RFP #00002326, Project #13135

Specifications include, but are not limited to:

The City of Portland is seeking proposals from qualified vendors for a Data Security Posture Management (DSPM) platform. This includes demonstrated experience in implementing the platform, integrating any associated components, and providing maintenance or break-fix support to any backend, vendor-hosted services to keep the platform operational for the duration of the Contract.

1. The Data Security Posture Management (DSPM) platform is to be used primarily by the City’s Information Security division but may need to have the capability for a larger scope of access and expandability across the City’s network. Other potential users may include, but not be limited to: Data Custodians, Data Owners, and end-users who are responsible for sensitive data review, alerts, reports, metrics, etc.

2. The DSPM solution needs to be scalable from a functional, licensing, and financial perspective. It will allow the City of Portland to expand and align tool functionality to the increased and associated costs over time as the DSPM program progresses through the phased rollout or as the need dictates. Having scalable functionality and costs is of particular importance and may carry additional weight during the evaluation process.

3. The proposed solution should leverage existing single-sign-on identity stores for credential management simplicity and to avoid managing a separate set of credentials for user or admin login.

4. The proposed solution should search for regulatory, sensitive data (type I) and custom, business use-case related (type II) data. Data identification, document auto-classification, user self-serve features, and detailed reporting are desired as they pertain to primary objectives. This primarily includes unstructured data at rest including, but not limited to, on-premises Hitachi network attached storage (HNAS) file shares, cloud SharePoint sites, cloud OneDrive MySites, cloud Groups/Teams SharePoint sites, cloud Outlook/Email (messages and attachments), and/or endpoints. The platform should also be able to easily display who has access to the sensitive data locations for any access corrections that need to be made.