The vendor is required to provide expert virtual cybersecurity services up to twenty (20) hours a week during normal business hours which may be exceeded in the event of a security incident or breach.
• Perform a detailed cyber risk assessment that includes, but is not limited to, the following:
o Analyze and iterate upon the previous risk assessment conducted in 2024.
o Identify, estimate, and prioritize potential information and cyber security risks at the college.
o Examine the agency's current technology, security controls, policies, and procedures to assess potential threats or attacks; and
o Evaluate the agency's threat landscape, vulnerabilities, and cyber gaps that pose a risk to its assets.
• Be prepared to act as the agency's qualified individual (QI) to present quarterly reports to the agency board of trustees and leadership as required and specified by the Act.
• Enhance the agency information security program using a framework such as the Center for Internet Security (CIS) Critical Security Controls or CIS Implementation Group 1 (IG1) that protects the agency in accordance with the Act's security requirements:
o Use industry-standard benchmarks to track adherence to the selected framework.
o If needed, develop a step-by-step process for server hardening.
• Perform third-party and partner evaluations using the Higher Education Community Vendor Assessment Toolkit (HECVAT).
• Review and update, as needed, the third-party vendor management policy.
• Provide information security leadership, communication, investigation, mitigation, containment, and post-incident analysis in the event of a cyber incident.
• Update and enhance existing cybersecurity policies and procedures as required by the Act.
• The policies include, but are not limited to:
o Incident response plan
o Information security plan
o Third-party vendor management
o Vulnerability management
o Data management
o Software management
o Hardware asset management
• Provide guidance when analyzing real-time threats identified by the agency security operations center.
• Develop and implement the strategy to conduct regular security audits and assessments to identify vulnerabilities and ensure compliance with security policies.
• Write a clear and concise incident response plan that meets industry standards.
• Develop business continuity and disaster recovery plans and conduct annual tabletop exercises.
• Review and provide guidance on existing security awareness and training materials and activities.
• Participate in meetings as needed (i.e., weekly, monthly, quarterly, ad hoc, etc.). Under normal circumstances, in-person meetings are not required. In the event of an incident or breach, an in-person meeting may be required.
- Objectives
1. Security metrics and reporting
• Define and track key performance indicators (KPIs) and key risk indicators (KRIs) for cybersecurity.
• Provide monthly dashboards or scorecards to leadership.
2. Zero trust architecture (ZTA) guidance
• Assess agency readiness for zero trust.
• Develop a roadmap for implementing ZTA principles.
3. Cloud security posture management
• Review and advise on the security configuration of cloud services.
• Ensure alignment with CIS benchmarks and shared responsibility models.
4. Security architecture review
• Review and advise on network segmentation, identity and access management (IAM), and endpoint detection and response (EDR) strategies.
5. Data privacy and protection
• Support compliance with FERPA, HIPAA, and state privacy laws.
• Recommend data classification and data loss prevention (DLP) strategies.
6. Cybersecurity awareness program expansion
• Develop or identify role-based training for faculty, staff, and students.
7. Tabletop exercises and incident simulations
• Include ransomware and insider threat scenarios in exercises.
8. Emerging threat intelligence
• Provide quarterly threat briefings tailored to higher education.
• Integrate threat intelligence feeds into agency security operations.
9. Security budget and resource planning
• Make recommendations for a multi-year cybersecurity budget.
• Perform gap analysis to recommend staffing or managed services.
10. Cyber insurance readiness
• Review current cyber insurance policies.
• Ensure controls meet insurer requirements and reduce premiums.
- Cybersecurity incident or breach
• Notify agency immediately upon the discovery of an incident or breach by telephone and in accordance with the agreed upon incident response plan.
• Implement the incident response plan, ensuring that all relevant teams are mobilized and aware of their roles and responsibilities.
• Oversee the initial assessment to understand the scope and impact of the incident or breach.
• Coordinate with the AVP and CIO or director of information security and infrastructure to inform senior management and the board of trustees about the incident or breach and the steps being taken to address it.
• Lead the investigation to determine the cause of the incident or breach, how it occurred, and what data or systems were affected.
• Oversee the remediation efforts to fix vulnerabilities and restore affected systems.
• Ensure that all actions taken during the incident or breach response are thoroughly documented.
• Conduct a post-incident review to evaluate the response and identify lessons learned.
• Provide a full written report of the incident, the nature of the breach, the compromised information, and the corrective actions taken to prevent future incidents or breaches.
- Contract Period/Term: 3 years
- Pre-Proposal Conference Date: July 22, 2025
- Questions/Inquiries Deadline: July 29, 2025