RFP IT002PACE. Questions & Answers


1 RFP IT002PACE Questions & Answers 1. Please provide the total number of devices at each campus required for the assessment i.e. inventory at the higher level along with its brief description. 2. Approximately how many devices are connected to the network across all 24 campuses under assessment? A. Control #1 is an inventory of authorized and unauthorized devices. 3. Will the full results of the IT001PACE initiative be made available to assist in the exam of IT002PACE? For example, hardware/software inventory of equipment and/or IT security exposure areas which came to light under IT001PACE. 4. Have IT assessments or audits been performed during the past 12 months? & Will these assessment and/or audit reports be available to SHI for review? 5. Will any prior assessments internal or external be provided at the start of the engagement? A What was the average and longest time each of the representative 24 CIO's, or their designate, was able to respond to provide the proper information and documentation needed to complete any IT001PACE questionnaires? A. This question is not germane to a Security Posture Assessment. 7. Will PACE co-executive directors assist the successful bidder with scheduling campus visits? A. Yes PACE staff will assist. 8. Does the required project completion date of 6/30/14 include the estimated 8 presentations to PACE Steering Committee, Presidents, CIOs, CFOs and all other stakeholders yet to be determined? A. Yes. However, PACE may decide to postpone presentations to accommodate the schedules of key stakeholders. 9. Do any of the 24 member institutions have an asset management database or configuration management database for reference as part of the IT002PACE engagement? A. Control #1 is an Inventory of Authorized and Unauthorized Devices. 10. Often technologies such as server, desktop, network, and application are managed by specialist with different policies and procedures. 
Is a deliverable of IT002PACE to evaluate each technology group within a PACE member against the SANS 20 Critical Controls or to evaluate at the CIO level within the organization? A. Please refer to section (Key Deliverables). PACE does not require staff evaluations of the CIO or technology groups at member campuses. 11. Will PACE consider bids from organizations that have no recent experience with the delivery of security assessments to higher education? A. See section 4.1 in IT002PACE for how PACE will score submitted bids. The Department of Higher Education reserves the right to award the contract in whole or in part in a manner that most effectively serves the RFP intent, to reject any or all bids, and to otherwise proceed with the award as necessary to protect the best interests of the Commonwealth. And see Addendum #1 Qualification and experience - Exhibited prior experience in higher education will be changed to Qualification and

2 experience - Exhibited prior relevant experience. 12. With the required completion date of 30JUN14, will each PACE organization be responsible for scheduling its site assessment visit independently or will the body be able to mandate schedules? A. PACE will assist, but will not mandate schedules. For each location, please complete the following questions: 13. Purpose and/or functions of this location? A. Colleges and Universities 14. List key business processes performed at this location. (HR, AR, AP, Payroll, Purchasing, Sales, Operations, Call Center etc.) A. Each PACE campus has the autonomy to implement technologies and business processes as allowed by MA law and regulations. 15. List key IT activities performed with number of staff for each activity at this location. (Data center, Network Admin, Database Administration, Help Desk, Software Development, IT Security, IT Audit etc.) A. This question is not germane to the assessment and deliverables. If IT staff members do not have access to third party systems and applications, then the contractor cannot assess the systems and applications within the framework of the 20 Critical Security Controls, and should be considered out of scope. 16. Approximately how many applications are hosted/outsourced by this location that are either critical for business operations or handle sensitive information? A. Control #2 is an Inventory of Authorized and Unauthorized Software. 17. Approximately how many databases are in use at this location that are either critical for business operations or contain sensitive information? A. Control #2 is an Inventory of Authorized and Unauthorized Software. Control #15 is Controlled Access Based on the Need to Know 18. Please specify how many locations, including data centers, we would need to visit within the scope of this project. 19. Please confirm number of in-scope locations by geographical area as 24? 20. Where are the locations of datacenters? 21. What is the location name? 22. 
City, State, and Country information? 23. Please provide the following information for each of the 24 PACE campuses: Geographic Locations Some work for this engagement may be performed remotely, as necessary and appropriate. The scope of this engagement includes travel to the following Areas: XYZ Company City, State Zip code SANS Top Twenty Critical Controls Assessment The scope of the engagement includes a controls assessment of a network of the following approximate size: Up to (?) physical and virtual Servers Up to (?) Workstations Up to (?) Firewalls Up to (?) Routers

3 Up to (?) interview/elicitation sessions will be conducted onsite Assessment will be performed from facilities listed in the Geographic locations above A. PACE expects the vendor to physically visit the 24 PACE campuses to perform the assessment. Berkshire Community College Pittsfield, MA Bristol Community College Fall River, MA Bunker Hill Community College Boston, MA Cape Cod Community College West Barnstable, MA Greenfield Community College Greenfield, MA Holyoke Community College Holyoke, MA Massachusetts Bay Community College Wellesley Hills, MA Massasoit Community College Brockton/Canton, MA Middlesex Community College Bedford/Lowell, MA Mount Wachusett Community College Gardner, MA North Shore Community College Danvers, MA Northern Essex Community College Haverhill, MA Quinsigamond Community College Worcester, MA Roxbury Community College Roxbury, MA Springfield Technical Community College Springfield, MA Bridgewater State University

4 Bridgewater, MA Fitchburg State University Fitchburg, MA Framingham State University Framingham, MA Massachusetts College of Art and Design Boston, MA Massachusetts College of Liberal Arts North Adams, MA Massachusetts Maritime Academy Buzzards Bay, MA Salem State University Salem, MA Westfield State University Westfield, MA Worcester State University Worcester, MA All work for this engagement must be performed on site unless the individual institution allows the contractor to perform the work off site. The number of devices that reside at each institution will vary. Control #1 is an inventory of authorized and unauthorized devices. Some organizations may not have inventories of authorized devices and the vendor selected will need to note that the organization was unable to produce an inventory. 24. Has Data Classification been completed for the various campuses? Has there been a decision concerning the risk level of the data overall (such as High, Moderate, Low according to FIPS 199) or has each campus done its own Risk Assessment? A. Control #15 Controlled Access Based on the Need to Know recognizes the importance of an overall data classification scheme for an organization. 25. Regarding Section 1.1 of the RFP: How many of each of the following are included in the scope of this project? If an exact number is not available, please provide a best estimate. a. Servers b. Networks c. Firewalls (include brand and description, if possible) d. Routers e. Switches A. Control #1 is an Inventory of Authorized and Unauthorized Devices. 26. Are the cost figures delivered as part of the recommendations expected to be a high level estimate of costs or a detailed cost breakdown? A. A detailed cost breakdown is not required.

5 27. Is there a budget allocated for this effort? If so, what is the budget? A. Yes. PACE will not make public the budget for this effort until they select a contractor. 28. The requested schedule to complete by the end of June is aggressive given our experience in the difficulties of matching schedules amongst this size group and the number of requested presentations. Is the completion date flexible? A. No. PACE will make the decision if the contractor needs to adjust the schedule for presentations to allow the attendance of key stakeholders. 29. Is there any shared infrastructure between the PACE member institutions, such as CRM systems, Commonwealth of Massachusetts systems, common service providers, etc.? A. No. Systems and applications managed by the Commonwealth of Massachusetts are not in scope for this assessment. 30. Are there alumni, fundraising and or foundation systems connected to any of the PACE institution networks? If so, should they be treated as college/university systems or s business partner systems? A. The contractor should assess systems as necessary to determine compliance with the 20 Critical Security Controls. 31. Are physical access control, campus police (e.g. parking enforcement), and OneCard-type systems (combined physical assess control and flexible spending card) in scope for this assessment? A. The contractor should assess systems as necessary to determine compliance with the 20 Critical Security Controls. Any observed deficiencies not cross-referenced to a CSC may be listed in an appendix. 32. Are 3 rd party systems like bookstore or cafeteria point-of-sale applications connected to any of the PACE institution networks? If so, should they be treated as college/university systems or as business partner systems? A. The contractor should assess systems as necessary to determine compliance with the 20 Critical Security Controls. 
If IT staff members do not have access to third party systems and applications then the contractor cannot assess the systems and applications within the framework of the 20 Critical Security Controls, and should be considered out of scope. 33. Across the PACE community, is there a common approach for credit card transaction handling and payment card industry (PCI) compliance? A. No. 34. For assessments of this type, scheduling face-to-face interviews and discussions often becomes problematic due to faculty and staff schedules. Is an approach that uses a combination of face-to-face interviews and remote meeting technologies like WebEx acceptable as a means to manage schedules? A. PACE requires that the vendor physically visit each campus. However, the use of remote technologies is at the discretion of the campus being assessed. 35. Would either ISO or NIST framework of controls be okay for this assessment provided that all observed deficiencies or exceptions are correlated to the CSCs? A. The vendor may decide to incorporate any standard or framework of controls into the assessment; however, the vendor must correlate and report using the CSCs. Any observed deficiencies not cross-referenced to a CSC may be listed in an appendix. 36. How many people would you anticipate us interfacing and/or interviewing with besides the 24 CIOs?

6 A. Each PACE campus can have a different organizational structure; therefore, the number of people the vendor may interface with will vary. 37. Does the assessment work need to spread across through the end date of June 30 th, 2014 or can all the work, including presentations and reports be done sooner if achievable? A. All of the work, including presentations and reports, may be done sooner if achievable. 38. Approximately how many devices are connected to the network across all 24 campuses under assessment? A. Control #1 is an Inventory of Authorized and Unauthorized Devices. 39. Approximately how many authorized software applications are running across all 24 campuses under assessment? A. Control #2 is an Inventory of Authorized and Unauthorized Software. 40. The Rfp states, The vendor awarded the bid must be prepared to perform control tests or technical validations if the evidence from screenshots or configuration files do not support compliance with control. Is the expectation that each of the 24 schools have already performed a pre-assessment (or gap analysis) prior to the formal vendor review and are operating under the belief that each control within the CSC has been satisfied? In other words, should the vendor selected expect that the technical testing will be required in the majority of cases, or should technical testing be an exception, reserved for those cases where a school has misinterpreted or incorrectly executed a test? A. Contractors should assume that gap analyses have not been performed at the institutions. 41. The nature of the environments under review indicates that 24 unique and distinct assessments are required. In other words, there are no commonalities between the environments that would allow for testing results from one environment to be inherited by some (or all) of the remaining environments. Is our understanding (one test, one report, no control inheritance) of these environments accurate? A. Yes. 
Each campus must be assessed individually. Results from one campus will not apply to another campus. 42. The RFP does not indicate which information assets at each PACE campus are the primary assets requiring protection under the school s information security governance program. Many of the SANS Top 20 CSCs require random selection of network segments within the environment against which to perform testing procedures. Without targeting specific asset types for protection, random testing can yield misleading results. While not identified specifically in the RFP, is the intention of the engagement to include a process by the vendor to identify and categorize the risks against specific information assets that require protection at each PACE campus? The vendor would use this information to appropriately select the samples for each of the testing criteria within the SANS Top 20. A. See Key Deliverables in Section Control #15 Controlled Access Based on the Need to Know recognizes the importance of an overall data classification scheme for an organization. The contractor may include any additional review, assessment, or report; however, the contractor must deliver all items in Section Do the PACE campuses rely on any vendors or third parties to perform or execute controls within the scope if this review? Are all systems in scope for review housed within data centers owned and operated by each of the PACE campuses? In other words, does the vendor need to incorporate a review of any third-party hosting, cloud services, or data center

7 providers? A. If IT staff members do not have access to third party systems and applications then the contractor cannot assess the systems and applications within the framework of the 20 Critical Security Controls, and should be considered out of scope. 44. Will a combination of higher education and customers from other market segments suffice? They can individually speak to technical capabilities, engagement goals, quality of deliverables and overall satisfaction with assessment results? A. All bids are scored based on the evaluation criteria in section 4.1 in the bid document. The Department of Higher Education reserves the right to award the contract in whole or in part in a manner that most effectively serves the RFP intent, to reject any or all bids, and to otherwise proceed with the award as necessary to protect the best interests of the Commonwealth. 45. How long ago were technical assessments completed across the PACE Campuses? In the past 6-12 months? (i.e. Vulnerability Assessment, Pen Test, Social Engineering, etc. A. Sharing information from previous assessments is at the discretion of the institution. See Section 1.3 for a list of items that PACE considers out of scope. 46. Are there deviations in configurations across PACE Campuses (from site to site)? Do they follow a standardized config. or are they significantly different from each other? A. Yes. Each PACE campus has the autonomy to implement technologies. 47. Key stakeholders for this project; are they located individually at each campus or central location? A. Key stakeholders for this project are not in a central location. 48. Generally, the ISO 27002:2013 generally accepted international security standards and framework identifies a comprehensive review of an organization's security posture. 
As part of the assessment, would PACE desire a mapping of the SANS Top 20 CSC to the ISO framework to understand areas they may not have assessed and may want to assess in the future such as Secure Application Development? A. The contractor may decide to incorporate any standard or framework of controls into the assessment; however, the contractor must correlate all observed deficiencies or exceptions to the CSCs 49. Does PACE require for the security posture assessment evidence-based assessments where formal control testing is done? For example, the aggregate and uniform controls are identified to determine completeness of population. Then, a random sample of the population (10%; not less than a sample of 5 and not more than 25) is taken with control tests performed? A. The vendor awarded the bid must be prepared to perform control tests or technical validations if the evidence from screenshots or configuration files do not support compliance with control. 50. Please confirm that all 20 domains in the SANS Top 20 CSC are in scope. A. YES. 51. How many stakeholders per in-scope domain (above) or in total would be part of the assessment process and available for interviews? A. Each institution will make the necessary personnel available to interview during the assessment. 52. Will a maturity assessment be part of the review?

8 A. No. However, the contractor may include any review or assessment tools in an appendix in the final report. See Section for the Key Deliverables. 53. Will web application vulnerability assessments be in scope? If so, please answer the questions in the attached form. A. Control #6 Application Software Security includes protecting web applications using a vulnerability scanner to test for each type of flaw identified in the regularly updated list of the 25 Most Dangerous Programming Errors by MITRE and SANS Institute 54. What is the total number of university employees? 55. Approximate number of employees at this location? 56. What is the total number of IT Staff? 57. List key IT activities performed with number of staff for each activity at this location. (Data center, Network Admin, Database Administration, Help Desk, Software Development, IT Security, IT Audit etc.) A. This question is not germane to the assessment and deliverables. If IT staff members do not have access to third party systems and applications, then the contractor cannot assess the systems and applications within the framework of the 20 Critical Security Controls, and should be considered out of scope. 58. Are there centralized information security standards for all locations? A. No. 59. Are there decentralized information security standards for different locations? A. No. 60. Can each location set its own information security standards? A. Yes. 61. Vendor relationships and vendor management could be considered in scope. If so, does your company have a relationship with one or more third-party service providers? If so, please provide a high level summary of relationships. A. Each PACE campus has the autonomy to implement technologies. If IT staff does not have access to third party systems and applications, then the contractor cannot assess the systems and applications within the framework of the 20 Critical Security Controls, and should be considered out of scope. 61. 
Does your organization process, store, transmit and/or receive credit card data at any of the locations? Please provide a high level summary. A. This question is not germane to the assessment and deliverables. However, credit cards are a consideration mentioned in Control #17 Data Loss Prevention. 62. Is your organization subject to any regulatory compliance requirements? Please list (i.e. FERPA, PCI DSS, HIPAA, Privacy, etc.) A. Yes. However, this assessment is for the SANS 20 Critical Security Controls; various laws and regulations are not germane to this assessment. 63. Is the location subject to any regulatory compliance requirements? Please list (i.e. FERPA, PCI DSS, HIPAA, FISMA, State Privacy Laws, etc.) A. Yes. 64. Are there other compliance requirements (PCI, FIRPA, etc.?) to pursue /maintain as a result of this engagement? A. No. The contractor may decide to incorporate any standard or framework of controls into the assessment; however, the contractor must correlate all observed deficiencies or exceptions to the CSCs. 65. Is it expected that the assessment will incorporate compliance requirements such as those from CMR 17, PCI, FERPA and HIPAA within the 20 SANS controls? (or) Is

9 PACE and/or each institution trying to meet compliance requirements through the assessment? A. No. However, any observed deficiencies not cross-referenced to a Critical Security Controls (CSC) may be listed in an appendix. 66. Does your organization develop applications internally? A. Answers will vary between PACE campuses. The contractor is expected to assess the individual campuses within the framework of the 20 Critical Security Controls. 67. Are internally developed applications used for critical business operations? A. Answers will vary between PACE campuses. The contractor is expected to assess the individual campuses within the framework of the 20 Critical Security Controls. 68. Do internally developed applications handle sensitive information? A. Answers will vary between PACE campuses. The contractor is expected to assess the individual campuses within the framework of the 20 Critical Security Controls. 69. Are there policies, standards, and / or procedures for access control around new hires, departmental transfers and terminations? A. Answers will vary between PACE campuses. The contractor is expected to assess the individual campuses within the framework of the 20 Critical Security Controls. 70. Will a physical security site review be in scope for the assessment (office(s) and / or data center(s))? If so, please answer the following questions for each location; A. Physical security is only in scope as it relates to SANS 20 Critical Security Controls. 71. Approximately how many applications are hosted/outsourced by this location that are either critical for business operations or handle sensitive information? A. Control #2 is an Inventory of Authorized and Unauthorized Software. 72. Approximately how many databases are in use at each location that are either critical for business operations or contain sensitive information? A. Control #2 is an Inventory of Authorized and Unauthorized Software. 
Control #15 is Controlled Access Based on the Need to Know 73. Are network architecture diagrams available for review? A. Control #19 is Secure Network Engineering 74. How many Demilitarized Zones (DMZ) are in scope? A. Control #19 is Secure Network Engineering 75. Briefly describe the remote access infrastructure used? A. Control #13 is Boundary Defense 76. Is a wireless network access environment deployed and in use? A. The majority of campuses have wireless networks. 77. Approximately how many servers are currently in scope? A. Control #1 is an "Inventory of Authorized and Unauthorized Devices". 78. Approximately how many workstations are currently in scope? A. Control #1 is an "Inventory of Authorized and Unauthorized Devices". 79. Approximately how many network devices (routers, switches, firewalls, etc.) are currently in use? Please list separately if feasible. A. Control #1 is an "Inventory of Authorized and Unauthorized Devices". 80. What operating systems are currently in use? A. Control #2 is an Inventory of Authorized and Unauthorized Software. 81. How many wireless access points are currently in use? A. Control #1 is an "Inventory of Authorized and Unauthorized Devices". Control #7 is Wireless Device Control 82. What types of Internet facing hosted services are in use (e.g., HTTP, HTTPS, FTP, etc.)?

10 A. Control #11 is Limitation and Control of Network Ports, Protocols, and Services. 83. How many standard images are in use for deploying server and client platforms? A. Control #3 is Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers. 84. How many firewalls are deployed at ingress / egress points? What platform(s) is/are in use? A. Control #1 is an "Inventory of Authorized and Unauthorized Devices". Control #13 is Boundary Defense. Control #10 is Secure Configurations for Network Devices such as Firewalls, Routers, and Switches. 85. Do you use IDS/IPS at your ingress / egress points? If so, what platform(s) is/are in use? A. Control #1 is an Inventory of Authorized and Unauthorized Devices. Control #5 is Malware Defenses. Control #13 is Boundary Defense 86. Please list what DLP platforms are in use and how many devices are deployed and at what locations? A. Control #17 is Data Loss Prevention 87. What directory service(s) is/are in use? A. Each campus maintains its own autonomy and directory services used may vary. 88. How many external (Internet) IP addresses does this location have (total IP addresses from external ranges, not just those in use)? A. Each campus maintains its own autonomy and the number of IP addresses will vary. 89. Approximately how many live IP addresses (IP address with a port/service open) are in use within the external address range(s)? A. Control #1 is an "Inventory of Authorized and Unauthorized Devices". 90. Is there a Firewall, VPN, DMZ, IDS/IPS at this location? If so, please describe. A. Control #1 is an "Inventory of Authorized and Unauthorized Devices". 91. What would be the number IP addresses and subnet ranges would be used for an internal vulnerability scan, if applicable? Approximately how many are live? A. Control #1 is an "Inventory of Authorized and Unauthorized Devices". Control #2 is an Inventory of Authorized and Unauthorized Software. 92. 
Are you planning on awarding multiple vendors or just one? A. One vendor. 93. Re: page 4 -- Leading on what? Can we read this identify the campuses with the most appropriate IT security posture and practices? A. Yes. The contractor should acknowledge colleges and universities who lead the system in a particular control. 94. Re: page 4 -- Sans top 20 CSC although comprehensive enough are a shortcut to good security; however there are supporting solutions and processes pertaining Business continuity (BC) and Disaster recover (DR) that are only partially and/or tangentially assessed within SANS top 20 CSC. In the light of recent incidents that resulted in inability of performing business as usual due to improper BC and DR practices. We believe these should be included in the requested assessment (?) A. The contractor may decide to incorporate any standard, metric, or framework of controls into the assessment; however, the contractor must correlate all observed deficiencies or exceptions to the CSCs. Please see Section for the Key Deliverables. 95. What would be the accepted practice for the un-documented or processes or solutions (i.e. lack of network diagrams, lack of firewall documentation lack of documented configuration management, lack of written policies, etc)?

11 A. The contractor will assess the PACE campuses within the framework of the 20 Critical Security Controls. Any observed deficiencies not cross-referenced to a Critical Security Control may be listed in an appendix. 96. Is the consultant responsible for touching the systems in an attempt to gather configuration data or validate the configuration management documentation or only the PACE member employee can access systems and applications? Common audit methodology requires observation, analysis and validation in addition to evidence gathering, providing the audited material is normally auditee s responsibility will we follow the same practice? A. Yes. Each institution will make the necessary personnel available to interview during the assessment. 97. The Sans top 20 CSC lives in an integrated approach that can be outlined by the old adage you cannot manage what you cannot measure ; in the light of the above should the auditor determine that the first two SANS top 20 CSC recommendations are not properly handled or even inexistent Critical Control 1: Inventory of Authorized and Unauthorized Devices Critical Control 2: Inventory of Authorized and Unauthorized Software and as previously mentioned based on the integrated flow of the subsidiary requirements these could be by default would considered partial at best. Would it be accurate to say that the expectation is to assess what exists (and is documented?) and take note of the deviations from (??) in case there is no documentation available? A. The contractor will assess the PACE campuses within the framework of the 20 Critical Security Controls. Any observed deficiencies not cross-referenced to a Critical Security Control may be listed in an appendix. 98. What would be an educated estimate of the number of applications and systems in scope for each site? A. Control #2 is an Inventory of Authorized and Unauthorized Software. 99. Is measuring implemented control effectiveness part of the RFP? A. Yes 100. 
Describe the tools and/or overall program implemented to measure security success at each PACE institution.
A. This question is not germane to the assessment and deliverables. Please see section for Key Deliverables.

Q. Describe each institution's capability to perform remediation of noted actions.
A. This question is not germane to the assessment and deliverables.

Q. What is the global vision PACE has in bringing to light the proposed findings?
A. Please see section 1.1 for Purpose and Overview, section 1.2 for Background, and section for Key Deliverables.

Q. May PACE provide initial compliance percentages (for SANS CSCs) at each campus?
A. No.

Q. Does the June 30th deadline account for discovery, analysis, and completed delivery?
A. Yes. However, PACE may decide to postpone presentations to accommodate the schedules of key stakeholders.

Q. Regarding the requirements detailed in section 1.3.1; will campus IT personnel be willing to complete a questionnaire on the 20 Critical Security Controls (CSCs) in advance of our team's actual onsite assessment to help better prepare our personnel for each visit and to assist with appropriate planning?
A. All work for this engagement must be performed on site unless the individual institution allows the contractor to perform the work off site.

Q. In order to make effective use of our onsite time, will campus IT personnel be willing to gather and submit advance documentation? Again, to make more effective use of our onsite time.
A. All work for this engagement must be performed on site unless the individual institution allows the contractor to perform the work off site. Each institution will make the necessary personnel available to interview during the assessment.

Q. Many of the Top 20 controls as specified by SANS indicate the proper way to test the controls is to install software (i.e. an unapproved program to determine if system monitoring tools would detect the install) or run query-type tools on systems. The RFP clearly states this will not be permitted. If testing is required, how would PACE prefer we approach these issues?
A. Each institution will make the necessary personnel available. If an institution does not provide evidence and will not allow a control test, then the vendor should make a note of it in the report.

Q. Regarding the scope of services in RFP section 1.3, could PACE clarify the difference in expected procedures for evidence from screenshots or configuration files inspected during the assessment vs. control tests in the event of noncompliance with the control?
A. If an institution does not have documentation and/or evidence to support the effectiveness of the control, then the vendor should be prepared to perform a control test.

Q. Will each campus commit to making available their key IT/security personnel for 2-3 full days while our team is onsite for inquiries, demonstrations, and testing (if necessary)?
A. Yes. Each institution will make the necessary personnel available to interview during the assessment.

Q. The project timeline will happen around the timeframe of end-of-year operations and spring graduation at participating campuses. Will appropriate campus resources be made available throughout the project to ensure we can meet the June 30, 2014 deadline for this project?
A. Yes.

Q. Would PACE be amenable to risk-rating network systems and applications for testing and scoping our procedures only to high-risk and moderate-risk rated systems?
A. The vendor may decide to incorporate any standard or framework of controls into the assessment; however, the vendor must correlate and report using the CSCs. Any observed deficiencies or reporting tools not germane to the 20 Critical Security Controls may be listed in an appendix.

Q. The SANS Top 20 controls is a framework for IT controls, not a standard. Does PACE have an expected approach to onsite procedures? Is PACE amenable to multiple options in the proposal from which you may select a preferred approach?
A. No. Vendors may present multiple approaches in their bid.

Q. Will PACE be providing a project coordinator/manager to oversee the project and provide guidance to the successful proposer?
A. PACE staff will oversee the project.
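The two answers above on control tests (what to do when a campus will not permit the SANS-style "install an unapproved program and see whether monitoring notices" test, and when documentation alone does not evidence a control) leave the mechanics to the vendor. The script below is an added example, not part of the RFP or of PACE's or any bidder's material: a benign, self-cleaning control test for CSC #2 (Inventory of Authorized and Unauthorized Software) that drops a harmless marker file into a directory standing in for an install location and checks whether an allowlist-based inventory flags it. The directory layout, the two "approved" stand-in files, the allowlist and the marker name are all constructed for the demonstration and are assumptions; a real test would point `install_root` at the host's actual software locations and take the allowlist from the institution's inventory tool. The marker is removed in a `finally` block so the host is left as found, which is the property an institution that is reluctant to permit testing will ask about first.

```python
"""
Added example (not from the RFP, PACE, or any vendor): a benign CSC #2
control test. A harmless marker file stands in for "unapproved software";
detection is an allowlist check over SHA-256 hashes of files under a root.
All inputs are constructed here for the demonstration (assumption).
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_inventory(root: Path) -> dict:
    """Map relative path -> SHA-256 for every regular file under root."""
    return {
        str(p.relative_to(root)): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def find_unauthorized(inventory: dict, allowlist: set) -> list:
    """Detection logic a CSC #2 tool applies: anything not on the allowlist is unauthorized."""
    return sorted(path for path, digest in inventory.items() if digest not in allowlist)


def run_control_test(install_root: Path, allowlist: set,
                     marker_name: str = "csc2_control_test.txt") -> dict:
    """
    Negative control: plant a benign marker under install_root, re-inventory,
    and report whether the allowlist check flagged it. The marker is always
    removed afterwards so the host is left as it was found.
    """
    before = find_unauthorized(build_inventory(install_root), allowlist)
    marker = install_root / marker_name
    marker.write_text("CSC #2 control test marker - harmless, safe to delete\n")
    try:
        after = find_unauthorized(build_inventory(install_root), allowlist)
        return {
            "baseline_unauthorized": before,   # noise already present before the test
            "detected": marker_name in after,  # the evidence line for the report
            "unauthorized_after": after,
        }
    finally:
        marker.unlink(missing_ok=True)


def demo() -> dict:
    """Run the test against a constructed install directory (assumed layout)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Two stand-ins for approved software; their hashes become the allowlist.
        (root / "approved-agent.bin").write_bytes(b"approved binary stand-in")
        (root / "approved-lib.so").write_bytes(b"approved library stand-in")
        allowlist = set(build_inventory(root).values())
        return run_control_test(root, allowlist)


if __name__ == "__main__":
    print(demo())
```

If `detected` comes back `False` on a real host, that is the finding to record against CSC #2; if the institution declines the test altogether, the RFP answer above applies and the report notes that the control could not be tested rather than marking it satisfied.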
