Specifications include, but are not limited to:

The Alameda County Water District (District) invites qualified firms to submit proposals to provide consulting services for the implementation of a virtual Chief Information Security Officer (vCISO). The vCISO services will consist of executive and technical level consulting and information security expertise, similar to that which would be provided by a full-time, in-house Chief Information Security Officer.

• Conduct Cybersecurity gap analysis based on review of existing cybersecurity program practices as well as documents developed by the District.
• Identify applicable Governance and Practices frameworks (such as the NIST Cybersecurity Framework and Center for Internet Security controls) and develop an IT Cybersecurity Program document with the following sections at a minimum: Security charter Program Overview and Framework(s) Risk and Privacy Management and Compliance Enterprise Security Architecture Policies, Processes, Procedures and Controls Security & Privacy Policies and Procedures Threat and Vulnerability Management Incident Management and Response Configuration Standards Awareness and Training Roles and Responsibilities Cybersecurity Program Metrics
• Develop risk matrix and strategic and tactical cybersecurity and privacy roadmap with projects and action plans.
• Provide project management and implementation support for projects identified in the roadmap.
• Develop applicable IT Security Policies and Procedures based on gap analysis findings.
• Review existing Penetration Testing and Vulnerability Assessment results and recommendations and develop remediation processes and action plan(s)
• Review third-party Security Operations Center (SOC) vulnerability dashboard and assist ACWD staff in developing ongoing remediation processes and action plan(s)