Addition 1

Posted: 9/28/2021

Type of Addition: RFP Opening

Overview:

The name of each Vendor and the identity of the RFP for which the Proposal was submitted will be publicly read and recorded in the presence of witnesses. The RFP will be opened on September 28, 2021 at 5:00pm (local, Avondale, Arizona time).  If you wish to witness the RFP opening, please follow the zoom link below.  PRICES SHALL NOT BE READ.

opic: FB 21-062 - IT Risk Assessment RFP Opening

Time: Sep 28, 2021 05:00 PM Arizona

Join Zoom Meeting

https://avondaleaz.zoom.us/j/86798753890?pwd=c3JIc25wcXhJdi91N3ZvQ0MyaHpkZz09

Meeting ID: 867 9875 3890

Passcode: 608676

One tap mobile

+17207072699,,86798753890# US (Denver)

+12532158782,,86798753890# US (Tacoma)

Dial by your location

        +1 720 707 2699 US (Denver)

        +1 253 215 8782 US (Tacoma)

        +1 346 248 7799 US (Houston)

        +1 646 558 8656 US (New York)

        +1 301 715 8592 US (Washington DC)

        +1 312 626 6799 US (Chicago)

Meeting ID: 867 9875 3890

Find your local number: https://avondaleaz.zoom.us/u/knuyU5zqb

Addition 3

Posted: 11/23/2021

Type of Addition: Intent to Award

Overview: Thank you to all respondents of the above referenced Request for Proposals. The City intends to enter into a contract for IT Risk Assessment Services. After scoring the submittals and interviews, the Selection Committee recommends an award be made to the highest ranked firm: SECURANCE CONSULTING If you have any further questions regarding the selection process you may contact the Procurement Office. We appreciate your interest in doing business with the City of Avondale. Brian Garcia, NIGP-CPP, CPPB Senior Buyer City of Avondale

Documents:

• FB 21-062-Notice of Intent to Award.pdf

Question 1

Posted: 8/31/2021

Question: Dear Mr. Garcia, We have some questions we hope you will be able to answer in your role as RFP Administrator. Specifically, we are inquiring about the RFP for the City of Avondale Solicitation Number: FB 21-062 (IT Risk Assessment). QUESTION 1 According to the aforementioned RFP, Section B, Page 32 (B-19), Paragraph 2 “3. Inventory IT and Data Assets Identify or verify all information assets and determine the criticality level to the City. With a complete, up-to-date inventory, make recommendations on how to further protect our most critical software and data assets with priority rankings.” Our question is: Acknowledging that one of the requested deliverables is an IT Asset Inventory, can you approximate how many devices are on the City’s network (i.e. approximate Network Size) ? QUESTION 2 According to the aforementioned RFP, Section B, Page 31 (B-18), Paragraph 4 “1. Assessment of the City’s Risk Profile Identify threats and rank risks based on the potential for harm. The risk profile shall include potential risks in detail, such as: The source of the threat (internal or external) The reason for the risk (uncontrolled access permissions, trade secrets, etc.) The likelihood that the threat will materialize Impact analyses for each threat The assessment will include a review of IT policies and standards. Outsourced functions to 3rd parties, department responsibilities, training, information systems environment, systems development and maintenance, disaster recovery plans and backup and others as deemed appropriate.” Our question is: How many locations, departments, and employees does the City have? From our online research we estimate there are approximately 10 locations/facilities, 15 departments, and 589 employees. Confirmation or correction of these estimates would be much appreciated. QUESTION 3 According to the aforementioned RFP, Section B, Page 31 (B-18), Paragraph 4 “1. Assessment of the City’s Risk Profile Identify threats and rank risks based on the potential for harm. The risk profile shall include potential risks in detail, such as: The source of the threat (internal or external) The reason for the risk (uncontrolled access permissions, trade secrets, etc.) The likelihood that the threat will materialize Impact analyses for each threat The assessment will include a review of IT policies and standards. Outsourced functions to 3rd parties, department responsibilities, training, information systems environment, systems development and maintenance, disaster recovery plans and backup and others as deemed appropriate.” Our question is: Could we receive some clarification on what is meant by “systems development and maintenance”? QUESTION 4 According to the aforementioned RFP, Section B, Page 25 (B-12), Paragraph 3 “15.15 Confidentiality of Records. The Consultant shall establish and maintain procedures and controls that are acceptable to the City for the purpose of ensuring that information contained in its records or obtained from the City or from others in carrying out its obligations under this Agreement shall not be used or disclosed by it, its agents, officers, or employees, except as required to perform Consultant’s duties under this Agreement.” Our question is: What policies and procedures does the City currently have in place regarding Information Security and Risk Management? A list would suffice. QUESTION 5 According to the aforementioned RFP, Section B, Page 16 (B-3), Paragraph 4 “8.4 Compromised Security. In the event that data collected or obtained by the Consultant in connection with this Agreement is believed to have been compromised, Consultant shall immediately notify the City Manager, or authorized City designee. Consultant agrees to reimburse the City for any costs incurred by the City to investigate potential breaches of this data by the Consultant and, where applicable, the cost of notifying and/or assisting individuals who may be impacted by the breach.” Our question is: Given that the associated costs would essentially represent unlimited liability for us, is it a reasonable alternative for us to guarantee/ensure that no City data will be directly collected, obviating the need for such a damage clause ?

Response: Answer to Question #1: Approximately 1000 devices. A#2: 36 Sites, 16 departments and 640 employees A#3: In house application development and maintenance on those applications. A#4: Will be provides once contract is awarded and NDAs are signed. A#5: Pending - Will answer soon.

Question 3

Posted: 9/3/2021

Question: Is having an "ARIZONA CORPORATION COMMISSION FILE NO." required for participating in the RFP or can we be a foreign LLC in New Jersey?

Response: Prior to the award of the Agreement, the successful Vendor shall be registered with the Arizona Corporation Commission.

Question 5

Posted: 9/7/2021

Question: For our Data Classification and Asset Inventory, in some cases we consider assets as a class, and do not inventory them granularly – for example, employee workstations would not have a list of all desktop computers, but rather consider them as a group’s access to sensitive data. Does the city require a granular asset inventory of every system or device?

Response: No; however, the consultant is expected to validate that the City has identified all systems on the network.

Question 7

Posted: 9/7/2021

Question: Is there existing documentation concerning the PCI environment, what is in scope, what testing has been performed against it and what segmentation controls are in place?

Response: See answer the question 6.

Question 9

Posted: 9/10/2021

Question: Does your organization have system and/or process certifications of HIPAA/NIST/PCIDSS/CJIS? If applicable, please provide current attestations. • FERPA • ISO 27001 • NIST/FISMA

Response: This information will be provided after the contract is awarded

Question 11

Posted: 9/10/2021

Question: Do you maintain vulnerability management procedures that include identifying and remediating technical vulnerabilities?

Response: This information will be provided after the contract is awarded.

Question 13

Posted: 9/10/2021

Question: Do you securely configure (harden) systems and devices using industry standard baselines? Systems and devices include: • Clients • Servers • Databases • Applications • Network Devices Please provide details if you are following any CIS (Critical security control) to harden the devices?

Response: This information will be provided after the contract is awarded.

Question 15

Posted: 9/10/2021

Question: Does your organization have an integrated SOC with SIEM solution (i.e. ArcSight, Splunk, etc.) to aggregate and assess threats and respond?

Response: This information will be provided after the contract is awarded.

Question 17

Posted: 9/10/2021

Question: Do you outsource any of your information security responsibilities? Or are these managed by internal IT personnel?

Response: This information will be provided after the contract is awarded.

Question 19

Posted: 9/10/2021

Question: Do you have a disaster recovery plan (DRP) and a business continuity plan (BCP) for all systems and business processes?

Response: This information will be provided after the contract is awarded.

Question 21

Posted: 9/10/2021

Question: Is there currently an incumbent company or previous incumbent, who completed similar contract performing these services? If so - can you please provide incumbent contract number, dollar value and period of performance?

Response: This information will be provided after the contract is awarded.

Question 23

Posted: 9/10/2021

Question: Can you please provide current number of infrastructure details (Physical Server, Virtual Server, Network Devices etc)? Is there any External Interface need to Pentest? If yes then please specify details?

Response: This information will be provided after the contract is awarded.

Question 25

Posted: 9/10/2021

Question: Do you manage your own data Center, or do you utilize any 3rd-party/colocation facilities?

Response: This information will be provided after the contract is awarded.

Question 27

Posted: 9/10/2021

Question: Good afternoon. Thank you for the opportunity to ask questions. We look forward to learning more about the City’s needs for this project. QUESTION 1 - Does the City intend for the selected vendor to perform vulnerability scanning and penetration testing to identify potential vulnerabilities? Or will the City provide the selected vendor with vulnerability scan and penetration test results? QUESTION 2 - Does the City intend for the selected vendor to perform network discovery scans to identify IT assets that are City’s network? Or will the City provide the selected vendor with a list of IT assets and inventory? QUESTION 3 - Does the City requirement the audit to be performed following Generally Accepted Government Auditing Standards (GAGAS)? QUESTION 4 - Can the City provide the budgetary number that is available to perform the audit? QUESTION 5 - Does the City require all work to be completed onsite or is partial remote work acceptable? QUESTION 6 - Does the City currently have a defined IT Risk Management strategy or is it the City’s intention for the selected vendor to develop an IT Risk Management strategy?

Response: A1: The City recently performed a vulnerability assessment that will be shared once the contract is awarded. A2: The consultant is expected to validate that the City has identified all IT assets and inventory. A3: Assessment of the City’s Risk Profile is required to use the NIST and ITIL framework. A4: The budget information will not be given out. A5: Primary cost proposal will have an expectation of work conducted online or onsite. A6: The City recently performed a vulnerability assessment that will be shared once the contract is awarded.

Question 29

Posted: 9/14/2021

Question: How many vulnerabilities did the initial Vulnerability Scan uncover, on how many systems?

Response: Information will be provided after the contract is awarded and non-disclosure agreements are signed.

Question 31

Posted: 9/14/2021

Question:

Response: N/A

Question 33

Posted: 9/14/2021

Question: In house application development and maintenance on those applications. Is the referenced application development systems, repos, policies & procedures also included in assets? Software assessments are a separate undertaking requiring additional skill sets.

Response: Yes.

Question 35

Posted: 9/14/2021

Question: Do you have a budget for this work that you can share?

Response: The budget will not be given out.

Question 37

Posted: 9/15/2021

Question: Have there been any security incidents to-date which negatively affected environment in anyway? a. If yes, what were the particular incidents and did you engage a third part to help resolve? b. If yes, can you please share the vendor who supported the resolution(s)?

Response: This information will be provided after the contract is awarded.

Question 39

Posted: 9/15/2021

Question: Can the City please share the results of any most recent audit performed?

Response: This information will be provided after the contract is awarded.

Question 41

Posted: 9/16/2021

Question: Would City accept a sample report included in the appendix of the proposal submission or as a separate document? If yes, will the sample report provided count toward the 15 page limit?

Response: Yes, the City would accept a sample report. The sample report will count towards the 15 page limit.

Question 43

Posted: 9/16/2021

Question: On page A-5 under section 1.10 Vendor Licensing and Registration and page A-7 under Section A. General Information subsection (3), City asks vendors to provide any documentation that supports the vendor’s authority to provide services in Arizona. Please confirm that vendors must only provide an attestation that we will obtain the required documentation by contract award.

Response: Per the solicitation, Prior to the award of the Agreement, the successful Vendor shall be registered with the Arizona Corporation Commission and authorized to do business in Arizona.

Question 45

Posted: 9/16/2021

Question: Please confirm that vendors are not expected to sign the attached Professional Services Agreement document until after contract award, and that the document does not need to be included in the proposal submission.

Response: You do not need to sign the attached Professional Service Agreement. It does not need to be included in the proposal submission.