Request for Proposal. Data Exfiltration Risk Assessment


Request for Proposal
Data Exfiltration Risk Assessment
March 2019

SCHOOL EMPLOYEES RETIREMENT SYSTEM OF OHIO
300 E. BROAD ST., SUITE 100, COLUMBUS, OHIO 43215-3746
614-222-5853, Toll-Free 866-280-7377
www.ohsers.org

Request for Proposal for Data Exfiltration Assessment, Page 2 of 13

TABLE OF CONTENTS

I. INTRODUCTION ... 3
II. BACKGROUND ... 3
III. SCOPE OF SERVICES ... 4
IV. PROPOSAL SUBMISSIONS ... 5
V. SELECTION PROCESS ... 7
VI. TENTATIVE TIME TABLE ... 8
VII. CRITERIA ... 9
VIII. QUESTIONNAIRE ... 9
IX. TERMS AND CONDITIONS ... 10
X. Appendix A: QUESTIONNAIRE ... 11

I. INTRODUCTION

The School Employees Retirement System of Ohio (SERS) is requesting proposals from vendors for providing an assessment of SERS' risk due to data exfiltration.

II. BACKGROUND

SERS is a statewide defined benefit retirement system for non-certificated persons employed by the public schools within the state's cities, villages and counties, as well as local districts, vocational and technical schools, community colleges, and The University of Akron. SERS provides service retirement, disability and survivor benefits, and access to health care coverage for benefit recipients and their dependents. General administration and management of the plan is vested in the Retirement Board established under Chapter 3309 of the Ohio Revised Code.

SERS maintains approximately 1.2 million member records including personally identifiable information (PII) and 135,000 healthcare-related records (also known as Protected Health Information or PHI) protected under the Health Insurance Portability and Accountability Act (HIPAA). SERS has an established Information Security Program and must comply with federal and state regulations for managing PHI, including diagnoses and examiner reviews as part of disability records, and PII, including SSNs, bank account information, and employment history as part of member records. SERS maintains these and other business data in both structured and unstructured formats, and utilizes administrative, technical, and physical controls to limit undesired movement of organizational data.

SERS currently has approximately 180 employees who are centrally located in Columbus and span eight departments: Administrative Services, Executive, Finance, Health Care, Human Resources, IT, Investments, and Member Services. The IT Department has 35 employees; the Information Security Program is administered by the Information Security and Privacy Officer, who reports to the Enterprise Risk Management Officer, and the Chief Audit Officer conducts all Internal Audit functions. More information about SERS may be obtained at https://www.ohsers.org/aboutsers/.

III. SCOPE OF SERVICES

For the purposes of this engagement the following terms shall be defined as such:

Data loss is any event in which data passes outside of organizational control without approval either by policy or exception.

Data leakage is the intentional or unintentional transfer of data from a system of record to a complementary system that enforces weaker controls.

Data breach is the unauthorized access to data as the result of an active effort by a malicious actor.

SERS is seeking a qualified vendor to provide the following services:

1. Review existing administrative, technical, and physical controls for managing data loss and data leakage. Examples:
   - Organizational data management policies
   - Email content filtering
   - Network segmentation
   - Physical access control for areas housing paper documents

2. Inventory existing data locations via a combination of automated scanning, staff interviews, manual inspection, system logging, and/or other techniques proposed by the vendor and approved by SERS. SERS will provide criteria for data classification. Any scanning/inspection must not alter original data. All scan data, including the contents and/or locations of sensitive records, must be secured as agreed by SERS and the vendor and disposed of at the conclusion of the engagement.

3. Estimate the failure rates of current controls based on the results of electronic and physical inventorying. The vendor should enumerate:
   - The control or control group evaluated
   - The amount of data (quantified as files, records, etc.) found to be in compliance with organizational policies
   - The amount of data found to be in non-compliance with organizational policies
   - Any assumptions made if reliable data is unavailable (e.g., false negatives in a filtering control)

4. Perform a risk assessment for identified process failures and control gaps. Identify deviation from industry standard practices and quantify potential adverse impacts of these deviations. Create data flow diagrams to show existing control coverage and gaps. Where possible, the vendor should classify risks in accordance with SERS risk management policies.

5. Provide prioritized, risk-rated recommendations for remediating any findings identified as part of items 1 through 4.

SERS does not expect the selected vendor to perform any of the following as part of this engagement:

1. Vulnerability assessment, although access to existing vulnerability scans can be provided if the vendor wishes to include this in the risk assessment.
2. Penetration testing of any systems or controls.
3. Assessment of controls or aspects of controls designed explicitly to prevent data breach.

SERS will consider only proposals for the services as described above. Responses submitted for other services will not be considered.

IV. PROPOSAL SUBMISSIONS

A. Response Deadline

The completed Response must be received by Wednesday, April 3, 2019 at 11:59PM, Eastern Daylight Time. Responses received after the Response deadline will not be considered.

B. Delivery

Contact person for all responses and communications:

Sean Thomas
Information Security & Privacy Officer
Enterprise Risk Management Department
School Employees Retirement System
300 East Broad Street, Suite 100
Columbus, OH 43215
sersprocure@ohsers.org

Responses should be submitted in PDF file format to the contact email address above. Faxed transmissions are not acceptable and will not be considered.

C. Response Documents

All of the following documents must be submitted together and in the order listed.

1. A Cover Letter submitting the vendor's Response on the vendor's letterhead, signed by at least one individual who is authorized to bind the vendor contractually.

2. The Questionnaire in Appendix A, with the question and/or request duplicated in the Response before the answer or response.

D. Submitted Responses

Any Response submitted will become the property of SERS. SERS reserves the right to retain all Responses submitted, and to use any information contained in a Response except as otherwise prohibited by law. All Responses and the contents thereof will be deemed to be a public record which is open to public inspection after a vendor has been selected and a contract has been executed, if any. A vendor may include one additional copy of its Response with any proprietary trade secret information redacted and marked as such, with a brief written basis as to why it believes the information is protected from disclosure. In the event that SERS receives a public records request to which, in SERS' sole discretion, any of a vendor's materials are responsive, SERS may release the vendor's redacted materials or, in the event no redacted materials are submitted, the vendor's unredacted materials without notice to the vendor. In the event any of the vendor's redactions are challenged, the vendor shall have sole responsibility to defend such redactions at its cost and expense. SERS will not institute any legal action to defend any of the vendor's redactions, but will notify the vendor of such challenges.

E. Communications with SERS

Vendors which intend to submit a Response should not contact any member of SERS staff or members of the Retirement Board. An exception to this rule applies to vendors who currently do business with SERS, but any contact made by such vendor(s) with those persons should be limited to that business, and should not relate to this RFP.

F. Questions Relating to this RFP

All questions concerning this RFP must be received in writing by fax or email by the Contact person by Wednesday, March 27, 2019 at 11:59PM, Eastern Daylight Time. Only questions received by email by this deadline will be answered; the answers will be made available to all vendors by a posting at www.ohsers.org. Questions submitted after this deadline or other than by email will not be considered.

V. SELECTION PROCESS

SERS staff will evaluate all timely and complete Responses. SERS reserves the right to request that any Response be clarified or supplemented. The selection process is as follows:

A. Submission of Responses

Vendors shall submit their Responses by Wednesday, April 3, 2019 at 11:59PM EDT.

B. Selection of Final Vendor Candidates

At the sole discretion of SERS, one or more vendors may be chosen as final candidates. All vendors will be notified as to their final candidate status by email by Friday, April 5, 2019 at 11:59PM EDT.

C. Interviews with SERS Staff

At the sole discretion of SERS, one or more final vendor candidates may be asked to interview with SERS staff. Invitations will be sent by email. Vendor interviews may be conducted at SERS offices in Columbus, Ohio, or by teleconference or videoconference; however, interviews at SERS offices are preferred. For the interview, vendors are strongly encouraged to have one or more members of their proposed project team in attendance.

D. Vendor Selection

After completion of the vendor interviews, SERS staff will select a vendor with which to enter into contract negotiations for the requested services.

VI. TENTATIVE TIME TABLE

The following is the tentative time schedule for SERS' search for vendors to provide the requested services. All dates are subject to modification by SERS without prior notice. All deadline times are 11:59PM Eastern Daylight Time on the dates specified unless otherwise noted.

Issuance of RFP ............................ March 18, 2019
Written Question Deadline .................. March 27, 2019
Response to Written Questions .............. March 29, 2019
RFP Response Deadline ...................... April 3, 2019
Notification of Status Sent to Finalists ... April 5, 2019
Interviews of Vendors and Candidates ....... April 8 - April 12, 2019
Vendor and Candidate Selection ............. April 12, 2019
Projected Commencement Date ................ May 1, 2019
Projected Report Draft Date ................ June 3, 2019
Projected Exit Conference Date ............. June 14, 2019

The vendor(s) selected must enter into a contract.

VII. CRITERIA

The following minimum criteria are preferred:

- Have in-depth knowledge of industry-best standards for data loss and data leakage prevention.
- Have expertise in validating security requirements for data loss and data leakage prevention.
- Have detailed knowledge in discovery techniques for data loss and data leakage.
- Have completed three (3) successful projects involving assessments of data loss and data leakage at mid-size or larger organizations over the past three (3) years.
- Have experience and familiarity with projects of similar size, scope, and business focus to this request.
- Have individuals assigned to SERS with professional experience in data loss and data leakage.

The criteria for selection will include, but are not limited to, the following:

- Understanding of the project.
- Defined plan or approach for providing services.
- Availability of resources to commit to SERS.
- Stability and experience in providing the requested services.
- Stability and experience of the personnel assigned to SERS.
- Depth of knowledge, experience, and resources to provide required services.
- Positive feedback from all professional references.

VIII. QUESTIONNAIRE

Vendors must complete the Questionnaire appearing in Appendix A. Responses to the questions should repeat the question and be answered in order. Each response should be complete, clear, and of reasonable length.

IX. TERMS AND CONDITIONS

SERS makes no representations or warranties, expressed or implied, as to the accuracy or completeness of the information in the RFP, and nothing contained herein is or shall be relied upon as a promise or representation, whether as to the past or the future. The RFP does not purport to contain all of the information that may be required to evaluate the RFP, and any recipient hereof should conduct its own independent analysis of SERS and the data contained or referenced herein.

SERS does not anticipate updating or otherwise revising the RFP. However, this RFP may be withdrawn, modified, or re-circulated at any time at the sole discretion of SERS. SERS reserves the right, at its sole discretion and without giving reasons or notice, at any time and in any respect, to alter these procedures, to change and alter any and all criteria, to terminate discussions, to accept or reject any Response, in whole or in part, to negotiate modifications or revisions to a Response, and to negotiate with any one or more respondents to the RFP.

SERS is not and will not be under any obligation to accept, review or consider any Response to the RFP, and is not and will not be under any obligation to accept the lowest offer submitted or any offer at all. SERS is not and will not be under any obligation to any recipient of, or any respondent to, the RFP except as expressly stated in any binding agreement ultimately entered into with one or more parties, either as part of this RFP process or otherwise. Any decision to enter into a binding agreement with a respondent to this RFP is in SERS' sole discretion.

This RFP is not an offer but a request to receive a Response. SERS will consider a Response as an offer to develop an agreement based upon the contents of the Response. Respondents agree that the contents of their Responses are valid for one year from the date of submission.

SERS will not be liable for any cost incurred in the preparation of a Response and will not reimburse any respondents for their submission. Expenses related to the production of a Response are the sole responsibility of the respondent.

X. APPENDIX A: QUESTIONNAIRE

Responses to the following questions should repeat the question and be answered in order. Limit each response to no more than one-half page.

A. Vendor

1. Provide the vendor's name and the principal office's address, telephone number, and website.
2. Provide the name, address, telephone number, and email address of the vendor's primary contact for this proposal.
3. Describe the vendor's primary business focus.
4. Specify how many years the vendor has been in business.
5. Describe the vendor's relevant qualifications and experience.
6. Describe the vendor's experience validating security requirements for data loss and data leakage prevention.
7. Describe the vendor's experience using discovery techniques for data loss and data leakage.
8. List and describe four (4) successful projects performed by the vendor over the past three (3) years that are similar in size, scope, and business focus to this request at mid-size or larger organizations. For each project, include details including, but not limited to, size, scope, business focus, challenges, and successes.
9. Describe the level of liability insurance that the vendor carries.
10. Provide at least three (3) references for projects of similar size, scope, and business focus that SERS can contact.

B. Personnel

1. Does the vendor have sufficient, dedicated, qualified resources that can be committed to SERS for the project?
2. Identify how many staff will be assigned to this work and their location.
3. Describe the qualifications of the assigned staff (certifications, experience, etc.).
4. Describe the vendor's bonding process and coverage of employees.
5. Affirm that no staff assigned to work on this project has been convicted of a felony.
6. Affirm that key assigned staff are full-time employees of the vendor.

C. Proposed Service

1. Clarify whether this service will be provided by the vendor, or by another company for which the vendor is acting as a broker or sales agent. If the latter, explain.
2. Describe the vendor's plan or approach for performing the work and satisfying the scope of work outlined in Section III of this proposal. Be specific and thorough. Include any additional related or more in-depth services that would benefit SERS in this assessment.
3. Describe the vendor's project management approach specific to this project.
4. From the vendor's experience, what are the most important elements for successful projects similar to this?
5. From the vendor's experience, what are the most significant challenges for successful projects similar to this?

D. Standards of Conduct

1. Does the firm have a written code of conduct or set of standards for professional behavior? If so, attach a copy and state how they are monitored and enforced.
2. Does the firm have a written anti-discrimination policy? If so, attach a copy and state how the policy is monitored and enforced.
3. How does the firm identify and manage conflicts of interest?
4. Are there any potential conflicts of interest that the firm would have in providing the requested services to SERS? If yes, explain.
5. List and describe any relationships and/or contacts the firm or its officers or employees have had with any SERS Retirement Board member and/or staff member within the last 12 months.
6. Has the firm or any officer or employee given any remuneration or anything of value directly or indirectly to SERS or any of its Retirement Board members, officers, or employees? If yes, identify the recipient and the remuneration or thing of value. Additional information on the Ohio ethics law in this area may be found at: http://ethics.ohio.gov/education/factsheets/doing_business_with_retirement_systems_in_ohio.pdf
7. Has the vendor or any officer, principal or employee given any remuneration or anything of value, such as a finder's fee, cash solicitation fee, or fee for consulting, lobbying or otherwise, in connection with this RFP? If yes, identify the recipient and the remuneration or thing of value.

8. Within the last five (5) years:
   a. Has the vendor, or any officer or employee of the vendor, been a defending party in a legal proceeding before a court related to the provision of services?
   b. Has the vendor, or any officer or employee, been the subject of a governmental regulatory agency inquiry, investigation, or charge?
   c. Has the vendor submitted a claim to the vendor's liability insurance carrier involving the type of services sought under this RFP?
   If yes to any of the above, describe the event and the current status or resolution; include any case citation.

E. FEES

1. Provide a not-to-exceed, fixed cost price quote, including any and all travel and reimbursable expenses, for each deliverable of the proposed project plan.