Lone Star Legal Aid (LSLA) seeks proposals from qualified vendors to conduct a Cyber Risk Posture
Assessment, including penetration testing, preparation of a roadmap to address vulnerabilities, and help
with any policy enhancements to meet industry standards. The objective is to ensure that our
organization’s infrastructure is secure from cyber threats. For more information on Lone Star Legal Aid,
you can visit us at https://www.lonestarlegal.org.
All responses to this RFP must be received no later than 5:00 p.m. (US/Central) on April 30, 2025.
Respondents must be prepared to start as soon as possible upon selection due to the time constraints of
the project.
Project completion, including issue management, evaluation, final adjustments, and final reporting must
occur no later than April 30, 2026.
Approximately 300 users, with several hundred devices across the organization.
There are approximately 50 servers, a mix of physical and virtual, supporting internal operations.
We operate a multi-site network connected to a centralized datacenter, with redundant internet connections and VLAN segmentation.
We have deployed solutions for endpoint detection, network access control, and client protection.
We utilize a hybrid cloud environment that includes SaaS, CRM, and infrastructure services. Sensitive data may include client personally identifiable information (PII) and limited financial information.
User management is handled through a combination of on-premises and cloud identity platforms.
No formal cybersecurity posture assessments have been completed to date; only basic IT control reviews during annual financial audits.
Only external penetration testing is currently required. However, proposers may submit optional pricing for internal testing.
No. LSLA conducts phishing training and testing separately and does not require it for this engagement.
Several public-facing IP addresses and a limited number of externally accessible applications are included.
No, physical security is not in scope.
A small number of basic cybersecurity-related policies exist; these require updates and expansion.
Yes, remote execution is allowed. Site visits are optional but not required.
U.S.-based personnel are preferred, but offshore resources are acceptable if their working hours align with LSLA’s business hours (8:00 AM – 5:00 PM US/Central).
No. The focus should be on providing findings, recommendations, and a strategic remediation roadmap. Remediation work will be handled internally.
Awareness training is expected: an executive-level walkthrough of the new policy changes, with examples for our end users, delivered as one live session plus a recorded version for onboarding future staff.
Both. Some policies exist but additional development is needed to align with cybersecurity best practices.
LSLA seeks to develop a risk management approach for AI tools, supporting both current initiatives and future projects.
LSLA is seeking assistance to establish a cybersecurity baseline and recommendations for meaningful KPIs moving forward.
LSLA is a medium-sized nonprofit organization.
LSLA operates more than a dozen physical office locations plus remote users.
All technology is centrally managed by LSLA’s IT team; departments are not siloed.
Yes, both are included in the external assessment scope.
No budget ceiling is disclosed. Proposers are encouraged to submit competitive pricing appropriate to the scope outlined in the RFP.