Information Technology Security and Compliance Consulting Services

The vendor required to provide information technology security and compliance consulting services on an as-needed basis.
- Requirement:
•    Payment card industry (PCI) services
•    Health insurance portability and accountability act (HIPAA) services
•    Information technology audit services
•    Cyber security penetration testing services
•    Cyber security incident response (CIR) services
•    Public safety network and systems audit services
•    Information technology project management
•    Cyber security, risk, regulatory, technology managed services
- Payment card industry (PCI) services
•    Services within this category include activities related to PCI compliance. Examples of specific activities may include but not be limited to PCI auditing, web application assessment from approved scanning providers (ASV), risk assessment, remediation consulting, gap analysis, training, credit card data breach response, evaluating point-to-point encryption (p2pe) systems and implementations.
- Health insurance portability and accountability act (HIPAA) services
•    Services within this category require a thorough understanding of HIPAA regulations and include activities related to HIPAA compliance. 
•    Examples of specific activities may include but not be limited to HIPAA auditing, risk analysis and assessment, gap analysis, technical and policy assessments, vulnerability scanning, penetration testing, and remediation consulting. 
•    Vendor must demonstrate thorough understanding of HIPAA privacy rule, security rule, breach notification rule and enforcement rule and provide detailed information on how their services ensure compliance with these regulations.
- Information technology audit services
•    Services within this category include it audit and review services. 
•    Examples of specific activities may include but not be limited to evaluation of it general and application controls, it governance, security strategies and systems, general network topologies, connections to external parties, inbound and outbound remote access, it security policies and procedures, network device security (e.g., switches, routers, firewalls, wireless access points) – firmware and patching standards, endpoint devices (servers, workstations) – patching and antivirus checks, physical security, software code security (e.g., secure coding), data and configuration backup and disaster recovery, network management, provider and contractor access management, system administration and privileged access management, and network documentation creation and maintenance, and it audit frameworks such as national institute of standards and technology cyber security framework, control objectives for information and related technologies (COBIT),
- Cyber security penetration testing services
•    Services within this category include security penetration testing services. 
•    Examples of specific activities may include but not be limited to internal network penetration testing, external network penetration testing, web application testing, wireless network penetration testing, and social engineering test cases.
- Cyber security incident response (CIR) services
•    Services within this category include security architecture design, security incident response, policy review, and digital forensics. 
•    Incident response and management must be a core business function of provider. 
•    Providers must be capable of supporting county (where requested) to eradicate an attacker, secure county’s environment, help rebuild affected systems and perform root cause analysis of how the incident occurred (where possible).
- Public safety network and systems audit services safety industry
•    Services within this category include public safety network and systems audit and review services. 
•    Examples of specific activities may include but not be limited to evaluation of it general and application controls, it governance, security strategy and systems, general public safety network topology, connections to external parties, inbound and outbound remote access, it security policies and procedures, external network penetration testing, network device security (i.e. Switches, routers, firewalls, wireless access points) – firmware and patching standards, endpoint devices (servers, workstations) – patching and antivirus checks, physical security, data and configuration backup and disaster recovery, network management, provider and contractor access management, system administration and privileged access management, and network documentation creation and maintenance.
- Information technology project management
•    Services within this category include information technology project management services. 
•    Examples of specific activities may include but not be limited to, project planning and scheduling, budget management, risks and issue management, quality assurance and testing, technology implementation, project plans, agile and hybrid methodology management, compliance and governance, performance monitoring and reporting.
- Cyber security, risk, regulatory, technology managed services
•    Services within this category include risk, regulatory, technology managed services. 
•    Examples of specific activities may include but not be limited to, business managed services (i.e., finance and ERP), risk and regulatory managed services (i.e., cybersecurity, audit), technology managed services (i.e., AI governance, AI cybersecurity and risk mitigations, cloud operations), digital and enterprise services management.