So as a government consultant I am subscribed to the Philippine Government Electronic Procurement System (PhilGeps), and I get an email whenever the keyword ‘consultant’ pops up on any requirement. A few days ago I was quite surprised when I got this:
When clicked it leads to this page, indicating the Social Security System’s (SSS) intention to hold a public bidding for Vulnerability Assessment and Penetration Testing with a budget of P2,500,000.
I cut and paste the criteria and rating system here :
- Quality, Experience and Availability of Personnel Project Manager 5 45 At least ONE (1) dedicated person for each discipline with at least three (3) years relevant experience. Years of experience in each discipline must be indicated in their resume.
- Database Expert 10
- Security Expert 10
- Enterprise Architect (Infrastructure) 10
- Enterprise Architect (Applications) 10
- Certified Ethical Hackers Less than 5-
- Disqualified At least FIVE (5) Certified Ethical Hackers; Certification must be current.
- Presentation of Approach and Methodology Approach, Methodology, Work Breakdown Structure, Deliverables and Sample Output of completed similar project 25 25 Must submit Approach, Methodology, Work Breakdown Structure, Deliverables and Sample Output of completed similar project
- Experience of the Service Provider Bidder (Company or JV partner) must have a Consultancy Contract of similar nature relative to the bid. 20 Must have a consultancy contract of similar nature and not less than P1.25M
- Total amount of contracts is greater than P 2.5 million 20
- Total amount of contracts is between P 1.25 million – P 2.49 million 15
- Total amount of contract is less than P1.25 million Disqualified
Service Provider Length of Operation a. Operational for more than 10 years 10 10 Length of Operation must not be less than 3 years
- Operational for 3 – 10 years 5
- Less than 3 years Disqualified
PASSING SCORE 75
What makes this interesting to me is that in this country, the concept of an IT executive even admitting that their system is conceivably open to vulnerability is tantamount to getting fired, let alone actually setting aside P2.5M to pay an outside party to try check if it is.
I can imagine the counter boardroom arguments ranging from ‘Isn’t it your job to keep it from being vulnerable?‘, to ‘Wouldn’t this expose us even more to hackers?‘ and may even go as far as indirectly assume connivance.
Assuming everyone is on board with it the idea that someone actually knows that such a service exists and that it is worth pursuing equally makes me shake my head in disbelief.
I mince no words here. Private or Government, many MIS and IT departments I have dealt with are set in the middle ages in both thinking and technology. There are a few ok ones of course, and one shining star that I think is just as innovative and at pace with the best of them internationally (or at least until the new Admin). But for the most part they ‘re all still a bunch of guys trying to figure out email. Believe me I’ve seen both ends.
So to see an agency and the SSS no less do this is actually quite heartening. The hope is that they will share their experience for other agencies who are thinking about it to follow suit. And that is a topic I have been itching to write about.