All correspondence must be made through the Vendor Portal.

Specifications include, but are not limited to:

SERVICE GROUP 1: Cyber Security GRC

Business Requirements
  Vendor led and LES assisted installation
    Vendor would create and turn over the instance to LES
  Describe the Cyber Security implementation process
    Include anticipated schedule and timeframe.
  Describe Implementation Process Responsibilities:
    Include Vendor Responsibilities
    Include LES Responsibilities
  Describe post-project implementation vendor continuing support for LES.
  Training and Implementation Hours
    Include training for 2 Cyber GRC platform administrators
    Hourly cost for implementation fees
    Hourly cost for additional training

Technical Requirements
  Required capabilities
    Cyber Security - Controls
      Support for Control Frameworks: NIST 800-53rev5, CIS Controls version 8
      Ability to perform control mapping between common Control Frameworks
    Cyber Security - Risk Management
      Support for Qualitative Risk Frameworks: NIST 800-30, 800-37, 800-39
      Qualitative Risk Scoring for completed assessments
      Included Risk Assessment Documentation Templates
      Risk Register for logging identified and assessed risks
    Cyber Security - Audits
      Audit Process Lifecycle Management
      Included Audit Documentation Templates
      Support for Audit Activity Planning
      Support for Audit Issues/Findings Management
    Cyber Security - Threats and Vulnerabilities
      Ability to connect to Tenable. Please describe native and non-native integration capabilities.
      Ability to pair Tenable Vulnerability Assessment results to Risk Assessment and/or Audit Activities
      Ability to define internal risk ratings to customize criticality to specific assets/systems.
    Cyber Security - Policy and Program Management
      Program Frameworks: NIST Cyber Security Framework (CSF)
      Ability to perform Policy Life Cycle Management
      Ability to assess Cyber Security program maturity
      Ability to produce automated reports or platform dashboards
    Cloud Hosted GRC Platform
      Single Sign-On to be integrated into our Azure IDP
      Requirement to deploy in the cloud
      Ability to assign distinct roles for separate business functions (Cyber Security GRC and Enterprise Risk Management (ERM)).
  Preferred capabilities
    Ability to create multiple dashboards based on user account
    Intuitive and customizable user interface
    Support for Quantitative Risk Framework: FAIR
    Support for Program Frameworks: ISO 27000 Series
    Ability to compare assessed enterprise Cyber Security (non-NERC) maturity against industry peers and non-industry peers.
    Ability to manage NERC Reliability Standards compliance
    Ability to conduct and/or track vendor risk assessments
  Miscellaneous
    Identify and describe power utility specific capabilities
    Identify and describe capability for integration with other tools
    Identify and describe any Third-Party Risk Management (TPRM) features.
    Please list out asset management tools that can be integrated natively into your solution and, if not natively, then describe the process to customize integration.

System Specifications
  What elements of the solution can be configured by the system administrators?
  Does your solution provide the ability to search across all modules or within specific areas?
  Does your system allow for associations to be easily made across the organization in a visual manner?
  Describe the system's ability to correlate and integrate risk relationships across the entire enterprise.
  Does your solution offer integration with standard email solutions such as O365?
  Describe your document management features.