Ohio Public Employees Retirement System Request For Proposal


Ohio Public Employees Retirement System
Request for Proposal

For: Consulting Services
Date: November 2, 2021
Project Name: 2021 IT Penetration Testing

277 East Town Street
Columbus, Ohio 43215
1-800-222-PERS (7377)
www.opers.org

PLEASE NOTE: NO RESPONDENT SHALL ATTEMPT TO COMMUNICATE WITH OPERS CONCERNING THIS RFP IN ANY MANNER OTHER THAN AS SPECIFICALLY PROVIDED IN THE “RFP COMMUNICATION PROTOCOLS” SET FORTH IN ATTACHMENT 1 HERETO.

RESPONDENT SHALL INCLUDE A STATEMENT IN THE COVER LETTER TO ITS RESPONSE (SEE SECTION D.1.4) THAT IT UNDERSTANDS AND ACKNOWLEDGES THAT RESPONDENT SHALL NOT COMMUNICATE WITH OPERS CONCERNING THIS RFP IN ANY MANNER OTHER THAN AS SPECIFICALLY PROVIDED IN ATTACHMENT 1 HERETO.

Table of Contents

A. BACKGROUND
   1. Retirement Board
   2. Financial Information
B. OVERVIEW
C. SCOPE OF ENGAGEMENT
D. PROPOSAL CONTENT
   1. Cover Letter
   2. Questionnaire
   3. Understanding of Engagement
   4. Project/Work Plan
   5. Proposed Deliverables
   6. Vendor Personnel
   7. References
   8. Cost
   9. Sample Contract
   10. Additional Information
E. SELECTION CRITERIA
F. GENERAL TERMS AND CONDITIONS FOR SUBMITTING PROPOSALS
G. INSTRUCTIONS FOR SUBMITTING PROPOSALS
ATTACHMENT 1 – RFP COMMUNICATION PROTOCOLS

A. BACKGROUND

1. Retirement Board

In 1935, the Ohio Public Employees Retirement System (OPERS) began a tradition of providing excellent retirement benefits for state employees. With approximately 114.3 billion in net assets, OPERS provides retirement, disability, and survivor benefit programs for public employees throughout the state who are not covered by another state or local retirement system. OPERS serves over 1,184,000 members of approximately 3,700 public employers, including 216,000 retirees, disability recipients and surviving beneficiaries who receive monthly benefits.

2. Financial Information

The most recent OPERS Comprehensive Annual Financial Report is available on the OPERS website at: https://www.opers.org/financial/reports.shtml

B. OVERVIEW

OPERS is seeking proposals for services of a qualified firm to perform an IT penetration testing engagement. OPERS anticipates beginning services during the fourth quarter of 2021. The objectives of the engagement will be to:

1. Provide an independent assessment of the effectiveness of OPERS’ external and internal network security and its alignment with leading practices of system network security processes and procedures.
2. Identify any issues that affect the security of OPERS’ external and internal network.
3. Submit findings and recommendations in executive and technical level reports.

C. SCOPE OF ENGAGEMENT

The scope of the engagement will include the following:

1. Perform an external penetration test and port scan of OPERS’ network perimeter. This should include all public facing systems (web, email, FTP) with the exception of certain specified websites.
2. Perform internal penetration testing from the perspective of an attacker with internal access to the OPERS network. Initially this would be from an ethernet connection only. If no credentials are discovered, we would like to repeat with basic (“Domain Users”) authority only.
3. Perform a wireless LAN penetration test. There is one wireless controller and 3 SSIDs (employee, employee personal device, and guest – the latter 2 being primarily Internet access only).
4. Items out of scope will include:
   • Volumetric network-based DoS/DDoS attacks are not permitted; however, non-volumetric denial-of-service is allowed, i.e., disabling a web service, if possible on non-Production environments with the pre-approval of the CISO.
   • Attacks based on Social Engineering, except as further discussed in section D.3.3 of this RFP document.

Additional information regarding scope:

OPERS owns a full class C routable network which is not shared by others. Specific hosts and IP ranges will be provided to the vendor selected. It is expected the entire class “C” would be in scope unless otherwise restricted.

Non-intrusive testing (nothing that might cause interruption of services) can be done at any time. Testing against test IPs can be done at any time, including testing that could cause a denial of service. Testing that has more than marginal risk for disruption of services on production IPs needs to be scheduled during a pre-scheduled window, typically starting 6:00pm EST Saturday evenings through 7:00am EST Sunday mornings.

D. PROPOSAL CONTENT

At a minimum, the proposal must include the following information. For ease of review by OPERS, each requirement should be addressed in a separate section of the proposal, preceded by an index tab to identify the subject of the section. The proposal should be formatted on consecutively-numbered pages and include a table of contents. Proposals shall be limited to a maximum length of 30 pages for the main response and no more than 20 pages for additional appendices.

1. Cover Letter

The Vendor must include a cover letter, which will be considered an integral part of the proposal, in the form of a standard business letter, and must be signed by an individual who is authorized to bind the Vendor contractually. It must include:

1.1 A statement identifying the Vendor’s legal structure (e.g., an Ohio corporation), Federal tax identification number, and address of the principal place of business.
1.2 Vendor’s primary contact on this RFP, who has authority to answer questions regarding the proposal:
    1.2.1 Firm Name
    1.2.2 Contact’s Name
    1.2.3 Additional Contacts
    1.2.4 Contact’s Address
    1.2.5 Contact’s Phone and Facsimile Numbers
    1.2.6 Contact’s E-mail Address
1.3 A statement that the Vendor’s proposal meets all the requirements of this RFP.
1.4 A statement that the Vendor acknowledges and agrees that any communication with OPERS concerning this RFP shall be in compliance with Attachment 1, the “RFP Communications Protocols.”
1.5 A statement that the Vendor has not submitted its proposal with the assumption that there will be an opportunity to negotiate any aspect of its proposal.
1.6 A statement that the Vendor acknowledges that all documents submitted to OPERS pursuant to this RFP may be subject to disclosure by OPERS under Ohio’s Public Records Act (see Section F(1) of this RFP).

1.7 An acknowledgement that OPERS shall possess full ownership and all rights and interests, including copyright interests, in all deliverables (the “Project Deliverables”) under its contract with the Vendor, including in all software, documentation, and other project-related work, as applicable.
1.8 An acknowledgement that the Vendor will ensure that the Vendor’s subcontractors shall assign to OPERS all ownership, rights, and interests in any Project Deliverables.

2. Questionnaire

Please provide the following information:

2.1 Vendor’s United States office locations, identifying which location(s) will be assigned this project.
2.2 Vendor’s organizational structure, including subsidiary and affiliated companies, and joint venture relationships.
2.3 How many years has Vendor been in business?
2.4 Yes/No: Has Vendor undergone any material change in its structure or ownership within the last 18 months? If yes, please describe.
2.5 Yes/No: Is any material change in ownership or structure currently under review or being contemplated? If yes, please describe.
2.6 If available, please provide a report, study, or assessment of your company, prepared by an unbiased independent third-party source, concerning client satisfaction and measures of your firm’s strengths and weaknesses vis-à-vis your key competitors.
2.7 Please provide your most recent financial statements, including a statement of financial position, an annual income statement, and a balance sheet.
2.8 Please describe any material litigation to which your company is currently a party. In addition, please describe any material litigation that your company has been involved in over the last 3 years.
2.9 Please provide a list and describe litigation brought or threatened against your company by existing or former clients over the past 5 years.
2.10 Please describe any relationships that your company has with any potential or existing vendors of OPERS, including any potential fees or other remuneration your company may receive for recommending their products or services.
2.11 Please provide a description of your IT security program and certifications, especially any of the following, along with a copy of your most recent report for each applicable certification:
    2.11.1 SSAE 16 / 18 SOC 2 (including a Type 2 report utilizing the following trust principles: Security, Availability, Confidentiality, Processing Integrity, and Privacy) (preferred)
    2.11.2 CSA STAR
    2.11.3 ISO 27001

    2.11.4 ISAE 3402 (including a Type 2 report)
    2.11.5 Health Information Technology for Economic and Clinical Health Act (HITECH)
    2.11.6 FedRAMP
    2.11.7 Payment Card Industry Data Security Standard (PCI DSS)
    2.11.8 BS 10012

3. Understanding of Engagement

3.1 Please describe in detail your organization’s understanding of the services requested in this RFP by OPERS and describe the procedures and methods that will achieve the required outcomes.
    a. Please describe your methodology for vulnerability and manual penetration testing.
    b. Please identify commercial and/or custom tools that will be used during testing.
    c. Please explain how you limit the reporting of false positives.
    d. Please explain how you identify new classes of vulnerabilities and test for them.
3.2 Please list how many engagements you have completed in the past three years involving penetration and web application testing.
3.3 Please provide a supplementary test approach to review the organization’s susceptibility and vulnerability to social engineering attacks, excluding phishing. A separate not-to-exceed, fixed-cost price quote should be provided. This work will be considered as an optional addition to the Engagement Scope outlined in Section C. above.
3.4 Please describe any additional areas or processes not included in this RFP that you recommend examining in order to provide more complete services.
3.5 Please provide a narrative that supports why your company believes that it is qualified to undertake the proposed engagement.

4. Project/Work Plan (including timeline with details of hours)

The proposal should set forth a project plan for delivering the services and deliverables described in this RFP; further consideration should include:

4.1 An example of a project plan to assist in the execution of the project that is inclusive of a proposed timeline and anticipated hours to be incurred.
4.2 Prior to the start of the project, OPERS wishes to have a scoping meeting to confirm the final scope, rules of engagement, and tools to be used as part of the engagement.
4.3 Provide a description of how the Vendor will communicate with and/or make presentations to OPERS staff during the engagement. This would include both informal communication as well as formal kick-off and closing meetings. Note: It is our expectation that the Vendor should provide quick notification during penetration testing if critical vulnerabilities are discovered.

4.4 A description of the service management and quality control procedures to be utilized by the Vendor. These should identify and describe any anticipated potential problems, the Vendor’s approach to resolving these problems, and any special assistance that will be requested from OPERS.
4.5 Vendor should allow ample time to review all existing documentation pertaining to the services being procured.

5. Proposed Deliverables

With respect to engagement deliverables, please describe and provide sample documentation for the following:

5.1 Please provide an example of the format that would be used for communicating identified “trophies.” Please include illustrative information to demonstrate the information that would be included as part of this reporting.
5.2 Please provide a sample report from a previous penetration testing and/or web application testing engagement. Client name and any non-public sensitive information should be redacted. The report should include:
    (a) An Executive Summary Report which includes an overview of all testing results, including a summary of the scope and approach, risk, findings, and recommendations directed towards Senior Management.
    (b) A detailed Technical Report which includes:
        a. A deep dive into the testing methodology, strengths and weaknesses observed, a detailed findings matrix, associated risk ratings of each finding, technical recommendations, and appendices providing supporting documentation for each vulnerability identified.
        b. These reports must include “trophies” obtained, with any sensitive information (i.e., specific passwords, social security numbers, etc.) redacted. This would include a detailed step by step illustration of how the trophy was identified as well as specific remediation recommendations. These reports and findings should be delivered in draft form electronically.
    (c) The final report including management responses should be delivered electronically and in hard copy.
5.3 Please describe and provide examples of any other relevant deliverables associated with this project.

6. Vendor Personnel

6.1 For each individual that you propose to assign to this engagement, please provide a narrative with the following information:
    6.1.1 Employee name and title.
    6.1.2 Proposed position on this engagement (manager, supervisor, officer, etc.)
    6.1.3 The month and year that the employee began working for your organization.
    6.1.4 Employee work history.
    6.1.5 Relevant certifications and/or training

6.2 Vendor is required to provide all goods and perform all services requested by the RFP, and may not subcontract to provide such goods or services without the written consent of OPERS. For each of the Vendor’s potential subcontractors, please provide a narrative with the following information:
    6.2.1 The proposed subcontractor’s (firm) name and address.
    6.2.2 A brief description of the goods or services the subcontractor might provide.
    6.2.3 A statement that Vendor acknowledges and agrees that it will remain liable for the provision of any Goods supplied by and/or Services performed by such subcontractor.
6.3 Please describe your firm’s procedures in the event that a contact person assigned to this engagement leaves your firm during the term of the engagement.

7. References

7.1 Please provide the names, addresses and telephone numbers of five (5) current clients similar in size to OPERS.
7.2 Please provide the name and telephone number of a responsible official who may be contacted as a reference.
7.3 Please provide a summary description of the scope of work provided to the clients.

8. Cost

8.1 Please provide a not-to-exceed, fixed-cost price quote for this project, stating the total cost for the project, including any and all reimbursable expenses.
8.2 If applicable, provide a cost per hour for additional service work, or if hourly costs are not applicable, the fixed cost associated with each deliverable proposed in response to 3.2.
8.3 State whether Vendor will negotiate its proposed cost if OPERS decides negotiation is appropriate as to any aspect of the proposals, including the cost, with the finalist(s). In no case, however, will the negotiated cost be higher than the cost submitted by the Vendor in its proposal.

9. Sample Contract

Please provide a sample contract with your proposal for consideration if you are selected for this engagement, along with a copy of your certificate of insurance. The contract should reflect the specific scope and deliverables of this engagement as well as hourly fees for any potential work outside the scope of this engagement and response times.

10. Additional Information

The Vendor should provide any other information it believes relevant to the engagement.

E. SELECTION CRITERIA

Proposals will be evaluated, and OPERS will make any final decision to award the contract. During the evaluation process, OPERS management may, in its sole discretion, request any or all vendors to make oral presentations. Such presentations will provide Vendors with an opportunity to answer questions regarding the Vendor’s proposal. Not all Vendors may be asked to make such oral presentations.

Proposals will be evaluated based on the following criteria (each criterion may be weighted):

1. Understanding of the project & scope
2. Quality of project plan and approach
3. Proposed deliverables
4. Vendor qualifications
5. Individual qualifications of the assigned staff
6. Cost

After evaluation of the proposals, OPERS may determine a list of up to three (3) finalists, and may commence sequential negotiations on any aspects of the proposals OPERS deems appropriate, beginning with the highest-scoring finalist. If OPERS does not reach agreement with the highest-scoring finalist within seven (7) calendar days, or if in the opinion of OPERS negotiations with that finalist reach an impasse, OPERS may decide not to award the contract or may begin negotiations with the second-highest scoring finalist. OPERS may choose to continue such negotiations with subsequent finalists on the same basis until a contract is negotiated, no other finalists remain, or OPERS decides not to award the contract pursuant to this RFP.

F. GENERAL TERMS AND CONDITIONS FOR SUBMITTING PROPOSALS

1. Vendor acknowledges that OPERS is subject to the Ohio Public Records Act, and the documents submitted pursuant to this RFP may be subject to a public records request. Accordingly, Vendor should submit, along with its response to this RFP, a copy of its response in which any information that is trade secret or is otherwise exempt from disclosure under the Ohio Public Records Act is redacted, along with a reference to the statutory basis upon which Vendor is relying for the redaction. For example, the Ohio Public Records Act is ORC Section 149.43 and allows protection of trade secret information as set forth in ORC 1333.61(D) or any federal statutes that might apply. If a request for records is made that includes information Vendor has submitted pursuant to this RFP, OPERS will provide the requestor with the redacted version of Vendor’s response provided pursuant to this section. If the position taken by Vendor in its redactions hereunder results in OPERS suffering any damages, fees or other losses of any kind, Vendor shall indemnify OPERS for such losses. If no documents or materials are identified and marked by Vendor as confidential, Vendor will be deemed to have consented to the release of the document or material, and to have waived any cause of action against OPERS resulting from the release of the documents or materials.

2. Regardless of cause, late proposals, in whole or in part, will not be accepted by OPERS and will automatically be disqualified from further consideration. It shall be the Vendor’s sole risk to ensure delivery of its proposal at the designated office by the designated time. Late proposals will not be opened and may be returned to the Vendor at the expense of the Vendor or destroyed by OPERS.

3. OPERS reserves the right, in its sole discretion, to reject any or all proposals submitted, and to waive as to any Vendor or as to all Vendors, any informality or irregularity in a proposal or proposals or any failure to conform to the instructions in this RFP.

4. OPERS reserves the right to modify any dates stated in this RFP at its sole discretion and accepts no liability to the extent the actual schedule differs from the dates set forth herein. In the event a change is made to the RFP Schedule, a revised schedule will be posted on the OPERS website.

5. This Request for Proposal is not a contract, is not intended to serve as a contract, and does not constitute a promise to enter into a contract.

6. OPERS shall not have any responsibility or liability whatsoever with respect to any costs incurred by any Vendor in preparing a proposal or responding to this RFP.

7. OPERS does not make any representation or warranty regarding the accuracy or completeness of any information contained in this RFP, its Attachments, or any statements made by representatives of OPERS during the RFP process. Each Vendor is responsible for making its own evaluation of the information and data contained in this RFP and in preparing and submitting responses to this RFP. OPERS’ issuance of this RFP and receipt of information in response to this RFP will not, in any way, cause OPERS to incur any liability (whether contractual, financial, or otherwise) to any Vendor participating in the RFP process.

8. All documents, proposals and other materials submitted in response to this RFP will become the property of OPERS and will not be returned to Vendor.

9. Vendor agrees to comply with all terms, conditions and requirements described in this RFP. Any failure by any responding Vendor to so comply shall be grounds for rejection of that Vendor’s proposal, as determined by OPERS in its sole discretion.

10. If a contract between OPERS and Vendor results from this RFP, neither the successful responding Vendor, nor anyone on its behalf (including its agents, affiliates, subcontractors, and/or vendors), shall publish, distribute or otherwise disseminate any press release, advertising, and/or publicity matter of any type or kind (collectively “Advertising Material”) having any reference to OPERS, this RFP, or the resulting contract, unless and until such Advertising Material first shall have been submitted to and approved in writing by OPERS.

G. INSTRUCTIONS FOR SUBMITTING PROPOSALS

1. Please provide four (4) hard copies (including one (1) redacted copy for public records requests as described in Section F.1 of this RFP) and two (2) electronic copies via email (including one (1) redacted copy for public records requests as described in Section F.1 of this RFP) of your proposal by 2:00 pm Eastern Time, on November 24, 2021 to:

   Nicole Parsell
   Procurement Agent
   Ohio Public Employees Retirement System
   277 East Town Street
   Columbus, OH 43215-4642
   nparsell@opers.org

   Please note that certain submissions made via email may be blocked due to file size limitations on either Vendor’s or OPERS’ email servers. Please submit your proposals with enough time in advance of the deadline to ensure the transmission goes through in its entirety, and to re-submit by the deadline if necessary. If submissions are not received by OPERS by the deadline for whatever reason, including due to non-transmittal due to size limitations, they will be rejected.

2. Questions concerning this Request for Proposal must be submitted via e-mail to nparsell@opers.org. The question and answer period will be from November 3 - 10. Questions must be submitted no later than 4:00 PM ET on November 10th. Questions and answers will be posted on the OPERS website.

3. All communications with OPERS concerning this Request for Proposal must be conducted in compliance with Attachment 1, “RFP Communication Protocols” attached hereto.

4. This Request for Proposal is issued on November 2, 2021. OPERS reserves the right, in its sole discretion, to amend or cancel this RFP.

ATTACHMENT 1: Communication Protocols for Communications Between RFP Vendors and OPERS

This RFP includes and imposes certain restrictions on communications between OPERS and vendors responding to the RFP (“Vendors”).

Vendors are restricted from communicating with OPERS in any manner, whether oral, written, electronic or otherwise, that a reasonable person would infer constitutes an attempt to unduly influence the award, denial, or amendment of a contract, from the time this RFP is issued through the final award and approval of the contract or termination of this RFP. Any communications with OPERS in violation of this Attachment 1 may result in immediate disqualification of such Vendor.

The following communications channels are permissible for Vendors to communicate with OPERS to ensure that no violations of these Communication Protocols occur:

• Question and Answer Period: See Section G.2 of the RFP.

• Supplemental Questions: OPERS may, after an RFP has been posted, post to the OPERS website supplemental RFP questions for Vendors to answer. If such supplemental questions are posted by OPERS, Vendors shall respond to such questions according to the instructions included with the supplemental questions.

• Additional Information: OPERS may, but is not obligated to, request additional information and materials from any Vendor for evaluation of its proposal. Information submitted by a Vendor absent a request by OPERS that is not in the nature of a correction or clarification to the proposal will not be considered. A Vendor must immediately notify OPERS if any information in a proposal becomes invalid or untrue prior to the completion of the RFP process. OPERS may disqualify a Vendor from further consideration if the Vendor fails to immediately notify OPERS of invalid or untrue information, or fails to respond to OPERS’ request for additional information and materials. OPERS shall have no obligation to inform any Vendor of any deficiency in its proposal.
