REQUEST FOR PROPOSAL: Security Assessment

RFP Number: 041414-01 April 14, 2014

140 East Town Street Columbus, Ohio 43215 John J. Gallagher, Jr., Executive Director

_____________________________________________________________________2

Ohio Police & Fire Pension Fund - Request for Proposal SECURITY ASSESSMENT RFP Number RFP041414-01

NOTICE EXCEPT AS NOTED IN THIS “REQUEST FOR PROPOSAL: SECURITY ASSESSMENT: RFP041414-01 (THE RFP),” PRIOR TO THE TIME OF A DECISION BY OHIO POLICE & FIRE PENSION FUND (“OP&F”), THERE SHALL BE NO COMMUNICATION OF ANY TYPE REGARDING THIS RFP, ANY ASPECT OF A RESPONSE TO THIS RFP, OR THE AWARDING OF A CONTRACT RELATED IN ANY WAY TO THIS RFP BETWEEN ANY PROPOSER OR PROSPECTIVE PROPOSER (THE “PROPOSER”) AND ANY (1) OP&F BOARD MEMBER, (2) OP&F EMPLOYEE, (3) CONSULTANT CURRENTLY ENGAGED BY OP&F OR EMPLOYEE OR OTHER PERSON AFFILIATED WITH OR PROVIDING SERVICES TO OR ON BEHALF OF SUCH CONSULTANT’S STAFF, (4) ELECTED OFFICIALS OR THEIR STAFF MEMBERS OR (5) OTHER PERSONS IN A POSITION TO INFLUENCE OP&F’S DECISION AT ANY TIME DURING THE RFP PROCESS IN REGARDS TO THIS RFP, A PROPOSAL, OR THE AWARDING OF THE CONTRACT UNTIL THE AWARD IS ANNOUNCED, EXCEPT AS REQUESTED BY OP&F OR AT THE TIME SPECIFIED FOR ORAL PRESENTATIONS BY SELECTED FIRMS. ANY COMMUNICATION BY A PROPOSER IN VIOLATION OF THE FOREGOING TERMS SHALL BE CONSIDERED GROUNDS FOR AUTOMATIC DISQUALIFICATION OF THE PROPOSER.


Table of Contents

Section 1  General RFP Information ... 4
  1.1 Contact Person for RFP Inquiries ... 4
  1.2 Questions Regarding this RFP ... 4
Section 2  General Overview of OP&F ... 4
Section 3  General Overview of the Project ... 5
  3.1 Project Overview ... 5
  3.2 Infrastructure Scope ... 5
  3.3 Overview of Security Assessment ... 7
  3.4 Expectations ... 20
Section 4  Detailed RFP Information ... 20
  4.1 Clarifications Regarding this RFP ... 20
  4.2 Statement of Confidentiality ... 20
  4.3 RFP Contents ... 20
  4.4 Response Format ... 20
  4.5 Response Submission Instructions ... 21
  4.6 RFP Schedule ... 22
  4.7 Selection Process and Oral Presentations ... 22
  4.8 Analysis/Evaluation Criteria ... 22
  4.9 Additional Information ... 22
Section 5  General Questionnaire ... 24
Section 6  Costs ... 25
Section 7  References ... 25
Section 8  Terms and Conditions ... 26
Appendix A  Vendor Disclosure and Restrictions to Board of Trustees ... 27
Appendix B  Reporting and Registration Requirements under Ohio Law ... 28


Section 1 – General RFP Information:

1.1 OP&F Contact Person for RFP Inquiries The contact person at OP&F for inquiries concerning this RFP is the Purchasing Manager. The Purchasing Manager’s contact information is:

Janeane N. Mayesky, C.P.M., A.P.P., CM
Purchasing Manager
Ohio Police & Fire Pension Fund
140 East Town Street
Columbus, Ohio 43215
E-mail: [email protected]

Except as otherwise directed in this RFP, all inquiries, notices or other communications from a proposer to OP&F concerning this RFP shall be directed IN WRITING to the Purchasing Manager via e-mail. TELEPHONE INQUIRIES CONCERNING THIS RFP WILL NOT BE ACCEPTED OR RETURNED.

1.2 Questions Regarding this RFP

All questions submitted should include the name of the proposer’s contact person and that person’s telephone number and e-mail address. All questions must be received by 4PM (EDT) on April 25, 2014. Questions received after that time will not be considered.

Each question, or in OP&F’s discretion a paraphrased form of a question, and OP&F’s response will be posted to OP&F’s website (www.op-f.org). All written questions that are properly and timely submitted will be answered by May 2, 2014. All posted questions and responses will become an addendum to the RFP and become part of the RFP as fully set out therein. It is the proposer’s responsibility to periodically check the OP&F website until the posted RFP Response Due Date to obtain any issued addenda. OP&F will not respond directly to a proposer concerning an inquiry about this RFP.

Section 2 – General Overview of OP&F

The Ohio Police & Fire Pension Fund (OP&F) is one of the five Ohio retirement systems. It provides pension, disability and survivor benefits, and sponsors health care and prescription drug coverage (through contracts with providers), for eligible retired police officers and firefighters and their dependents and survivors in the state of Ohio. OP&F’s plans are not subject to the Employee Retirement Income Security Act of 1974.


Section 3 – General Overview of the Project

3.1 Project Overview

The Ohio Police & Fire Pension Fund is searching for a company to conduct a security assessment of its infrastructure. This should include complete internal and external testing and a full audit of security measures and policies. Any vulnerabilities and recommended changes should be reported.

3.2 Infrastructure Scope

OP&F's present core services computing architecture is composed of:

One data center at the 140 E Town St. Columbus, OH location with

a Gigabit Local Area Network running on Cisco switches with a Class A network of 10.0.0.0/8:
10.0.1.1 - 10.0.1.50 for Network Device Static IP Addresses
10.0.1.51 - 10.0.1.100 for Printer Static IP Addresses
10.0.1.101 - 10.0.1.254 for Server Static IP Addresses
10.0.2.1 - 10.0.2.25 for PC Static IP Addresses
10.0.2.26 - 10.0.3.254 for PC Dynamic (DHCP) IP Addresses

a Class C network of 192.168.0.0/24:
192.168.0.1 - 192.168.0.254 for DMZ Static IP Addresses

a Class C network of 172.16.14.0/24:
172.16.14.1 - 172.16.14.10 and 172.16.14.254 for Network Device Static IP Addresses for the BoardBook Portal
172.16.14.11 - 172.16.14.20 for Server IP Addresses for the BoardBook Portal

a Class C network of 192.234.215.0/24:
192.234.215.1 - 192.234.215.254 for the Telecom Range

spread over six floors, each with its own network closet containing a switch (4507, 3550, 3750; stacked on floors where possible) and network UPS devices


~200 user workstations running Windows 7

~65 servers (physical and virtual) running Windows Server 2003 and 2008

MS Exchange 2007
Active Directory
SharePoint
DNS, DHCP
ESXi 4.1 & 5.1
MS SQL Server 2005 & 2012
Oracle 11g R2
WS_FTP Server
Business web application
Employee remote access over clientless SSL VPN
Partner L2L (site-to-site) tunnel over IPsec

~7 servers running Linux for the BoardBook Portal (plan to migrate to Windows; however, timeline unknown at this time)

an external network of XX.XX.XX.160/28:
XX.XX.XX.162 - XX.XX.XX.174 Public IP Addresses, with Gateway XX.XX.XX.161
XX.XX.XX.162 - Firewall's external IP address, also VPN IP
XX.XX.XX.163 - Firewall's external IP failover address
XX.XX.XX.164 - SMTP, FTP & SFTP, HTTP & HTTPS, SSH, BlackBerry
XX.XX.XX.166 - BoardBook portal
XX.XX.XX.167 - SFTP portal
XX.XX.XX.168 - SelfService portal
XX.XX.XX.169 - SelfService portal
XX.XX.XX.170 - SelfService portal (QA)
XX.XX.XX.171 - SelfService portal (QA)
XX.XX.XX.174 - Pitney Bowes Connect+
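The address plan above is the engagement's scope boundary. The following is an added example (not part of the RFP, and not OP&F tooling) of how a tester would encode it in Python to validate a target list before any scanning starts. It transcribes the internal ranges from Section 3.2, leaves the redacted XX.XX.XX.160/28 block as a parameter rather than guessing it, and uses the standard library's ipaddress module to flag that 192.234.215.0/24, listed above as an internal telecom range, is not RFC 1918 space and is globally routable, which is worth raising at kickoff. The prefix 203.0.113.160/28 used in the demo is RFC 5737 documentation space standing in for the redacted block, not OP&F's real prefix.

```python
from ipaddress import ip_address, ip_network, summarize_address_range
from typing import List, Optional, Tuple

# Address plan transcribed from Section 3.2 of the RFP (internal ranges only).
# The external XX.XX.XX.160/28 block is redacted in the RFP, so it is not
# hard-coded here; pass the real prefix to build_target_list() when known.
ALLOCATIONS: List[Tuple[str, str, str]] = [
    ("10.0.1.1",       "10.0.1.50",       "network device (static)"),
    ("10.0.1.51",      "10.0.1.100",      "printer (static)"),
    ("10.0.1.101",     "10.0.1.254",      "server (static)"),
    ("10.0.2.1",       "10.0.2.25",       "PC (static)"),
    ("10.0.2.26",      "10.0.3.254",      "PC (DHCP)"),
    ("192.168.0.1",    "192.168.0.254",   "DMZ (static)"),
    ("172.16.14.1",    "172.16.14.10",    "BoardBook network device"),
    ("172.16.14.254",  "172.16.14.254",   "BoardBook network device"),
    ("172.16.14.11",   "172.16.14.20",    "BoardBook server"),
    ("192.234.215.1",  "192.234.215.254", "telecom"),
]


def classify(addr: str) -> str:
    """Return the role the RFP assigns to an address, or 'out of scope'."""
    ip = ip_address(addr)
    for first, last, role in ALLOCATIONS:
        if ip_address(first) <= ip <= ip_address(last):
            return role
    return "out of scope"


def publicly_routable_ranges() -> List[str]:
    """Ranges the RFP lists as internal that are not private/special-use space.

    ipaddress's is_private answers against the IANA special-purpose registry
    (10/8, 172.16/12, 192.168/16 and friends), which is what makes
    192.234.215.0/24 stand out: it is globally routable address space.
    """
    flagged = []
    for first, last, role in ALLOCATIONS:
        nets = summarize_address_range(ip_address(first), ip_address(last))
        if any(not net.is_private for net in nets):
            flagged.append(f"{first}-{last} ({role})")
    return flagged


def build_target_list(candidates: List[str],
                      external_block: Optional[str] = None) -> Tuple[List[str], List[str]]:
    """Split candidate hosts into (in_scope, rejected).

    A host is in scope if a documented internal allocation covers it, or if
    external_block is given and the host is one of the .162-.174 public
    addresses the RFP lists (offsets 2..14 from the /28's network address;
    .161 is the gateway and is not OP&F's).
    """
    in_scope, rejected = [], []
    ext = ip_network(external_block, strict=False) if external_block else None
    for host in candidates:
        ip = ip_address(host)
        internal = classify(host) != "out of scope"
        external = (ext is not None and ip in ext
                    and 2 <= int(ip) - int(ext.network_address) <= 14)
        (in_scope if internal or external else rejected).append(host)
    return in_scope, rejected


if __name__ == "__main__":
    # Demo input is constructed; 203.0.113.160/28 is RFC 5737 documentation
    # space standing in for the redacted XX.XX.XX.160/28, not OP&F's prefix.
    demo = ["10.0.1.120", "10.0.3.100", "203.0.113.170", "203.0.113.161", "10.0.9.9"]
    ok, bad = build_target_list(demo, "203.0.113.160/28")
    print("in scope:", ok)
    print("rejected:", bad)
    print("not RFC 1918:", publicly_routable_ranges())
```

Running the demo rejects 203.0.113.161 (the gateway) and 10.0.9.9 (no documented allocation) and reports the telecom range as the only non-private block; a scanner fed only the in_scope list cannot stray outside what the RFP documents.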

an external internet presence: the OP-F.ORG domain, with WWW.OP-F.ORG pages linking to

Employer pension self service at XXX.XXX.OP-F.ORG running Java & Oracle PL/SQL


Member pension self service at XXX.XXX.OP-F.ORG running Java & Oracle PL/SQL

an internal SharePoint presence

a pension system comprising an OHS (Oracle HTTP Server, Apache-based) front end, Oracle Application Server, and an Oracle database. The pension system is written in Java and Oracle PL/SQL.

a mobile device operating/management system: BlackBerry Enterprise Server

an application control engine load balancer pair

a pair of ASA5520s in active-standby

a pair of FortiGate800s in failover

a CodeGreen Networks DLP appliance

a FortiMail Email Security virtual appliance

3.3 Overview of Security Assessment

(Please note this is not an all-inclusive list; any additional recommendations by the vendor are welcome, with a cost breakdown structure.)

Tasks and Sub-Tasks:

1. Physical Security Test

(A) Location, layout and security of facility

Are the servers/network equipment located in a secure, environmentally controlled facility?

Is the server/network room located away from heavy traffic areas and outside of public view? Are server/network facilities inconspicuously located? (No identifying signs or directions)

Are the server/network facilities free from risks of plumbing, equipment, or issues stemming from occupants of upper and lower floors?

Does the placement of server/network room walls and windows limit access by unauthorized individuals?

Is the general structure of the interior walls secure and constructed from the floor to the true ceiling, and not just the false one?

Are resources located in an area that can be locked during non-business hours?


Are appropriate devices used to control access to sensitive data?

Are the surrounding areas protected by perimeter security?

Is access to the server/network facilities limited to authorized personnel?

Is a pass, key lock, badge system or other control used to positively identify employees, suppliers, and visitors that have access to the server/network room?

Is a control system established to ensure identification of individuals having possession of the keys, cards, and badges at any given time?

Is access to the server/network room for maintenance and other facilities personnel controlled?

Is there a system established for the control of packages or containers entering or leaving restricted areas?

If an employee is terminated, are appropriate restrictions and loss of access rights immediately in place to prevent unauthorized access to the server/network room?

Are the work areas clear of software in various media, and locking keys properly secured during non-business hours?

Are master workstations with KVMs that can change the access rights of other workstations or users located in secure areas only?

Are all communication lines located in areas out of sight?

Are communication lines within the equipment room and elsewhere, where justified by data sensitivity and potential exposure, labeled with a code (with the key maintained by telecommunications personnel) rather than with a physical description?

Are access, fire, and other controls for the communications closets appropriate and consistent with the procedures used in the main server/network room facilities?

Where privacy of data is of great importance, are procedures established that require the shielding of cables and workstations to prevent electrical emanations that could be intercepted and read by an unauthorized person?


(B) Offsite Media Storage

Does media storage meet the archival and/or rotational access needs?

Are there procedures for logging data in and out of the media library?

Is the storage of paper and/or magnetic media allowed? Is that location secure?

Does the media storage area meet the organization’s requirement for common vaulting, safe-deposit boxes, and/or electronic vaulting?

Is the media encrypted? Are you able to extract pertinent information from “found” media?

Are storage security needs satisfied through the use of guards, TV monitors, third-party surveillance, and/or automated security systems?

Does the storage-building environment provide adequate protection from fire, electrical problems, civil disturbance, and natural disasters?

(C) Mobile/Remote Computing Security Control

Is the use of laptops and mobile computing devices properly controlled? What types of controls?

Are employees aware of the risks of stolen or compromised remote computing devices, and do they understand the policies and procedures for reporting a loss?

Is two-factor authentication being used for remote access?

Are you able to gain access to our network using a “found” laptop?

Is the mobile email secure?

(D) Inventory Control

Are there standards/procedures for introducing approved equipment types, such as workstations, into the network? Is the network configured to ensure only authorized and compliant workstations can connect to it?


Are workstation installations physically verified by checking the actual workstation?

Are procedures established for adding a new workstation or changing a LAN port?

Are there schedules and procedures for authorizing the introduction of communication lines, network addresses, and workstations inside and outside normal operating hours?

Is a formal testing procedure established covering the introduction of any new equipment or changes to the telecommunications network? Are formal testing procedures followed and verifiable?

Are network diagrams used to document both physical and logical connections between telecommunications and other data processing equipment? Are network diagrams stored in a location protected from unauthorized access?

Are items of network and telecommunications equipment, wherever located, verified and traced to inventory records and to network diagrams to determine that records are accurate?

Are asset tags or other I.D. markings used on all server/network equipment?

Are the accounting department’s fixed asset records of server/network equipment reconciled against the actual physical equipment on an annual basis?

2. Evaluate Data Security and Integrity

(A) Organization Data Security Policy Statements

Does the data security policy statement address ownership, custodial, and user information security responsibility?

Does the data security policy statement address protection of intellectual property?

Does the data security policy statement address automated information access control?

Does the data security policy statement address appropriate use of secure network sessions?

Are security policies and procedures in place and are they enforced?


Is a Standard Operating Procedure framework in place, or is one being considered?

Are the regulatory guidelines being addressed?

(B) Access Control Techniques

Are policies and procedures established for data access?

Is user responsibility for data file access and use defined?

Are access authorization requirements defined?

Is sensitive data identified and access rights specified?

Are procedures for authorization for non-routine access and use established?

Are system access violations monitored for follow-up action, and do controls exist to limit such access attempts?

Are there procedures to enact appropriate disciplinary actions or measures for personnel security breaches, including such items as termination of access rights or reassignment?

(C) Logon and Password Controls

Is all system access controlled through passwords and authorization codes that are validated by security software?

Are written requests required for Logon IDs?

Are Logon IDs shared among users?

Is concurrent use of Logon IDs allowed?

Is workstation access terminated when a workstation has been inactive for a specific length of time?

Are Logon IDs created for specific people rather than groups of individuals?


Is it required that passwords be changed as soon as they expire with a limit of one grace logon?

Are owners of Logon IDs allowed to change their own password? Is complexity being enforced?

Is it required that users must change their password after their first logon?

Are users prevented from displaying or sharing their passwords?

Are passwords prevented from being reused for a minimum of five iterations (password history)?

Are Logon IDs cancelled, deactivated or reassessed and modified when an individual leaves the organization or has a change of responsibilities?

Are Logon IDs that have been inactive for more than six months deleted or deactivated?

(D) Distribution or introduction of data

Are there procedures for bringing data and program files into the server/network system and controlling the risk of exposure to computer viruses through the introduction of such files?

Are there controls covering the import and export of data through any LAN gateways to other computerized systems beyond the LAN, the use of office automation equipment for non-business applications, and the introduction of non-authorized software into the network?

Are procedures established for introducing new software to computer systems?

Is there a policy, acknowledged by employees, that prohibits the introduction of unauthorized programs to any computer system?

Are passwords associated with security software changed on a periodic basis?

Is there a policy to control the general downloading of programs from sources such as Peer-to-Peer (P2P) Networks, Intranets, Partner networks and the Internet?

Do all connections pass through firewalls and are all connections from the organization network to external networks approved and managed by the delegated Security personnel?

(E) Data and program back-up and media protection


Are there specifications for data and programs that require no back-up?

Are there specifications for data and programs that require a secure on-site back-up?

Are there specifications for data and programs that require both on-site and off-site back-up?

Are back-ups of critical files, documentation, and forms stored in a secure, offsite location?

Are there procedures for determining what records will be needed to restore service for various levels of system failures?

Are there procedures established for the creation, maintenance, verification, and emergency use of back-up data?

Are there procedures for the control and erasure of scratch media?

Are there procedures for the control of checkpoint/restart data?

Are there procedures for the control of log and journal files?

Are there procedures for the control of media library?

Are there procedures for the permanent deletion of data or removal of storage media from surplus equipment?

Are there procedures for handling old media that have exceeded their lifetime or error-rate limits, or whose form factor is no longer in use?

(F) Malware prevention, detection and removal

Is virus detection software installed on computer systems and are procedures established for the use of this software?

Does the security training plan provide appropriate content regarding the threat of viruses?

Are off the shelf scanning tools used on servers and desktops with appropriate scanning intervals?

Are there appropriate response mechanisms in place if/when a virus is found, including communication to the delegated Security personnel and other users who may be at risk?

Are there appropriate mechanisms in place to deal with detected viruses that cannot be deleted?

Is virus scanning at the server or firewall level appropriate?

Do the delegated Security personnel review virus-scanning logs on a regular basis?

(G) Control of Interactive Internet Technology

Does the security training plan contain information regarding the potential risks of downloading applets?

Are there procedures for configuring browsers to accept applets from only trusted servers?

Are there procedures for blocking reception and distribution of applets as required?

Are there procedures for conducting regular audits by the delegated Security personnel?

3. Evaluate Network Security

Is the network layout and architecture secure?

(A) Ability to access our network

Are you able to access/hack into our network resources externally?

Are you able to access/hack into our network resources internally?

Are any vulnerabilities discovered during testing?

Do any unknown entry points exist on the network?


(B) Website and Custom Application Security

Are you able to identify if any open services are visible from the Internet?

Are you able to access any privileged information without providing required authentication?

Is the website open to parameter tampering such as URL manipulation?

The websites run on Java, Oracle 11g EE, jPDFWriter (Qoppa Software), ViewOne Pro (Daeja) and Jasper for reports. Are any of these components present in versions or configurations with known vulnerabilities?

Is there susceptibility to cross-site scripting?

Is the site susceptible to SQL injection? Are the database servers configured for security?

Is the site susceptible to buffer overflows?

Does the site employ cookies? Is the site susceptible to cookie poisoning?

Do any development backdoors or debugging options exist?

Are the Load Balancers configured securely and effectively?

Do any other website vulnerabilities exist?

Is the web application vulnerable to any kinds of exploits? Does it pass the code review?
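An added example (not OP&F's code, and not part of the RFP; the self-service portals are Java and PL/SQL, but the mechanism is language-neutral and is shown here in Python) of the cookie-poisoning check asked for above. It puts a session cookie whose role field is trusted as-is beside the hardened form, where the server HMACs the payload with a secret it never sends to the client, verifies with a constant-time compare, and rejects expired cookies. The key, user and role values are constructed for the demo; tamper() is what the tester does to the cookie in an intercepting proxy.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Server-side secret, constructed for the demo. In a real deployment this is a
# random key that never leaves the server.
SERVER_KEY = b"demo-only-replace-with-32-random-bytes"


def b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# --- Vulnerable form: the client-held cookie is the only source of truth ---
def make_cookie_unsigned(user: str, role: str) -> str:
    return b64e(json.dumps({"user": user, "role": role}).encode())


def read_cookie_unsigned(cookie: str) -> dict:
    # Base64 is encoding, not protection: whatever the client sends back is believed.
    return json.loads(b64d(cookie))


# --- Hardened form: payload.signature, HMAC-SHA256 over the payload, with expiry ---
def make_cookie_signed(user: str, role: str, ttl_s: int = 900,
                       now: Optional[float] = None) -> str:
    now = time.time() if now is None else now
    claims = {"user": user, "role": role, "exp": int(now + ttl_s)}
    payload = b64e(json.dumps(claims).encode())
    sig = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).digest()
    return f"{payload}.{b64e(sig)}"


def read_cookie_signed(cookie: str, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims only if the signature verifies and the cookie is unexpired."""
    now = time.time() if now is None else now
    payload, dot, sig = cookie.partition(".")
    if not dot:
        return None                                        # no signature present
    expected = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).digest()
    try:
        if not hmac.compare_digest(expected, b64d(sig)):   # constant-time compare
            return None
        claims = json.loads(b64d(payload))
    except ValueError:                                     # bad base64 or bad JSON
        return None
    if claims.get("exp", 0) < now:
        return None
    return claims


def tamper(cookie: str, **changes) -> str:
    """What the tester does: decode the payload, edit fields, re-encode, keep any signature."""
    payload, dot, sig = cookie.partition(".")
    claims = json.loads(b64d(payload))
    claims.update(changes)
    new_payload = b64e(json.dumps(claims).encode())
    return f"{new_payload}.{sig}" if dot else new_payload


if __name__ == "__main__":
    weak = make_cookie_unsigned("jdoe", "member")
    print("unsigned, role after tamper:", read_cookie_unsigned(tamper(weak, role="admin"))["role"])
    strong = make_cookie_signed("jdoe", "member")
    print("signed, tampered cookie accepted:", read_cookie_signed(tamper(strong, role="admin")) is not None)
```

The finding to write up is the first line of output: with the unsigned cookie the role becomes admin with no server-side check at all. The signed form also needs the expiry, because a valid signature alone lets a captured cookie be replayed indefinitely.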

(C) Use of dial-up lines

Are there procedures for the use of any dial-up lines?

Are dial-up lines controlled to prevent unauthorized access attempts?

Have all dial-up lines been identified and reviewed to determine whether they are necessary and approved?


Does the system log all unsuccessful password or authorization code access attempts?

(D) Use of Virtual Private Networks

Is the appropriate use of Virtual Private Networks (VPN) documented?

Are requirements documented for a Virtual Private Network and how the organization will plan to review them?

Is the management of security policy equivalency between networks regularly reviewed and updated?

Is there a process to provide backup connections for high impact applications in the event of an ISP outage or denial of service?

Is there a weakness in the encryption, where applicable?

Is the integration of centralized authentication and validation services supported?

Are personnel records checked to determine former employees’ access rights have been deleted?

(E) Monitoring of manufacturer, software vendor, and third-party access lines to the computer system

Are there procedures for orientation and monitoring of the activities of contractors and service personnel?

Is the use of manufacturer, software vendor, and third-party access to the computer system monitored?

Are access numbers, codes and passwords changed frequently?

Are procedures established for reporting unauthorized entry or unauthorized attempts to the delegated Security personnel?

(F) Network Security Breach Detection


Is the Operating System and application software logging process documented?

Are alarm and alert functions documented?

Are daily reviews of audit logs from access control mechanisms documented?

Is the process of reporting anomalies documented?

Is the firewall configured securely?

Is the UTM configured securely? Is the Email Security appliance configured securely?

Is a properly configured intrusion detection/prevention software/hardware used on the network?

Is supplemental intrusion detection/prevention software/hardware used on critical servers?

Is a Data Leakage Prevention software/Hardware solution in place? Is it configured correctly and efficiently?

Is the application control engine load balancer configured correctly and efficiently?

Are audit logs on internal protected servers reviewed on a weekly basis?

Is redundant intrusion detection used on highly critical servers?

Are tools used to monitor traffic patterns at known concentration points?

Is there an integrity assurance process to prevent the unauthorized modifications of the firewall configuration?

Is the firewall configured to produce daily, weekly, and monthly log reports so that network activity can be analyzed when needed?

Is there a procedure established for the periodic examination of firewall logs to determine if attacks have been detected?

Are security related events recorded on the firewall’s audit trail logs?


Are the following items logged: hardware & disk media errors, login/logout activity, connect time, use of system administrator privileges, inbound/outbound email traffic, TCP network connect attempts, inbound/outbound proxy traffic?
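An added example (constructed sample lines, not OP&F logs, and not part of the RFP) of how the tester can answer the list above from a day of collected logs rather than by interview: one pattern per required item, plus the pairing of sshd session open/close events that turns raw login/logout lines into the "connect time" the RFP asks for. The formats assumed are Linux auth.log (sshd, sudo), Cisco ASA 302013/302014 connection messages and Postfix; the patterns are starting points to adjust to whatever the servers in scope actually emit.

```python
import re
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed sample lines (not OP&F logs): Linux auth.log style for sshd and
# sudo, Cisco ASA 302013 style for TCP connections, Postfix style for mail.
SAMPLE_LOG = """\
Apr 14 08:01:02 boardbook1 sshd[2101]: Accepted publickey for deploy from 10.0.2.40 port 51022 ssh2
Apr 14 08:01:02 boardbook1 sshd[2101]: pam_unix(sshd:session): session opened for user deploy by (uid=0)
Apr 14 08:14:55 boardbook1 sudo:   deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/usr/sbin/service httpd restart
Apr 14 08:20:31 boardbook1 sshd[2101]: pam_unix(sshd:session): session closed for user deploy
Apr 14 08:21:07 asa-1 %ASA-6-302013: Built inbound TCP connection 884521 for outside:198.51.100.7/41022 (198.51.100.7/41022) to dmz:192.168.0.20/443 (203.0.113.20/443)
Apr 14 08:22:10 mail1 postfix/smtp[3320]: 4F2A1B: to=<member@example.net>, relay=mx.example.net[203.0.113.25]:25, status=sent (250 OK)
"""

# One pattern per item the RFP asks to be logged. "connect time" is not a log
# line of its own; it is derived by pairing session open/close events below.
REQUIRED: Dict[str, re.Pattern] = {
    "hardware & disk media errors":           re.compile(r"kernel: .*(I/O error|EXT4-fs error)|smartd\[\d+\]: .*FAILED"),
    "login/logout activity":                  re.compile(r"sshd\[\d+\]: (Accepted|Failed) |session (opened|closed) for user"),
    "use of system administrator privileges": re.compile(r"sudo: .*COMMAND=|su\[\d+\]: .*session opened for user root"),
    "inbound/outbound email traffic":         re.compile(r"postfix/(smtpd?|local|qmgr)\[\d+\]"),
    "TCP network connect attempts":           re.compile(r"%ASA-6-30201[34]: (Built|Teardown) (inbound|outbound) TCP connection"),
    "inbound/outbound proxy traffic":         re.compile(r"squid\[\d+\]|\bTCP_(MISS|HIT|DENIED)/\d{3}\b"),
}

LINE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")
SESSION = re.compile(r"sshd\[(?P<pid>\d+)\]: pam_unix\(sshd:session\): "
                     r"session (?P<what>opened|closed) for user (?P<user>\S+)")


def coverage(log: str) -> Dict[str, int]:
    """Count lines evidencing each required log category."""
    counts = {name: 0 for name in REQUIRED}
    for line in log.splitlines():
        for name, pat in REQUIRED.items():
            if pat.search(line):
                counts[name] += 1
    return counts


def session_durations(log: str) -> List[Tuple[str, str, int]]:
    """Derive connect time: (host, user, seconds) per paired sshd session open/close."""
    opened: Dict[Tuple[str, str], datetime] = {}
    out = []
    for line in log.splitlines():
        m = LINE.match(line)
        s = SESSION.search(line) if m else None
        if not s:
            continue
        key = (m["host"], s["pid"])
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")   # syslog has no year; fine within one day
        if s["what"] == "opened":
            opened[key] = ts
        elif key in opened:
            out.append((m["host"], s["user"], int((ts - opened.pop(key)).total_seconds())))
    return out


def missing(log: str) -> List[str]:
    """Required categories with no evidence in the log, in the RFP's order."""
    gaps = [name for name, n in coverage(log).items() if n == 0]
    if not session_durations(log):
        gaps.append("connect time")
    return gaps


if __name__ == "__main__":
    print("coverage:", coverage(SAMPLE_LOG))
    print("connect time:", session_durations(SAMPLE_LOG))
    print("not evidenced:", missing(SAMPLE_LOG))
```

On the sample, hardware errors and proxy traffic come back as not evidenced, which is either a finding or a prompt to pull logs from a source that was not collected; the single sshd session resolves to 1169 seconds of connect time.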

Is the firewall configuration documented and set to reject any kind of probing or scanning tool that is directed to it so that the firewall does not leak protected information?

Is the firewall configuration documented and set to block all software types that are known to present security threats to a network (such as ActiveX and Java) to better tighten the security of the network?

Is the firewall configuration documented and set to notify the Security Officer at any time of any security alarm by email, pager, or other means so that they may immediately respond to such alarms?

Are there any vulnerabilities in our telecom system that may lead to unauthorized information dissemination? Can the vulnerabilities be used to compromise the network?

Are switches configured securely? Can you gain access to the network by plugging yourself into an open port?

(G) Network Security Breach Response

Is there a documented process of restoring service after a network break-in?

Is there a process by which end users can report anomalies in system performance?

Is there a process of reviewing trouble reports for possible indications of intrusion activity?

Is there a process for coordinating potential intrusion activities with the Security Officer?

Does the process of restoring the firewall to a working state when a break-in occurs include provisions for disabling Internet access or using a secondary firewall to keep internal systems connected to the Internet?

Does the process of restoring the firewall to a working state when a break-in occurs include provisions to have the Security Officer reconfigure/patch the firewall to address any vulnerability that was exploited?

Are there procedures and guidelines for how to handle computer crimes?

Are actual or suspected hostile acts promptly reported to the appropriate security or law enforcement agency?

(I) Server Security

Are the patch levels (OS and applications) current?

Are there unnecessary services running?

Is there a weakness in the encryption, where applicable?

Is there a weakness in authentication?

Are there remotely exploitable vulnerabilities on the public-facing servers and the relational database servers?

Are the Virtual environments configured securely?

Are the Active directory structure and associations secure?

Is Active Directory vulnerable to LDAP injection, DoS attacks, etc.?

Is the Exchange environment setup securely?

Are the databases used secure?

4. Social Engineering

Are you able to gather information from our users that would help you compromise our systems?

Are you able to gain access into our office space without use of an access card? While walking the floor, does anyone question why you are there?


3.4 Expectations

OP&F expects to utilize an independent vendor to perform the work specified. This RFP is for a security assessment only and should not be construed as an opportunity to sell any proposer-represented products. While OP&F expects to have only a single point of contact, the successful bidder may propose the use of a subcontractor(s) or joint venture partner(s). In such case, the successful bidder will be expected to include in any agreement with a subcontractor or joint venture partner a provision that OP&F is intended to be the third party beneficiary under such agreement with rights to enforce the agreement without joinder of the successful bidder, which must be in a form acceptable to OP&F.

Section 4 – Detailed RFP Information:

4.1 Clarifications Regarding this RFP

OP&F, at any time, has the right to modify and make any clarifications to this RFP and will post such modifications and/or clarifications on our website at www.op-f.org. The proposer is responsible for periodically checking the website for any additional information.

4.2 Statement of Confidentiality

All information in this RFP is the property of OP&F. In consideration of your access to this information in this RFP, you agree that all information in this RFP is the property of OP&F, is confidential and will not be shared beyond the proposer’s need to prepare and submit a response to this RFP.

4.3 RFP Contents

The RFP references the following items: RFP, including:

• Appendix A: Vendor Disclosure and Restrictions to Board of Trustees
• Appendix B: Reporting and Registration Requirements under Ohio Law

4.4 Response Format

Proposal MUST include the following sections:

Introduction/experience, including:

• Cover letter, which should be signed by at least one individual who is authorized to bind the firm contractually;

• Overview of the proposer and its business, along with the same information for any proposed subcontractor(s) or joint venture partner(s) (should include a brief history, size of company, number/locations of office(s) and other pertinent information);


• Summary of the firm’s experience (should include experience providing similar services to public pension funds and/or quasi-governmental sectors);

• List of proposed key team members and bios and/or resumes for the proposer and any proposed subcontractors or joint venture partners; and

• Response to questionnaire outlined in Section 5. Technical Proposal

• The proposed methodology; • The proposed implementation plan including work plan, timeline and

implementation team; and • The resources expected of OP&F personnel, specifically the individuals needed

and corresponding time commitments of each, during the implementation process and throughout the remainder of the project

Cost Proposal • Detailed breakdown of anticipated costs as provided in Section 6 of this RFP.

Summary • Summary of why your firm should be selected to complete the security

assessment for OP&F. Attachments

• Appendices, if applicable • A copy of your proposed contracts; and • Work product samples (i.e., sample report), including communication materials.

4.5 Response Submission Instructions

Proposers must submit six (6) hardcopies of their proposal plus an electronic copy on compact disc in a .PDF or Word format (attachments need not be included in the electronic version) in accordance with the following:

If by Mail Delivery (via Postal Service/Overnight Carrier) to:

Ohio Police & Fire Pension Fund
Attn: Janeane N. Mayesky, C.P.M., A.P.P., CM
Purchasing Manager
140 East Town Street
Columbus, Ohio 43215

If by Hand Delivery to:

Ohio Police & Fire Pension Fund
Attn: Janeane N. Mayesky, C.P.M., A.P.P., CM
Purchasing Manager
140 East Town Street, Mail Services (Lower Level)
Columbus, Ohio 43215


OP&F must receive your proposal by the stated deadline as set forth in Section 4.6 below regardless of the postmarked date or delivery method. Please be advised that OP&F will not be responsible for delays in mail, overnight and/or hand deliveries. Late proposals will not be accepted and will be returned to the proposer.

4.6 RFP Schedule

Significant dates for this RFP are as follows:

RFP issued                                          April 14, 2014
Questions submitted in writing (final date/time)    4PM (EDT), April 25, 2014
OP&F posts responses to OP&F website                May 2, 2014
RFP response due                                    4PM (EDT), May 16, 2014
Presentations, if necessary                         June 2-5, 2014
Contract Award                                      June 2014
Target project start date                           July 15, 2014

Please note that the schedule is subject to revision at OP&F’s discretion due to unforeseen circumstances.

4.7 Selection Process and Oral Presentations

A review panel led by the Purchasing Manager will analyze and evaluate the proposals received in response to this RFP and, when appropriate, present recommendations to the Board of Trustees through the Executive Director. Finalist firms may be asked to make oral presentations to the review committee and/or the Board of Trustees. Such presentations will provide firms with an opportunity to answer questions regarding the proposal. All finalists and non-finalists will be notified by the Purchasing Manager.

OP&F reserves the right to clarify proposals after proposals are opened by contacting any proposer for clarification, if such is deemed necessary by the Purchasing Manager in his/her sole and absolute discretion.

4.8 Analysis/Evaluation Criteria

Understanding and compliance with RFP requirements/technical proposal    5 points
Firm’s experience in providing similar services                         15 points
Quality of proposed methodology                                         30 points
Overall reporting, accountability, guarantee of work, etc.              30 points
Cost Proposal                                                           20 points
Total Points Available                                                 100 points

4.9 Additional Information

EXCEPT AS NOTED IN THIS “REQUEST FOR PROPOSAL: SECURITY ASSESSMENT: RFP041414-01 (THE RFP),” PRIOR TO THE TIME OF A DECISION BY OHIO POLICE & FIRE PENSION FUND (“OP&F”), THERE SHALL BE NO COMMUNICATION OF ANY TYPE REGARDING THIS RFP, ANY ASPECT OF A RESPONSE TO THIS RFP, OR THE AWARDING OF A CONTRACT RELATED IN ANY WAY TO THIS RFP BETWEEN ANY PROPOSER OR PROSPECTIVE PROPOSER (THE “PROPOSER”) AND ANY (1) OP&F BOARD MEMBER, (2) OP&F EMPLOYEE, (3) CONSULTANT CURRENTLY ENGAGED BY OP&F OR EMPLOYEE OR OTHER PERSON AFFILIATED WITH OR PROVIDING SERVICES TO OR ON BEHALF OF SUCH CONSULTANT’S STAFF, (4) ELECTED OFFICIALS OR THEIR STAFF MEMBERS OR (5) OTHER PERSONS IN A POSITION TO INFLUENCE OP&F’S DECISION AT ANY TIME DURING THE RFP PROCESS IN REGARDS TO THIS RFP, A PROPOSAL, OR THE AWARDING OF THE CONTRACT UNTIL THE AWARD IS ANNOUNCED, EXCEPT AS REQUESTED BY OP&F OR AT THE TIME SPECIFIED FOR ORAL PRESENTATIONS BY SELECTED FIRMS. ANY COMMUNICATION BY A PROPOSER IN VIOLATION OF THE FOREGOING TERMS SHALL BE CONSIDERED GROUNDS FOR AUTOMATIC DISQUALIFICATION OF THE PROPOSER.

Upon completion of the analysis of the proposals, OP&F reserves the right to negotiate the final terms and conditions with the respondent selected. Any conflict between the RFP and any response shall be resolved in favor of the RFP. Any conflict between the RFP, the response, and the contract shall be resolved in favor of the contract. OP&F reserves the right to mail/e-mail the RFP to firms that are qualified to perform the services requested herein, even if such firm does not, on its own accord, request a copy of the RFP. By submitting a properly executed proposal, the proposer is certifying to OP&F that the proposal submitted is valid for 120 days after the RFP Response Due Date, as set forth in Section 4.6 above, for receipt of the proposal and the proposer acknowledges that it is in agreement with all terms and conditions presented in this RFP, the exhibits, and addenda to the RFP. OP&F reserves the right, without prejudice, to reject any or all proposals submitted. OP&F also reserves the right, without prejudice, to award only a portion of the RFP and/or select multiple vendors using various products that have been proposed. There is no express or implied obligation for OP&F to reimburse responding firms for any expense incurred in preparing proposals in response to this request. Proposals will not be made available for public inspection until OP&F has made a final award. All proposals received in response to the RFP will be maintained by OP&F and are a matter of public record and subject to public inspection.


This RFP is not a request for services, a contract or commitment of any kind on behalf of OP&F. This RFP is not an offer on behalf of OP&F but rather a request to receive a response. The submission of a response to this RFP does not in any way obligate or commit OP&F to purchase services or products or enter into an agreement or contract with the proposer. OP&F will consider the response as an offer to develop an agreement based upon the contents of the response. All responses become the property of OP&F.

Section 5.0 General

5.1 Questionnaire

1. Provide information on the bidder’s governing body as well as principal officers along with their relevant biographical information.

2. List any adverse criminal, civil, regulatory or government actions against any director or principal officer in the last 5 years or any investigation that has occurred within the past 36 months along with the outcome of that investigation. Indicate whether you have received notice or have any reasonable basis to believe that any criminal, regulatory or similar investigation of the proposer is likely to commence in the next 12 months.

3. List the holdings of the bidding party as well as any director or principal officer of the bidding party of (a) 5% or more in any publicly traded entity or (b) of any amount in any privately held entity from which the plan or bidding party purchases supplies or services.

4. List all members of any consolidated, controlled or affiliated group of corporations or other business entities of which the bidding party is a member.

5. Provide a general overview of Sarbanes-Oxley related policies and procedures.

6. Provide the mission statement of your organization.

7. Provide information on whether your organization has been involved in any recent acquisitions or mergers within the last 5 years and, if this applies, provide specific details on whether the acquisition or merger has been consummated and the status of such consolidation.

8. Identify the ownership structure of your organization and state of incorporation.

9. Describe your errors and omissions insurance and commercial general liability insurance and specify coverages.

10. Describe your records retention policy for the records that would be related to the services/products offered under this RFP.

11. Provide copies of the firm’s most recent audited financial statements and auditor’s management letter for the bidder and any proposed subcontractors.

12. Address whether the bidder or any subsidiary or any proposed subcontractor is currently in default on any loan agreement or financing arrangement with any bank, financial institution, or other entity. If yes, specify date(s), details, circumstances, and prospects for resolution.

13. Generally describe your disaster recovery program.

14. Generally describe any lobbying or third party marketing fees that will be paid, since OP&F will expect the proposer to represent and warrant under its agreement with OP&F that the proposer has not and will not pay any remuneration directly or indirectly to any third party in connection with this Agreement, including, but not limited to, a finder’s fee, cash solicitation fee, or fees for consulting, lobbying, advising on obtaining business from OP&F or otherwise.

15. Generally describe any objections to the proposer acknowledging receipt of and its willingness to comply with OP&F's Vendor Disclosure and Restrictions to Board of Trustees, which is attached as Appendix A.

Section 6.0 Costs

Please provide a detailed breakdown of all anticipated costs to complete the security assessment, which may not be increased after the contract has been awarded and will be subject to final negotiations.

Section 7.0 References

Vendor shall provide a minimum of three (3) major client references and a list of all similar engagements over the past five (5) years. At least one (1) reference should be of similar size to OP&F. Each reference should include: company name, company address, company contact and phone number, brief description of services rendered, and completion date of the project. In addition, vendor should provide the names of three (3) terminated clients over the past five (5) years. If not applicable, please state not applicable within your proposal.

Section 8.0 Terms and Conditions

OP&F makes no representations or warranties, expressed or implied, as to the accuracy or completeness of the information in the RFP and nothing contained herein is or shall be relied upon as a promise or representation, whether as to the past or the future. The RFP does not purport to contain all of the information that may be required to evaluate the RFP and any recipient hereof should conduct its own independent analysis of OP&F and the data contained or referenced herein. OP&F does not anticipate updating or otherwise revising the RFP other than described herein. This RFP may be withdrawn, modified or re-circulated at any time at the sole and absolute discretion of OP&F. OP&F reserves the right, at its sole and absolute discretion and without giving reasons or notice, at any time and in any respect, to alter these procedures, to change and alter any and all criteria, to terminate discussions, to accept or reject any response, in whole or in part, to negotiate modifications or revisions to a response and to negotiate with any one or more respondents to the RFP. OP&F is not and will not be under any obligation to accept, review or consider any response to the RFP, and is not and will not be under any obligation to accept the lowest offer submitted or any offer at all. OP&F is not and will not be under any obligation to any recipient of, or any respondent to, the RFP except as expressly stated in any binding agreement ultimately entered into with one or more parties, either as part of this RFP process, or otherwise. Any decision to enter into a binding agreement with a respondent to this RFP is in OP&F’s sole and absolute discretion.

Appendix A

Vendor Disclosure and Restrictions to Board of Trustees

1. A vendor shall disclose any of the following to the Board of Trustees and the Internal Auditor:

A. Campaign contributions valued in excess of $100 made to any State officeholder who appoints a member of OP&F’s Board of Trustees; or

B. Any charitable contribution valued in excess of $50 made at the request of any member of OP&F’s Board of Trustees.

2. All vendor disclosure of contributions and gifts shall be made as follows:

A. Upon submission of an initial application or proposal to do business with OP&F, a summary of contributions for the previous twelve months shall be submitted.

B. Within 30 days of an award of a contract by OP&F, the vendor must disclose contributions made from the award date to the date of initial application or proposal to do business that was submitted to OP&F.

C. Annually, for the previous calendar year, which is consistent with the reporting to the Ohio Ethics Commission under Ohio Revised Code Section 742.115, in accordance with the deadlines determined by OP&F.

3. Any violation of this policy may lead to the Board of Trustees declaring the vendor disqualified from doing business with OP&F and terminating any existing business relationship.

4. Nothing in this policy supersedes any applicable provision of the Ohio Revised Code or the terms of any agreement between the vendor and OP&F.

5. These policy requirements will be included in all contracts on or after the effective date of this policy.

Appendix B

Reporting and Registration Requirements under Ohio Law

The operation of the Ohio public pension plans is governed by specific statutes under Ohio law. These can be found in Chapters 101∗, 102, 145, 742, 3307, 3309 and 5505 of the Ohio Revised Code. Persons/entities doing business, or seeking to do business, with any of the Ohio public pension plans or making campaign contributions to, or on behalf of, a Board member or candidate for a Board position are governed by, and may be required to register or file reports with, the Joint Legislative Ethics Committee, the Ohio Ethics Commission, and/or the Ohio Secretary of State. The Ohio public pension plans cannot provide guidance about these requirements. To determine if these provisions apply to you, please contact the following agencies:

Joint Legislative Ethics Committee
50 West Broad Street, Suite 1308
Columbus, Ohio 43215
614-728-5100
http://www.jlec-olig.state.oh.us

Ohio Ethics Commission
8 East Long Street, 10th Floor
Columbus, Ohio 43215
614-466-7090
http://www.ethics.ohio.gov

Ohio Secretary of State
30 East Broad Street, 14th Floor
Columbus, Ohio 43266
614-466-4980
http://www.state.oh.us/sos/

The Ohio state retirement systems advocate full compliance with all applicable laws, registration and reporting requirements. The duty to comply, and to register or report as applicable, is the sole responsibility of the individual or entity conducting the activities described above.

∗ According to Section 101.97 of the Ohio Revised Code, a copy of which is the next page, third party marketing fees are prohibited with limited exceptions.

R.C. 101.97 Contingent compensation agreements prohibited; incentive compensation plan.

A. Except as provided in division (B) of this section, no person shall engage any person to influence retirement system decisions or conduct retirement system lobbying activity for compensation that is contingent in any way on the outcome of a retirement system decision, and no person shall accept any engagement to influence retirement system decisions or conduct retirement system lobbying activity for compensation that is contingent in any way on the outcome of a retirement system decision.

B. Division (A) of this section does not prohibit and shall not be construed to prohibit any person from compensating the person's sales employees pursuant to an incentive compensation plan, such as commission sales, if the incentive compensation plan is the same plan used to compensate similarly situated sales employees who are not retirement system lobbyists.