
Massachusetts College of Art and Design - Framingham State University

CISO and Managed Information Security Services RFP 13-07

Attachment #1 - Specifications and Descriptions of Services

OVERVIEW

In an effort to better meet our risk management and compliance obligations, Massachusetts College of Art and Design (“MassArt”) and Framingham State University (“FSU”) (together referred to herein as “the Participating Institutions”) wish to jointly engage a qualified Managed Security Service Provider (MSSP) to provide Chief Information Security Officer (CISO) services and to help advise on, and implement portions of, each institution’s information security management program.

We seek consultative services that would deal with the following objectives:

• Attain expert information security capabilities

• Independently validate the existing Information Security Program

• Create a risk, effort and cost prioritized gap analysis of the existing Information Security Program to direct the further implementation of the Information Security Program.

• Ensure the proper implementation of the Information Security Program based on our institutional needs.

ABOUT THIS JOINT RFP

As part of a continuing effort to establish partnerships with other higher education institutions that provide value of mutual benefit, the Chief Information Officers at both Framingham State University and the Massachusetts College of Art and Design have taken the initiative to jointly tackle information security issues.

• This initiative began by creating closely aligned written Information Security Program documents. Copies of these documents are available to interested bidders by contacting Sean Foley, Chief Technology Officer, Harvard Partners, LLP at Sean.Foley@harvardpartners.com.

• As a next phase, the two institutions intend to provide equal financial support to jointly engage a single provider of information security managed services.

The intent is to identify a supplier with a shared commitment to a collaborative effort that will enable both organizations to fulfill their obligations to implement the provisions of a common written information security program (one they co-developed) in the most efficient way possible through a shared services arrangement.

Therefore, beyond simply meeting the objectives stated in this RFP for both Participating Institutions, one of the most significant outcomes desired from this undertaking will be demonstrated value of the efficiencies gained through this joint arrangement.

If this can be demonstrated, then it may be possible that other public higher education institutions within Massachusetts may also want to participate in a similar arrangement for shared information security managed services.


SCOPE OF WORK

MassArt and FSU are seeking a senior-level resource from a managed security services provider to fulfill the role of a part-time Chief Information Security Officer (CISO). The selected firm will administer the ongoing implementation of each institution’s Information Security Program as well as fulfill the regular duties of a CISO on an ongoing basis. The CISO consultant will provide proactive security domain expertise to the two campus CIOs and the Information Security Councils on each campus on all aspects of information security on an ongoing basis. Leveraging such an expert will help ensure each institution meets its compliance and risk management obligations.

The work is detailed below in two parts: Part 1 - CISO responsibilities, and Part 2 – Written Information Security Program (WISP) review and analysis (2A) and WISP implementation management (2B). In addition, the institutions may also need optional support or implementation services as a result of these two initiatives, some of which are detailed below. The request for pricing of these optional services is not a commitment to purchase them as part of this RFP.

CISO Responsibilities (Part 1)

The CISO will be required to fulfill the following duties and responsibilities, as needed:

• Produce monthly status reports for the two CIOs [a single report for both is acceptable] noting status of work planned for, underway and completed with respect to fulfilling the provisions of the WISP, remediation of non-compliance with specific regulations, and any other information security initiatives designed to reduce risk exposure. This should include creating and maintaining a list of issues encountered since the prior reporting period, issues resolved, and a timeline for addressing any unresolved issues along with personnel or organizations with designated responsibility for taking corrective action.

• Participate, as required, in meetings convened by either CIO (by phone)

• Respond to and help resolve security issues on either campus as they arise

• Propose remediation projects to solve compliance gaps and reduce risk exposure as they are identified. Those projects would need to be approved, rejected or deferred based on risk, compliance needs and budget.

• Provide input and direction on annual budgeting and planning for each campus to address security concerns

• Assist in qualifying external vendors from a security perspective

• Prepare and present one (1) high level presentation per year per institution (total two presentations annually) on the state of the institution’s information security risk management and compliance to the appropriate senior leadership committee

• Prepare and present four (4) presentations per year on the state of each institution’s information security program and any emerging compliance obligations and security risks. This presentation will be to CIO and Information Technology management team. These meetings may be held separately by campus or jointly, as deemed appropriate for the content.

• Be involved, on each institution’s behalf, in at least one (1) security audit annually

• Interview potential new staff as may be appropriate

WISP Review and Analysis (Part 2A) and Implementation Management (Part 2B)

Part 2A: The first initiative for the CISO is to review the existing WISP, ensure that it properly serves each campus, and determine where gaps exist between the current security architecture and each institution’s risk and compliance obligations. The CISO will work in conjunction with both CIOs and appropriate senior-level IT staff in each institution (as well as other stakeholders as appropriate) to review the existing Information Security Program. This review should leverage existing policies, procedures, audit and compliance artifacts and systems architectures where applicable.

The result of this review should be a report highlighting risk and compliance gaps in the existing Information Security program, based on industry best practices, and should also include remediation options prioritized by risk and level of effort with an estimate of resources required (time, money and personnel) associated with each remediation option.

Part 2B: The institutions recognize that the implementation of a robust Information Security Program requires both information security and program management expertise. Using the WISP gap analysis created in Part 2A, and with the direction of both CIOs and the Information Security Council on each campus, the CISO will create a detailed remediation program. The remediation program is expected to contain some elements which apply generally to both Participating Institutions as well as some elements which apply uniquely to only one of the two Participating Institutions.

Understanding that the individual institutions will then use internal and external resources, some of which may be from the bidder, the CISO will administer and manage the execution of the remediation plan.

Optional Support Services

The Participating Institutions recognize that through the course of implementing the Information Security program the need for additional services may arise. In turn, we seek cost estimates and solution details for the following list of services:

A. 24 x 7 Security Monitoring Services including monitoring, analysis and alert escalation for the enterprise. (Provide cost per device, by device type.)

B. Vulnerability management for 60 servers per campus (total 120 servers).

C. Managed IDS/IPS Services for each campus.

D. Penetration testing per campus - 200 devices at MassArt, 500 devices at FSU. (Provide one time and quarterly cost options)

E. Vulnerability scanning per campus - 200 devices at MassArt, 500 devices at FSU. (Provide one time and quarterly cost options)

F. Security Awareness Training program for staff – 500 staff at MassArt, 800 staff at FSU.

Each institution’s configuration of devices is dynamic and will change over the life of any contract. The two institutions have different network architectures and equipment and should be assumed to be entirely separate networks. Quantity pricing shall be identified as applicable. Price variances based on specific equipment shall be identified if needed. Pricing for varied scaling options will be accepted.

If, during the review of the accompanying WISPs the bidder wishes to offer additional services beyond those listed, they may be included in the RFP response.

MassArt Background: Massachusetts College of Art and Design is the only public, free-standing college of art and design in the US. As a member of the Massachusetts state university system, it enrolls approximately 2,000 students at both the undergraduate and graduate levels. MassArt offers the Bachelor of Fine Arts degree in nearly 20 fields of art and design, as well as in history of art and art education; the college also offers several master’s degrees. The college has three residence halls with a total capacity of approximately 1000 students.

MassArt Computing Environment: the computing environment at MassArt comprises sixty (60) servers, one hundred (100) switches, and a single (1), redundant firewall supporting the Boston campus. Staff and faculty use seven hundred and fifty (750) desktops and laptops and the student population uses one thousand nine hundred (1900) desktops and laptops. All of these systems are supported by one (1) on-campus and one (1) remote datacenter where most enterprise application systems reside. Some enterprise applications, such as CRM, are cloud hosted.

FSU Background: Framingham State University is a Massachusetts public four-year institution with enrollment exceeding 6,000 students. FSU is a vibrant, comprehensive liberal arts and sciences institution offering 25 undergraduate degree programs in arts, humanities, sciences, social sciences, and professional fields. Nearly 6000 students attend Framingham State University, including nearly 2000 graduate students. FSU offers graduate degrees in 23 fields, including an extensive graduate program for teachers in international schools. Currently, there are more than 1800 students residing in campus housing.

FSU Computing Environment: The computing environment at the university comprises sixty (60) servers, one hundred (100) switches, three (3) firewalls, and three hundred (300) wireless access points supporting the single campus in Framingham. Staff and faculty use one thousand five hundred (1500) desktops and laptops as well as eight hundred (800) mobile devices (smart phones). The student population uses two thousand five hundred (2500) desktops and laptops. All of these systems are supported by two (2) on-campus and one (1) remote datacenter where all enterprise application systems reside. As this is a dynamic computing environment these numbers can change at any time, but they accurately represent the scale of the environment.

VENDOR INSTRUCTIONS AND EVALUATION CRITERIA

The Participating Institutions request a time and materials bid cancellable by either party. The pricing should be summarized in the attached pricing appendix. Overall the bid should include:

• Both estimated hours and total cost per month for Part 1 - CISO consulting services, given the above responsibilities and initiatives.

• Hourly run rate for management and delivery of Parts 2A&B - WISP Review and Program Implementation

• Pricing for the optional services noted above.

• A blended hourly rate for optional security consulting services such as implementation or forensics services.

• Any expectations the bidder has of the Participating Institutions in order to be successful in providing the services, including access to resources, identification of sources, tasks, information, etc.

Bidders will be evaluated on their competency in IT security, level of certification of staff, and SOC certification. Bidders will also be evaluated on their company’s financial stability, customer satisfaction/retention, company position with respect to its competition, its scale (overall services offerings), risk mitigation strategy, track record and depth and breadth of experience working with higher education institutions.

The following shall be included in the proposal:

• Resumes of the team member(s) to fill the CISO role

• A list of supporting team members (along with a project team organization chart) to be assigned to this relationship and their resumes, including experience on projects like this one and with institutions similar to the Participating Institutions.

o Please note that the Participating Institutions will expect limited resource shifts from the team proposed. The awarded bidder must consult with the Participating Institutions regarding any replacements to the original account team outlined in the RFP response or otherwise provided during the selection process. Any team member replacement(s) must be mutually agreed upon, and changes deemed unacceptable by the Participating Institutions after award of the contract may result in termination of the agreement.

• 2 - 3 case studies of similar projects the bidder has done, highlighting the bidder’s process and results. Ideally, these projects will come from clients similar to the Participating Institutions in one or more of the following ways:

o higher education or public sector institutions

o similar size of IT infrastructure

o similar geographic footprint

o similar duration and complexity of relationship

• Bidders shall provide all references including names, addresses, and appropriate contacts. References should represent institutions described in case studies if at all possible.

Billing instructions

This RFP is issued by Massachusetts College of Art and Design (MassArt) and the response should be sent to MassArt as indicated elsewhere in this document. However, the awarded vendor will be required to sign individual contracts with, and send individual invoices to, each of the two Participating Institutions.

The awarded vendor will invoice each institution separately for work specific to a particular institution. For work common to both Participating Institutions, time and materials costs should be split in half and each half billed separately. For example, if in a given billing period 5 hours are devoted to MassArt work, 8 hours are devoted to FSU work, and 12 hours are devoted to work commonly benefiting both institutions, MassArt should be billed 5+(12/2) = 11 hours and FSU should be billed 8+(12/2) = 14 hours for that period.

REQUEST FOR PROPOSAL TIMELINE

Bid Issued: May 1, 2013

Deadline to submit written questions: May 10, 2013

Contract addendum issued answering questions: May 15, 2013

Bid Deadline: May 23, 2013 at 3:00 PM

In-Person Finalist Interviews: June 10-21, 2013

Anticipated Bid Award: June 28, 2013

Contracts will begin upon execution of the contract documents and end on June 30, 2014. The Participating Institutions reserve the option to extend the contract for up to three additional one-year periods with the same terms and conditions. Any changes must be agreed upon in writing.

The Participating Institutions, or the awarded company, may terminate this Agreement with or without cause upon thirty (30) days written notice to the other party. If this Agreement is terminated, the Participating Institutions shall have no further obligations other than payment for services already rendered and for expenses previously incurred.

PROPOSAL DEADLINE

Bid proposals are due by 3:00 pm on Thursday, May 23, 2013. Please send five copies, each with an original signature, to:

Jim McDaid, Director Administrative Services
Massachusetts College of Art and Design
621 Huntington Avenue, Room 401
Boston, MA 02115

The cost of producing proposals shall be borne by the candidates.

Any questions regarding the bid must be submitted in writing to Sean.Foley@harvardpartners.com by Friday, May 10, 2013. An RFP addendum will be issued by end of day, Wednesday, May 15, 2013 containing written responses to questions received. The Participating Institutions will not be able to address additional questions received after May 10, 2013.

After a review of proposals, it is anticipated that two to three selected contractors/firms will be asked to campus for an in-person interview with representatives of the Participating Institutions. During the interview, the firm principal or account manager must be accompanied by the person(s) who will lead the Participating Institutions’ project. The interviews will take place June 10-21, 2013 and will last approximately one hour. There will be no travel stipends or reimbursements for in-person finalist interviews/presentations.
