RFP 5885 8/26/14
REQUEST FOR PROPOSALS
RFP NO. 5885
Managed Information Security Services (MSSP)
for
MACOMB COMMUNITY COLLEGE
WARREN, MICHIGAN
PROPOSALS DUE NO LATER THAN
September 26, 2014 at 2:00 p.m.
Submit Proposal To:
Dennis Costello, Purchasing Department
14500 12 Mile Road
Warren, MI 48088-3896
(Mailing Address)
(586) 445-7308 – Phone (586) 445-7366 – Fax
1. PROJECT OVERVIEW
Macomb Community College supports its multi-campus operations using a variety of information systems and technologies. Through this RFP, the College desires to continue its use of a Managed Security Service Provider (MSSP) as part of its overall IT security strategy to perform Real Time Perimeter Monitoring:
Monitor the Colleges network security equipment and core servers provide real time analysis of perimeter services through aggregation and analysis of gathered information. The MSSP is expected to focus on actionable events for customer notification and real-time monitoring schemes which reduce/prioritize the volume of data that must be quickly analyzed. The MSSP must be able to apply their knowledge of external threats, and of the types and numbers of attacks they encounter across the devices monitored for all of their customers to add value to the analysis of alerts for Macomb Community College.
Except as noted in TABLE #14.2 of the bid response form, the College will retain management of the monitored devices. Vendor’s solution will employ a strategy to gather this data from monitored devices; forward such data to a secure operations center, filter/data mine this data in real time, and report findings to the appropriate College personnel based upon predefined trigger/escalation thresholds.
In addition, the College desires to augment real time monitoring with static Log Collection and analysis that provides security log aggregation, collection, retention, archival and analysis of such for compliance reporting and vulnerability/exploit remediation recommendations. Adoption of this optional service tier will be based upon the value proposition of such in the proposals received.
The College has three years of experience with MSSP-provided real-time perimeter monitoring services. This RFP seeks to continue and expand that coverage (scheduled to expire on Dec 31, 2014) with the vendor/platform that offers the greatest value illustrated in the proposals received.
Specific project requirements and deliverables are fully explained in section 11; bid response parameters and format are detailed in section #6.
2. PUBLIC STATEMENT
Macomb Community College (MCC) is the second largest community college in Michigan serving more than 43,000 degree-credit students. MCC also offers pre-college programs, continuing and professional education programs, customized workforce training and many cultural and community service programs.
3. TOPOLOGY STATEMENT
Communications and Networking
· 100% Cisco Gigabit Ethernet backbone
· Over 225 actively managed network devices in approx 65 locations across four (4) campuses including 62 stacks of 220+ individual switches.
· 90 VLAN segments
· Dedicated fiber plant between buildings. Dedicated redundant fiber between South and Center campuses. Leased fiber connects other campus and outreach locations.
· Systemax Gigaspeed copper cable from MDF/IDF to office and classroom locations; about 9,000 total drops.
· Aerohive 802.n wireless network deployed in all public areas. T
· Cisco IP telephony system. Includes Unity voice mail, CER, and Informacast paging application.
· Approximately 60 network servers in a native-mode Active Directory environment. Servers provide a wide array of services. Examples include web servers, print servers, network control servers, storage servers and application servers.
· Internet connection is through a dedicated (and redundant) 1 Gb fiber connection to the MERIT backbone. Macomb provisioning is currently capped at 140 Mb. Bandwidth shaping and traffic prioritization is accomplished with an Exinda bandwidth shaping device and CISCO Ironport cluster.
Business Applications
· Ellucian Colleague system used for Finance, Human Resource, Payroll and all Student records sub-systems, such as Admissions, Grading, Registration, etc.
· Job posting and candidate processing is handled through a hosted application (People Admin).
· Ellucian systems run on a Unidata database system. A separate SQL environment is used for its reporting and portal applications.
· Web services for the College’s three public websites are hosted externally.
4. RECEIPT OF PROPOSALS
To be considered for acceptance, all vendors wishing to bid must adhere to the following schedule:
Questions from bidders due / Date: September 10, 2014Answers disseminated to all bidders / Date: September 12, 2014
Final proposals due / Date: September 26, 2014 @ 2 P.M.
Proposals must be mailed, delivered, faxed or e-mailed by 2:00 p.m. EST time on the Final due date posted above. Proposals should be submitted to:
Dennis Costello, Purchasing Administrator
Macomb Community College
14500 12 Mile Road, Warren MI 48088-3896 (Mailing Address)
Fax: (586) 445-7366
E-mail:
Proposals submitted via email, should not include any zipped or executable files as these will be blocked by the College’s security system and may not be considered as received on time.
Proposals must be signed by an individual with authority to enter into a binding contract and the authority of the individual signing must be stated thereon.
5. INQUIRIES
Inquiries pertaining to this RFP are to be directed to:
Contractual Questions:
Dennis Costello, Purchasing Administrator
Scope of Services Questions (e-mail contact only, please):
Steve Yuenger, Director of IT: Networking and Infrastructure
Responses to clarifications will be shared with all organizations that were invited to submit a proposal. MCC will not be bound by any oral responses.
6. PROPOSAL RESPONSE FORMAT
Responses should be submitted in electronic format to the contact listed in Section 4. Acceptable electronic formats include Microsoft Word or PDF. Responses should address all of the numbered items listed below:
6.1 Provide a brief company overview including a copy of most recent annual report and financial statement and those of your investors and all third party subcontractors if they are not publicly available. Please provide information about any recent mergers and acquisitions, initiated by your organization or others.
6.2 Indicate the number of active monitored security service contracts, percentage of multi-year and single year contracts. How many years have you been providing Managed Security Services (MSS)?
6.3 Describe your annual rate or percentage of new, renewing, and terminating contracts over the last three years.
6.4 References – The RFP response shall include three customer references which must also include institutions of higher education. Vendors are expected to have experience in completing projects of similar scope.
6.5 Independent Evaluations - Please describe how your organization addresses the following aspects of independent evaluation for itself and all tiered providers involved in delivering requested services:
6.5.1 How information security risks are assessed, periodically and in relationship to the major changes in technology, internal or external threats, or your systems and operations.
6.5.2 Please describe how it is performed and communicated to the clients.
6.5.3 Identify any third party organization(s) responsible for conducting your latest security risk evaluation, security audit, and vulnerability assessment. Can you show documented policies, procedures and audit requirements that will ensure privacy and confidentiality of our data or data gathered about our environment?
6.5.4 Describe how often they are performed, outline results and provide date of most recent evaluation
6.6 Please describe your standard service-level agreement (SLA) performance assessment and reporting process and your problem resolution and escalation procedure, including escalation thresholds and timing.
6.7 Please describe your process and mechanisms for handling client inquiries and reported problems. Describe how you measure and report client satisfaction, and how satisfaction deficiencies are addressed and resolved. Include hours of staff availability and available communication mechanisms.
6.8 Provide an example of how your services detected and addressed a recent security incident.
6.9 Personnel:
6.9.1 Please describe the screening process and the level of background checks performed for prospective employees, for monitoring security operations center (SOC) personnel, and for providing initial and ongoing staff training.
6.9.2 For personnel who will be directly responsible for providing service requested in this RFP, please describe how many years of experience they have and in what fields.
6.9.3 Provide resumes for key personnel and for key executives and managers who will have oversight responsibility of this contract.
6.9.4 Please provide organizational and personnel accreditation and certification in networking, operating systems, security, audit, and evaluation. Describe how these credentials will be used in providing the requested service.
6.10 Sample of the services contract for review.
6.11 Provide evidence of any third party certification, attestation or other review of your MSS operations and physical operations center security.
6.12 Responses to questions in section 13.
6.13 Optional services/bid alternates. Detailed explanation of services itemized in section 14.4 of the bid response form and explained in section 11.3 of this RFP.
6.14 Completed MANDATORY Bid response form (from section 14).
7. CONTACT PERSON
Please identify by name, telephone number and e-mail address, the person or persons whom the College can address questions to during the evaluation of proposals.
8. AWARD OF PROPOSAL
The College may award a contract based upon the initial proposal without further discussion of such proposals. Accordingly, each initial proposal should be submitted with each respondent’s most favorable fee and service capabilities.
The College will award a contract to the one firm which it believes offers a proposal that is in the best overall interest of the institution. MICHIGAN law to govern final contract.
This contract will require approval by the College’s Board of Trustees.
9. Transitioning to Managed Security Services
Macomb Community College will provide MSSP with information required for the implementation of requested services, review and approve proposed design, perform physical installation of hardware on site, and validate deployment. MSSP is responsible for collection of information, designing requested solution, and implementing it.
10. Transitioning from Managed Security Services
Upon termination of the contract, MSSP will be required to provide Macomb Community College information related to all managed device configurations, including hardware and software versions and revisions, and any applicable security policies or configurations. MSSP will be required to return to the College all raw and aggregated log data collected for the period 90 days prior to the termination date on DVD media (or otherwise agreed) within 30 days. MSSP will be required to destroy all configuration data and customer information in the manner acceptable to both MSSP and the College. MSSP will be expected to fully cooperate with the College during transition.
11. SCOPE OF SERVICES
The College seeks a service provider who can add value to security information and log management by assessing real-time data (REAL-TIME PERIMETER MONITORING TIER) and optionally, stored logs (LOG COLLECTION AND ANALYSIS TIER) to add context to incident identification and response. Each service tier shall be quoted separately (bid response form, section 14).
In addition to the requirements set forth below, Macomb Community College requires MSSP to designate an account manager for the entire duration of the contract. The MSSP account manager will participate in quarterly status meetings, provide the College with SLA and other reports and escalate any issues according to defined escalation procedures, etc. Macomb Community College requires MSSP to have a Security Operations Center(s) (SOC) that operates 24 hours a day, 7 days per week. The SOC engineers shall be reachable by telephone and e-mail. The MSSP shall provide authorized College administration access to a web based SOC portal in order to obtain on-demand, real time views of its monitored devices. The MSSP shall record all incidents in an issue tracking system, and make such system available to appropriate College personnel. Individual contacts should be able to obtain real time and historical performance data for all monitored devices. They are also the primary contacts for the Managed Security Service Provider (MSSP) in case of security incidents, monitored device outages or scheduled maintenance notifications.
11.1 Real-time Perimeter Monitoring tier:
Monitor the Colleges network security equipment and provide real time analysis and alerts, focusing on actionable events for customer notification and real-time monitoring schemes which reduce/prioritize the volume of data that must be quickly analyzed. The MSSP must be able to apply their knowledge of external threats and attacks they encounter across the devices monitored for all of their customers to add value to the analysis of alerts for Macomb Community College.
The College seeks service providers that can offer an integrated dashboard of real-time monitoring and log analysis and reporting functions and workflow as well as regular operations status reports (SOC, or Secure Operations Center portal).
The operations status report/dashboard must include detailed statistics for the monitored security services. This may include overview of each ticket recorded during reporting period, device utilization graphs, etc. The incident report should contain overview of all security incidents detected within reporting period, including assessment and actions taken. Respondents must provide examples of reports they will use. Reports must be made available electronically through the SOC portal.
With the exception of its IDS modules where the vendor will be responsible for configuration, management and monitoring, Macomb Community College will retain management of the monitored devices. Vendor’s solution will employ a strategy to gather event data from monitored devices; forward such data to a secure operations center, filter/data mine this data, and report findings to the appropriate College personnel based upon predefined trigger/escalation thresholds which are to be recommended by the MSSP and agreed to by Macomb Community College.
11.2 Log Collection and analysis tier:
Provide security log aggregation, collection, retention, archival and analysis of such for compliance reporting and vulnerability/exploit remediation recommendations. Log collection is not subject to real-time alerts; it is considered analysis-after-the-fact. Regular inspection of collected log data is required with special attention given to identifying evidence of privilege escalation and unauthorized creation of accounts.
Log collection requirements shall include the acquisition of all log data and the retention of that data for 18 months, even after review and reporting, to meet the College’s auditing and compliance needs.
11.3 optional services/bid alternates:
Bidders are encouraged to detail additional services that are available in addition to the base requirements set forth in this document. For example, are there optional services available that specifically identify advanced, targeted threats? Optional services shall be itemized in section 14.4 of the bid response form and explained in section 6.14 of your proposal.
12. Devices to be Monitored/Managed:
See mandatory bid response form, section 14.
13. Services