II.Nature and Scope of the Project

Attachment A

WORK STATEMENT

I.Objectives.

A.General

1.The Commonwealth of Pennsylvania (COPA), Office ofAdministration, Office for Information Technology (OA/OIT), Enterprise Information Security Office (EISO) is implementing an Enterprise Governance, Risk, and Compliance (E-GRC) program to manage risk and compliance efforts across the agencies, boards, and commissions under the Governor’s jurisdiction.

B.Specific

1.The OA/OIT EISO licensed RSA’s Archer Policy, Risk, Enterprise, and Security Operations Management modules to establish the foundation of the E-GRC program. In order to do this, the OA/OIT EISO is looking for a RSA Archer Consultant Services Team (CST) to help it implement the modules.

II.Nature and Scope of the Project.

As part of the E-GRC initiative OA/OIT EISO procured 5 RSA Archer Software Modules to help it form the foundation of its E-GRC program. These modules include:

A.RSA Archer Enterprise Management - Software that provides a centralized repository of information of the Commonwealth’s business hierarchy and operational infrastructure. Enterprise Management enables organizations to model their organizational hierarchy to enable enterprise governance, risk, and compliance (GRC) reporting and accountability at every level of your business.

B.RSA Archer Policy Management - Software that provides a consistent process for managing the lifecycle of corporate policies and their exceptions. It offers a centralized infrastructure for creating policies, standards, and control procedures and mapping them to corporate objectives, regulations, industry guidelines, and best practices. Policy Management enables organizations to author policies, communicate them to users, conduct training, and view exceptions from a single view.

C.RSA Archer Risk Management- Software that enables organizations to deploy a systematic and methodical approach to identify, assess, decision, treat, and monitor risks and optimize the management of risk consistent with the organization’s risk appetite.

D.RSA Archer Threat Management- Ensure that agencies are using and deploying security technology and products such as antivirus, content filtering, and network intrusion prevention solutions in a consistent manner.

E.RSA Archer Security Operations Management – Software that enables enterprises to orchestrate people, process, and technology to effectively respond to security incidents and prepare for a data breach. By leveraging industry bestpractices, Security Operations Management provides a framework for customers building a security operations center (SOC).

F.On Demand Application (ODA) –ODAs are used to build incident management applications, specialized workflows, risk frameworks, etc.

In order to implement these modules, the OA/OIT EISO is looking to procure a qualified RSA Archer CSTto define and automate information security risk management process through the implementation of the RSA Archer modules. As part of this effort, RSA Archer CST will work closely with the OA/OIT EISO Staff to provide project management, architectural guidance, business analysis, application development, and database management.

The goal of the project is to establish a standardized an automated risk assessment process, reporting engine, security operations management system, and dashboard to report and manage the agencies risks. The RSA Archer CST will work closely with COPA’s staff, at COPA’s location to identify and obtain direction on the actual tasks with which the assigned RSA Archer CSTpersonnel will provide assistance.

III.Requirements.

A.The RSA Archer CST needs to be able to assemble a team of professionals who have a minimum of 7 years’ experience in:

1.Enterprise Governance, Risk, and Compliance

2.IT Architecture

3.Web Application Development

4.Database Administration

5.Business Analysis

6.Project Management

7.Security Operations

8.Risk Management

9.IT Security Control Assessments and Auditing

10.Web Vulnerability Management

11.Threat Management

B.Once the project team members have been established, no changes to the project team members may occur without prior approval from the CISO.

C.All raw data from any test will be the property of the Commonwealth. All IT Assets, information, Data, and Documentation, deliverables, and records residing with the Contractor will be returned to the Commonwealth no later than June 30th 2015. Contractor copies of all IT Assets, information, Data, and Documentation, deliverables and records shall be destroyed in the manner and on the timeline directed by the Commonwealth, and a certification shall be made in writing as to their destruction.

IV.Handling of IT Assets, information, Data, and Documentation

A.All IT Assets, information, Data, and Documentation provided to, or collected or produced on behalf of the Commonwealth by, the selected Contractor is to be considered confidential information. This requirement serves as notice in accordance with Section 26 of the IT ITQ Terms and Conditions of the confidential status of the IT Assets, information, Data, and Documentation. The selected Contractor shall prevent access to, copying of and/or distribution of such IT Assets, information, Data, and Documentation except as necessary and permitted for work on this project.

B.The selected Contractor is responsible for proper disposal (i.e. shred, surrender) of both hard and electronic working copies of such sensitive and confidentialIT Assets, information, Data, and Documentation during work on this project, as well as any remaining IT Assets, information, Data, and Documentation upon the completion of the project.

C.The Contractor must certify in writing to the disposal of sensitive and confidentialIT Assets, information, Data, and Documentation. The requirements of this provision will survive the termination of the Purchase Order and the contract.

D.A draft of all deliverables shall be submitted to the CISO no later than June 23, 2015for review and approval.

E.The Contractor shall comply with the Information Technology Policies (ITP’s) issued by the Office of Administration, Office for Information Technology (OA-OIT). ITP’s maybe found at:

All proposals must be submitted on the basis that all ITPs are applicable to this procurement. It is the responsibility of the Contractor to read and be familiar with the ITPs. Notwithstanding the foregoing, if the Contractor believes that any ITP is not applicable to this procurement, it must list all such ITPs in its technical submittal, and explain why it believes the ITP is not applicable. The Issuing Office may, in its sole discretion, accept or reject any request that an ITP not be considered to be applicable to the procurement. The Contractor’s failure to list an ITP will result in its waiving its right to do so later, unless the Issuing Office, in its sole discretion, determines that it would be in the best interest of the Commonwealth to waive the pertinent ITP.

F.All work for this project must start by June 1, 2015 and be completed byNovember 30, 2015.

V.Tasks.

RSA Archer CST will work closely with COPAs staff, at COPA’s location to identify, prioritize, finalize, and direct actual tasks and deliverables to be completed as part of this Statement of Work. At COPA’s discretion, services provided may include support of the following activities, as well asothers yet to be defined per the implementation plan:

A.Create Road Map complete with milestones and deliver dates.

B.Create detailed project plans which identify tasks, milestones, due dates, etc.

C.Create project risk matrix which identifies all risks to the project and the mitigating control to ensure risks do not interfere with delivery dates.

D.Schedule weekly meeting to brief CISO, Managers, Business Partners, etc. on the status of the project.

E.Deliver Design Binder for each of the solutions.

1.Configuration of data feeds from web vulnerability scanning devices (NexPose, Web Inspect, etc.) to create web vulnerability dashboards.

2.Create progress reports and deliver them to the Enterprise Risk Manager, Commonwealth Chief Information Security Officer (CISO), and other appropriate management.

3.RSA Archer CST must be onsite Monday – Friday, from 8:30 AM – 5 PM and will have to conform to the Commonwealth’s holiday schedule.

VI.Deliverables associated with the Security Assessment tasks include:

A.Define enterprise E-GRC Archer requirements and work plan

1.RSA Archer CST will facilitate approximately workshops to perform the following activities:

a)Development a commonwealth wide ITB on Risk Management

b)Utilize NIST standard to define assessment questionnaires

c)Analyze risk assessment import process and required Archer modules

d)Design and establishment of the security framework

e)Complete a knowledge transfer to ensure Commonwealth personnel can administer, use, maintain, support, and update the E-GRC product and the applications they create within it.

2.Deliverable:

a)Commonwealth E-GRC Archer Requirements and ProjectPlan

B.Operationalize Existing RSA Archer Modules and ODAs

1.Validate current installation is installed and working correctly.

2.Ensure the installation is using our directory services and complies with the policies and procedures identified in ITP_SEC007 - Minimum Standards for User IDs and Passwords.

3.Perform Business Analysis to design and Implement for the Policy, Risk, Enterprise, and Threat solutions.

4.Create incident management application using security operation management module.

5.Deliverable:

a)Fully integrated / operational RSA Archer product with functional modules.

C.Security Operations Management

1.Create an ODA that will enable OA/OIT EISO to receive, assign, forward, and track to COPA specific incident response tickets. The ODA needs to replace the current OA/OIT EISO incident management system hosted on the COPA portal.

2.Create an ODA that will enable OA/OIT EISO to receive, assign, forward, and track to Verizon incident response tickets. The ODA will be needs to replace the current OA/OIT EISO incident management system hosted on the COPA portal.

3.Create an executive dashboard that shows management incident response numbers, types, organization, impact, etc.

4.Deliverable:

a)Create an incident response system that will replace / enhance the current OA/OIT EISO portal and Verizon incident management systems.

D.Create Enterprise Asset Table for Enterprise Module

1.Work with EISO staff and business partners to identify critical assets (Personnel, Buildings, Assets, etc.)

2.Import assets into RSA Enterprise Module.

3.Deliverable:

a)Fully integrated / operational RSA Archer Enterprise Module.

E.Define Assessment Processes and Risk criteria

1.Develop standardized and consistent evidence requirements for self-assessment Including:

a)Identify/Define common risk language

b)Identify/Define common risk ratings

c)Define process to record the corrective action plan

d)Define reporting and dashboard

2.Establish standardized risk framework: leveraging the framework designed for Public Welfare, complete a gap analysis to determine the additional integrated risk and controls required to meet the regulatory and risk requirements for each agency

3.Design the production implementation process, including risk framework, assessment process, corrective action plan process and the reporting requirements

4.Deliverable:

a)Standardized assessment scenarios (i.e. assessment types), corrective action plans and reporting requirements required for production deployment

b)Design specification for master integrated risk framework

F.Prepare and Implement Enterprise Risk Dashboard

1.Deploy NIST 800-53 risk assessment questionnaire

2.Facilitate risk assessment using self-assessment questionnaire for up to 40 agencies.

3.Conduct webcasts to demonstrate the Archer risk assessment question to the agencies stakeholders.

4.Capture and document high level risk assessment results.

5.Analysis of the results to identify major risks present in the current operating environment.

6.Implement the corrective action tracking and remediation management process.

7.Enterprise wide risk comparison and a prepare a risk dashboard

8.Conduct and document a formal lessons learned process from the production assessment task. This will provide the ability to formalize the lessons learned and resulting action plans for the broader rollout of the GRC functionality and processes to all of the remaining agencies.

9.Deliverable:

a)Deployment of the NIST risk assessment result and enterprise risk dashboard

G. Web Vulnerability Dashboard and Remediation

1.Use XML feeds from EISO web vulnerability scanners (Nexpose, Web Inspect, etc.) to identify potential vulnerabilities from existing websites.

2.Create an import application which will import OA/OIT conducted infrastructure assessments results into the RSA Archer solution. This includes 3rd party assessments as well as assessments provided by business partners such as the PA Compute Service contract.

3.Create dashboard that will show vulnerabilities broken down by agency and their current remediation status.

4.Leverage RSA SecOps incident response to assign remediation tickets to agency ISO.

5.Deliverable:

a)Create XML feeds for EISO web vulnerability scanners.

b)Create web application that will enable vendors and business partners the ability to upload assessments.

c)Create remediation application that will enable EISO to assign remediation activities to agencies.

d)Create executive dashboard that shows the current web vulnerabilities along with the status of remediation activities.

VII.Reports and Project Control.

The Contractor shall provide project management services throughout the life of the purchase order. The Contractor shall provide the following:

A.Task Plan. The Contractor shall update and maintain its proposed work plan. Identify the work elements of each task, the resources assigned to the task,the time allotted to each element and the deliverable items to be produced.Include a PERT or GANTT chart display should be used to show project, task, and time relationship.

B.Weekly Status Meeting. The Contractor shall prepare for and lead a weekly status meeting with the CISO. The weekly status report described in IV-5.c shall serve as the agenda.

C.Weekly Status Report. The Contractor shall create and submit a weekly progress report covering, at a minimum, activities completed in the reporting period, activities scheduled for the upcoming reporting period, issues and recommendations. This report should be keyed to the work plan the Contractor developed in its proposal, as amended or approved by the Issuing Office.

D.Issue Identification Report. The Contractor shall provide an “as required” report, identifying problem areas. The report should describe the issue and its impact on the overall project and on each affected task. It should list possible courses of action with advantages and disadvantages of each, and include Contractor recommendations with supporting rationale.

VIII.Definitions

Information technology (IT) assets are the processes, procedures, systems, infrastructure, data, and communications capabilities that allow each agency to manage, store, and share information in pursuit of its business mission, including but not limited to:

A.Applications.

B.All data typically associated with IT systems regardless of source (agency, partner, customer, citizen, etc.).

C.All data typically associated with IT systems regardless of the medium on which it resides (disc, tape, flash drive, cell phone, personal digital assistant, etc.).

D.End-user authentication systems.

E.Hardware (voice, video, radio transmitters and receivers, mainframes, servers, workstations, personal computers, laptops, and all end point equipment).

F.Software (operating systems, applications software, middleware, microcode).

G.Infrastructure (networks, connections, pathways, servers, wireless endpoints).

H.Services (data processing, telecommunications, office automation, and computerized information systems).

I.Telecommunications hardware, software, and networks.

J.Radio frequencies.

K.Data computing and telecommunications facilities.

Attachment B

DOMESTIC WORKFORCE UTILIZATION CERTIFICATION

To the extent permitted by the laws and treaties of the United States, each proposal will be scored for its commitment to use the domestic workforce in the fulfillment of the contract. Maximum consideration will be given to those Contractors who will perform the contracted direct labor exclusively within the geographical boundaries of the United States or within the geographical boundaries of a country that is a party to the World Trade Organization Government Procurement Agreement. Those who propose to perform a portion of the direct labor outside of the United States and not within the geographical boundaries of a party to the World Trade Organization Government Procurement Agreement will receive a correspondingly smaller score for this criterion. In order to be eligible for any consideration for this criterion, Contractors must complete and sign the following certification. This certification will be included as a contractual obligation when the contract is executed. Failure to complete and sign this certification will result in no consideration being given to the Contractor for this criterion.

I, ______[title] of ______[name of Contractor] a ______[place of incorporation] corporation or other legal entity, (“Contractor”) located at ______

[address], having a Social Security or Federal Identification Number of ______, do hereby certify and represent to the Commonwealth of Pennsylvania ("Commonwealth") (Check one of the boxes below):

 All of the direct labor performed within the scope of services under the contract will be performed exclusively within the geographical boundaries of the United States or one of the following countries that is a party to the World Trade Organization Government Procurement Agreement: Aruba, Austria, Belgium, Bulgaria, Canada, Chinese Taipei, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hong Kong, Hungary, Iceland, Ireland, Israel, Italy, Japan, Korea, Latvia, Liechtenstein, Lithuania, Luxemburg, Malta, the Netherlands, Norway, Poland, Portugal, Romania, Singapore, Slovak Republic, Slovenia, Spain, Sweden, Switzerland, and the United Kingdom

OR

 ______percent (_____%) [Contractor must specify the percentage] of the direct labor performed within the scope of services under the contract will be performed within the geographical boundaries of the United States or within the geographical boundaries of one of the countries listed above that is a party to the World Trade Organization Government Procurement Agreement. Please identify the direct labor performed under the contract that will be performed outside the United States and not within the geographical boundaries of a party to the World Trade Organization Government Procurement Agreement and identify the country where the direct labor will be performed: ______

______

[Use additional sheets if necessary]

The Department of General Services [or other purchasing agency] shall treat any misstatement as fraudulent concealment of the true facts punishable under Section 4904 of the Pennsylvania Crimes Code, Title 18, of Pa. Consolidated Statutes.

Attest or Witness:______

Corporate or Legal Entity's Name

______

Signature/DateSignature/Date

______

Printed Name/TitlePrinted Name/Title