The vendor is required to provide PCI, GLBA, and CIS audit services for the 15 state community colleges and 9 state universities.
- Services include:
  • PCI (Payment Card Industry) audit:
    o Initial assessment and planning:
      - Successful bidder(s) must develop an implementation plan for performing PCI audits in accordance with the timeline specified in, with all deliverables.
    o Audit:
      - The successful bidder(s) will be provided with contact information for each of the 24 campuses and will coordinate directly with the chief information officer (CIO) of each campus, or their designee, to conduct the PCI audit at each institution.
    o Final audit report:
      - Successful bidder(s) will produce a detailed audit report for each institution, containing the following sections.
      - Executive summary: an overview of the audit's scope, objectives, and methodology, along with a summary of the institution's compliance with the PCI Data Security Standard (DSS), highlighting key findings, concerns, and recommendations for next steps.
      - Scope and methodology: the areas assessed, an explanation of the audit approach, and the frameworks used for the PCI DSS audit.
      - Findings and compliance with PCI DSS requirements: findings related to data protection, encryption, access control, monitoring, incident response, and employee training.
      - This section also evaluates the institution's compliance with the PCI DSS requirements, specifically the areas related to securing payment card data, fraud prevention, and protection against unauthorized access.
      - Risk assessment and recommendations: an evaluation of risks to payment card information and suggestions for mitigating those risks.
      - The report will include actionable steps for improving compliance, strengthening data protection, and enhancing security practices, with timelines for addressing any identified gaps or vulnerabilities.
      - To avoid conflicts of interest, vendors may not recommend their own products or services to the campuses.
      - Conclusion: a checklist of PCI DSS compliance requirements and whether each was met. The conclusion should also include a list of the audit team members, their roles and qualifications, and a list of individuals or departments from the institution who assisted in the audit process.
    o Aggregate report:
      - Successful bidder(s) will also produce an aggregate audit report summarizing trends across all institutions without identifying them individually.
      - The audience will be the campuses and EOE.
      - The aggregate report will be similar in structure to the detailed audit report for each institution.
  • GLBA audit (Gramm-Leach-Bliley Act compliance)
    o Initial assessment and planning:
      - Successful bidder(s) must develop an implementation plan for performing GLBA audits per the timeline set out in section 3, with all deliverables due no later than May 30, 2025.
    o Audit:
      - Successful bidder(s) will be provided with contact information for each of the 24 campuses and will coordinate directly with the chief information officer (CIO) of each campus, or their designee, to perform the audit of each campus.