Specifications include, but are not limited to: a complete Data Classification and Data Loss Prevention (DLP) solution; the City uses a hybrid solution for computer and user management. The City uses on-premise Active Directory, and Microsoft365 provides access to communication, productivity and storage applications. • There are 664 Office365 accounts broken down in the following license type: o F3: 176 o G1: 222 o G3: 266 • There is a total capacity of 10TB allocated to SharePoint used for file storage. • There is a current total of 11.1TB of OneDrive files • There is a current total of 10.3TB of on-premise storage • There are 630 end-user laptops and desktops, and 33 servers. OVERALL SCOPE OF PROJECT INCLUDES: General Requirements • Data stored on servers in United States • Able to complete vendor cybersecurity questionnaire • SAML integration with Azure / MFA capability • SLA information • Implementation assistance and training • Both Data Classification and Data Loss Prevention should apply to data in transit, data in use, and data in rest. • Executive Summary level reporting on both DC and DLP • Advanced reporting on both DC and DLP • Desirable: End user training if user is taking action that is not compliant with the sharing of sensitive information Data Classification Requirements • Service to classify all files within SharePoint, OneDrive and those locally stored on end user devices. o Data should be classified based on custom descriptions, such as Public, Internal, Sensitive, Confidential o Service should make it easy to define what type of data is Sensitive and Confidential o Service should be able to clearly state what data contains PII, PHI and PCI • Service to provide locations on where sensitive and confidential information is being stored. • Service to force users to choose a classification level when saving documents • Service to watermark documents identified as Sensitive or Confidential without affecting existing headers and footers (if applicable) • Integration with Office365 for email classification o Service to identify sensitive or confidential data prior to email being sent o Service should encrypt emails that contain confidential information if user forgets. Data Loss Prevention Requirements • Service to alert administrators when sensitive or confidential information is emailed • Service should have role-based ‘background’ as some employees (eg Human Resources) may be more likely to have access to sensitive information. • Service to prevent data defined as sensitive or confidential to be saved onto removeable media • Service to prevent data defined as sensitive or confidential to be uploaded onto the web • Service to identify users that are performing actions that may indicating attempts to expose, share, or remove sensitive or confidential data. • Service to be able to provide robust logging to aid in investigations regarding data loss
