Specifications include, but are not limited to: Perform an administrative gap analysis. Purpose: Identify areas within the District’s information security governance framework that may not adhere to regulatory and third-party requirements or “best practices”, as noted in Section II of this exhibit. Desired Elements: The selected Respondent will: Review relevant documentation including (but not limited to) policies and procedures, training and educational programs, technical documents (network diagrams, hardware and application technical standards), and evidence of monitoring activities (reports, corrective action plans, et. al.); Interview key stakeholders across multiple departments and specialties including (but not limited to) information technology, clinical/ambulatory care, ancillary services, compliance, human resources, law enforcement, and facility maintenance; and Evaluate gathered evidence via transaction testing, observation, document review, or other appropriate analytical method(s). Expected Outcome: A detailed descriptions of issues, potential risk(s) of exploitation, and recommended corrective actions. Severity and impact rating criteria must be employed, and illustrations (charts, graphs, or other descriptions) may be used where appropriate.
