2.2 Background and Purpose Key State executives are decision makers that execute public policy and drive the will of the citizens of Maryland. While the existing State cyber security strategy is designed to ensure the protection of all employees, systems, and information, key executives may face risks above and beyond the threat types common to workforce at large. The successful execution of strategic security plans will allow State executives to deliver on the tasks they were elected to perform. 2.2.1 State Staff and Roles In addition to the Procurement Officer and Contract Monitor, the State will provide a: A. State Project Manager 1. The State Project Manager will: a. Oversee the project and provide direction and prioritizing of work, b. Monitor performance, review and accept Work Orders and approve invoices, c. Ensure services are delivered in accordance with the contract and that the outcome metrics and objectives are being met, d. Ensure the successful execution of the mission by enumerating all requested needs from the State, seeking authorization for delivery on those needs, and assisting with the procurement or delivery of the needs, e. Provide physical and logical access necessary to ensure successful service delivery, and f. Provide state contact lists for incident reporting and escalation criteria. 2.31 Prevention of misuse of Personally Identifiable Information (PII) and Sensitive Personal Information (SPI) The Contractor shall: A. Proactively monitor for use, disclosure, or loss of State executive PII or SPI in open source or dark web locations. B. Prevent use, disclosure, or loss of State executive PII and SPI. C. Detect attempts to exfiltrate State executive PII and SPI. D. Facilitate the permanent deletion, removal or obfuscation of State executive PII and SPI from all public, social media, or dark web locations. E. Detect mentions of State executives in open source, social media, and dark web locations. F. Notify State point of contact when State executive PII and SPI is at risk. 2.3.2 Imposter Identification The Contractor shall: A. Proactively monitor, prevent and/or detect the creation of imposter accounts, activities on social media, professional networking, and other platforms of State executives. If imposter accounts are detected, work to ensure the imposter accounts are immediately removed from the hosting platform. B. Facilitate the removal of imposter accounts and activities on social media, professional networking, and other platforms of State executives. 2.3.3 Asset Hardening The Contractor shall: Ensure all systems that are not provided by the State are hardened to prevent adversary attacks. Apply and maintain hardened configurations with minimal disruption to State executive’s daily functions in accordance with industry best practices. The type of devices that require hardening include personal computers, laptops, devices, and servers that are not currently owned or managed by the State. Hardening considers the following: A. Advanced endpoint protection, B. System configuration for automatic updates, C. Application of full disk encryption when and where possible.
