Request for Proposal For: PCD-DSS Level 1 Service Provider St. Andrew's Parish Parks & Playground Commission Bid Deadline: August 17, 2015 at 12 Noon

Transcription

1 Request for Proposal For: PCD-DSS Level 1 Service Provider St. Andrew's Parish Parks & Playground Commission Bid Deadline: August 17, 2015 at 12 Noon

2 Request for Proposal P a g e 2 Table of Contents 1. Confidentiality Statement Submission Details...3 Pre-Submission Questions...3 Submission Deadlines...3 Submission Delivery Address...4 Submission Requirement Questions...4 Electronic Submissions Introduction and Executive Summary Business Overview & Background Scope of Work and Technical Requirements...5 General...5 Required Services...5 Scope and Methodology...5 Deliverables...6 Project Management Assumptions & Constraints Pricing / Monthly Billing Proposal Requirements Selection Criteria Process Schedule...8

3 Request for Proposal P a g e 3 1. Confidentiality Statement This document, and any attachments thereto, regardless of form or medium, is intended only for use by the addressee(s) and may contain legally privileged and/or confidential, copyrighted, trademarked, patented or otherwise restricted information viewable by the intended recipient only. If you are not the intended recipient of this document (or the person responsible for delivering this document to the intended recipient), you are hereby notified that any dissemination, distribution, printing or copying of this document, and any attachment thereto, is strictly prohibited and violation of this condition may infringe upon copyright, trademark, patent, or other laws protecting proprietary and, or, intellectual property. In no event shall this document be delivered to anyone other than the intended recipient or original sender and violation may be considered a breach of law fully punishable by various domestic and international courts. If you have received this document in error, please respond to the originator of this message or him/her at the address below and permanently delete and/or shred the original and any copies and any electronic form this document, and any attachments thereto and do not disseminate further. Thank you for your consideration, Please respond to financedirector@standrewsparks.com with any questions or concerns. 2. Submission Details Pre-Submission Questions Prior to submitting your response, you may contact the following person if you have any questions or require clarification on any topic or the scope of work covered in this Request for Proposal: Susan Klugman Finance Director Tel: ext financedirector@standrewsparks.com Submission Deadlines All submissions in response to this request must be submitted on paper and delivered to our office, as stated below, no later than: Friday, August 17, 2015 No later than 12 Noon Proposals must be submitted in a plainly marked and sealed envelop with the bidder's name and addressed Attn: PCI-DSS Level 1 Service Provider.

4 Request for Proposal P a g e 4 Any submission received at the designated location after the required time and date shall be considered late and non-responsive. Late proposals be rejected and will not be evaluated for award. Submission Delivery Address The delivery address to be used for all submissions is: 1095 Playground Rd Charleston, SC Attn: PCI-DSS Level 1 Service Provider Submission Requirement Questions You may contact the following person if you have any questions regarding the RFP submission requirements: Susan Klugman Finance Director Tel: ext financedirector@standrewsparks.com Electronic Submissions Electronic submissions in response to this Request for Proposal will not be accepted. 3. Introduction and Executive Summary (StAPPC) is currently seeking proposals from qualified Providers who will provide PCI-DSS audit and compliance services etrak-plus, a parks and recreation management software. 4. Business Overview & Background St. Andrew's Parish Parks & Playground Commission was created by the General Assembly of the State of South Carolina in In addition to three public parks and a full service fitness center, the Commission owns, manages and operates a server based, real time recreation management software system, etrak-plus, with clients in 15 states comprising of state, county and local parks and recreation departments.

5 Request for Proposal P a g e 5 5. Scope of Work and Technical Requirements General St. Andrew's Parish Parks & Playground Commission seeks to contract with a qualified supplier to prepare and submit a proposal to furnish professional consulting services related to payment card industry data security standards ( PCI DSS ) to be performed by a qualified security assessor and related payment card industry compliance services. Required Services ASV Services o PCI DSS Quarterly Scanning and Internal Network Vulnerability Assessment o Monthly Penetration Testing QSA Services o PCI DSS Self-Assessment Questionnaire Training, Support and Review o PCI QSA Services o Security Policy Review as it relates to PCI Compliance o Onsite Data Security Audits o Online Monitoring and Tracking of Compliance Status of Each Account per Merchant ID o Online Detailed Recommendations on Possible Solutions to Specific Non- Compliant Accounts per Merchant ID Scope and Methodology Include detailed testing procedures and technical details for these items: DIAL-IN / RAS SECURITY TESTING DMZ OR NETWORK ARCHITECTURE DESIGNS / REVIEWS VIRTUAL INFRASTRUCTURE SECURITY ASSESSMENT SERVER CONFIGURATION REVIEWS FIREWALL AND ROUTER CONFIGURATION REVIEWS VPN CONFIGURATION REVIEWS SOCIAL ENGINEERING ASSESSMENTS PHYSICAL SECURITY REVIEWS SOFTWARE SOURCE CODE REVIEWS APPLICATION THREAT MODELING AND DESIGN REVIEWS INFORMATION SECURITY POLICY AND PROCEDURE DEVELOPMENT OR REVIEW INFORMATION SECURITY RISK ASSESSMENT SECURITY AWARENESS PROGRAM DEVELOPMENT OR REVIEW INCIDENT RESPONSE PROGRAM DEVELOPMENT OR REVIEW SECURE SDLC PROGRAM DEVELOPMENT OR REVIEW PCI REPORT ON COMPLIANCE ASSESSMENT OR GAP ANALYSIS

6 Request for Proposal P a g e 6 FORENSICS REVIEW AND REPORTING PCI COMPLIANCE TRAINING (ONSITE AND ONLINE) PCI POLICIES AND CREDIT CARD PROCEDURE DEVELOPMENT OR REVIEW ENDPOINT PROTECTION REVIEW TWO FACTOR AUTHENTICATION SYSTEM WIDE REVIEW AND RECOMMENDATIONS Deliverables Include descriptions of the reports used to summarize and provide detailed information on security risk, vulnerabilities, and the necessary countermeasures and recommended corrective actions. Include sample reports as attachments to the proposal to provide an example of the types of reports that will be provided for this work. Project Management & Implementation Include the method and approach used to manage the overall project and client correspondence. Briefly describe how the engagement proceeds from beginning to end. Include a description and timeline for program implementation including any issues which may restrict or hamper a successful implementation. 6. Assumptions & Constraints I. The VENDOR shall assume responsibility for meeting project deadlines regardless of weather and shipping delays. II. The VENDOR will be required to comply with all applicable laws for the State of South Carolina including but not limited to Labor Laws, Wages and Workers Compensation. III. The VENDOR must be acquainted with the nature and location of the project; the local conditions, the condition of the facilities; and the character of equipment and facilities needed before and during the performance of the work. IV. The VENDOR is responsible for procuring all Federal, State and local permits and licenses, becoming familiar with, following and meeting all regulations and standards including those of South Carolina Department of Health and Environmental Control (DHEC) and Federal Occupational Health and Safety Administration (OSHA) and the American with Disabilities Act (ADA); paying all charges, fees and taxes; and giving and posting all notices necessary in performing the work. VENDOR shall supply a list of sub-contractors involved in the project. VENDOR shall show proof that all sub contractors are licensed and bonded. V. The VENDOR must be prepared to provide services beginning September 30, 2015.

7 Request for Proposal P a g e 7 VI. The VENDOR must be available to attend (either in person or via teleconference) the initial project meeting on Monday, August 31, 2015 at 9:00 am EDT. 7. Pricing / Monthly Billing I. Pricing shall be quoted on a three (3) year contract initial term, and include an option to extend for an additional two (2) year term. This shall be specified in the contract and purchase order. Maximum duration of the agreement, including all extensions, shall be five (5) years. 8. Proposal Requirements I. Proposal Cover Statement a. The RFP Response must include a cover letter with original signature of the authorized Vendor Representative, which must be attached to the original RFP response and must precede the narrative. II. Table of Contents RFP a. Please provide a table of contents for your RFP response. III. Organization s Narrative: a. State your organization s name (include parent name if applicable.) b. Give a brief history and description of your organization and the business(es) in which you are engaged. c. List any accreditation and/or affiliation your organization may have with local, state, or national oversight organizations. d. Describe the experience of your staff in delivering your service, including their credentials. e. Identify the Project Manager and other key personnel who will be administering the contracted services. f. Tell us anything else you would like us to know about your organization that is relevant to your RFP response. g. Provide three professional references for projects similar in scope and size. h. Please limit your organization narrative to no more than two pages. IV. Technical Details / Scope of Work: a. Detailed Testing Procedures b. Deliverables V. Project Management & Implementation a. Provide a detailed description and timeline for the program implementation b. Provide name and title of Project Manager

8 Request for Proposal P a g e 8 c. Provide name and title of on-site representative d. Specify your company's dispute resolution process and time frame VI. Cost/Fee Information: a. Normal Invoicing Procedures b. Invoice must include: i. Net cost of each item or service ii. Terms Net 30 days 9. Selection Criteria I. VENDOR selection shall be based on a two-part rubric that includes a Vendor Selection Scorecard and the Average Score given by provided references. II. This RFP does not commit the Commission to award a contract, pay any cost incurred in the preparation of a proposal in response to the RFP or to procure or contract for any services. III. This project will not necessarily be awarded to the lowest bidder. All responses to this RFP will be evaluated based on the response that is the most advantageous to StAPPC and will provide the highest quality of service at a fair and competitive price. Furthermore, St. Andrew's Parks and Playground reserves the right to award in whole or in part and / or reject any and all bids. 10. Process Schedule Release of Request for Proposal: Sunday, August 2, 2015 Deadline for Pre-bid Questions: Wednesday, August 5, :30 pm EDT RFP Sealed Submissions Due: Friday, August 21, 2015 at 12:00 noon EDT Vendor Evaluations: Friday, August 21, :00 pm - 4:00 pm EDT Letter of Award: Friday, August 28, :00 pm EDT Notice to Proceed and Project Meeting with Selected Vendor: Monday, August 31, :00 pm EDT