The Vendor is required to provide a virtual chief information security officer (vCISO) on a part-time basis to support the college's strategic security efforts.
- Provide expert virtual cybersecurity services up to twenty (20) hours a week during normal business hours which may be exceeded in the event of a security incident or breach.
- The vCISO will also be responsible for leading college efforts to address the nine (9) elements of the Act for compliance purposes.
- Analyze and iterate upon the previous risk assessment, conducted in 2024.
- Identify, estimate, and prioritize potential information and cyber security risks at the college.
- Examine the college's current technology, security controls, policies, and procedures to assess potential threats or attacks.
- Evaluate the college's threat landscape, vulnerabilities, and cyber gaps that pose a risk to its assets.
- Provide information security leadership, communication, investigation, mitigation, containment, and post-incident analysis in the event of a cyber incident.
- Provide guidance on real-time threats identified by the college's security operations center.
- Develop and implement the strategy to conduct regular security audits and assessments to identify vulnerabilities and ensure compliance with security policies.
- Write a clear and concise incident response plan that meets industry standards.
- Develop business continuity and disaster recovery plans and conduct annual tabletop exercises.
- Review and provide guidance on existing security awareness & training materials and activities.
- Security metrics & reporting
• Define and track key performance indicators (KPIs) and key risk indicators (KRIs) for cybersecurity.
• Provide monthly dashboards or scorecards to leadership.
- Cloud security posture management
• Review and advise on the security configuration of cloud services (e.g., Microsoft 365, AWS, Azure).
• Ensure alignment with CIS Benchmarks and shared responsibility models.
- Security architecture review
• Review and advise on network segmentation, identity and access management (IAM), and endpoint detection and response (EDR) strategies.
- Cybersecurity awareness program expansion
• Develop or identify role-based training for faculty, staff, and students.
- Tabletop exercises & incident simulations
• Include ransomware and insider threat scenarios in exercises.
- Emerging threat intelligence
• Provide quarterly threat briefings tailored to higher education.
• Integrate threat intelligence feeds into college security operations.
- Security budget & resource planning
• Make recommendations for a multi-year cybersecurity budget.
• Perform gap analysis to recommend staffing or managed services.
- Cyber insurance readiness
• Review current cyber insurance policies.
• Ensure controls meet insurer requirements and reduce premiums.
- Lead the investigation to determine the cause of the incident or breach, how it occurred, and what data or systems were affected.
- Oversee the remediation efforts to fix vulnerabilities and restore affected systems.
- Ensure that all actions taken during the incident or breach response are thoroughly documented.
- Conduct a post-incident review to evaluate the response and identify lessons learned.
- Provide a full written report of the incident, the nature of the breach, the compromised information, and the corrective actions taken to prevent future incidents or breaches.
- Contract Period/Term: 1 year
- The Pre-Proposal Conference Date: July 22, 2025
- Questions/Inquiries Deadline: July 29, 2025