Request for Proposals (“RFP”)
For Network Security Audit and Vulnerability Assessment

Issued by the Department of Finance, Information Technology and Services Division

Schedule of Critical Dates:

1. October 4, 2019 - RFP Published on City website
2. October 11, 2019 - Pre-Proposal Conference
3. October 18, 2019 - Last Day to Submit Questions
4. October 23, 2019 - Publish RFP Addendum
5. October 31, 2019 - Proposal Submission Deadline

LATE PROPOSALS WILL NOT BE ACCEPTED

Page 1 of 58

Pre-Proposal Conference

A pre-proposal conference will be held at the Division of Information Technology & Services, 205 St. Clair, Cleveland, 44113, Rm 306, on Friday, October 11th, 2019 at 10:00 AM EST. Interested parties may ask questions or seek clarification pertaining to this RFP and the services desired. For security reasons, those planning to attend the pre-proposal conference must register by email to thayes@clevelandohio.gov or by phone at 216-664-7015. When registering, it will be necessary to provide the names of all attendees. Interested parties also have the option of participating via teleconference. Details of the teleconference session will be sent to all registered attendees.

Addendum to the RFP

The last day for submission of questions with regards to the RFP is Friday, October 18th, 2019, at 5:00 PM EST. An addendum to the RFP will be published on the City’s website on Wednesday, October 23rd, 2019.

Submitting Proposals

Each firm must submit two (2) complete copies of their technical proposal and fee proposal in hard copy, and a copy of the technical and fee proposal on a DVD or Flash Drive, to the undersigned no later than 5:00 p.m. EST on Thursday, October 31st, 2019. No proposals will be accepted after that date and time unless the City extends the deadline by a written addendum.

The technical and fee proposals should be packaged in separate sealed envelopes, marked appropriately on the outside and, if possible, enclosed in one package. These may be mailed or delivered to the address below and must be clearly identified on the outside of the envelope(s) as:

Proposal: Network Security Audit and Vulnerability Assessment
City of Cleveland
Division of Information Technology & Services
Attn: Tiearra Hayes, Project Manager
205 W. St. Clair, 4th Flr., Cleveland, OH 44113

The City reserves the right to reject any or all proposals or portions of them, to waive irregularities, informalities, and technicalities, to re-issue or to proceed to obtain the service(s) desired otherwise, at any time or in any manner considered, in the sole discretion of the City, to be in the City’s best interests. The City may modify or amend any provision of this notice or the RFP at any time.

Contents

I. Introduction and Overview ........ 5
II. Scope of Network Security Audit and Vulnerability Assessment Services ........ 7
III. General Guidelines ........ 15
IV. Qualifications for Proposal ........ 18
V. Proposal Content ........ 20
VI. Proposal Evaluation and Vendor Selection ........ 24
VII. The City’s Rights and Requirements ........ 28
VIII. Agreement Process ........ 33
IX. Terms and Conditions ........ 36
X. Equal Opportunity Requirements ........ 42
XI. Attachments ........ 46

I. Introduction and Overview

Introduction

The City of Cleveland (City), Information Technology Services, is soliciting proposals from qualified service providers with industry experience sufficient to perform an in-depth Network Security Audit and Vulnerability Assessment of the IT infrastructure, network, and applications in the City of Cleveland. The firm employed under the contract will supplement the regularly employed staff of the departments under General Funds and Enterprise Funds, which consist of Port Control and Public Utilities. Following the specifications outlined in this document, deliverables from the assessment must include comprehensive documentation of any non-compliant network vulnerabilities; a risk analysis listing the priority of each risk or vulnerability identified (i.e., high/med/low); and a roadmap document outlining technologies and best practices that the City should focus on to improve its security model. The result of this procurement process will be the award of one or more contracts to one or more Consultants for the services described herein.

Background

Overview

The City of Cleveland is issuing this request for proposal to perform a citywide Network Security Audit and Vulnerability Assessment to identify vulnerabilities, analyze and determine their potential impact, and establish benchmarks for remediation and improvement of the City’s operations, internal controls, and current policies and procedures. The selected vendor is expected to perform these services in four separate network environments (Public Safety, Utilities, Port Control, and General Fund). The IT services provided within these domains include but are not limited to: IT operations planning and management, application services deployment, network infrastructure, and data storage. Other services include management of telecommunications; wired, wireless, and Wi-Fi services across all City departments; and helpdesk support services.

Task-Based Project Execution for Support Services

Each work activity requested by the City under this contract will be considered a task. These tasks will vary in length from short-term specific projects/initiatives to long-term managed support services that may span the length of the contract. Tasks may be either for a consultant to execute a defined scope of work or may be a request for resources to augment the existing City staff.

Due to the nature of these work tasks, it is expected that the selected Consultant may need to acquire the services of sub-consultants specializing in various disciplines to complete the Contract Tasks. A list of possible services is included in Section II, Scope of Services.

The Consultant shall provide experienced staff to fulfill the service requirements and to produce the required deliverables.

Activities for all tasks shall be coordinated by the Consultant with the City’s designated Information Technology & Services Program Manager. Tasks will be released by the City as required. The procedure for release of tasks to the Consultant is described in Section III, General Guidelines.

II. Scope of Network Security Audit and Vulnerability Assessment Services

Scope of Services

This list of possible services is intended to provide a general overview of the work to be performed under this contract. The scope may include all disciplines and the work products developed by these disciplines, whether identified or not.

1. Vulnerability Assessment, including but not limited to:
- Internal Network
- External Network
- Wireless Network
- Physical Access Controls
- Remote Access/External Partners
- Social Engineering
- Internet Usage
- Host-Based Security
- Virus Protection
- Logon Security
- Payment Card Industry (“PCI”) Data Security Standard (“DSS”) Compliance Assessment
- Remittance Data (channels managing invoice and payment process)
- Advantage Architecture
- GAAP Assessment

2. Penetration Testing, including but not limited to:
- Internal Network
- Web Security
- Inbound and Outbound Remote Access Strategy
- Intrusion Detection - Varonis
- SIEM Product (Security Information Event Management)
- USB Lockdown

3. Network Security Audit, including but not limited to:
- Device and Platform Identification
- Domain Name System (“DNS”) Security Configuration Audit
- Server Security Configuration Audit
- Employee Training and Social Engineering Threat Prevention Audit
- Security Policies and Procedures Review
- Backup Disaster and Recovery Audit
- Third-Party On-Site Security Audit
- Security Incident Response Contract Audit

4. Connections to External Partners

Detailed Scope of Services

Vulnerability Assessment Services

- Internal Network
All internal corporate systems, to include workstations, servers, switching/routing infrastructure, virtualization and storage infrastructure, and other connected IT devices, including all Demilitarized Zone (DMZ) systems and the flow controls from external to internal systems.

- External Network
All external public-facing systems, to include firewalls, load balancers, web servers, FTP servers, and web service interface points.

- Wireless Network
All wireless systems, to include internal touchpoints from all SSIDs, broadcast or hidden, as well as encryption levels.

- Physical Access Controls
Determine if the current physical security is adequate by conducting physical access assessments.

- Remote Access/External Partners
Assess remote access and the security of network connections and data traffic to and from external partners.

- Social Engineering
Perform social engineering procedures to verify the existence and effectiveness of procedural controls to prevent unauthorized physical and electronic access to the City’s IT network.

- Internet Usage
Assess URL/web filtering and access restrictions.

- Host-Based Security
Assess the security of critical systems at the operating system and database layers and the associated identity and access management controls.

- Virus Protection
Evaluate the facility used to prevent the impact of viruses. Perform a threat assessment to identify vulnerabilities.

- Logon Security
Evaluate password policies. Review current logon auditing practices. Examine current practices and identify any potential weaknesses. Provide input on an action plan to deal with problems. Perform a threat assessment to identify vulnerabilities.

- PCI DSS Compliance Assessment
This service includes an assessment of the City’s cardholder data environment for compliance with the PCI DSS, including the people, processes, and technology that store, process, or transmit cardholder data or sensitive authentication data.

- Remittance Data (channels managing invoice and payment process)
This service includes an assessment of the City’s invoice and payment processing environment, including the people, processes, and technology that store, process, or transmit invoices and billing data.

- Advantage Architecture
This service includes an assessment of the City’s IT environment protection.

- GAAP Assessment
This service includes an assessment of the City’s standards, conventions, and rules that accountants follow in recording and summarizing, and in the preparation of financial statements.

Vulnerability Assessment Services Deliverables

The vendor will provide the City of Cleveland with a detailed report on the assessment, the vulnerabilities discovered, and recommendations.
- Highlight successes and identify gaps
- Identify security/privacy risks in current practices, inclusive of:
  - Policy/Process/Procedures
  - Tools, Methods, Implementation
  - Operations
- Develop detailed recommendations to close gaps, which include:
  - Recommended mitigation solutions
  - Estimated budget requirement range for mitigation deployment and ongoing support
  - Estimated deployment timelines

Penetration Test Services

- Internal Network
Perform non-volatile exploit procedures designed to determine how well security systems can withstand up-to-date malicious exploits launched via the internet and internal network connections.

- Web Security
All wireless systems, to include internal touchpoints from all SSIDs, broadcast or hidden, as well as encryption levels. Testing will attempt to compromise networks and operating systems to identify vulnerabilities in the system.

- Inbound and Outbound Remote Access Strategy
Evaluate the administration of remote access, both inbound and outbound. Review the implications, protocols, and procedures associated with the level of access that has been granted to authorized users. Examine security issues in remote data transfer and the extent of network access available remotely. Perform a threat assessment to identify vulnerabilities with existing remote access.

- Intrusion Detection - Varonis Protection
Evaluate the built-in host intrusion detection (HIDS) and network intrusion detection (NIDS), as well as cloud intrusion detection for the City’s public cloud environments.

- SIEM Product - Security Information Event Management
Evaluate the real-time analysis of security alerts generated by the City’s applications and network hardware.

- USB Lockdown
Evaluate unauthorized device detection for security incidents.

Penetration Test Services Deliverables

The vendor will provide the City of Cleveland with a detailed report on the testing and attack scenarios used, the test result log, and any interruptions.

Network Security Audit Services

- Device and Platform Identification
This service identifies all network assets and operating systems.

- Domain Name System Security Configuration Audit
This service includes an evaluation of DNS servers for the following:
  - Verification that the guidelines within the DNS Security Requirements Guide (“SRG”) and the DNS Policy Security Technical Implementation Guide (STIG) are followed.
  - Evaluation of systems to ensure compliance with applicable standards and to determine if the environment is protected against known threats and current attack vectors.
  - Audit of DNS vulnerabilities, including cache poisoning, DNS amplification, open resolvers, etc.

- Server Security Configuration Audit
This service includes an audit of server configurations against industry best practices and applicable security standards.

- Employee Training and Social Engineering Threat Prevention Audit
This service includes an evaluation of existing training materials applicable to security policies and procedures, to ensure employees are trained in and compliant with the necessary tools to prevent non-technical attacks, which often involve deceiving employees into breaking standard security procedures.

- Security Policies and Procedures Audit
Audit the current state of security policies and standards and benchmark them against business needs and commonly accepted industry standards, to enhance the current policy set where there are gaps relative to the common standards. Build new policies to match where existing controls are in place, and make recommendations for additional policies that may be needed.

- Backup Disaster and Recovery Audit
  - Evaluate documented processes and procedures for ITS Disaster Preparedness Compliance to ensure the continuance of key business functions in the event of a disruption.
  - Ascertain the existence and effectiveness of the current ITS disaster recovery plan and its alignment with the enterprise business continuity plan, policies, and procedures.
  - Evaluate the ITS function’s preparedness in the event of process disruption.
  - Determine compliance with applicable federal laws and regulations.

- Third-Party On-Site Security Audit
Third-party security audit to confirm that security and data protection controls are in place, compliant with business needs, and in alignment with acceptable industry standards.

- Security Incident Response Audit
Audit relating to the effectiveness of security incident management processes, policies, procedures, and governance activities.

Network Security Audit Services Deliverables

The vendor will provide the City of Cleveland with a detailed report on findings.
- A findings document that details and demonstrates all threats and vulnerabilities that are identified.
- A risk analysis listing of recommendations based on risk severity, probability, cost, and scope of work. This should also include recommendations that address policy or procedural vulnerabilities.
- A Security Roadmap that lists the technology recommendations for the next 3-5 years and includes a strategic direction in support of the City’s security infrastructure.

Connections to External Partners Services

Review the City’s connection and security posture to the City’s external partners through wide area networks, dedicated circuits, remote clients, and remote server technologies; assess remote access and the security of network connections and data traffic to and from external partners.

Connections to External Partners Services Deliverables
- Executive Summary with overall severity findings and risk exposure
- Remediation recommendations to close the vulnerabilities identified
- Detailed steps (wherever/whenever applicable) to be followed while mitigating the reported vulnerabilities

III. General Guidelines

Task Request for Proposal

When a Task is first initiated, the Program Manager for this contract shall issue a Task Request for Proposal (TRFP) to the Consultant. The TRFP may include the following information:
- Background of the need for the task
- Goal and objective of the task
- Task priority relative to other contract tasks
- Listing of any scheduling and coordination restrictions that will affect the task
- Listing of known governmental regulations that may need to be addressed in the task
- Determination of whether legislation exists, will be needed, or will not be needed to proceed with the task
- Known problems that may restrict design or implementation which must be addressed
- Task project management responsibilities
- Any other related information not listed
- Assigned task number
- Established task deliverables
- Intermediate milestones

Task Proposal

The Consultant will take the information presented in the TRFP and prepare an estimate of:
- Disciplines needed
- Staff to be provided, along with resumes (if requested)
- Hours needed by each
- Schedule
- Reimbursables
- Total not-to-exceed Task Cost

The Consultant shall submit this information in the proposal form to the Program Manager.

Task Negotiation

The Program Manager will review the Task Proposal as received from the Consultant and determine if the proposal is acceptable. If it is determined that adjustments are needed, the manager will negotiate with the Consultant until both parties agree on the details in the Task Proposal. This process must be repeated until no new corrections are needed.

Task Authorization

When the Task Proposal is finalized, a formal Task Authorization Letter will be given to the Consultant by the Program Manager.

Each authorized Task shall indicate a Total Not-To-Exceed funding cap. The Consultant shall utilize generally accepted Project Management processes, whereby consistent biweekly milestone meetings will provide both a dollar/percentage spent and the work remaining. These shall include documented and formalized issue log and change request processes that shall be reviewed and approved by the City. The Consultant shall give the City at least one month’s advance notice of when it thinks a Task’s funding will be exhausted prior to completion.

Task Completion and Close-Out

All work by the Consultant shall conform to Generally Commercially Acceptable Standards. After the Consultant has completed the activities as authorized in each task, he/she shall submit, in hard copy and, where applicable, in electronic format (latest version of Adobe PDF, MS Word, Visio, or MS Excel), the following items to the Program Manager:
- Collected information
- Design notes and requirements documentation
- All Task correspondence
- All other defined deliverables

Compensation and Invoicing Support Services

Compensation for services shall be based on hourly billing rates for the category of the individuals assigned to each Task and approved reimbursable expenses as agreed upon during negotiation of the Agreement. Billing rates shall remain unchanged throughout the life of this contract.

The Consultant shall be compensated for reimbursable expenses incurred in the interest of the work in accordance with the City Expense Reimbursement Policy.

The Consultant shall be paid for services on a time-based method. The Consultant shall invoice each month based on the actual hours expended for the services and the approved hourly billing rates. The invoice shall include only the staff titles listed in the Fee Proposal.

The Consultant shall submit its invoice for progress payment to the Program Manager no later than the close of business on the thirtieth (30th) calendar day of the month following the month for which payment is requested. If the 30th calendar day would fall on a Saturday, Sunday, or holiday, then the submittal shall take place on the previous working day. The Consultant shall not submit invoices more frequently than once per month.

Invoices shall include a cover page, summary table, detailed invoice per task, summary table of labor costs, timesheets, a summary table of reimbursables, original receipts, and other information as deemed appropriate. Invoices shall include the specific activities worked, on an hourly and daily basis, by resource.

Supporting information (receipts, timesheets, etc.) shall be attached in the appropriate section of the invoice in alphabetical, then chronological, order. For example, timesheets shall be attached alphabetically by individual name and chronologically within each individual.

Each approved task shall be specifically identified and tracked.

Invoices not submitted in the approved format may be rejected and returned to the Consultant. This includes incomplete information and missing documentation.

IV. Qualifications for Proposal

Each proposer, regardless of the form of its business entity, must meet the following minimum requirements. Failure to meet all requirements may be cause for rejection of a proposal. If a proposer is a partnership or a joint venture, at least one general partner or constituent member must meet the requirements. Each Proposer must:
- Provide evidence that it has a minimum of 5 continuous years of experience within the last 10 years of providing the services described in this RFP
- Provide evidence that it has a minimum of 5 continuous years of experience within the last 10 years of Security Audit and Assessment engagements/implementations with comparable cities
- Be authorized to conduct business in the State of Ohio, County of Cuyahoga, and the City of Cleveland
- Demonstrate qualification for all applicable licenses, certificates, permits, or other authorizations required by any governmental authority, including the City, having jurisdiction over the operations of the successful Proposer and the proposed services
- Submit with its proposal at least three (3) written, verifiable references, dated within the last two years, from clients for which the Proposer has rendered services substantially similar to those sought by this RFP and recommending the Proposer for selection for such services (see Attachment “G” – Vendors Client References Form)

Submission of Proposal

Each proposer shall submit its proposal(s) in the number, form, and manner, and by the date and time and at the location, required in Section I above.

Each proposer shall provide all the information requested in this RFP. The proposer must organize its proposal package to address each of the elements in this RFP in the order listed in Section VI, Proposal Content. The proposer should carefully read all instructions and requirements and furnish all the information requested. If a proposal does not comply with all terms, conditions, and requirements for submittal, the City may consider it unacceptable and may reject it without further consideration.

The City wishes to promote the greatest feasible use of recycled and environmentally sustainable products and to minimize waste in its operations. To this end, all proposals should comply with the following guidelines: Unless necessary, hard copies should minimize or eliminate the use of non-recyclable or non-reusable materials. Materials should be in a format permitting easy removal and recycling of paper. A proposer should, to the extent possible, use products consisting of or containing recycled content in its proposal including, but not limited to, folders, binders, paper clips, diskettes, envelopes, boxes, etc. Do not submit any samples, attachments, or documents not specifically requested, or a greater number of them than requested.

If you find discrepancies or omissions in this RFP, or if the intended meaning of any part of this RFP is unclear or in doubt, send a written request for clarification or interpretation to Tiearra Hayes, 205 West St. Clair Avenue, 4th Floor, Cleveland, OH 44113, no later than Friday, October 18th, 2019 at 5:00 PM EST. Requests for clarification or interpretation may be submitted via e-mail to thayes@clevelandohio.gov.

V. Proposal Content

Each proposal shall include the following parts in the order below. Please separate and identify each part by tabs for quick reference. Each proposal should be organized to facilitate its evaluation.

The Proposal submittal shall be no longer than 40 single-sided printed pages, excluding appendices. Page size shall be 8.5 x 11 inches (11 x 17 inch pages may be utilized for graphical representations, but each will be counted as two pages). Font size shall be no less than 12 pt. Tabs, dividers, and appendices are excluded from the page count. The proposal shall be submitted in 3-ring binders.

The proposal response section shall consist of the following sections:

Section 1: Cover Page and Executive Summary

The Executive Summary should provide a complete and concise summary of the proposer’s experience and ability to meet the requirements of this RFP. It should briefly state why the Proposer is the best candidate for the engagement. The Summary should be organized so it can serve as a stand-alone summary apart from the remainder of the proposal.

Section 2: Profile

The Proposer will provide a profile of its organization and of all other sub-consultants who will be providing services. At a minimum, the Proposer will provide the following information:
- Principal owners of the business
- Number of years in business
- Number of years involved with services as proposed
- Total number of employees
- Latest gross sales revenue
- Latest gross income

Section 3: Qualifications

Identify the prime and each sub-consultant firm’s qualifications for providing professional services. Place specific emphasis on projects for government and/or utilities.

In the Qualifications section, each Proposer should state in detail its qualifications and experience, and how its services and/or products are unique and best suited to meet the requirements and intent of this RFP. This should include the qualifications of sub-consultants included in the proposal. The proposer may include as much information as needed to differentiate its services and product(s) from other proposals. At a minimum, please include the following:
- How the Proposer meets or exceeds the qualifications;
- A description of the nature of the firm’s experience in providing the service(s) and/or product(s) sought by this RFP, and the number of persons currently employed for such purpose;
- The total number of such engagements and the clients comparable to the City for which the firm has provided like or similar services within the last five (5) years.

Section 4: List of Representative Services

Provide a list of at least three similar consulting services that the proposer has completed within the last three years.

Include a detailed description of the scope, responsibilities, services, and dollar value for each contract listed for the proposer.

Provide at least one client reference each (verified name and telephone number) of someone closely familiar with each client and your firm's performance.

Each service description shall be presented in a format consistent with the table below.

List of Representative Projects Table
(One sheet per project)

Project title:
Project Description:
Owner’s Name:
Location of Project:
Knowledgeable Contact’s Name:
Contact’s Role in the Project:
Verified Telephone Number for Contact:
Project Manager’s Name*:
Key Team Member’s Names and Duties*:
Prime Consultant:
Sub consultant(s) and Percent of Total Project:

*As proposed for that project

SHEET ___ OF ___

Section 5: Environmental Sustainability

Describe how the proposed services/project/solution incorporates environmental sustainability.

Section 6: Litigation

Disclose any current litigation(s) in which the proposer or any of its subcontractors is currently involved or has been involved over the last 5 years.

VI. Proposal Evaluation and Vendor Selection

Proposals received in response to this request will be reviewed and scored by an evaluation team. The evaluation of proposals received will be carried out in three rounds and will be based on, but not limited to, the evaluation team’s assessment of the criteria defined under the following evaluation rounds.

Round 1 – Procedural Compliance and Quality Assurance
Round 2 – Proposal Technical Review and Scoring
Round 3 – Vendor Oral Presentation

Fees will not be considered in the technical evaluation. Proposals shall be evaluated first on qualifications and technical merit. Once rankings are established, the fee submittals shall be considered.

Round 1 – Procedural Compliance and Quality Assurance

Round 1 evaluation will be conducted to verify that the vendor has complied with the submission criteria listed below. This is a pass or fail round; therefore, vendors are to ensure that they meet ALL of the following conditions:
- Vendor’s adherence to the City’s established process for communication
- Vendor submitted a proposal to the City on or before the submission deadline
- Cover of the Vendor’s submission package contains the appropriate content designation, and all requested components of the submission package are included
- Adherence to the City’s OEO requirements and correctly filing and submitting all City Forms and Schedules
- The vendor has completed and submitted the Proposal Checklist – Attachment “D”
