Information Technology Security Audit

Transcription

1 Missouri State Employees Retirement System REQUEST FOR PROPOSAL (RFP): Information Technology Security Audit GARY FINDLAY Executive Director Project Manager: Stacy Gillmore, Chief Technology Officer Phone: (800) Ext Date Distributed: August 1, 2014 DUE DATE FOR RESPONSES TO RFP: September 4, :30 p.m. Central Daylight Time

2 TABLE OF CONTENTS SECTION I: INTRODUCTION A. Nature of Request...4 B. Deadline for Receipt of Proposals...4 C. For More Information on RFP...4 D. Background Information...5 SECTION II: PROJECT SCOPE Objective 1: Penetration Audit...7 Objective 2: Social Engineering...8 Objective 3: Security Strategy and Systems...8 Objective 4: Network Technology...8 Objective 5: General Network Topology...9 Objective 6: Connections to External Partners...9 Objective 7: Inbound and Outbound Remote Access Strategy...9 Objective 8: Security Policies...9 Objective 9: Virus Protection...9 Objective 10: Physical Security...9 Objective 11: Application Control Vulnerabilities - Member Service Systems...10 Objective 12: Application Control Vulnerabilities - Accounting Systems...10 Objective 13: Data Back-up and Recovery...10 SECTION III: REPORTING AND DELIVERY REQUIREMENTS A. Audit Plan...10 B. Deliverables...11 SECTION IV: RESPONDENT QUALIFICATIONS Respondent Qualifications...11 SECTION V: INSTRUCTIONS FOR COMPLETING AND SUBMITTING PROPOSALS A. General Requirements Inquiries Schedule of Procurement Activities Submission of Proposals...13 B. Proposal Format and Content Title Page Table of Contents Transmittal Letter Executive Summary Respondent Qualifications Project Costs

3 TABLE OF CONTENTS SECTION VI: SELECTION PROCESS AND EVALUATION CRITERIA A. Selection Process...16 B. Evaluation Criteria...16 SECTION VII: MISCELLANEOUS TERMS AND CONDITIONS A. Contractual Agreement...17 B. Right to Reject...17 C. Open Records...18 D. Competitive Negotiation of Proposals...18 E. Confidentiality...19 EXHIBITS Exhibit A Letter of Intent to Bid...20 Exhibit B Pricing Page...21 Exhibit C MOSERS Environments...22 Exhibit D Political Contribution Policy...23 Exhibit E Federal Work Authorization Policy

4 SECTION I INTRODUCTION A. Nature of Request The Missouri State Employees Retirement System (MOSERS) is issuing a Request for Proposal (RFP) for the purpose of hiring a well-qualified consulting/auditing contractor ( contractor ) to conduct an information technology security audit ( audit ). Through this audit, MOSERS is pro-actively seeking ways to determine if all reasonable controls and procedures are in place to ensure security of MOSERS information technology assets. The objectives of this audit are described in the section titled Section II Nature of Services Being Requested. B. Deadline for Receipt of Proposals The proposal must be received by 4:30 p.m. Central Daylight Time on September 4, 2014 for the respondent s proposal to be considered. MOSERS reserves the right to reject any or all proposals received. There is no expressed or implied obligation for MOSERS to reimburse responding contractors for any expenses incurred in preparing proposals in response to this request. MOSERS also reserves the right to request additional information or clarifications from respondents, or to allow corrections of errors or omissions at any time during the evaluation process. Proposals meeting the requirements set forth in this document will be evaluated by MOSERS staff, culminating with recommendations to the executive director for final approval. C. For More Information on RFP If you are interested in responding to this RFP and need additional information to complete it or have specific questions, please contact Stacy Gillmore at (573) or via at [email protected]. Any paper correspondence including your submission of a response to this RFP should be addressed as follows: Mailing: MOSERS P.O. Box 209 Jefferson City, MO Shipping: MOSERS 907 Wildwood Drive Jefferson City, MO All questions must be in writing and those questions and written answers will be shared with all other parties that have indicated an interest in submitting a proposal. The questions and answers will be placed on MOSERS website under bidding opportunities. The name of the party submitting a question will remain anonymous

5 D. Background Information MOSERS is an instrumentality of the State of Missouri vested with the powers and duties specified in state law. MOSERS provides retirement, disability, and life insurance benefits to its members. MOSERS has approximately 110,000 members, including 51,000 actives, 40,000 benefit recipients, and 19,000 terminated vested members. MOSERS is responsible for managing a $9 billion dollar portfolio of investments held in trust for the payment of member benefits. MOSERS also administers the State of Missouri Deferred Compensation Plan for state employees and retirees and the College and University Retirement Plan (CURP), a defined contribution plan for higher education faculty employees. The CURP has approximately 2,200 members. MOSERS is governed by an 11-member board of trustees. The executive director is appointed by and reports to the Board. The Board delegates its authority for the daily administration of the system to the executive director. Through direct reports, including the deputy director of operations, chief investment officer (CIO), chief counsel, chief auditor, legislative & policy coordinator, and human resources coordinator, the executive director is responsible for the day-to-day administration of MOSERS. The CIO reports to the executive director, but the executive director does not have investment responsibilities other than ensuring that the investment program complies with the Board s governance policies. For a complete organization chart, see MOSERS operates within a strong organizational governance model, which establishes long-horizon value creation. The Board governs with an emphasis on: Outward vision. Encouragement of diversity in viewpoints. Strategic leadership more than administrative detail. Clear distinction of board and chief executive roles. Collective rather than individual decisions. The future rather than the past or present. Being proactive rather than reactive. The Board, through its governance policy, delegates to staff the responsibility to implement broad policy decisions and achieve Board goals. Operations staff is focused on customer service and cost-effective administration of plan benefits. Operations staff does extensive benchmarking against other public pension plans in the areas of customer service, processes, cost, and productivity and has consistently demonstrated high performance in all areas. The senior management team has a high performance mindset, which instills intense levels of energy and loyalty among high-performing employees

6 Investment staff has achieved returns exceeding the total fund policy benchmark in 12 of the last 15 years. MOSERS s investment success can be attributed to: Broad diversification of investments expected to perform differently in various economic environments. A willingness to be contrarian in approach. A high degree of flexibility allowed by the governance model in implementing investment policies and strategies. A culture that expects and rewards high performance. For additional general information about MOSERS, please refer to our website at and specifically to our Comprehensive Annual Financial Report for the fiscal year ended June 30, 2013, which is available on our website at: Mission MOSERS exists to advance the financial security of its members. Vision We endeavor to: Exceed customer expectations Educate stakeholders Ensure sound investment practices Encourage responsible funding of the plan through a commitment to EXCELLENCE ALWAYS. Values Quality - Strive to exceed the expectations of internal and external customers through innovation, competence, and teamwork. Seek to "do it right" the first time. Respect - Be sensitive to the needs of others, both within and outside of the organization. Be courteous, considerate, responsive, and professional. Integrity - In all endeavors, act in an ethical, honest, and professional manner. Openness - Be willing to listen to, and share information with, others. Be receptive to new ideas. Be trusting of others. Accountability - Take ownership of and responsibility for actions and their results. Learn from mistakes. Control system risks and act to protect the security of member information and system assets

7 SECTION II PROJECT SCOPE The contractor shall objectively and systematically examine MOSERS information technology systems (hardware and software) and procedures to provide an independent assessment of information technology security. The contractor should specifically determine whether or not MOSERS take effective measures to prevent unauthorized parties from compromising the confidentiality, integrity, or the availability of its IT systems. The contractor shall use judgment, experience and creativity in conducting this information technology security audit. The contractor is authorized to review any policy, process, or procedure typically reviewed when completing this type of project. At a minimum, the following tasks shall be included in the scope of the project: Objective 1 Penetration Audit The contractor will perform non-volatile exploit procedures designed to determine how well MOSERS security systems can withstand up-to-date malicious exploits launched via Internet and internal network connections. These procedures should be performed without the knowledge of IT systems staff at a time to be communicated and coordinated with Internal Audit. Tests and procedures should include all typical tests normally used in such penetration audits. However, the following rules shall be observed during the penetration analysis of MOSERS network: 1. Denial-of-service attacks shall not be used. 2. No untested tools or techniques shall be used. All tools and techniques shall have been extensively reviewed and tested in a lab environment by the penetration team before they are tried in the exercise. 3. No active backdoors or Trojan horse programs shall be left behind. 4. No sensitive data shall be read, deleted, copied, modified, released or destroyed. 5. Only knowledgeable engineers shall be used during this exercise to minimize the inherent risks of penetration analysis. Convicted hackers shall not be used during any phase of the engagement. 6. Whenever possible, the team shall utilize tools that require less bandwidth to ensure only minimal impact on network traffic. 7. MOSERS desires to have the penetration audit performed in an ethical manner

8 The contractor, as a specialist in this area, shall recommend a strategy to conduct the vulnerability assessment, focusing on all of the above areas and any other areas not listed above that may provide exposure to MOSERS. The strategy should describe the contractor's approach, including tools and techniques to be used during the assessment. The contractor's team shall work closely with Internal Audit. Internal Audit shall monitor this project and shall be made fully aware of the contractor's activities, including but not limited to, the scope of testing, the techniques used and the timing of such tests. The contractor shall brief MOSERS personnel, and produce a written report detailing any identified exposures as well as any successful attempts to actually penetrate the system. The report shall contain recommended solutions, which should address infrastructure, hardware, software and procedural concerns. Objective 2 Social Engineering The contractor will perform social engineering procedures to verify the existence and effectiveness of procedural controls to prevent unauthorized physical and electronic access to MOSERS IT systems. These procedures should be performed without the knowledge of Systems staff at a time to be coordinated with Internal Audit. The contractor shall outline their approach to this objective in their response to this proposal. Objective 3 Security Strategy and Systems The contractor will evaluate MOSERS security strategy and systems, including firewall and network hardware, software, placement and utilization. The contractor should perform an in-depth security scan and threat assessment to identify vulnerabilities. This should include, but not be limited to, port scans, host enumeration, and application/system identification. Objective 4 Network Technology The contractor will: 1. Evaluate the hardware and software running on the network 2. Identify if MOSERS is running any nonstandard software, protocols or systems. 3. Review the use of T1/T3 lines and Metropolitan Ethernet connections. 4. Perform a threat assessment to identify vulnerabilities

9 Objective 5 General Network Topology The contractor will: 1. Evaluate MOSERS network infrastructure. 2. Review the protocols that are supported and the rules or conventions used to govern the exchange of information between networked nodes. 3. Review file server and workstation security, network operating system security, and access control. 4. In addition, review the network management, resilience, and stability. Objective 6 - Connections to External Partners - The contractor will review our connection to our external partners through wide area networks, dedicated circuits, ASP s, remote clients, and remote server technologies. The contractor will determine if there are any vulnerabilities with these types of connections to MOSERS systems. Objective 7 Inbound and Outbound Remote Access Strategy The contractor will: 1. Evaluate administration of remote access, both inbound and outbound. 2. Review implications associated with the level of access that has been granted to authorized users. 3. Examine security issues in remote data transfer and the extent of network access available remotely. 4. Perform a threat assessment to identify vulnerabilities with existing remote access. Objective 8 Security Policies The contractor will evaluate how MOSERS security policies (including password policies) secure sensitive data and applications. The contractor will review current logon procedures and logon auditing practices. The contractor will examine current practices with regard to machine restrictions. The contractor will be expected to identify any potential weaknesses and perform a threat assessment to identify vulnerabilities. Objective 9 Virus Protection - The contractor will evaluate the processes used to prevent impact from viruses and malware. The contractor will perform a threat assessment to identify vulnerabilities. Objective 10 Physical Security- The contractor will evaluate physical and environmental controls including, but not limited to, physical access restrictions, surveillance, and incident response. Physical security should be evaluated at both office locations and the third-party warm site

10 Objective 11 Application Control Vulnerabilities - Member Service Systems - The contractor will assess the risk that a single trusted user, third-party administrator or contractor of MOSERS information systems can accomplish and/or conceal the improper diversion of assets using vulnerabilities found in MOSERS member service systems (known as MIBS). It should be noted that the optional life insurance and long-term disability insurance provider has access to MOSERS systems. Objective 12 Application Control Vulnerabilities - Accounting System - The contractor will assess the risk that a single trusted user, administrator or contractor of MOSERS Information Systems can accomplish and/or conceal the improper diversion of assets using vulnerabilities found in MOSERS accounting systems. MOSERS uses PeopleSoft for the general ledger accounting system and uses BNYMellon as the custodian bank for investable assets. Objective 13 Data Back-up and Recovery The contractor will assess the risks associated with MOSERS off-site back-up procedures. SECTION III REPORTING AND DELIVERY REQUIREMENTS A. Audit Plan All work shall be in accordance with an approved audit plan. Within thirty (30) calendar days after the award date of the contract, the contractor shall develop and submit to Internal Audit a detailed audit plan describing how they intend to meet the work requirements in Section II of this RFP. The audit plan is subject to approval by Internal Audit. The audit plan shall include: The specific tasks to be performed (the tasks should follow the Objectives described in Section II of this RFP and any additional tasks needed to properly conduct the audit), The tools and techniques to be used, especially the types of penetration attacks that are planed; The audit plan should describe the goal of each type of intrusion attack, how it will be determined that the attack was successful, and when the attack will be stopped, and Any on-site requirements or support the contractor will need. (This includes hardware and software requirements, MOSERS support staff, designation of user and technical contacts, etc.)

11 B. Deliverables The following deliverables are required: An audit plan as specified in Section III-A. An entrance conference to be coordinated by MOSERS and the contractor. Two interim progress reports that include a summary of preliminary findings, specific accomplishments achieved during the reporting period, and projected completion dates for specific tasks remaining to be completed. An exit conference at a time to be determined by MOSERS and the contractor. A draft audit report that includes the following: An executive summary of all issues, findings, and recommendations as a result of all work required by the contract and audit plan, Detailed descriptions of the work performed, conclusions/findings and recommendations, Comments or responses to recommendations from MOSERS staff, Specific proposals to achieve any improvements recommended by the contractor, and Citations of industry best practices when applicable. MOSERS staff shall have 30 days to respond in writing to the draft report. The timeframe for the due date for the draft audit report will be negotiated between MOSERS and the successful respondent. A final audit report. The timeframe for the due date for the final audit report will be negotiated between MOSERS and the contractor. SECTION IV - RESPONDENT QUALIFICATIONS Respondents must satisfy all of the following mandatory minimum qualifications as outlined below in order to be considered for the contract award: A. The Respondent must agree to accept a written contract. The respondent will provide a template for the contract that reflects the standard industry practices. B. The Respondent must agree to provide the minimum services as detailed in Section II, as well as comply with all the requirements stated in the RFP. C. The Respondent must provide assurance that the key professionals and/or that their organization does not have, nor could they potentially have, a material conflict of interest with MOSERS or any MOSERS service providers. D. The Respondent must provide profiles or bios (with photographs) of the key professionals assigned to the audit

12 E. The Respondent must demonstrate a special combination of proficiency and experience in conducting information technology security audits; and the Respondent must have extensive knowledge of the information technology industry in relationship to intrusion detection, ethical hacking, vulnerability assessment, and internal controls. F. The Respondent must agree to comply with the Political Contribution Policy as noted as Exhibit D. G. The respondent should have a current SOC-2 audit and provide the result to MOSERS upon request. In the absence of a SOC-2 audit, the respondent must demonstrate that adequate controls are in place. H. The respondent should provide documented assurances that no one working on the project is a convicted felon. SECTION V- INSTRUCTIONS FOR COMPLETING AND SUBMITTING PROPOSALS A. General Requirements 1. Inquiries Please refer to Section I, Paragraph C for contact name and address. A Letter of Intent to Bid, in the format of Exhibit A, and any questions regarding this RFP must be submitted in writing ( and faxes are acceptable), set forth on the Respondent s letterhead, and must be received at MOSERS by August 13, 2014 at 4:30 p.m., Central Daylight Time. In order to ensure that all Respondents have the same information and instructions concerning the preparation of the proposal, all questions received will be responded to in writing and provided to all RFP recipients who have submitted a timely Letter of Intent to Bid. Contractors that either choose not to submit a Letter of Intent to Bid or fail to meet the deadline for its submittal may submit a proposal in response to this RFP, but must do so without the benefit of the written questions submitted and the written responses thereto. 2. Schedule of Procurement Activities Event Date Publish RFP August 1, 2014 Respondent s Questions and Letters of Intent to Bid Due August 13, 2014 MOSERS to Responses to Written Questions August 20, 2014 Proposal Due Date September 4, 2014 Announcement of Successful Contractor September 17,

13 3. Submission of Proposals The proposals can be ed, mailed, or hand-delivered but must be received by the following address by 4:30 p.m. Central Daylight Time, September 4, 2014: Mailing: Respondents mailing proposals should allow sufficient mail delivery time to ensure timely receipt of their proposals. Hand carried responses to the RFP may be delivered between 7:30 a.m. and 4:30 p.m. Central Daylight Time through the due date. All responses must be in a sealed envelope with the respondent name, address and RFP subject shown on the outside. Proposals, that contain a signature of an authorized representative, may be transmitted via in Adobe Portable Document Format (PDF) format. All proposals and accompanying documentation become the property of MOSERS and will not be returned. Each proposal must conform to the requirements of this RFP. Conciseness and clarity of content are emphasized and encouraged. Vague and general proposals will be considered non-responsive and may result in disqualification. Failure to provide the required information may also result in disqualification. MOSERS reserves the exclusive right to determine compliance with these requirements and to exclude from consideration proposals which, in its judgment, do not so conform. A Respondent s preparation and submittal of a proposal or subsequent participation in presentations or contract negotiations creates no obligation for MOSERS to award a contract or to pay any associated costs. B. Proposal Format and Content Proposals should be designed so as to cover the content requirements identified within this RFP. All pages of the proposal must be numbered. Each proposal must be organized in the manner described below: 1. Title Page MOSERS P.O. Box 209 Jefferson City, MO Shipping: MOSERS 907 Wildwood Drive Jefferson City, MO Include the subject, name of your contractor, address, telephone number, contact person, and date

14 2. Table of Contents (self explanatory). 3. Transmittal Letter The signed transmittal letter should briefly identify the Respondent and specify that the proposal is submitted in response to the RFP issued by MOSERS. General information should be included such as: 1) Firm name, primary contact person s name, position, mailing address, phone number, and fax number; 2) The legal status of the organization; 3) The location of the facility from which the Respondent will operate; 4) The language required by Section VII, Paragraph A regarding the authority of the contractor representative to submit the proposal; 5) A statement to the effect that the proposal is a contractor and irrevocable offer good for at least sixty (60) days from the date of the transmittal letter; 6) A statement expressing the understanding of the services to be provided or performed and a willingness to perform the services required; 4. Executive Summary The Respondent must provide an executive summary of its proposal which consists of a brief narrative overview of the audit to be performed. The executive summary should also identify any suggested services to be provided which are beyond those specifically requested. If the Respondent proposes to provide services which do not meet the specific requirements of this RFP, but in the opinion of the Respondent are equivalent or superior to those specifically requested, any such differences must be expressly noted. However, the Respondent should recognize that a proposal which does not respond to the specific services requested may be subject to disqualification. 5. Respondent Qualifications The proposal must satisfactorily address the Respondents ability to meet the mandatory minimum qualifications as outlined in Section IV of this RFP. The proposal shall identify by name and title each key staff member that may potentially be assigned to the audit and describe their demonstrated competence, knowledge, and qualifications, with particular emphasis upon expertise and experience related to information technology

15 The proposal shall include a list of references relating to similar engagements, identifying for each reference a contact person by name, title, address, and telephone numbers, to whom MOSERS may make inquiries regarding the contractor s prior engagements. The proposal shall identify any services with MOSERS, MOSERS Trustees, or any of its agents, officials, or employees that have been provided during the past five years by the Respondent or its personnel. In addition, the proposal shall identify any officer or employee of MOSERS, or any of the Trustees, who has a financial interest in the Respondent s contractor or who is related within the second degree by consanguinity or affinity to a person having such financial interest, together with a full disclosure of the nature of such financial interest, and the relationship, if applicable. If there is no such person, the Respondent should so state in the proposal. 6. Project Costs MOSERS intends to purchase a comprehensive external information technology security audit within the budgetary constraints established for the project. If the cost exceeds our project estimate, we will restrict our purchase to the most critical test elements during the current fiscal year and consider performing the remaining tests in subsequent fiscal years. Using the Pricing Page form (Exhibit B) or a very similar form, indicate the costs to audit each separable objective as listed under Section II Nature of Services to be Provided as well as a discounted price for tests that can be logically bundled together. Also, include a total price for the entire package. In addition, please rank the tests in terms of importance using the following scale: A. Must do B. Highly recommended C. Would do, if funding is available MOSERS may elect to contract for the entire services outlined in this RFP, but reserves the right to negotiate services for only a portion of the Tasks outlined in Section II. Failing to prepare the itemized costs list similar to the format shown in Exhibit B may eliminate the respondent from consideration of the partial services negotiations

16 Total consideration under the contract will be limited to professional costs, travel costs, and ancillary costs actually incurred, not to exceed an aggregate fixed dollar ceiling amount as finally negotiated and specified by contract. Any contract executed will legally obligate the Respondent selected to fully and completely perform all review services under the contract for no more than the fixed dollar ceiling amount specified by contract, irrespective of whether the Respondent incurs costs which exceed such fixed dollar ceiling amount. SECTION VI - SELECTION PROCESS AND EVALUATION CRITERIA A. Selection Process Designated MOSERS staff will review proposals timely submitted by Respondents and provide the executive director with an analysis and ranking of proposals submitted for his use in the final selection of the contractor, subject to successful contract negotiations. The Respondents and MOSERS representatives may discuss the respondent s proposal as part of the evaluation process. B. Evaluation Criteria Proposals submitted in response to this RFP may be accepted as submitted, or may be used as a basis for further negotiation of specific project details with Respondents. In evaluating proposals, MOSERS staff will consider: the demonstrated competence, knowledge, reputation, and qualifications of the contractor as a whole and of the professional staff who will work on the audit; the contractor s technical expertise and experience; the contractor s ability and willingness to meet the requirements and needs of MOSERS with respect to the audit as outlined in this RFP and as demonstrated in the response; the adequacy of the proposed audit approach and staffing plan for various segments of the review; and the reasonableness of costs for the services proposed. If all other considerations are equal, a contractor whose principal place of business is within the State of Missouri, or who will manage the engagement wholly from one of its offices within the State of Missouri, will be given preference. Minority and female-owned businesses are encouraged to submit or participate in the submission of proposals

17 SECTION VII - MISCELLANEOUS TERMS AND CONDITIONS A. Contractual Agreement The Respondent will include certification that the person signing the response to the RFP is authorized to represent the contractor, empowered to submit the bid and authorized to sign a contract with MOSERS by including the following wording: I hereby certify that I have read all items of this RFP and fully understand the requirements listed herein. I further certify that I am an authorized agent of the Respondent empowered to submit the response to the RFP, and authorized to sign a contract with MOSERS. A copy of this RFP as well as the successful response to the RFP will be attached to a completed contract. The contract terms will be negotiated between MOSERS and the successful bidder. The successful bidder will be asked to provide a contract template that is customary in their industry. MOSERS legal counsel will review the contract prior to signature by the executive director. B. Right To Reject Submission of a response to the RFP indicates acceptance by the Respondent of the conditions contained in this RFP unless clearly and specifically noted in the response submitted and confirmed in the contract between MOSERS and the Respondent selected. MOSERS reserves the right to reject any and all responses to the RFP submitted without any obligation or payment for costs incurred by proposing Respondents. MOSERS reserves the right, where it may serve MOSERS' best interest, to request additional information or clarification from any Respondent, to allow corrections of errors or omissions, or to discuss points in the response to the RFP before and after submission, all of which may be used in forming a recommendation to the executive director. MOSERS reserves the right to waive any and all formalities contained within this RFP except for the deadline for filing. Responses to the RFP received late will not be considered. MOSERS reserves the right to retain each response submitted and to use any aspect of the response to the RFP regardless of whether that respondent is selected

18 C. Open Records Copyrighted proposals are unacceptable and will be disqualified as nonresponsive. Following the award of a contract, responses to this RFP are subject to release as public information unless the response or specific parts of the response can be clearly shown to be exempt from the Open Records law of the State of Missouri. If there is concern about this issue, respondents are advised to consult with their legal counsel regarding disclosure issues and take the appropriate precautions to safeguard proprietary information. MOSERS assumes no obligation or responsibility for asserting legal arguments on behalf of any respondent to this RFP. D. Competitive Negotiations of Proposals The Respondent is advised that under the provisions of this RFP, MOSERS reserves the right to conduct negotiations of the proposals received or to award a contract without negotiations. If such negotiations are conducted, the following conditions shall apply: Negotiations may be conducted in person, in writing, by , by fax, or by telephone. Negotiations will only be conducted with contractors that have submitted potentially acceptable proposals. MOSERS reserves the right to limit negotiations to those proposals which received the highest rankings during the initial evaluation phase. Terms, conditions, prices, methodology, or other features of the Respondent s proposal may be subject to negotiation and subsequent revision. The mandatory requirements of the RFP shall not be negotiable and shall remain unchanged unless MOSERS determines that a change in such requirements is in the best interest of MOSERS. In such case, the change(s) shall apply to all proposals. As part of the negotiations, the Respondent may be required to submit supporting financial, pricing and other data in order to allow a detailed evaluation of the feasibility, reasonableness, and acceptability of the proposal. All qualifying Respondents involved in the negotiation process will be invited to submit a best and final offer

19 E. Confidentiality Contractor shall maintain all files and any other information provided by MOSERS necessary to provide the services herein in a secure and limited access area, under the strictest confidence, and accordingly, will not alter or disclose such files or other information except as provided herein. Upon the completion of the services, all such information and materials provided by MOSERS (hereafter Confidential Information ) will be returned to MOSERS unless otherwise directed by MOSERS. The contractor will not disclose any of the Confidential Information in whole or in part without the prior written consent of MOSERS, unless required to do so by a court order or by law, in which case the contractor shall notify MOSERS in writing prior to making any such disclosure. The contractor shall further limit access to Confidential Information to those of its employees, officers and directors who reasonably require such access in the performance of their duties for MOSERS and shall take all such necessary precautions and exercise the same duty of care that contractor would undertake to prevent the disclosure of its confidential and proprietary information. In the event that contractor breaches any provision of this confidentiality provision, MOSERS will be entitled to seek any relief and remedy available at law or in equity. In the event that contractor discloses any Confidential Information in breach of this provision or applicable law, the parties recognize and agree that MOSERS will suffer irreparable injury and that MOSERS will, therefore, be entitled to obtain injunctive relief. The remedies herein provided and those otherwise available at law or in equity shall be cumulative, and no one remedy will be construed as exclusive of any other

20 Exhibit A Contractors Letterhead Letter of Intent to Bid On behalf of my contractor, I hereby certify that we intend to submit a proposal to provide information technology audit services to the Missouri State Employees Retirement System. I have read the Request for Proposal for the procurement of these services and accept the conditions set forth therein. Our contractor will provide a proposal for the following projects: Contractor Name Legal Name Contractor Address Approving Authority Name Approving Authority Signature Approving Authority Title Date

21 Exhibit B Pricing Page Please indicate for each separable test listed below (and as described in Section II) your firm s proposed price, as well as a discounted price for tests that can be logically bundled together. Please note which tests or objectives should logically be bundled together. Include a total price for the entire package. In addition, please rank the objectives in terms of importance with the following scale: a. Must do b. Highly recommended c. Would do, if funding is available Rank Objective No. Objective Cost 1 Penetration Audit $ 2 Social Engineering 3 Security Strategy and Systems 4 Network Technology 5 General Network Topology 6 Connections to External Partners 7 Inbound and Outbound Remote Access Strategy 8 Security Policies 9 Virus Protection 10 Physical Security 11 Application Control Vulnerabilities - Member Services Systems 12 Application Control Vulnerabilities - Accounting Systems 13 Data Back-up and Recovery Total cost if all services are purchased $ Attach additional sheets or information, if necessary

22 Exhibit C MOSERS Environments Physical Environment MOSERS has approximately 75 employees working at two locations in Jefferson City, MO. MOSERS also utilizes a warm-site at third location in Jefferson City, MO. Technical Environment The foundation of our information systems environment is an IBM System i, which hosts our custom-built, pension administration system (PAS). This system is augmented by a virtual server/san environment utilizing VMware and Microsoft Windows Servers. Our PAS was originally written in 1986 using RPG with a DB2 database and has been diligently updated since its original rollout. It is enhanced by a compliment of Microsoft Windows and browser-based applications written in.net with a Microsoft SQL Server database. We have a FileNet-based document imaging system with custom workflow processing that was developed with Visual Basic. This existing system is currently being migrated from FileNet to docstar Eclipse. Our telephony infrastructure is voice over IP (VoIP) with CAT-6a cabling and power over Ethernet (PoE). We use Interactive Intelligence s Customer Interaction Center as our unified communication system. It provides voice, faxing, voic , call center management, call recording, and automated surveys

23 Exhibit D Political Contribution Policy The Executive Director shall advise all external service providers in writing that the Board of Trustees has taken the position that it is inappropriate and unethical for any outside service provider to make any political contribution with the intent of influencing a purchasing, hiring or firing decision made at MOSERS and shall provide a copy of this policy to all current service providers. The Executive Director shall also notify all external service providers that a violation of this policy may lead to termination of employment or prohibition from hiring. If the Executive Director has reason to believe that this policy may or will be violated by an external service provider, the Executive Director shall require the external service provider (including owners and key employees) to disclose political contributions made to any incumbent or candidate for state office in the last two years and shall provide written notice to the Board in the event the disclosure reveals any such contributions were so made. Exhibit E Federal Work Authorization Policy The executive director shall advise all external service providers where the purchase of goods or services is in excess of five thousand dollars that as a condition for the award of contract, the external service provider shall be enrolled and participate in a federal work authorization program with respect to the employees working in connection with the contracted services and shall not knowingly employ any person who is an unauthorized alien in connection with the contracted services End of Document