The vendor is required to provide asset management services for projects carried out by any of the health authorities.
- Facilities, systems, database and device security
• Implement adequate physical controls and processes to ensure that only authorized persons have physical access to the facilities and systems.
• The contractor must develop, document, and disseminate a physical and environmental protection policy that it reviews at least annually.
- Systems (including servers) hardening
• Harden all systems against attack and misuse, using appropriate security best practices for the hardening of the specific deployed platform, before placing those systems into production;
• Ensure that all unsecured and unneeded ports, services, applications, protocols and network communicating applications are uninstalled or disabled on all systems;
• Applying least privilege, ensure that the contractor only configures and makes operational ports, services, applications, protocols and network communicating applications based on the functional requirements of the respective systems;
• Ensure that default passwords and shared accounts are not used for any systems; and
• In relation to systems, implement server hardening using configuration security best practices (for example, Center for Internet Security, Inc. (CIS) benchmarks or equivalent) for any server operating systems, server virtualization, server middleware (for example, web servers and database servers) and application servers.
- Perimeter controls (firewall and intrusion prevention system) and network security
• Implement stateful packet inspection firewalls to control traffic flow to and from systems and tenancy at all times, and configure the stateful packet inspection firewalls applying security best practices and least privilege;
• Implement an intrusion prevention system to control and filter traffic flow leaving and entering systems and tenancy at all times, and configure the intrusion prevention system applying security best practices; and
• Implement a secure network perimeter and network segmentation for systems, with ingress and egress points that are known and controlled.
- Application firewall
• At such level of protection as the health organization may instruct; and
• To detect and mitigate application attacks
- Management network
• The management network remains logically separated from any other zone and is not directly accessible from the internet;
• The management network is internally segmented, with each server’s dedicated network interface on its own segmented network, and interfaces on the management network do not have visibility to each other; and
• All access to the management network is strictly controlled and exclusively enforced through a secure access gateway, bastion host or equivalent.
- Remote management and secure access gateway
• Perform any remote management of systems or devices in a secure manner, using encrypted communication channels and adequate access controls.
- Database security
• Database maintenance utilities that bypass controls are restricted and monitored;
• There is a formal approval process in place for handling requests for disclosure of database contents or for database access, including steps to evaluate privacy impacts and security risks of such requests; and
• Methods to check and maintain the integrity of the data are implemented (for example, consistency checks and checksums)
- Device security and antivirus scanning
• Have antivirus and malware protection as appropriate for the particular device active at all times;
• Are configured to perform antivirus scans at least once per week;
• Have host-based firewall configured, enabled and active at all times; and
• Have all patches and appropriate security updates installed for the operating system and all installed software.
- Asset disposal
• All disposals of assets used in providing or relating to the services are done in a secure manner that ensures that protected information cannot be recovered.
- Asset management
• Asset management and disposal policies that are followed, and reviewed and updated regularly in line with security best practices, and that address hardware, software and other critical business assets.
• Asset management inventory that includes the name of the system, location, purpose, owner, and criticality, with assets added to inventory on commission and removed on decommission.
- Contract Period/Term: 3 years
- Questions/Inquiries Deadline: September 12, 2025