Procurement Department
Date: April 17, 2014
REQUEST FOR PROPOSAL (RFP)
SGC-0032-14TB
BID DESCRIPTION: Information security penetration testing and vulnerability assessments.
BID DEADLINE: Friday April 25, 2014 5:00 pm EST
The Seneca Gaming Corporation Procurement Department is requesting bids for the above mentioned services. All communications regarding this bid should be addressed to:
Seneca Gaming Corporation - Procurement Department
Attn: Tara Budd – Buyer
310 Fourth Street, Niagara Falls, NY 14303
Telephone: (716) 501-2666
E-mail: tbudd@senecacasinos.com
All questions should be submitted in writing and answers will be distributed to all bidders. Proposals must be received by the Procurement Department on or before the date stated above by 5:00 pm EST. Proposals received after the deadline will not be considered. SGC recognizes E-mail as a sealed response in relation to this RFP.
I. Scope and Intent:
Seneca Gaming Corporation (hereinafter referred to as SGC) seeks to engage a partner who can perform information security penetration testing and vulnerability assessments.
Vendor qualifications and references:
All vendors must provide the following information in order for their proposal to be considered.
1. A brief outline of the vendor company and services offered, including:
   a. Full legal name of the company.
   b. Year business was established.
   c. Number of people currently employed and credentials of project team.
   d. Qualifications and credentials of project team: PCI QSA, CISM, CISSP, etc.
2. An outline of the managed security services they currently support.
3. A description of their geographic reach and market penetration.
4. An outline of their partnerships and relationships to date.
5. An outline of their current and future strategies in the marketplace.
6. Information on current managed security service clients, including:
   a. Total number of current clients.
   b. A list of clients with similar needs managing the same security functions.
   c. Evidence of successful completion of a project of a similar size and complexity.
7. References: Contact information for three references (if possible) from projects similar in size, security functions, and scope, and a brief description of their implementation.
Business Requirements: please complete the table below. For each item mark one column: Yes (company can perform this service), No (company does not perform this service) or Partner (this service can be performed by a business partner; list the name of the partner).

Business Requirement #   Description                                                        Yes   No   Partner:
BR1                      Internet / Web Penetration Testing / Vulnerability Assessments
BR2                      Database Audit / Penetration Testing
BR3                      Vulnerability Management
BR4                      Social Engineering Engagements
BR5                      Web Application Assessments
BR6                      Wireless Network Penetration Testing
BR7                      Physical Security Assessments
BR8                      Data Loss Prevention Experience
BR9                      Secure Network Architecture Design & Implementation
BR10                     Endpoint Security Assessments
BR11                     Mobile Device Security Assessments
BR12                     Mobile Device Penetration Testing
BR13                     Mobility Security Strategy Experience
BR14                     PCI DSS Control Assessments
BR15                     PCI - Report on Compliance
BR16                     Mobile Application Security Assessments
Respondents must have the requisite capabilities and experience in performing security audits, penetration testing and vulnerability assessment in the following areas. For each item mark one column: Yes (company has the requisite experience/capability), No (company does not have the experience/capability) or Partner (this is available through a business partner; list the name of the partner).

Capability Requirement #   Description                                   Yes   No   Partner:
CR1                        Class III Casino & Hospitality Experience
CR2                        Qualified Security Assessor (QSA) on staff
CR3                        Point of Sale Security Testing
CR4                        Incident Response
CR5                        IBM iSeries Platform
II. Specifications
The enclosed details related to the services in this RFP are based upon the operating department’s requirements. All questions regarding this RFP should be submitted in writing to Tara Budd, Buyer, tbudd@senecacasinos.com
III. Schedule of Events:
Request for proposal issued: April 11, 2014
Request for proposal due: April 25, 2014 5:00 pm EST
IV. Vendor Requirements:
Performance: Bidders must have the necessary experience, knowledge, abilities, skills, and resources to satisfactorily perform the terms, conditions and requirements of the RFP. Subcontracting of services is not permitted without advance, express written consent. Goods/services must be provided by the entity submitting the proposal.
Insurance: At all times during the fulfillment of any resulting Purchase Order or Contract, the Awarded Vendor(s) shall obtain and keep in force insurance coverage acceptable to SGC’s Risk Management Department. SGC’s insurance requirements for vendors vary according to the nature of the contract and degree of risk, but normally include general liability, automobile liability, and workers’ compensation coverage. In addition, in appropriate cases, SGC may require professional liability/errors & omissions coverage and/or network security/data privacy coverage. Proof of insurance coverage must be provided to the SGC Risk Management Department. For any questions regarding insurance, please contact the Risk Management Department at SGCRiskManagementDepartment@SenecaCasinos.com. Please reference the Request For Proposal (RFP) number and Bid Description. Failure to maintain requisite insurance will entitle SGC to immediately rescind and/or terminate any resultant business relationship and contract with the Awarded Vendor.
Vendor Registration: Awarded Vendor(s) agrees to submit a completed Vendor Registration Form and designated fees as required by SGC’s regulator, the Seneca Gaming Authority (SGA). It is the Awarded Vendor(s)’ responsibility to fulfill the requirements, submit information and cooperate with any SGA investigation into its business functions, structures and principals when sales by said Awarded Vendor may reach or exceed Seventy Five Thousand Dollars ($75,000), and to maintain the registration/license through the duration of any purchase order or contract resulting from this RFP. Failure to do so will entitle SGC to immediately rescind and/or terminate any resultant contract or business relationship and may result in the suspension of payments to the Awarded Vendor.
The SGA may also, in an appropriate case, require the licensure of individual employees of the Awarded Vendor who perform certain services that are or may be closely associated with SGC’s casino operation. As SGA retains the discretion to make this type of determination on a case-by-case basis, SGC is unable at the RFP point in the bidding process to state definitively whether such licensure will be required in any particular case.
Seneca Nation of Indians Business License: In addition to SGA licensure, Awarded Vendor(s) with a calendar year spend of over $10,000 are required to obtain a Seneca Nation of Indians (SNI) business license throughout the course of any contract or business dealings with SGC. It is the Awarded Vendor(s)’ sole responsibility to maintain and renew the SNI business license in accordance with the terms set forth in the “Seneca Nation of Indians Business Code”. The cost of the license is currently $150 per calendar year. The Awarded Vendor must submit the application, together with the requisite fee, within 30 days following award of contract, to the following address: Seneca Nation of Indians, Business Permit Office, 12837 Rte. 438, Irving, NY 14081. To obtain the application form, and for any questions, please contact the SNI Business Office at (716) 532-4900, ext. 5033 or visit the SGC website at http://www.senecagamingcorporation.com/corp_standards.cfm. A copy of the Awarded Vendor’s application should contemporaneously be sent to Seneca Gaming Corporation - Procurement Department, 310 Fourth Street, Niagara Falls, NY 14303.
Confidentiality: This document contains (and Bidders may have access to) confidential information of SGC and/or its affiliates. Bidders are authorized to use this information solely in connection with the preparation of a response to this RFP and fulfillment of any resulting purchase order or contract award. In submitting response(s) to this RFP, Bidder(s) agree and represent that the Bidder(s) will not directly or indirectly use the Confidential Information beyond the scope of the authority granted by SGC or disseminate, disclose or in any way reveal the Confidential Information or any part thereof, except upon the express written approval of SGC. SGC will keep all documents received from Bidders on a confidential basis, save to the extent disclosure is required to comply with requirements of SGC’s corporate Charter, as regards the approval of SGC’s Audit Committee, Board of Directors and Council of the Seneca Nation of Indians, if applicable.
Disclosure of Potential Conflicts of Interest: If Bidder, or any director, officer, employee or owner of Bidder has a business or personal relationship with a director, officer or employee of the Seneca Gaming Corporation (or its affiliates) that may create a conflict of interest, or appearance of impropriety, for or relating to such director, officer or employee in connection with the entry into, or ongoing performance of, the transaction(s) or service(s) contemplated under this RFP, Bidder must disclose such conflict to the Corporation, in writing, to the extent Bidder has knowledge thereof.
Kickback Covenant: SGC will not tolerate Kickbacks in any form. A “Kickback” shall be defined as any cash, fee, commission, credit, gift, gratuity, thing of value or compensation of any kind in exchange for favorable treatment in obtaining or retaining any purchase order or contract servicing SGC. Bidder agrees that its officers or employees have not and will not provide or attempt to provide, either directly or indirectly, any Kickback to any employees of SGC, the Seneca Nation of Indians (the “Nation”) or their respective officers, directors, employees or agents, nor to any citizens of the Nation.
Conditions: Bidders shall question the conditions under which the goods and/or services will be used by SGC to guarantee the goods and/or services will be of sufficient quality and fit for the purposes of the bid specification. To proceed with the supply of goods and/or services shall mean acceptance of site conditions. Failure to comply with this clause shall in no way serve as the basis of any claims by the Bidder against SGC. No allowances will be made for failure to make proper site investigations or to completely understand the full nature of the requirements involved.
Tribal Employment Rights Office (TERO): The Seneca Gaming Corporation and its subsidiaries comply with the Seneca Nation of Indians TERO Ordinance which may require a TERO Compliance Plan to be submitted to the TERO Office prior to completing any work on-site. Contact the Seneca Nation of Indians TERO Compliance Office at (716) 532-1033 ext.5413 or Route 438 Irving, NY 14081. The intent of the TERO Ordinance is to increase employment for Native American workers and businesses. A copy of the TERO Ordinance may be obtained from the TERO Office. SGC shall not be responsible for providing notice or information to Awarded Vendors concerning TERO matters; rather, it is the Awarded Vendors’ sole responsibility to contact the TERO Compliance Office to ensure compliance, when applicable.
Monetary threshold: At no time will the Awarded Vendor’s aggregate fees, billings, requests for reimbursement and/or invoices (collectively, “Billings”) to SGC exceed two million nine hundred ninety-nine thousand nine hundred ninety-nine dollars ($2,999,999) (the “monetary threshold”) unless and until advance written authorization to exceed the monetary threshold is granted by the Council of the Seneca Nation of Indians. SGC will not be liable for Billings which exceed the monetary threshold unless the requisite approval of the Council of the Seneca Nation of Indians has been obtained. Awarded Vendor must notify SGC when aggregate Billings reach the level of two million five hundred thousand dollars ($2,500,000). For this purpose, the term “SGC” includes the Seneca Gaming Corporation and all subsidiaries.
Intellectual Property Indemnification: Awarded Vendor, at its own expense, will defend, indemnify and hold SGC harmless in any third party action brought against SGC to the extent that it is based on a claim that all or part of the goods or services supplied by Awarded Vendor and used as directed infringe any third party trademarks, copyrights, patents, or other intellectual property rights.
Standard Service Agreement: Awarded Vendor will be expected to sign SGC’s standard services agreement, subject to such changes as are necessary to reflect the terms of this RFP and Awarded Vendor’s bid or proposal, and such further changes as the parties, acting reasonably, may agree.
Standard Consulting Agreement: Awarded Vendor will be expected to sign SGC’s standard consulting agreement, subject to such changes as are necessary to reflect the terms of this RFP and Awarded Vendor’s bid or proposal, and such further changes as the parties, acting reasonably, may agree.
Standard Supply Agreement: Awarded Vendor will be expected to sign SGC’s standard supply agreement, subject to such changes as are necessary to reflect the terms of this RFP and Awarded Vendor’s bid or proposal, and such further changes as the parties, acting reasonably, may agree.
Exclusivity: Awarded Vendor will be expected to agree not to consult or provide any services in any manner or capacity to a direct competitor of SGC during the term of its contract with SGC unless express written authorization to do so is given by SGC. A direct competitor of SGC is defined as any individual, partnership, corporation and/or other business entity that engages in the business of casino gaming (including racinos).
Data Security: Awarded Vendor must use the highest applicable industry standards for sound data security and software development practices to resolve critical security issues as quickly as possible. The term “highest applicable industry standards” shall be defined as the degree of care, skill, efficiency, and diligence that a prudent person possessing technical expertise in the subject area and acting in like capacity would exercise in similar circumstances. Awarded Vendor shall be responsible for verifying that all members of its development team who perform any programming or software development for SGC have been successfully trained in secure programming techniques. Upon request, Awarded Vendor will supply a current SAS 70 compliance report issued by an independent auditor or “Statement on Standards for Attestation Engagements 16 [SSAE 16]”. Software supplied must not contain any code that weakens the security of SGC’s IT systems and applications, including computer viruses, worms, time bombs, back doors, Trojan horses, Easter eggs, and all other forms of malicious code. Awarded Vendor must share with SGC in writing all security-relevant information regarding the vulnerabilities, risks and threats to its software immediately upon identification. SGC reserves the right at any time during the term of the contract, to conduct an audit of Awarded Vendor’s data security measures, either by means of its own personnel or through a service provider retained by SGC. Should the audit reveal that Awarded Vendor’s data security processes and procedures are inadequate or that Awarded Vendor is in breach of this provision, the cost of the audit shall be borne by Awarded Vendor, and SGC may, in its discretion, forthwith terminate the contract or any business relationship between SGC and Awarded Vendor.
V. Bid Information:
This RFP does not commit SGC to award a contract, to pay any costs incurred in the preparation of the RFP, nor to procure or contract for services or supplies.
Alternate Proposals (if applicable) are accepted based on the following conditions: SGC will consider alternative proposals from Bidders provided they have submitted a response based on the original requirements. The alternative Proposal will be submitted separate and apart from the basic Proposal. It is assumed that the materials included in the alternate Proposal meet all of the qualifications of the original Proposal. Bidders must apply in writing for SGC permission to use substitute materials or methods. In such circumstances, the Bidder must state the return on investment/benefit(s) in increased efficiency, longevity and or monetary value to be derived through use of substitute materials or methods.
Proposal- Awarded Vendors should expect that their response to the RFP and any accompanying supporting materials (collectively, the “Proposal”) will be incorporated into any contract signed with Seneca Gaming Corporation.
Substitutes: Any recommended substitutions should be attached separately. Products may require testing before acceptance. Bidder’s pricing must include the conversion calculations if your size, pack, weight, etc. is not the same as the specified product(s). Without requiring disclosure of confidential information, SGC solicits Bidders’ recommendation(s) for new products and/or services leading to lower costs. Bidders are advised that the actual items and quantities which may be required are subject to change based on the needs of the SGC departments or business units for which the goods and/or services are destined.
Tax Exempt Status: Seneca Gaming Corporation is a governmental instrumentality of the Seneca Nation of Indians and will provide a New York State tax exemption certificate issued in the name of the Seneca Nation of Indians, as applicable.
Minority Bidders: SGC encourages Bidders to solicit Native American, minority or women-owned businesses and small disadvantaged businesses as potential product suppliers. If your company falls into any of these categories, please note as such on your proposal.
Payment Terms:
Please provide your most competitive pricing and any additional offers. SGC will compensate Awarded Vendors based on submitted invoices according to payment and cycle dates mutually agreed upon and stated in the contract. SGC standard payment terms are FOB destination, Net 45 days after delivery of goods and/or services and receipt of a correct invoice. Bidder is encouraged to indicate any additional early payment/ discount terms in its Proposal. It is the policy of SGC not to provide deposits unless significant discounts or special circumstances apply.
SGC believes that the American Express Buyer Initiated Payment (BIP) Solution is a cost-effective payment method for acquiring products and services and encourages our vendors to consider accepting the American Express BIP in payment for your products and services. If you would like to obtain information regarding the American Express BIP payment process, please contact American Express at 1-800-825-3272.
SGC Standard Terms and Conditions: Any purchase order or contract flowing from this RFP is subject to the terms and conditions hereof as well as to SGC Terms and Conditions which are available on the following website:
http://www.senecagamingcorporation.com/corp_standards.cfm. Reference to, or inclusion of, the Bidder’s preprinted terms and conditions with Bidder’s Proposal will not be considered as exception to SGC Terms and Conditions.
Audit/Performance Review: SGC must be permitted to conduct financial or inventory audit(s) with any or all of its Procurement, Financial and/or Internal Audit resources (or using a third party accounting/auditing firm) during or after the term of the contract with the Awarded Vendor. Contract audits may also be performed periodically to evaluate performance against pre-determined metrics and focus on what can be improved.
Business Continuity: For RFPs involving strategic commodities/services, provide an overview of your disaster recovery/business continuity plan (the “Plan”). The Plan indicates how Bidder minimizes the risk of interruption to Bidder’s ability to provide the goods and/or services contemplated in this RFP in the event of specified occurrences; Bidder’s critical supplier strategy to ensure continuity of suppliers in such an event; and Bidder’s process or criteria for prioritizing customer demands during a crisis.
It is the policy of SGC that all Proposals are to be held unopened and confidential until after the closing date and time. At the bid opening, Proposals will be opened by the RFP contact and are reviewed by a compliance representative.
SGC reserves the right to assess damages for the non-delivery of goods/services.
SGC reserves the right to terminate or rescind any agreement, contract or purchase order if, in its opinion, there is a failure by the Awarded Vendor(s), at any time, to perform/supply adequately the stipulations of the Scope of Work, as stipulated in this RFP, the contract or purchase order, or if the goods or services supplied by the Awarded Vendor are, in the opinion of SGC, of unacceptable quality.
Bid Validity: Bidder’s bid submission shall remain valid a minimum of ninety (90) days from the bid closing date.
VI. Proposal Evaluation/Vendor Selection:
Proposals will be evaluated to determine their completeness and compliance with the mandatory requirements and qualifications specified throughout this document. Failure to comply with one or more of these requirements may result in the proposal being judged non-responsive. SGC reserves the right to waive deviations it deems non-material and/or to reject any and all Proposals in its sole discretion.
It is SGC’s intent to identify those providers: deemed best qualified based on experience and capabilities; that have demonstrated the ability to conform to the requirements defined herein; that can assist SGC in reaching ultimate patron and team member satisfaction; and that have the best quality product/service for the most competitive pricing. When applicable, a weighted evaluation table with different percentages for each factor will be used. Proposals will be evaluated using a scorecard on the following factors, including, but not limited to: adherence to the scope of work, price, service, terms, quality, technology, incentives, history, completeness and overall responsiveness to this RFP.
Those Bidders whose Proposals are judged most suitable will be considered high-ranking contenders for contract award and may be asked for additional information to verify financial stability, emergency response/business continuity plans, and other pertinent questions to validate the viability of the business relationship. Bidders at this point may also be asked to interview with (or present to) the SGC commodity team or management, dependent on goods/services.
A final Bidder (occasionally Bidders) will be selected and will have the opportunity to discuss provisions of their Proposal with SGC. Should negotiations fail, SGC will return to the finalist list and initiate negotiations with one or more alternate Bidders.
VII. Bid Submittal Checklist:
1. Email copy of proposal.
2. Email pricing.
3. Additional Offers/Bid Notes: Discounts, rebates, marketing funds, etc. should be listed separately.
4. Evidence of current insurance is to be provided. If current levels do not meet the RFP requirements listed in Section IV, please list what the additional cost would be to meet them as a separate line item in the bid.
5. Sign and date bid (Section VIII, Certifications and Representations).
6. Include three comparable references including contact information.
7. Where applicable, include the following documents: Standard contract or agreement, Service Level Agreement, Hosting Agreement, Statement of Work Contract, Technical Services Contract, Support Services Agreement, Master Service Agreement, Maintenance Agreement, Warranty information or any similar contract or agreement. SGC reserves the right to, and generally utilizes, its own standard forms of contract and agreements.
VIII. Certifications and Representations - the Bidder certifies the following:
Bidder is a reputable company fully qualified and regularly engaged in providing products and/or services necessary to meet the terms, conditions and requirements of the RFP.
Bidder is aware of, is fully informed about, and is in full compliance with all applicable federal, state and local laws, rules, regulations and ordinances.
Bidder understands the requirements and specifications set forth in this RFP and affirms that no compensation has been received for participation in the preparation of the specifications for this RFP.
Bidder represents and warrants that all articles and services quoted in response to this RFP will meet or exceed the safety standards established and promulgated under the Federal Occupational Safety and Health Law (Public Law 91-596) and its regulations in effect or proposed as of the date of this solicitation.
All statements, information and representations prepared and submitted in response to this RFP are current, complete, true and accurate. Bidder acknowledges that SGC will rely on such statements, information and representations in selecting the Awarded Vendor. If selected by SGC as the Awarded Vendor, Bidder will notify SGC immediately of any material change in any matters with regard to which Bidder has made a statement or representation or provided information.
I, the undersigned, hereby certify that I am authorized to sign as a representative for the Bidder listed below:
Legal Name of Bidder: _____________________________________
DBA (if applicable): _________________________________________
Address: __________________________________________________
Telephone: ___________________ Fax: _______________________
E-Mail: ______________________________________________
Website: _________________________________________
Representative’s Signature: _________________________________
Representative’s Printed Name: _____________________________
Representative’s Printed Title: ______________________________
Date: __________________
NAICS code # ___________________

Seneca Allegany Casino & Hotel, Salamanca, NY | Seneca Buffalo Creek Casino, Buffalo, NY | Seneca Niagara Casino & Hotel, Niagara Falls, NY | Seneca Hickory Stick Golf Course, Lewiston, NY