To be a leading petroleum and mineral regulatory authority in the region


REQUEST FOR PROPOSAL – IT Vulnerability Assessment and Penetration Testing


IT Vulnerability Assessment and Penetration Testing



Autoridade Nacional do Petróleo e Minerais (ANPM) is Timor-Leste public institution, created under Decree Law No. 1/2016 of 9th February, 1st amendment of Decree-Law No. 20/2008 of 19th June, on the Autoridade Nacional do Petróleo, responsible of managing and regulating petroleum and mining activities in Timor-Leste area, both offshore and onshore and in the Joint Petroleum Development Area (JPDA) in accordance with the Decree Law on the establishment of the ANPM, the Timor-Leste Petroleum Activities Law, the Timor Sea Treaty and the Mining Code.

IT Department has supported various information services with significant investment value to facilitate the company’s daily operation, together with internal and third parties support. Since the value of information has become essential asset in capital of investment, then it could become more risk and costly when data breach or access violation from inside or outside threats


ANPM wants to conduct Vulnerability Assessment and Penetration Testing (VAPT) with intent to secure their externally visible IT infrastructure. The main objective of the RFP is for vulnerability assessment and penetration testing off the following location:

  1. MoF office
  2. Downstream office

The scope of vulnerability assessment and penetration testing (VAPT) are:

  1. Network and IT security infrastructure
  2. Server infrastructure (Windows and Linux including VMware virtualization)
  3. Remote access and VPN
  4. Wireless infrastructure
  5. Mail infrastructure (IBM)
  6. Web application testing
  7. Databases
  8. Storage infrastructure
  9. Reporting / recommendation



Interested external auditor is requested to provide following information in their proposal:

  1. A statement confirming the capacity to perform the scope of work;
  2. Statement of skills, qualifications and experience of personnel to be involved;
  3. Proposed methodology;
  4. Work program and timelines;
  5. Statement of any potential conflicts of interest;
  6. Business registration;
  7. Declaration of any affiliation Companies;
  8. Company organisation structure;
  9. Financial Proposal:
  • Quotation for performing the task with the following details:
  • The fee proposed must be a total fixed price quoted indicating a total gross amount in USD which is 10% withholding tax included.
  • Any incidental out of pocket expenses, such as travel and accommodation must be included in the overall fixed price fees submitted (for non-resident company)
  • No amount other than the proposed total fixed price shall be paid.



Rules and responsibilities of auditor would be as follows but not limited to:

  1. Attempting to guess passwords using password-cracking tools
  2. Attempting penetration through perceivable network equipment/addressing and other vulnerabilities
  3. Check if any Vulnerability exists in the Servers, Database, Applications, wireless Network and Security devices in scope without disturbing operations
  4. To check whether there is any vulnerability present in all IT assets in scope
  5. To ascertain IDS is configured for intrusion detection, suspicious activity on host are monitored and reported to server, firewall and IDS logs are generated and scrutinized
  6. Effectiveness of Tools being used for monitoring systems and network against intrusions and attacks
  7. The assessment should include but not limited to following sections:
  8. DMZ Zone
  9. Remote Access and VPN
  10. Network and IT Security Assessment
  11. ANPM Server Infrastructure (Windows and Linux operation system vulnerability including VMware virtualization) Assessment
  12. Active Directory and Group Policy Assessment.
  13. Wireless Security Assessment
  14. VoIP Communications Network
  15. Website Application
  16. Mail system
  17. Databases
  18. Provide scheduled updates regarding the project
  19. Provide documents / diagrams detailing the project information in a timely manner.
  20. Provide the final report that include but not limited to:
    1. Management Summary with overall severity graph, this summary will be a comprehensive and easy to understand by management.
    2. Detailed results for vulnerabilities discovered, exploited vulnerabilities and proof of concepts/screenshots.
    3. Detailed explanations of the implications of findings, business impacts, and risks for each of the identified exposures
    4. Remediation recommendations to close the deficiencies identified.
    5. Detailed steps (wherever/whenever applicable) to be followed while mitigating the reported deficiencies. Security issues that pose an imminent threat to the system are to be reported immediately.
    6. Vulnerabilities Report would be delivered in a password protected Adobe Acrobat (PDF) document format.



The auditor should possess the requisite experience, resources and capabilities in providing the services necessary to meet the requirements. The auditor should have impeccable reputation and good will, based on consistent delivery of professional services with the highest technical and ethical standard. Auditor not meeting the Eligibility Criteria will not be considered for further evaluation.


The invitation to bid is open to all Bidders who qualify the Eligibility Criteria as given below, Failure to provide the desired information and documents may lead to disqualification of the Bidder.

  1. The Auditor should be certified to conduct VAPT.
  2. The Auditor has completed at a minimum of three commercial VAPT
  3. The consultants conducting the VAPT should be Certified Penetration Testers and their registration/certificate should be current. (Attach Proof).
  4. The consultants conducting the VoIP testing should be certified to conduct such testing.
  5. Bidder will certify in writing that there is no conflicts of interest of ANPM’s current providers or vendors


The application should be marked ‘Confidential’ and for the attention of: Mr. Humberto Pereira, Procurement Section – Corporate Services Directorate of ANPM and submitted by E-mail through  / or by hand or courier in sealed envelope to:

Autoridade Nacional do Petróleo e Minerais (ANPM)

Andar Térreo Ala Leste do Palácio do Governo,

Edifício nº 1, Avenida Marginal

PO Box 113

Dili, Timor – Leste

ANPM website;



The bidding process will be closed on 27th of September 2017 at 16.30 Timor-Leste time. Late applications will not be considered.



Question or requests for further information should be made by email or directed to Mr. Mario Gusmao, IT Manager on or Ms. Lidya Fatima, IT Network Administrator Officer on  or on +670 3324098/3317215/3317216/3312735.


Dili, 11th of September 2017


Pamela Simões

Admin & Procurement Manager