The vendor is required to provide cyber security managed services in order to enhance the security of the city's network, systems, and applications.
- Penetration testing services
• Provide penetration testing services, including but not limited to:
o Develop a detailed plan of testing protocols and timelines in collaboration with the city’s information security team.
o Conduct internal network penetration testing (approximately 8000 devices/IPs), starting with unauthenticated testing and progressing to authenticated testing if required.
o Test wireless networks.
o Conduct penetration tests on other identified security vulnerabilities.
• Upon completion of testing, provide a penetration testing report containing but not limited to the following information:
o Executive summary of findings
o Detailed documentation of all findings and testing
o Classification of findings based on industry standard risk models
o Remediation recommendations for findings
- Cybersecurity assessment
• The assessment will cover all city departments, with an initial focus on:
o Public safety: police, fire, and emergency management
o Public works: water service
o Department of transportation
• The assessment deliverables will include:
o Identification of key cybersecurity risks across departments
o Prioritization of risks based on impact and likelihood
o Recommendations for mitigation strategies
o Comparative analysis of initial vs. follow-up results (as applicable)
- Cybersecurity tabletop exercise
• Plan, schedule, and conduct annual cybersecurity tabletop exercises with ISD and other designated city staff which must include, but is not limited to:
o Design the exercise based on current real-world cybersecurity incidents
o Lead the exercise
o Provide a post-mortem report with recommendations for improvement
- Disaster recovery and incident response
• Review and update the disaster recovery (DR) plan, ensuring alignment with industry best practices.
• Assist the city in performing a DR exercise
• Support post-exercise analysis and improvements
• Develop an incident response (IR) plan, including:
o Conducting a tabletop IR exercise
o Providing post-exercise analysis and recommendations
- Risk management
• Develop a third-party risk management program to assess and mitigate cybersecurity risks associated with external vendors, suppliers, and service providers.
• This program will include:
o Risk assessment of third-party entities handling city data
o Evaluation of emerging threats, including risks associated with AI and generative AI (gen AI)
- Risk acceptance framework
• Establish a framework for evaluating and accepting risks related to:
o New technologies and technology initiatives
o Legacy systems and technical debt (in coordination with the business application and risk review process)
- Business application and risk review
• Conduct security risk assessments for key business applications and systems used by the city.
• Identify vulnerabilities and assess potential security risks associated with these applications.
• Provide recommendations for risk mitigation, including best practices for securing applications.
• Work with the city’s information security team to prioritize applications for review based on risk factors.
• Provide a report summarizing risk levels, vulnerabilities, and recommended security controls.
• Review and update the disaster recovery and business continuity plans based on these findings.
- Cybersecurity training and phishing simulation management
• Assist the city's information security team and other ISD staff in managing phishing simulations and cybersecurity training
o The city currently utilizes KnowBe4 for phishing simulations and cybersecurity training, but that may change in the future.
o Configuring the phishing simulations
o Assigning cybersecurity training to users
• Provide reports on simulation results
• Provide reports on training status
- Vulnerability management services
• Manage and operate the city's vulnerability scanning system
• Work with the city's information security team to define and implement a vulnerability scan schedule
• Provide scheduled and ad-hoc vulnerability reports for specific city resources
• Provide detailed remediation guidance.
- Contract Period/Term: 5 years
- Questions/Inquiries Deadline: September 29, 2025