Response to Questions CML 15-018 Managed Information Security




1. What are the most critical aspects that need to be provided for this RFP, in light of the comment that multiple awards might be provided?
The Library is seeking proposals from firms which can provide security consulting / practice development and/or managed security services. Multiple awards could be provided if the Library feels this is the most advantageous approach.

2. What are the decision criteria and weighting criteria being used for this RFP?
Please see page 7 of the Managed Information Security Services RFP:
- Quality and comprehensiveness of the proposal.
- Quality of the proposed solution.
- Stability and viability of the product and Offeror.
- Offeror's experience on projects of similar scope.
- Input from reference contacts.

3. Do you want the partner to implement Office 365 as part of this contract?
No. We are currently an O365 customer.

4. What is the total number of IT staff who are currently managing the Network and Security operations of the Library?
2

5. How long does the library take to identify and validate a security incident from false positives?
This varies based on incident. We believe an Infosec partner could help us in the areas of threat intelligence, incident management, and incident response.

6. How many people and man hours are typically spent in remediating a valid IT Security Incident (infection of machine, etc.)?
This varies based on incident. We believe an Infosec partner could help us in the areas of threat intelligence, incident management, and incident response.

7. Please provide us data points / feedback on internal gap analyses performed regarding the IT Security / Risk Management / Compliance posture of the library that will allow us to understand your current maturity model from a people / process / technology perspective.
We will provide information related to prior assessments once a partner is selected.

8. Can we be provided a copy of the IT Strategic plan to help formulate a response?
No, this information will be provided once a partner is selected.

9. Does the library have a written IT Security policy in place? Please provide a copy for review if possible.
Yes. The Library may seek input and guidance on policy, procedure, and practice creation to develop a more formalized security program.

10. Does the library currently use any threat intelligence data feeds as part of the security operations? What are the sources of the threat intelligence (name, vendor, etc.)?
The Library leverages threat intelligence today through various mediums. In the future the Library envisions having a partner as a primary go-to to fill this need.

11. How often does the library desire to have penetration testing performed?
Annually

12. What cloud services are you using and what are the planned cloud services over the next 3-5 years? Example (O365, Amazon, Box, Dropbox, etc.)
The Library is currently using O365. The Library is evaluating IaaS options and our assessment of cloud based services and applications is ongoing.

13. What are the current IT Security technologies deployed and the applicable version running of the solution (for desktop and laptop, servers, email filtering and security, web application firewalls, firewalls, network IDS / IPS, advanced threat solutions, web filtering solutions)?
The Library has standard Information Security technology in place including firewall, antivirus, web filtering, malware protection, and log/event management.

14. Does the library want to deploy new IT Security technology solutions for the differing platforms: Desktops, Servers, Mobile Devices?
We are open to further discussions and receiving proposals for replacement.

15. Does the library have a vulnerability scanning tool? What is the platform / vendor and current release of the version running?
No. Scans are performed on an as needed basis through a MSSP.

16. How often does the vulnerability scanning currently take place for the library?
It is performed on an as needed basis through a MSSP.

17. How long does it take to remediate findings of vulnerabilities?
This varies based on vulnerability.

18. What are your storage length requirements, from a time aspect, for log management and compliance purposes? (90 days for logs, for example? 1 year for PCI compliance data, for example?)
We will be looking for recommendations from our selected partner to ensure we are in compliance.

19. What is your current log management solution?
The Library is using SolarWinds Log and Event Manager. The Library is seeking recommendations as part of this engagement.

20. Do you currently have a SIEM, Security Event Identification Management Solution, in production? What is the platform and release information?
The Library is using SolarWinds Log and Event Manager.

21. How many total IP addresses (physical and virtual IPs) does the library have for their network and systems?
We have approximately 200 virtual servers. We have approximately 300 IP addresses allocated to network devices including WAPs.

22. What is the expected growth rate for IP addresses for the library over the next 3-5 years? (Best estimate)
Approximately 10% per year.

23. Per each library location, please provide the numbers for total servers and desktops / laptops.
Each location has 1 branch server which supports public computing technologies. Approximately 90 end user devices per location.

24. How many total desktops, laptops, and tablet computers are under library management? What are the current Security solutions deployed to these devices? What is the current version of the Security solution in production?
Approximately 1,800. Antivirus, web filtering, malware protection.

25. Is a Security tool platform change in scope for this RFP?
We are open to further discussions and receiving proposals for replacement.

26. How many total server operating systems are deployed at the library and what are their operating systems and release level? What are the current Security solutions deployed to these server assets? What is the current version of the Security solution deployed to server assets?
The Library runs a mix of Windows and Linux. Additional details will be provided once a partner is selected.

27. How many servers are virtualized versus physical servers? What are the virtualization technologies deployed for servers and desktops? What vendor version and software release are running for the virtualization platform(s)? What is the management platform in use?
The Library is 95% virtualized. The Library uses VMware ESX for server virtualization.

28. Please describe your network topology and provide a network diagram denoting ingress and egress points of internet traffic. How many total egress points? How many total ingress points?
Please see page 3 of the RFP. Additional details will be provided once a partner is selected.

29. What aspects of your network design represent the biggest concern or risk to the library?

30. Who are your internet and telecom vendors?
OPLIN, TWC, XO

31. What is the total number of routers deployed? What are the vendor model numbers and software releases running? Please denote each distinct active / active and active / passive pair cluster deployed. How many active / active pairs? How many active / passive pairs? What is the management platform in use?
Approximately 25.

32. What is the total number of switches you have deployed? What are the vendor model numbers and software releases running? Please denote each distinct active / active and active / passive pair cluster deployed. How many active / active pairs? How many active / passive pairs? What is the management platform in use?
Approximately 80.

33. What are the total number(s) of firewalls and / or UTM devices deployed? What are the vendor model numbers and software releases running on your firewalls and / or UTM devices? Please denote each distinct active / active and active / passive pair cluster deployed. How many active / active pairs? How many active / passive pairs? What is the management platform in use?

34. What is the total number of network based IDS and IPS systems deployed?

35. What behavioral analysis tools are deployed within the network? Please provide vendor platform information and the software release deployed in production. Please denote each VPN device active / active and active / passive pair cluster deployed. What is the management platform in use?

36. What type of VPN solution do you have deployed and in production? Please denote the platform / vendor and software release running in production. What is the management platform in use?

37. What is your web filtering platform? What are the vendor model numbers and software releases running? Please denote each active / active and active / passive pair cluster deployed. How many active / active pairs? How many active / passive pairs? What is the management platform in use?
OpenDNS.

38. Do you deploy a web proxy / gateway solution?

39. Do you have a web application firewall solution deployed?

40. Do you have a host-based intrusion detection / intrusion prevention solution deployed to endpoint servers, desktops, laptops?

41. What is your endpoint security platform deployed on servers, desktops, laptops, and mobile devices?

42. What are your mission critical applications and the server operating systems they run on? Please list and describe.
i. Financial application
ii. Web server environment
iii. Staff Intranet
iv. Public computing / print management
v. ADFS/DirSync

43. What are your mission critical services and their underlying operating systems?
AD, file, print, DHCP, DNS; 2008, 2012

44. Please list all server operating systems deployed.
The Library runs a mix of Windows and Linux. Additional details will be provided once a partner is selected.

45. Please list all desktop / laptop / tablet operating systems deployed. What is the total count of these systems?
Windows 7 (1500), 8 (300)

46. What database platforms and releases have you deployed?
SQL Server, MySQL

47. Do you have in production any advanced anti-malware such as FireEye, Palo Alto, or Symantec ATP platforms?

48. Please provide information on whether load balancers are deployed and the platform and software release running.

49. Are you using netflow collectors?

50. Please provide any key contextual details and additional information that will help us understand your key objectives for your Managed Security Services.
Please see pages 3-5 of the RFP.

51. We need the number of external IPs currently being utilized at Columbus Metropolitan Library. Thank you in advance for your timely response.
Approximately 40.

52. First, can you clarify the goal of the security consulting work?
The goal of the security consulting work is to work with a chosen partner who will support the Library to enhance its IT security posture as well as reduce Information Security risk. We see this happening through general advising, policy and procedure development, threat intelligence, and incident management and response.
Is it meant specifically to identify gaps in the program that will impede the managed services transition?
No, this should be performed as a discovery function as part of a managed services proposal.
Or is it meant to help shore up additional security program elements that will remain a responsibility of Library staff?
Yes. The consulting partnership will help to enhance security program elements that will remain a responsibility of the Library.

53. Are you looking to add outside resources to assist in developing and operating the security program?
Not outside of the selected partner(s) recommendations or resources.

54. Can you also give us a better understanding of the current program and its major components? You list it as "security practices" in Appendix A; can you list those out for us to better understand your intent?
This includes governance, incident response, policies, procedures, and standards. The Library has standard Information Security technology in place including firewall, antivirus, web filtering, malware protection, and log/event management.

55. What drives the program today? What compliance initiatives are you concerned about?
Compliance and organizational risk drive the program today.

56. If already developed, what security framework are you following (ISO, NIST, etc.)?
The Library is seeking recommendations as part of this engagement.

57. How many full time IT security resources are there and what are their responsibilities?
IT security is a duty that all technical staff are responsible for. We do not have an FTE 100% focused on Information Security.

58. Can you give us a list of policies, procedures, and standards that are already in existence?
No. This will be shared once a partner is selected.

59. Do you leverage threat intelligence already today? In what forms do you take in threat intelligence? If so, in what capacity/tools? How are you envisioning it in the future?
The Library leverages threat intelligence today through various mediums. In the future the Library envisions having a partner as a primary go-to to fill this need.

60. Generally speaking, what type of incidents do you experience? Are these generic issues such as malware infection and cleanup? Or are they insider or outsider threat type of issues?
Recent events include malware, virus, and phishing attempts.

61. Appendix A Section 1 seems to imply that you are looking for someone to assess the library and its overall practice, provide guidance to the program through a set of projects, and reassess as deemed appropriate. Much of this falls into the category of security management. Who would the outsourcer be advising through this series of practice improvements?
Advising would be delivered to various stakeholders including, but not limited to, the project team, the Library's Strategic Planning Team, and/or the Library's Board of Trustees.

62. Is this feeding your own risk management practices? Do you follow a specific risk management framework and if so, which one?
Yes. More details about the Library's risk management will be shared once a partner is selected.

63. What is your expectation for the scanning activities? Can you give an estimate of the frequency and scope of the following types of scans?
External vulnerability scan - Annually
Internal network vulnerability scan - Quarterly
Network penetration testing - Annually
Web application assessment - Annually

64. What type of output are you expecting? Something online? Automated and formatted data from the scan? Or are you looking for analysis from security consultants and a tailored/custom report for each?
Not all reports would need to be tailored / customized. As long as the output can be downloaded / exported we are open to various mediums.

65. Can you please elaborate on the technical specifications around the IaaS scenario that you are trying to describe (i.e. what type of network resources and operations would you foresee moving to an IaaS environment)?
The Library is currently investigating IaaS solutions. In the future, the Library may move its virtual server infrastructure to an IaaS provider.

66. Are you looking for a single provider to cover all aspects?
The Library is seeking proposals from firms which can provide security consulting / practice development and/or managed security services. Multiple awards could be provided if the Library feels this is the most advantageous approach.

67. What is the initial term for this contract if selected?
The contract term will be discussed once a partner is selected. Appendix B of the RFP states pricing for a 12 month period should be provided.

68. Are you expecting to award this contract in phases, for example the security consulting/development phase would be selected first and then, based on how the findings from that project turn out, the managed services part of the project would be phase 2, etc.? Can you provide more guidance here?
The Library will move forward with an approach that is deemed most advantageous based on the responses received.

69. Are all Services Centralized for the 25 locations?
Yes.

70. Can you provide an overview of your current IT architecture: firewall, network devices, IPS/IDS, wireless, etc.? What requirements will the old architecture place on this bid and the associated services to be delivered?
Please see page 3 of the RFP. Additional details will be provided once a partner is selected.

71. What services are you referencing here: "This partner would provide implementation resources that would work closely with the Library infrastructure resources"? Are the Services to be part of the contract?
The Library is stating that if there will be implementation work as part of the proposed solution, the Library would expect partner resources to work with Library resources to implement the solution. Services should be detailed in the proposal.

72. If there are 25 locations as stated on Page 3, lower on the Page it says there are 22 Branch locations. If the Operations Center is the 23rd, what are the other two?
The other locations support administrative functions. The Library currently has 22 branch locations.

73. Is the Cisco Wireless Meraki?
No.

74. How old is the Cisco Network Infrastructure Equipment? If the plan was first put together in 2003, this would (most likely) infer that the infrastructure needs to be updated. Is the design and architecture to be handled outside the RFP Information Security Consulting?
The Cisco Infrastructure equipment is 4-6 years old. None of the Library's network infrastructure is EOL.

75. Do you currently have policies and procedures that the winning bidder will maintain and update, and will the winning bidder create new policies?
Yes. The Library may seek input and guidance on policy, procedure, and practice creation and updates.

76. Do you currently have an incident management and response plan? Will the winning bidder be responsible for maintaining, updating, and keeping it current?
Yes. The Library may seek input and guidance on maintaining and updating its incident management and response plan.

77. Are you using any log management application currently?
SolarWinds Log and Event Manager.

78. What products are being used under Desktop and Server Protection?
Antivirus, malware protection, and Web filtering.

79. Page 5, "the contractor shall complete a discovery phase to capture the current state of their infrastructure": is this billable?
Service rates and charges shall be all inclusive.

80. What does MBE/DBE/WBE stand for (page 5)? I assume Minority/Disabilities/Women?
Minority Business Enterprise, Disadvantaged Business Enterprise, Women Business Enterprise

81. On-going/regular vulnerability scanning: what is the goal for performing this service?
To mitigate risk and meet compliance standards.

82. Database security: what does that mean?
Ensuring security controls to protect databases are in place.

83. What is your current definition of penetration scanning, for example authenticated versus non-authenticated scanning?
The Library would be seeking recommendations from the selected partner as to which level of penetration scan should be performed.

84. Page 10, what is your definition of persistent default (can you provide some examples)?
Contractor repeatedly misses deadlines. Contractor fails repeatedly to meet requirements of the contract. Repeated breaches by contractor of agreed-to terms and conditions.

85. If selected, when do you want to start this effort?
ASAP once a partner is selected and a contract is in place.

86. There was no specific discussion on SLAs anywhere; do you have any specifics in mind here?
Please provide your capabilities in your response.

Goal of the Engagement:

87. Clarify: what do "Security Services" and "Highly Secure" mean to CML (setting our expectations)?
Security Services are to include points 1-6 on page 4. Highly secure means working with a partner to help ensure CML is meeting compliance standards and cost effectively developing and delivering an Information Security program to meet the needs of the organization while mitigating risk.

88. We expect that there are publicly usable Internet workstations, but are there other services and applications in scope (i.e. Online catalog, e-library, fee collection that may fall under PCI-DSS requirements, etc.)?
Yes.

89. Is there currently an existing security program and staff, or are security responsibilities loosely defined and security operations best effort?
The Library may seek input and guidance on policy, procedure, and practice creation to develop a more formalized security program. IT security is a duty that all technical staff are responsible for. We do not have an FTE 100% focused on Information Security.

90. Is there a manager who has or will assume responsibility for information security oversight?
Yes

91. Have there been any prior assessments within the past 3-5 years, and will those reports be provided?
Yes. Those reports can be provided once a partner is selected.

92. Could we obtain a Network Diagram?
No. Please see page 3 of the RFP.

Security Consulting / Practice Development

93. Is there an existing security program and/or existing policies or procedures that provide some guidance?
Yes, there are. The Library may seek input and guidance on policy, procedure, and practice creation to develop a more formalized security program.

94. Is there a particular program/control framework they have familiarity with (ISO, NIST, etc.)?
The Library is seeking recommendations as part of this engagement.

95. How many and what type of publicly-facing services are in scope?
Primarily web and authentication services.

96. Are there any system interconnections to other libraries or external entities/partners that would need to be considered?
Yes

97. Log Management under Security Monitoring is called out, but there is no reference to the Log Management system being used. Can we please be provided with additional information around the Log Management platform (Model, Version, etc.)?
The Library is using SolarWinds Log and Event Manager. The Library is seeking recommendations as part of this engagement.

98. In the section for Desktop and Server Protection, Database Security is referenced. Can we better understand the infrastructure housing the database? Would this already be what the customer called out to us as a critical server?
The Library primarily uses Microsoft SQL Server and MySQL.

99. For Vulnerability Scanning, can you verify the number of internal and external IP addresses you would like to have vulnerability scanning done for? (Most enterprises will have critical servers and network infrastructure devices included in this scanning.)
External: 40. Internal: 200.

100. For Vulnerability Scanning, if we place one scanner will we be able to scan all internal address space in scope for this RFP?
Yes

101. For the internal scanner appliance, would you prefer a physical appliance or a virtual appliance? (The virtual appliance runs on VMware, Oracle VirtualBox, Citrix XenServer, and Microsoft Hyper-V.)
Physical appliance if not cost prohibitive.

102. For pen testing, we often utilize a sampling methodology to help an organization complete a cost effective penetration test of their environment. For example, if 100 web servers are all running Windows 2008R2 with IIS 7.0, the same vulnerabilities will likely be detected on all servers running the same software. By utilizing sampling, we can assess a smaller number of hosts and reduce the time and cost to the organization. With this knowledge, consider approximately how many live, "unique" hosts would be in scope for the penetration test to answer the next two questions.
Total number of unique internal servers / IP addresses in scope for penetration testing?
i. 150
Total number of unique externally reachable servers / IP addresses in scope for penetration testing?
i. 30