State Entity RFI Template - BidNet



Request for Information (RFI) # 98000-001382

Information Technology (IT) Governance, Risk, and Compliance Management (GRCM) Solutions

RFI Response Submission Due Date: March 31, 2:00 PM, Eastern Time (EDST)

Instructions to Offeror: Submit RFI response including appendices & attachments to:
Nanci Glazer-Gay, GTA Issuing Officer
Georgia Technology Authority
47 Trinity Avenue, Suite 300
Atlanta, GA 30334
“RFI Number and Title” must be in the message subject line for any email correspondence to [email protected]

IT Governance, Risk, and Compliance Management (GRCM) Solutions RFI # 98000-001382

1.0 Purpose of Solicitation

This Request for Information (“RFI”) is being issued to solicit information from interested suppliers with respect to Information Technology (IT) Governance, Risk, and Compliance Management (GRCM) solutions for the Georgia Technology Authority (hereinafter, “GTA”) as further described in this RFI. GTA may use the information generated by this RFI in conjunction with other information available to GTA to determine a course of action that is in the best interests of the State Entity to fulfill this need.

1.1 Background

GTA currently manages the delivery of IT infrastructure services to 85 Executive Branch agencies and managed network services to 1,300 state and local government entities. IT infrastructure services encompass mainframes, servers, service desk, end user computing, disaster recovery and security; 15 agencies receive all of these services through GTA, while the remaining agencies may receive two or three of these services. Managed network services include the state’s wide area network and voice.

In 2009, GTA transitioned IT infrastructure services to IBM and managed network services to AT&T as part of an initiative begun in 2007 to move the state’s IT operations into the 21st century by turning to private-sector leaders in technology service delivery. The privatization initiative, known as Georgia Enterprise Technology Services (GETS), is projected to save the state $181 million over the life of the contracts with IBM and AT&T. GTA’s Sourcing Management Organization (SMO) oversees the state’s service providers.

Meanwhile, GTA’s Enterprise Governance and Planning (EGAP) promotes an enterprise approach to technology by establishing statewide policies, standards and guidelines based on industry best practices and federal requirements. EGAP works closely with the Governor’s Office of Planning and Budget and state agencies to ensure an individual agency’s IT strategy aligns with its overall business strategy and business continuity planning. EGAP is involved in managing the state’s portfolio of technology projects to ensure they meet established goals and are completed on schedule and within budget.

The current state of Georgia's IT is one that is in transformation. The state for many years had a non-integrated environment. The state is making improvements to IT while controlling costs and continuing to support the various functions performed by the state; in Georgia, almost all of the state functions performed use IT.
During FY2014, the state made significant progress in the governance of its technology enterprise. However, progress can still be made in how the state makes decisions about technology investments. Many decisions are reached without adequate information to understand the potential costs, risks, and impacts of new technology solutions. GTA has worked to ensure that investments are implemented efficiently, but we now need to focus on whether those investments deliver the services and benefits needed by the state while considering the overall governance, risk and compliance matters. GTA believes a strong IT Governance program for the state's IT enterprise will ensure the best decisions possible are being made about investments in both technology infrastructure and services in support of the business and Georgia's citizens.

Page 2 of 16


Information about GTA and GTA's EGAP Office of Information Security can be found at the following website links:
http://gta.georgia.gov/about-gta
http://gta.georgia.gov/enterprise-governance-and-planning-main-page
http://gta.georgia.gov/office-information-security

1.2 Overview of the RFI Process

The objective of the RFI is to gather information to assist GTA OTIS in its investigation of marketplace information with the intent of making an informed decision about IT GRCM solution(s). The RFI method is not a competitive solicitation method and, as a result, does not satisfy the requirement for competitive bidding. However, GTA may use the information generated by this RFI in conjunction with other information available to GTA to investigate a possible future outcome that is in the best interests of GTA to fulfill this need. The RFI method is no more than an information gathering tool and such information gathered may or may not be used by GTA to develop a competitive solicitation. Suppliers are not required to respond to an RFI and a supplier’s failure to respond to an RFI will not prohibit the supplier’s participation in any competitive solicitation that may result from the RFI. However, suppliers are strongly encouraged to respond to RFIs as this is a great way to ensure GTA is aware of the suppliers’ available goods and services. GTA, at its sole discretion, may or may not extend invitations to suppliers in order to obtain further information.

1.3 RFI Schedule of Events

The schedule of events set out herein represents GTA’s best estimate of the schedule that will be followed. However, delays to the procurement process may occur which may necessitate adjustments to the proposed schedule. If a component of this schedule, such as the close date, is delayed, the rest of the schedule may be shifted as appropriate. Any changes to the dates up to the closing date of the RFI will be publicly posted prior to the closing date of this RFI. After the close of the RFI, GTA reserves the right to adjust the remainder of the proposed dates on an as needed basis with or without notice.

Description                                Date
Release of RFI                             March 09, 2015
Deadline for RFI Questions                 March 20, 2015
Deadline for RFI Answers Posted to GPR     March 24, 2015
Close Date - RFI Response to GTA           March 31, 2015, 2:00 PM EST
Response Reviews                           April 01 - 10, 2015
Oral Presentation Invitations              April 13 – April 17, 2015 (if required)
Oral Presentations                         May 04 - 08, 2015 (if required)

GTA, at its sole discretion, may or may not extend an invitation for an Oral Presentation.

GTA Official Issuing Officer: Nanci Glazer Gay, [email protected]


2.0 Overview

GTA is seeking information from IT GRCM solution providers who have provided such solutions to an identified public sector entity, such as the U.S. Federal Government and/or one or more identified US state or US local governments.

2.1 Public Sector

Solutions described that have been offered to the Private Sector may be considered; however, this RFI is focused on solutions delivered to US governmental entities.

2.2 Methodology

GTA is also interested in descriptions that contain an explanation of the methodology and industry best practices used by the IT GRCM solution providers.

2.3 Industry Best Practices

GTA is presuming that the IT GRCM solution described shall be performed utilizing the best available industry practices. GTA expects that the IT GRCM solution(s) described are delivered in a comprehensive, expeditious and efficient manner.

2.4 Description Tools

GTA’s interest in the tools utilized in a described solution is centered on whether the tool is of a proprietary or Commercial Off-the-Shelf (COTS) nature. Also important is whether the tool(s) require additional resources to be deployed, and any other important barriers or considerations for deployment. GTA is presuming that the IT GRCM solution described shall be performed utilizing the best available tool sets.


3.0 RFI Areas of Interest

GTA realizes that the IT GRCM marketplace contains solution providers that may have core competencies. GTA is focused on 12 Areas of Interest. The 12 Areas of Interest are:
1. Support for Use Cases
2. Architecture
3. Administration
4. Policy Library and Mapping
5. Policy Distribution and Training Attestation
6. IT Controls Self-Assessment and Measurement
7. GRC Asset Repository
8. Remediation and Exception Management
9. Automated IT Control Measurement
10. Compliance Reporting
11. IT Risk Evaluation and Compliance Dashboarding
12. Cost/Price model

3.1 Areas of Interest

GTA is seeking a description(s) of a solution(s) that addresses any or all of the broad Areas of Interest.

3.1.1 Support for Use Cases
A. Describe support for the use of the solution to implement the following use cases:
1) Automated Compliance Reporting and Management
2) Enterprise IT Risk Management
3) Audit Management
4) Operational Risk Management
5) Vendor Risk Management
6) Business Continuity Management
7) Policy Management

B. Describe how the solution supports additional user defined use cases.

3.1.2 Architecture
A. Describe the overall solution including components comprising the product’s architecture.
B. Describe how each component is packaged (e.g., software, appliance, virtual appliance, etc.)
C. Describe deployment architecture of your solution (e.g., SaaS, customer premises, hybrid, etc.).
D. Describe scalability and flexibility in supporting deployment across multiple business units (agencies) in the state.
E. Describe how your solution integrates with other enterprise applications.

3.1.3 Administration
Describe how the solution provides support for:
1) Centralized administration in a geographically dispersed deployment
2) Role-based access and delegated administration
3) Integration with Active Directory and other repositories for role definitions, and groupings of users and resources

3.1.4 Policy Library and Mapping
Describe the solution’s ability to map an organization's specific IT controls and policies into defined control objectives including:
1) Policy library and assessment content
2) Policy authoring capability including workflow
3) Supported control standards
4) Regulation specific policy content
5) Security configuration

3.1.5 Policy Distribution and Training Attestation
A. Describe how the solution provides for the distribution of relevant policies and other information, including:
1) the attestation that the policy was read and understood
2) the attestation that the user will comply
B. Describe how reporting is available to track responses and compliance.

3.1.6 IT Controls Self-Assessment and Measurement
A. Describe the solution’s ability to create, distribute and manage control self-assessments in the enterprise. The function should include:
1) vendor-supplied reference content
2) survey functions
3) workflows to manage the collection of self-assessment data
B. The reference content should encompass IT administrative processes, business use of assets, etc.

3.1.7 GRC Asset Repository
A. Describe the solution’s ability to define IT assets and group them according to the business processes that they support, and to classify them according to requirements for confidentiality, integrity and availability.
B. Describe the solution’s ability to populate (import) and maintain the GRC Asset Repository from an externally maintained enterprise asset repository so that it is a benefit.

3.1.8 Remediation and Exception Management
Describe how the solution supports the function to track the life cycles of identified gaps and authorized exceptions. Include information on:
1) embedded workflow capabilities
2) integration capabilities with other problem management systems and external directories

3.1.9 Automated IT Control Measurement
A. Describe how the solution provides the ability to address the following components in a way that results in a repeatable automated process:
1) directly measure configuration settings
2) vulnerability
3) identity auditing information
4) other control information
B. Include information on platforms and OS’s supported
C. Describe how the solution integrates with third-party tools like:
1) security configuration assessment
2) vulnerability assessment
3) event and log management

3.1.10 Compliance Reporting
Describe the solution’s support for compliance reporting. Include information on:
1) Pre-defined reports
2) Support for user-configurable reports
3) Support for web based access to reports
4) Role-based views
5) Levels of reporting (Management level, operational level, technical level, etc.)
6) Regulation specific reporting

3.1.11 IT Risk Evaluation and Compliance Dashboarding
Describe how the solution provides compliance dashboard functions.

3.1.12 Cost / Price Model - [Do not include actual pricing]
Describe how the solution is priced, including information on the pricing model applied to:
1) User licenses
2) Appliances
3) Hardware & Software
4) Functional Modules
5) Integration Modules
6) Continuing Maintenance


4.0 RFI Release Information and Submittal Instructions

Listed below are key action items related to this RFI. The Schedule of Events identifies the dates and time for these key action items. This portion of the RFI provides instructions regarding the:
- process for reviewing the RFI
- preparing a response to the RFI
- submitting a response to the RFI

4.1 RFI Release

The release of this RFI is formally communicated through the posting of this RFI on the Georgia Procurement Registry, which is accessible online as follows: http://ssl.doas.state.ga.us/PRSapp/PR_index.jsp

4.2 RFI Review Process

The RFI consists of the following:
- This document, entitled “IT Governance, Risk, and Compliance Management (GRCM) Solutions”, and
- Any and all documents provided by GTA as attachments to the RFI or links contained within the RFI or its attached documents.

Please carefully review all information contained in the RFI, including all documents available as attachments or available through links. Any difficulty accessing the RFI or opening provided links or documents should be reported immediately to the Issuing Officer.

4.3 Preparing an RFI Response

4.3.1 Area of Interest Checklist – Appendix B
On Appendix B, please indicate with an “X” the appropriate Areas of Interest of your RFI response.

4.3.2 RFI Response Worksheet Instructions – Appendix C
GTA expects the company responding to this RFI solicitation to use Appendix C to record the RFI response. For example, for Area of Interest 4, Policy Library and Mapping, GTA expects to see a separate narrative addressing each Sub Area of Interest, aligned with the number/letter scheme as appropriate. When preparing a response, the supplier must consider that the response must be in a readable font size with reasonable margins. Also, please follow these additional instructions:




- Ensure the response is accurate and readily understandable
- Limit the response to 1 page per Area of Interest and one page for each letter and Sub Area of Interest.
- Clearly label each section of the response so that GTA can easily organize and navigate the supplier’s response.
- Clearly label attachments and supplemental information at the end of the response

4.4 Copies Required

Supplier must provide the following number of copies:
- One paper original
- One CD-ROM copy of the paper original

4.5 Electronic Copies



- Use caution in creating electronic files (i.e., make sure files do not contain viruses, etc.).
- GTA has the capability of viewing documents submitted in the following formats: Microsoft Word or Microsoft Excel, portable document format file (PDF), and plain text files with the file extension noted in parentheses (.txt).

4.6 Submitting the RFI Response

Mark the outside of the shipping package as follows:
Name of Company
Point of Contact for Company and Phone Number
RFI # 98000-001382 IT GRCM Solutions

Mail to the following location:
Georgia Technology Authority
Nanci Glazer-Gay, Issuing Officer
47 Trinity Avenue, Suite 300
Atlanta, Georgia 30334
404-463-6539


Appendix A
Definitions for the purpose of this RFI

Automated IT Control Measurement: This function provides the ability to directly measure configuration settings, vulnerability, identity auditing information and other GCC control information in a way that results in a repeatable automated process. Additionally, this function also provides the ability to import configuration settings, vulnerability, identity auditing information and other control information in a way that results in a repeatable automated process.

Compliance: The process of adherence to policies through related controls. Policies can be derived from internal directives, procedures and requirements, or external laws, regulations, standards and contractual agreements.

Compliance Reporting: The ability to roll up compliance data in a form that is acceptable to auditors to reduce the cost of compliance reporting.

Governance: The process by which policy and decision rights are set, maintained and effectively communicated throughout an organization.

Governance, risk and compliance (GRC): A set of processes, supported by enabling technologies, that improves decision making and performance through an integrated view of how well an organization manages its unique set of risks.

GRC Asset Repository: The ability to define IT assets and group them according to the business processes that they support, and to classify them according to requirements for confidentiality, integrity and availability. Also, the ability to populate (import) and maintain the GRC Asset Repository from an externally maintained enterprise asset repository so that it is a benefit.

IT Control Self-Assessment and Measurement: The ability to create, distribute and manage control self-assessments in the enterprise. The function also includes vendor-supplied reference content, survey functions and workflows to manage the collection of self-assessment data. The reference content should encompass IT administrative processes, business use of assets, etc.

IT GRC: The management, measurement, monitoring, automation and reporting of IT controls, including traditional security controls, such as firewalls and antivirus tools; control automation and monitoring tools, such as configuration auditing; identity and access management; disaster recovery; and security information and event management.

IT Risk Evaluation and Compliance Dashboarding: The ability to provide a comprehensive and easy to understand view of compliance and risk information based on user role. This includes the ability to define and customize risk calculations.

Policy Distribution and Training Attestation: This function provides for the distribution of relevant policies and other information, including the attestation that the policy was read and understood, and that the user will comply. Reporting should be available to track responses and compliance.

Policy Library and Mapping: The ability to map an organization's specific IT controls and policies into defined control objectives.

Remediation and Exception Management: This is the function to track the life cycles of identified gaps and authorized exceptions.

Risk Management: The process for ensuring that important business decisions and behaviors remain within the overall risk appetite and acceptable risk tolerances associated with the strategic objectives of an organization.

Use Case: A series of related iterations between a user (or user group) and a system that work toward achieving a predefined goal.


Appendix B
Area of Interest Checklist

In the chart below, please provide which Area of Interest you are responding to. Indicate with an “X” the appropriate areas. Additionally, please provide your narrative response on the appropriate Area of Interest page.

Area of Interest                                        Indicate the appropriate area with “X”
1. Support for Use Cases                                ____
2. Architecture                                         ____
3. Administration                                       ____
4. Policy Library and Mapping                           ____
5. Policy Distribution and Training Attestation         ____
6. IT Controls Self-Assessment and Measurement          ____
7. GRC Asset Repository                                 ____
8. Remediation and Exception Management                 ____
9. Automated IT Control Measurement                     ____
10. Compliance Reporting                                ____
11. IT Risk Evaluation and Compliance Dashboarding      ____
12. Cost/Price model                                    ____


Appendix C
RFI Response Worksheet Instructions

GTA expects the company responding to this RFI solicitation to use Appendix C to record the RFI response. For example, for Area of Interest 4, Policy Library and Mapping, GTA expects to see a separate narrative addressing each Sub Area of Interest, aligned with the number/letter scheme as appropriate. When preparing a response, the supplier must consider that the response must be in a readable font size with reasonable margins. Also, please follow these additional instructions:
- Ensure the response is accurate and readily understandable
- Limit the response to 1 page per Area of Interest and one page for each letter and Sub Area of Interest.
- Clearly label each section of the response so that GTA can easily organize and navigate the supplier’s response.
- Clearly label attachments and supplemental information at the end of the response

SAMPLE AREA OF INTEREST
Appendix C-4
Area of Interest: Policy Library and Mapping
Company Name: Brighter Day Company
Narratives are limited to one page. Narratives over one page will not be read. Sub Areas of Interest should use the same format as above. Please be concise and straightforward.

SUB AREA OF INTEREST SAMPLE
Appendix C-4 - A1
Area of Interest: Policy Library and Mapping - Policy Library and Assessment Content
Company Name: Brighter Day Company


RFI Response Worksheet
Appendix C - ___ - ____
Company Name: _____________________________________
Area of Interest: _______________________________________________________
