All correspondence must be made through the Vendor Portal. Specifications include, but are not limited to:
4.4 Project A - Governance, Risk and Compliance Project: The City plans to select, purchase, implement and apply a governance, risk and compliance (GRC), or similar, solution to manage cybersecurity compliance and risk management practices, including the tracking and management of computer systems and applications, cybersecurity requirements (at the system, business process and enterprise levels), cybersecurity controls (both planned and implemented), cybersecurity control testing and assessments, cybersecurity assessment findings, gaps and risks, and actions to remediate gaps and risks.
4.4.1 The City plans to use the GRC solution to support the activities of RFQ022363 projects B, C, D and G.
4.4.2 DoT plans to manage administration of the GRC solution and use the GRC solution for ongoing management of DoT security planning, assessment and compliance management activities for DoT provided applications and supporting IT systems.
4.4.3 DoT plans to use the GRC solution to support optional use services to City departments and agencies for:
• Security planning, assessment and compliance management;
• Cybersecurity risk management;
• Supply Chain and Vendor risk management;
• Governance management.
4.4.4 DoT plans to integrate the GRC solution with its Cherwell TechDesk application to eliminate duplicate maintenance of shared data elements and with Splunk to provide system security categorizations to the SIEM.
4.4.5 A more detailed description for the GRC project is included in RFQ022363 Attachment A.
However, Offerors are encouraged to suggest additions or deletions within their Understanding of the Project/Project Approach if they believe changes will better meet the objectives of the project.
4.5 Project B – IT Security Governance Assessment Project: The City plans to assess citywide IT security governance.
4.5.1 The City plans to use the GRC solution to manage the IT Security Governance Assessment and related information.
4.5.2 The IT Security Governance Assessment will serve as an assessment of the City’s overall direction and control of its IT security and include assessment of: information security authority, leadership and other roles and responsibilities; information security program, strategies and planning; information security policies; legal and regulatory compliance; security awareness and training; personnel security; IT acquisition; etc.
4.5.3 The City plans to assess IT security governance at the citywide, department, agency and, in some cases, division level. Agency, department and divisional security governance assessments will include:
City Agencies:
1) City Council;
2) City Treasurer’s Office;
3) City Auditor’s Office;
4) Income Tax Division;
5) City Attorney’s Office