Specifications include, but are not limited to: Through this ITQ, the State seeks proposals from Responsible Respondents for the following services. To be considered for inclusion in the listing, the Respondent must separately address each category of services with a narrative response. In addition, letters of reference addressing the categories of services are required:

4.1.1 Cybersecurity Risk Assessments, including but not limited to risk assessments performed pursuant to HIPAA, NIST SP 800-53, SOC 2 Type 2, ISO 27001, MARS-E, CJIS, etc.
4.1.2 Breach Notification Assistance, including assisting Purchasing Entities in the event of a data breach by providing expertise in navigating the regulatory obligations associated with breach notifications. This would potentially include preparing required notifications, coordinating with relevant oversight authorities and other crisis communication assistance, and coordinating or providing credit monitoring.
4.1.3 Incident Response Planning and Execution, including collaborating with Purchasing Entities to develop a robust incident response plan, and potentially assisting in the execution of the plan to contain an incident and facilitate recovery efforts.
4.1.4 Vulnerability Assessment and Penetration Testing, which may include conducting regular vulnerability assessments and penetration tests to identify weaknesses in a Purchasing Entity’s systems and networks.
4.1.5 Security Awareness Training, which may include designing and delivering cybersecurity training programs, including the ability to conduct phishing tests, for Purchasing Entities.
4.1.6 Security Monitoring and Threat Detection, including implementing advanced monitoring tools and technologies to continuously monitor the Purchasing Entity’s network and systems for unusual activities and potential security breaches, as well as providing real-time alerts and insights to enable rapid response.
4.1.7 Security Policy and Procedure Development, including collaborating with Purchasing Entities to develop comprehensive cybersecurity policies and procedures tailored to a Purchasing Entity’s specific needs, thereby establishing guidelines for security practices, access control, data handling, incident response, and compliance requirements...