Specifications include, but are not limited to:

The Vendor shall provide services in these Task Areas across City departments, as further detailed in letters of authorization (LOA) developed and approved by the HITS Director/COH Chief Information Officer (CIO) or COH Chief Information Security Officer (CISO). Individual LOAs shall include, but are not limited to, specific definitions of the scope of work, deliverables or milestones, constraints, skills and timelines, and a Not To Exceed (“NTE”) price in alignment with the stated hourly Bill Rates for the specific Task Area. The Vendor shall ensure that the Program Team for each LOA has Subject Matter Experts (“SMEs”) with the knowledge and capabilities to perform the Task Areas stated in this SOW.

3.1.1 PROJECT EVENTS AND TASKS

Task 1 – City of Houston Cybersecurity Program Support

Task 1, Further Defined: The assigned Vendor’s technical Project Team shall assist the City with support of various cybersecurity program initiatives. Activities proposed under this task include but are not limited to:

A. Map critical systems communications and data flows.
B. Develop systems security plans for City critical systems.
C. Work with City to assess and review technology project priorities ensuring security engineering is considered.

Task 1 – Deliverables: The assigned Vendor’s technical Project Team shall provide the following deliverables as required by the CISO or Handling COH Director, and memorialized and submitted to the City in written documents, reports, studies, guidelines, test results, or plans associated with the risk assessment and technology planning services:

A. Systems security plans for critical City systems (~20 systems)
B. Plan of Actions and Milestones (POAM) for missing controls
C. Data and information flow diagrams

Task 2 – Ongoing Security Monitoring and Support of Security Initiatives

Task 2, Further Defined: The assigned Vendor’s technical Project Team shall assist the City in the ongoing security monitoring and initiative support where the various, individual City departments have established the need for these ongoing services. Activities proposed under this task include but are not limited to:

A. Monitor and support the City of Houston Payment Card Industry (PCI) environment
B. Identify information systems that process and store privacy data and sensitive information such as PCI and develop a strategy to deploy the NIST privacy controls where appropriate
C. Analyze the complexity for deployment of security framework/tools/processes to the City’s functional departments at various locations

Task 2 – Deliverables: The assigned Vendor’s technical Project Team shall provide the following deliverables as required by the CISO or Handling COH Director, and memorialized and submitted to the City in written documents, reports, studies, guidelines, test results, or plans associated with the ongoing security monitoring and support of security initiatives:

A. Identify the continuous monitoring requirements of information systems that take into account all City department requirements as stated in previous sections of this SOW.
B. Run vulnerability scan tools in department-approved methods and specific targeted areas that guarantee no business operations impacts and with required department IT involvement and provide analysis of the results
C. Write plans of actions to mitigate security deficiencies and maintain the corresponding milestones to their completion
D. Monitor and work with City departments to update the system authorization boundary
E. Develop security authorization documentation with City departments for assigned systems
F. Implement gap analysis and knowledge transfer for department’s self-sufficient operation in assessing, monitoring, and management of environment