
REQUEST FOR PROPOSAL
EXTERNAL AND INTERNAL PENETRATION TESTING SERVICES
No. FY18-0005
Page 1 of 17

TABLE OF CONTENTS

I. Summary ... 3
II. Background ... 3
III. Scope of Work ... 3
IV. Timeline ... 4
V. Contact ... 4
VI. Term of Engagement ... 5
VII. Submission Guidelines ... 5
VIII. Proposal Content ... 5
IX. Written Questions ... 9
X. Proposal Evaluation ... 9
XI. Finalist Presentations ... 10
XII. RFP Withdrawal or Modification ... 10
XIII. Incomplete Proposals ... 10
XIV. Selection of Winning Bid ... 11
XV. Reimbursement for Proposal Preparation ... 11
XVI. Quiet Period ... 11
XVII. RFP Limitations and Conditions ... 12
XVIII. Minority Affiliation ... 13
XIX. Waiver of Claims ... 13
XX. Contract Negotiations ... 13
XXI. Notice Regarding Illinois Public Records Laws ... 13
XXII. Most Favored Terms ... 14
XXIII. Disclosures ... 14
XXIV. Agreement and Approval ... 16

I. SUMMARY

This Request for Proposal (“RFP”) is being issued by the Public School Teachers’ Pension and Retirement Fund of Chicago (“CTPF” or the “Fund”) to solicit proposals from qualified Information Security Consultants (“Bidder” or “Consultant” or “Firm” or “Respondent”) to perform Penetration (“Pen”) testing for system vulnerabilities within our IT Infrastructure.

If you are interested in the proposed engagement, we welcome proposals from qualified firms. Respondents must satisfy the qualifications and requirements outlined herein.

II. BACKGROUND

Established by the Illinois General Assembly in 1895 as the Public School Teachers’ Pension and Retirement Fund of Chicago, CTPF administers a multi-employer defined benefit public employee retirement fund. CTPF is administered in accordance with Illinois Compiled Statutes (ILCS) Chapter 40, Articles 1, 17, and 20.

CTPF is governed by a Board of Trustees made up of twelve (12) members. The Board of Trustees oversees the Fund’s benefit programs, approves all benefits, makes investment decisions, and provides general operational oversight.

For more information about the Fund, please visit www.ctpf.org.

III. SCOPE OF WORK

CTPF is seeking proposals from qualified Respondents to perform comprehensive External and Internal penetration testing of its IT Infrastructure, by probing servers, networks, internet, applications, operating systems, and device configurations.

Please describe areas or processes not included in the scope of this engagement that your firm may examine in order to provide more complete and thorough services. The following information should be considered relative to the scope of this project, and your response should include applicable pricing for each requested category of penetration testing.

CTPF reserves the right to select all or some of the penetration testing services listed below or suggested by a Respondent that best match CTPF’s needs and budget for the project.

A. Scope of Penetration Testing Services:

1. External Network Penetration Testing
Assess the perimeter defenses of the hosts and services exposed to the Internet.
Conduct a Firewall Assessment.

2. Internal Network Penetration Testing
Assess the security of internal private networks and hosts to determine, once inside CTPF, what a malicious individual could potentially compromise within the various CTPF networks.

3. CTPF Websites Penetration Testing
Assess vulnerabilities within the website or web application software.

4. Wireless Security Scanning
Assess the adequacy of wireless network infrastructure security against unauthorized access to CTPF’s wireless network.

5. Social Engineering
Assess vulnerabilities to various types of phishing attacks.
Determine adequacy of physical access security and protocols.

6. Reporting Requirements
Based on penetration testing and scanning results, provide a comprehensive, detailed technical report and an Executive Summary of vulnerabilities, ranked by level of risk, with correlated recommended remediation. Also provide best practices for software solutions to remediate the vulnerabilities identified.

7. Special Requests
Ad-hoc penetration testing requests may be necessary in conjunction with specific infrastructure projects being completed at future dates. Describe your ability to respond to ad hoc requests.

IV. TIMELINE

EVENT / DUE DATE
RFP Distribution: Friday, February 9, 2018
Written questions due from Respondents: Friday, February 23, 2018, 12:00 p.m. (CST)
Compilation of questions and answers posted to www.ctpf.org: Friday, March 2, 2018, 12:00 p.m. (CST)
RFP Due Date: Wednesday, March 14, 2018, 12:00 p.m. (CDT)

V. CONTACT

Any questions concerning this RFP must be directed to:

Name(s): Becky Z. Gonzales, Contract and Procurement Administrator
Address: Chicago Teachers’ Pension Fund, 203 North LaSalle Street, Suite 2600, Chicago, IL 60601-1210
Phone: 312-604-1202
Email: gonzalesr@ctpf.org

VI. TERM OF ENGAGEMENT

The term of the engagement will be governed by the negotiated contract or agreement, as limited by the Illinois Pension Code and CTPF’s administrative rules. CTPF may, in its sole discretion, terminate the contract at any time during that term.

VII. SUBMISSION GUIDELINES

In order to be considered for selection, proposals must be received via email, in PDF format, by Becky Gonzales at gonzalesr@ctpf.org no later than 12:00 p.m. (CDT) on Wednesday, March 14, 2018. Late submissions will be rejected as unresponsive. Paper submissions will be rejected as non-conforming. An email confirmation will be sent to the Respondent upon receipt of the proposal.

VIII. PROPOSAL CONTENT AND FORMAT

All information requested in the RFP must be addressed in the Respondent’s proposal. Proposals should provide a concise explanation of the Respondent’s qualifications and the proposed services to be rendered. Emphasis should be placed on completeness and clarity of content. Each proposal must be submitted in response to categories A through J outlined below and must be clearly labeled as such.

A. Cover Letter
a. Briefly state the Respondent’s understanding of the work requested and a statement of why the Respondent believes it is best qualified to perform the engagement. The letter should be signed by the representative of the Respondent authorized to contract on behalf of the Respondent.

B. Title Page
a. Date
b. Subject

c. Respondent’s name and chief executive officer (or the equivalent)
d. Respondent’s address
e. Respondent’s website address
f. Respondent’s phone number
g. Respondent’s fax number
h. Contact’s name
i. Contact’s title
j. Contact’s phone number
k. Contact’s email address

C. Table of Contents

D. Project Plan
a. Address the various tasks, services, and deliverables outlined in Section III. Scope of Work and describe the specific approach that will be taken in performing each task or service or providing each deliverable.
b. Describe how the Respondent has the necessary staffing and bandwidth to take on this engagement.
c. Describe any deliverables or services not included in Section III. Scope of Work that your Firm would suggest be provided in order to provide more complete and thorough services.
d. Indicate the location of the office(s) from which the work on this engagement is to be performed.
e. Provide a percentage breakdown of how much of the engagement will be performed on your site, at CTPF’s site, or remotely.
f. Identify tasks that will be performed by your Firm and tasks that will be performed by CTPF’s staff.
g. What combination of Pen testing, scanning, and vulnerability assessment tools will be used for this project? Identify the possible impact of Pen testing on CTPF’s system infrastructure.
h. Provide a timetable for each penetration testing task including estimated hours and completion dates.

E. Billing
a. Provide billing by type of penetration test along with hourly rates.
b. State any special considerations with respect to billing or payment of fees and expenses that the Respondent offers and that you believe would differentiate your Firm from other proposals and make your Firm’s services more cost effective to the Fund.
c. CTPF expects the lowest rate charged by the Respondent for its governmental and non-profit clients. If for any reason the Respondent is unwilling or unable to charge the lowest rate, please explain why.
d. The billing rate will be fixed for the term of this engagement.

F. Firm’s Background, Qualifications, and Experience
a. Briefly describe the Respondent’s background, history, and ownership structure, including any parent, affiliated or subsidiary company, and any business partners. The firm must be regularly established in the industry of providing the services outlined in Section III. Scope of Work, and have experienced personnel able to

provide the required services. CTPF may request information substantiating the above requirements. Failure to provide this information may result in a Respondent’s proposal being declared non-responsive.
b. Provide the size of the Firm including number of offices and number of full-time employees. Identify the key personnel proposed for the CTPF engagement, emphasizing specific experience on contracts similar in scope to the requirements of this RFP. Describe his or her position, current responsibilities, areas of expertise, experience, education, professional designations, and memberships. Include details regarding the proposed management of the personnel who would be assigned to the CTPF engagement. CTPF expects reasonable notice of key personnel being removed from the engagement and reserves the right to approve the replacement of key personnel.
c. Provide the number of years that the Firm and any identified individuals have been providing the services requested in this RFP.
d. Provide details on your Firm’s employee benefit industry experience/expertise and financial institution experience/expertise.
e. Indicate the number and nature of part-time professional staff to be employed in this engagement.
f. Will your Firm use outside contractors (subcontractors) for this engagement? If so, what confidentiality agreement is in place to protect sensitive information from disclosure? What allocation of the scope of services will be assigned to outside contractors (subcontractors)?
g. Indicate the Respondent’s due diligence process in hiring, evaluating, and monitoring its staff and contractors, as applicable.
h. List any known professional or personal relationships the Respondent or its employees or contractors may have with individual CTPF Board members and/or Fund staff.
i. Identify any potential or actual conflicts of interest you have in providing services to CTPF. State whether you have ever provided services to CTPF, the City of Chicago, the Chicago Board of Education (“Chicago Public Schools” or “CPS”), the Chicago Teachers’ Union (“CTU”), the Retired Teachers’ Association of Chicago (“RTAC”), the Chicago Principals and Administrators Association (“CPAA”), any Chicago charter school, or any employee group or trade organization related to the aforementioned entities. If so, please state the name of each such client or former client, contact information, and the nature and time frame of such representation. In providing such information you consent to and agree to release CTPF from any liability that may result from contacting such client(s) and communicating with such client(s) about your prior engagements, and soliciting an opinion regarding the work performed for such reference. In addition, please state how you intend to resolve any potential or actual conflict of interest.
j. Identify all public sector, ERISA fund, or financial institution clients who have terminated their working relationship with you in the past five (5) years and provide a brief statement of the reason(s) for the termination. Provide each client’s contact information. You consent to and hereby release CTPF from any liability that may arise from contacting your former client(s) and communicating with them about the work you performed and the reason for your termination.

G. Insurance, Liability, Confidentiality, and Litigation
a. What assurances can you provide that your Firm will not be subject to cyberattacks? Describe security and protection measures.
b. It is expected that the selected firm will have adequate quality control procedures in place to guarantee the accuracy of the work performed. Please describe your quality assurance procedures.
c. Please describe the levels of your professional liability insurance coverage for client security breaches (cyber risk) and any fiduciary or professional liability insurance your Firm carries. Is the coverage on a per-client basis, or is the dollar figure applied to the Firm as a whole? List the insurance carriers.
i. What limitation on liability, if any, do you impose through your contract? The Firm must not seek to unreasonably limit its liability for negligence.
ii. Are you bonded?
iii. Does coverage for liability due to your negligence continue for a period following termination of the contract? If so, for how long?
iv. Identify the amount, type of coverage, deductible, and any coinsurance.
d. What is the organization’s policy on confidentiality during and after the engagement?
e. Has your Firm been involved in a lawsuit in the last ten (10) years involving any services provided by the Firm? If so, provide details, including a description of the lawsuit, dates, and outcomes.
f. Has your Firm, related entities, affiliates, principals, and/or officers been a party in any material civil or criminal litigation, or subject to investigation, disciplinary action, or regulatory review, whether or not directly related to the services requested by this RFP? If so, provide details, including dates and outcomes.
g. Describe any anticipated litigation in which your Firm may be involved.

H. Sample Contract or Agreement
a. Provide a sample contract/engagement letter for the services proposed by your Firm.

I. References
a. Please provide three references who are clients for whom you have performed work similar to that requested in this RFP. Include the reference name, title, entity, address, telephone number, email address, and a description of the services provided.
b. In providing such information, you consent to and hereby release CTPF from any liability that may arise from contacting your references and communicating with such references about your prior engagements, and soliciting an opinion regarding the work performed for such reference.

J. Exhibits and Attachments
a. Include additional information or exhibits appropriate for CTPF’s consideration under this category. The disclosures requested under Section XXIII of this RFP and the corresponding completed EEOC chart (XXIII (vi)) shall be included as exhibits under this category.

IX. WRITTEN QUESTIONS

Prospective Respondents who have questions regarding this RFP may email the contact listed above by the due date listed in the timeline above for written questions. Please reference “Penetration Testing RFP Questions” in the subject line of the email. The questions (without identification of the questioner) and the answers will be posted on the CTPF website according to the above timeline.

X. PROPOSAL EVALUATION

The following guidelines will be used to analyze and evaluate all proposals. CTPF reserves the right to evaluate all factors deemed appropriate, whether or not such factors have been stated in this section.

A. QUALIFICATIONS

In order to be selected for this engagement, the Respondent must demonstrate that it can meet the requirements of the RFP and the scope of work contained in the RFP.

The Respondent must be regularly established in the industry of providing information security assessments for system vulnerabilities by performing Pen testing and must provide detailed information in response to Section VIII (f) Firm’s Background, Qualifications, and Experience. CTPF may request information substantiating the above requirements.

The Pen testing system security consulting team must consist of individuals with in-depth experience across multiple technologies including client platforms, server infrastructures, web applications, and IP networking. Individuals on the team should hold valid certifications relevant to their role, such as Certified Information Systems Security Professional (CISSP) or equivalent. Failure to provide this information may result in a Respondent’s proposal being declared non-responsive.

B. REVIEW OF PROPOSALS

a. An Evaluation Committee consisting of Trustees and/or Fund staff will evaluate all proposals received.
b. The Committee will determine if Respondents meet the mandatory requirements listed below:
i. The Respondent has no conflict of interest with respect to any other work performed by the Respondent.
ii. The Respondent must demonstrate that it can meet the requirements of the RFP and the Scope of Work contained in this RFP.
iii. The Respondent must adhere to the instructions in this RFP.
iv. The Respondent must follow the proposal content and format outlined in Section VIII.
v. The Respondent must provide all disclosures requested in Section XXIII as a clearly marked exhibit.

c. Factors to be considered by the Committee members include, but are not limited to:
i. Qualifications to perform the services requested;
ii. Price;
iii. Responses to the Proposal Content in Section VIII; and
iv. Presentation to the Committee (if applicable).

Any contract award is ultimately a decision of the Board of Trustees. The Board of Trustees is not bound by the evaluations, scoring, or recommendations of the Evaluation Committee.

This RFP is not an offer of a contract. Acceptance of a proposal does not commit CTPF to award a contract to any Respondent, even if the Respondent satisfied all requirements stated in this RFP. Publication of this RFP does not limit CTPF’s right to negotiate for the services described in this RFP. CTPF reserves the right to choose not to enter into an agreement with any of the Respondents to this RFP.

The information submitted in response to this