Silicon Valley Clean Energy (SVCE) is seeking qualified consultants to conduct a comprehensive top-to-bottom audit of SVCE's IT infrastructure, network, and data storage. The audit should identify potential weak spots, vulnerabilities, and provide specific implementable recommendations for improvements. The scope includes: (1) Penetration Testing - Internal Network Pen Test, External Network Pen Test, Web Application Pen Test, Insider Threat Pen Test, Wireless Pen Test, Physical Pen Test, Advanced Persistent Penetration Testing; (2) Vulnerability Assessments - External Vulnerability Assessment, Internal Vulnerability Assessment, Network Security Assessment, Web Application Assessment, Operating System Assessment, Firewall Assessment, Active Directory Assessment; (3) Security posture snapshot including architectural weaknesses, access control vulnerabilities, network control and auditing weaknesses, detection and response weaknesses, policy configurations, and password analysis; (4) Review of current IT policies including Disaster Recovery Plan, Incident Detection/reporting/response capabilities, and Incident Response Plan (IRP); (5) Review and update of data security practices; (6) Assessment of Asset Protection processes, Compliance processes (ensuring regulatory requirements compliance), Risk Management processes, and Risk Mitigation processes; (7) Framework alignment with NIST Cyber Security Framework and CIS Security top 20 Critical Security Controls. Deliverables must include results of all tests, potential weak spots, vulnerabilities categorized by severity (critical, high, medium, low), specific implementable recommendations for improvements, updated policies and procedures, a final report suitable for Board presentation, and a possible Zoom presentation to the Board. SVCE aims to maintain industry standard protections for a public utility while complying with California Public Utilities Commission D.12-08-045 regarding privacy protections.