760001120001

Address: Quito, Av. Quitumbe Road and Av. Amaru Road, Government Platform of Social Development.

Telephone: 593-2 381-4400 ext. 4008

Quotation Presentation Format:

Economic proposal:

| Item | Description | Subtotal (without VAT) |
|---|---|---|
| 1 | ETHICAL HACKING CONSULTING FOR SERVERS AND SYSTEMS OR APPLICATIONS IN THE PRODUCTION ENVIRONMENT OF THE MINISTRY OF PUBLIC HEALTH CENTRAL PLANT | |
| | VAT 12%: | |
| | Total (includes VAT): | |

List of eligible countries

  • List of member countries when financing comes from the Inter-American Development Bank: Germany, Argentina, Austria, Bahamas, Barbados, Belgium, Belize, Bolivia, Brazil, Canada, Chile, Colombia, Costa Rica, Croatia, Denmark, Ecuador, El Salvador, Finland, France, Guatemala, Guyana, Haiti, Honduras, Israel, Italy, Jamaica, Japan, Mexico, Nicaragua, Netherlands, Panama, Paraguay, Peru, Portugal, Republic of Korea, Slovenia, Spain, United States, Dominican Republic, People’s Republic of China, Sweden, Switzerland, Suriname, Trinidad and Tobago, Uruguay, and Venezuela.

Eligible Territories

  • Guadeloupe, French Guyana, Martinique, Reunion – as they are Departments of France.
  • US Virgin Islands, Puerto Rico, Guam – for being Territories of the United States of America.
  • Aruba – for being a Constituent Country of the Kingdom of the Netherlands; and Bonaire, Curaçao, Sint Maarten, Sint Eustatius – as they are Departments of the Kingdom of the Netherlands.
  • Hong Kong – as a Special Administrative Region of the People’s Republic of China.
