The Vendor is required to provide security consulting services to strengthen the county’s security posture, reduce cyber risk, support regulatory and policy compliance, and protect county information systems, data, and critical services through a risk-based, standards-driven approach.
- Governance, risk, and compliance (GRC)
• Enterprise and system-level cybersecurity risk assessments and remediation plans aligned to the NIST Cybersecurity Framework (CSF) Identify (ID) function.
• Security program and control maturity assessments and remediation using NIST CSF profiles
• Development and maintenance of risk registers mapped to NIST SP 800-53, 800-73, and 800-171 controls, where applicable.
• Policy, standard, and procedure development or review and updates to support adoption and adherence to NIST controls and county governance objectives
• Support for compliance initiatives and audits using NIST SP 800-53, 800-73, and 800-171 as the baseline control families.
• Third-party and vendor security risk assessments aligned to the NIST CSF Supply Chain Risk Management category (ID.SC).
- Security assessments and testing
• Network, application, and system security assessments mapped to NIST technical and operational controls
• Vulnerability assessments with risk-based remediation guidance aligned to the NIST CSF Protect (PR) and Detect (DE) functions.
• Penetration testing coordination, oversight, and results interpretation, with findings mapped to NIST SP 800-53 controls.
• Secure configuration, architecture, and design reviews for on-premises, cloud, and hybrid environments, including endpoint detection and response, identity and access management, and network access controls.
- Incident response and readiness
• Incident response plan development and review aligned to NIST SP 800-61 and the NIST CSF Respond (RS) and Recover (RC) functions.
• Tabletop exercises and simulations based on realistic threat scenarios affecting public sector environments.
• Breach response advisory support, including coordination with legal, communications, and executive stakeholders.
• Post-incident analysis, root cause assessment, and remediation recommendations mapped to NIST CSF outcomes.
• Technical response to data breaches, intrusions, ransomware, or other attacks requiring system cleaning, recovery, and restoration, performed in coordination with county personnel.
• On-site incident response coordination and oversight of investigation, recovery, and communications efforts, working with county personnel.
- Identity, access, and data protection
• Identity and access management (IAM) strategy and technical assessments aligned to NIST SP 800-53 and 800-73, specifically the Access Control (AC) and Identification and Authentication (IA) control families.
• Reviews of MFA, privileged access management, and role-based access control implementations.
• Data classification, data protection, encryption, and data loss prevention strategies aligned to NIST SP 800-53 and the NIST CSF Protect (PR) categories.
- Strategic security advisory services
• Development of NIST CSF profiles, cybersecurity roadmaps, and multiyear security strategies, including detailed system- or program-level plans.
• Gap analysis between current-state and target-state IT control implementations.
• Security architecture reviews and security tool rationalization aligned to NIST principles.
• Budgetary planning and cost-benefit analyses tied to risk reduction and control maturity improvements.
• Executive, senior leadership, and board-level security briefings using NIST-aligned metrics and visuals.