OVERVIEW. We seek consultative services that would deal with the following objectives:

Transcription

1 Massachusetts College of Art and Design - Framingham State University CISO and Managed Information Security Services RFP Attachment #1 - Specifications and Descriptions of Services OVERVIEW In an effort to better meet our risk management and compliance obligations, Massachusetts College of Art and Design ( MassArt ) and Framingham State University ( FSU ) (together referred to herein as the Participating Institutions ) wish to jointly engage a qualified Managed Security Service Provider (MSSP) to provide Chief Information Security Officer (CISO) services and to help advise on, and implement portions of, each institution s information security management program. We seek consultative services that would deal with the following objectives: Attain expert information security capabilities Independently validate the existing Information Security Program Create a risk, effort and cost prioritized gap analysis of the existing Information Security Program to direct the further implementation of the Information Security Program. Ensure the proper implementation of the Information Security Program based on our institutional needs. ABOUT THIS JOINT RFP As part of a continuing effort to establish partnerships with other higher education institutions that provide value of mutual benefit, the Chief Information Officers at both Framingham State University and the Massachusetts College of Art and Design have taken the initiative to jointly tackle information security issues. This initiative began by creating closely aligned written Information Security Program documents. Copies of these documents are available to interested bidders by contacting Sean Foley, Chief Technology Officer, Harvard Partners, LLP at Sean.Foley@harvardpartners.com. As a next phase, the two institutions intend to provide equal financial support to jointly engage a single provider of information security managed services. The intent is to identify a supplier with a shared commitment to a collaborative effort that will enable both organizations to fulfill their obligations to implement the provisions of a common written information security program (one they co-developed) in the most efficient way possible through a shared services arrangement. Therefore, beyond simply meeting the objectives stated in this RFP for both Participating Institutions, one of the most significant outcomes desired from this undertaking will be demonstrated value of the efficiencies gained through this joint arrangement. If this can be demonstrated, then it may be possible that other public higher education institutions within Massachusetts may also want to participate in a similar arrangement for shared information security managed services.

2 SCOPE OF WORK MassArt and FSU are seeking a senior level resource from a managed security services provider to fulfill the role of a part-time Chief Information Security Officer (CISO). The selected firm will administer the ongoing implementation of each institution s Information Security Program as well as fulfill the regular duties of a CISO on an ongoing basis. The CISO consultant will provide proactive security domain expertise to the two campus CIOs and the Information Security Councils on each campus on all aspects of Information Security on an ongoing basis. Leveraging such an expert will help ensure each institution meets its compliance and risk management obligations. The work is detailed below in two parts: Part 1 - CISO responsibilities, and Part 2 WISP Review and analysis (2A) and WISP implementation management (2B). In addition, the institutions may also have need of optional support or implementation services as a result of these two initiatives, some of which are detailed below. The request for pricing of these optional services is not a commitment to purchase them as part of this RFP. CISO Responsibilities (Part 1) The CISO will be required to fulfill the following duties and responsibilities on an as needed basis: Produce monthly status reports for the two CIOs [a single report for both is acceptable] noting status of work planned for, underway and completed with respect to fulfilling the provisions of the WISP, remediation of non-compliance with specific regulations, and any other information security initiatives designed to reduce risk exposure. This should include creating and maintaining a list of issues encountered since the prior reporting period, issues resolved, and a timeline for addressing any unresolved issues along with personnel or organizations with designated responsibility for taking corrective action. Participation, as required, in meetings convened by either CIO (by phone) Respond to and help resolve security issues on either campus which arise on an as needed basis Propose remediation projects to solve compliance gaps and reduce risk exposure as they are identified. Those projects would need to approved, rejected or deferred based on risk, compliance needs and budget. Provide input and direction on annual budgeting and planning for each campus to address security concerns Assist in qualifying external vendors from a security perspective Prepare and present one (1) high level presentation per year per institution (total two presentations annually) on the state of the institution s information security risk management and compliance to the appropriate senior leadership committee Prepare and present four (4) presentations per year on the state of each institution s information security program and any emerging compliance obligations and security risks. This presentation will be to CIO and Information Technology management team. These meetings may be held separately by campus or jointly, as deemed appropriate for the content. Be involved, on each institution s behalf, in at least one (1) security audit annually Interview potential new staff as may be appropriate Take responsibility for editing and updating the written information security program (WISP)

3 WISP Review and Analysis (Part 2A) and Implementation Management (Part 2B) Part 2A: The first initiative for the CISO is a review of the existing WISP, ensure that it properly serves each campus, and determine where gaps exist between the current security architecture and each institution s risk and compliance obligations. The CISO will work in conjunction with both CIOs and appropriate senior level IT staff in each institution (as well as other stakeholders as appropriate) to review the existing Information Security Program. This review should leverage existing policies, procedures, audit and compliance artifacts and systems architectures where applicable. The result of this review should be a report highlighting risk and compliance gaps in the existing Information Security program, based on industry best practices, and should also include remediation options prioritized by risk and level of effort with an estimate of resources required (time, money and personnel) associated with each remediation option. Part 2B: The institutions recognize that the implementation of a robust Information Security Program requires both information security and program management expertise. Using the WISP gap analysis created in Part 2A, and with the direction of both CIOs and the Information Security Council on each campus, the CISO will create a detailed remediation program. The remediation program is expected to contain some elements which apply generally to both Participating Institutions as well as some elements which apply uniquely to only one of the two Participating Institutions. Understanding that the individual institutions will then use internal and external resources, some of which may be from the bidder, the CISO will administer and manage the execution of the remediation plan. Optional Support Services The Participating Institutions recognize that through the course of implementing the Information Security program the need for additional services may arise. In turn, we seek cost estimates and solution details for the following list of services: A. 24 x 7 Security Monitoring Services including monitoring, analysis and alert escalation for the enterprise. (Cost per device, by device type required.) B. Vulnerability management for 60 servers per campus (total 120 servers). C. Managed IDS/IPS Services for each campus. D. Penetration testing per campus devices at MassArt, 500 devices at FSU. (Provide one time and quarterly cost options) E. Vulnerability scanning per campus devices at MassArt, 500 devices at FSU. (Provide one time and quarterly cost options) F. Security Awareness Training program for staff 500 staff at MassArt, 800 staff at FSU. Each institution s configuration of devices is dynamic and will change over the life of any contract. The two institutions have different network architectures and equipment and should be assumed to be entirely separate networks. Quantity pricing shall be identified as applicable. Price variances based on specific equipment shall be identified if needed. Pricing for varied scaling options will be accepted. If, during the review of the accompanying WISPs the bidder wishes to offer additional services beyond those listed, they may be included in the RFP response. CAMPUS CONTEXTS

4 MassArt Background: Massachusetts College of Art and Design is the only public, free-standing college of art and design in the US. As a member of the Massachusetts state university system, it enrolls approximately 2,000 students at both the undergraduate and graduate levels. MassArt offers the Bachelor of Fine Arts degree in nearly 20 fields of art and design, as well as in history of art and art education; the college also offers several master s degrees. The college has three residence halls with a total capacity of approximately 1000 students. MassArt Computing Environment: the computing environment at the university is comprised of sixty (60) servers, one hundred (100) switches, and a single (1), redundant firewall supporting the Boston campus. Staff and faculty use seven hundred and fifty (750) desktops and laptops and the student population uses one thousand nine hundred (1900) desktops and laptops. All of these systems are supported by one (1) on campus and one (1) remote datacenters where most enterprise application systems reside. Some enterprise applications, such as CRM, are cloud hosted. FSU Background: Framingham State University is a Massachusetts public four-year institution with enrollment exceeding 6,000 students. FSU is a vibrant, comprehensive liberal arts and sciences institution offering 25 undergraduate degree programs in arts, humanities, sciences, social sciences, and professional fields. Nearly 6000 students attend Framingham State University, including nearly 2000 graduate students. FSU offers graduate degrees in 23 fields, including an extensive graduate program for teachers in international schools. Currently, there are more than 1800 students residing in campus housing. FSU Computing Environment: The computing environment at the university is comprised of sixty (60) servers, one hundred (100) switches, three (3) firewalls, and three hundred (300) wireless access points supporting the single campus in Framingham. Staff and faculty use one thousand five hundred (1500) desktops and laptops as well as eight hundred (800) mobile devices (smart phones). The student population uses two thousand five hundred (2500) desktops and laptops. All of these systems are supported by two (2) on campus and one (1) remote datacenters where all enterprise application systems reside. As this is a dynamic computing environment these numbers can change at any time but these numbers accurately represent the scale of the environment. VENDOR INSTRUCTIONS AND EVALUATION CRITERIA The Participating Institutions request a time and materials bid cancellable by either party. The pricing should be summarized in the attached pricing appendix. Overall the bid should include: Both estimated hours and total cost per month for Part 1 - CISO consulting services, given the above responsibilities and initiatives. Hourly run rate for management and delivery of Parts 2A&B - WISP Review and Program Implementation Pricing for the optional services noted above. A blended hourly rate for optional security consulting services such as implementation or forensics services. Any expectations the bidder has of the Participating Institutions to be successful in providing the services, including, access to resources, identification of sources, tasks, information, etc. Bidders will be evaluated on their competency in IT security, level of certification of staff, and SOC certification. Bidders will also be evaluated on their company s financial stability, customer

5 satisfaction/retention, company position with respect to its competition, its scale (overall services offerings), risk mitigation strategy, track record and depth and breadth of experience working with higher education institutions. The following shall be included in the proposal: Resumes of the team member(s) to fill the CISO role A list of supporting team members (along with a project team organization chart) to be assigned to this relationship and their resumes, including experience on projects like this one and with institutions similar to the Participating Institutions. o Please note that the Participating Institutions will expect limited resource shifts from the team proposed. The awarded bidder must consult with the Participating Institutions regarding any replacements to the original account team outlined in the RFP response or otherwise provided during the selection process. Any team member replacement(s) must be mutually agreed upon and changes deemed unacceptable by the Participating Institutions after award of the contract may result in termination of the agreement. 2-3 case studies of similar projects the bidder has done, highlighting the bidder s process and results. Ideally, these projects will come from clients similar to the Participating Institutions in one or more of the following ways: o higher education or public sector institutions o similar size of IT infrastructure o similar geographic footprint o similar duration and complexity of relationship Bidders shall provide all references including names, addresses, and appropriate contacts. References should represent institutions described in case studies if at all possible. Billing instructions This RFP is issued by Massachusetts College of Art and Design (MassArt) and the response should be sent to MassArt as indicated elsewhere in this document. However, the awarded vendor will be required to sign individual contracts with, and send individual invoices to, each of the two Participating Institutions. Awarded vendor will invoice each institution separately for work specific to a particular institution. For work common to both Participating Institutions, time and materials costs should be split in half and each half billed separately. For example, if in a given billing period 5 hours are devoted to MassArt work, 8 hours are devoted to FSU work, and 12 hours are devoted to work commonly benefiting both institutions, MassArt should be billed 5+(12/2) = 11 hours and FSU should be billed 8+(12/2) = 14 hours for that period. REQUEST FOR PROPOSAL TIMELINE Bid Issued May 1, 2013 Deadline to submit written questions May 10, 2013 Contract addendum issued answering questions May 15, 2013 Bid Deadline May 23, 2013 at 3:00 PM In-Person Finalist Interviews June 10-21, 2013 Anticipated Bid Award June 28, 2013

6 Contracts will begin upon contract documents execution and end on June 30, The participating institutions reserve the option to extend the contract for up to three additional one-year periods with the same terms and conditions. Any changes must be agreed upon in writing. The participating institutions, or awarded company, may terminate this Agreement with or without cause upon thirty (30) days written notice to the consultant/firm. If this Agreement is terminated the participating institutions shall have no further obligations other than payment for services already rendered and for expenses previously incurred. PROPOSAL DEADLINE Bid proposals are due by 3:00 pm on Thursday, May 23, Please send five copies, each with an original signature to: Jim McDaid, Director Administrative Services Massachusetts College of Art and Design 621 Huntington Avenue, Room 401 Boston, MA The cost of producing proposals shall be borne by the candidates. Any questions regarding the bid must be submitted in writing to by Friday, May 10, An RFP addendum will be issued by end of day, Wednesday, May 15, 2013 containing written responses to questions received. The participating institutions will not be able to address additional questions received after May 10, After a review of proposals, it is anticipated that two to three selected contractors/firms will be asked to campus for an in-person interview with participating institutions representatives. During the interview, the firm principal or account manager must be accompanied by the person(s) who will lead the participating institutions project. The interviews will take place June 10-21, 2013 and will last for approximately one hour. There will be no travel stipends or reimbursements for in person finalist interviews/presentations.