Specifications include, but are not limited to: The City desires security services in the specific areas listed below:

1. Threat and Vulnerability Management of Hosting Environment – Services to include but not be limited to: vulnerability scanning of server and network devices conducted on a quarterly basis. Results shall be analyzed and recommendations provided by the Contractor on remediation of critical and high rated findings.

2. Chief Information Security Officer (CISO) as a Service – Provide CISO as a Service for security overview services and recommendations to the City for up to twelve hours per month. Specific areas to include: review of file scans, Qualys external vulnerability scans and security audit reports.

3. Security Operations – Provide leadership for security incidents involving assets of the City. Advise the City on new and emergent threats the City should be aware of. A presentation of the new and emergent threats shall be provided to the City every quarter.

4. Penetration Testing – Organize annual penetration testing, including defining the test target scope and obtaining permissions. After the test is completed, the Contractor shall assist with interpreting the results and provide recommendations (as a result of the test) to improve the security position.

5. Security Monitoring – Provide oversight for logging and alerting of potential security events on systems. Examples include: alerting on abnormal network performance thresholds, system CPU utilization spikes, alerting on file access/storage access abnormalities, and items that may impact the confidentiality, integrity or availability of the systems or data.

6. Identity Management and Access Management – Provide Identity Management and Access Management services for approved accounts managed in the City of Grand Rapids Active Directory instances. Accounts shall be created according to an agreed-upon procedure between the City and the Contractor. Access to IT resources must be approved by an authorized City Project Manager. Account permissions will be set according to the direction of the City Project Manager. Quarterly reviews of all accounts with elevated privileges shall be conducted. The account reviews for all other users shall be coordinated on a semi-annual basis. Accounts not used for 120 days shall be disabled by the Contractor and the City Project Manager notified.

7. System Hardening and Patch Management Validation for Security Profiles – Configure Windows systems in accordance with the Microsoft Baseline Security recommendations. Parameters not in accordance with this baseline will be required to have an approved IT risk acknowledgement form (provided by Contractor) completed. Contractor shall perform system patching using vendor supplied and approved patches (servers and workstations) and follow the approved deployment schedule. If any gaps are identified, the Contractor shall provide remediation recommendations.