IT Maintenance Services

The Vendor is required to provide for the management and monitoring of the fund’s information technology (IT) systems, applications, network, and data.
- Maintenance Services – on call maintenance support services must be available Monday-Friday 8am – 6pm EST excluding City recognized holidays for the users, systems, network, and applications located in state.
- The support must include access to a 24-hour help desk (not an answering service and a call back method to reach the assigned technical or service desk team) as well as available on-site technical support for IT issues that arise.
- The Fund must have a direct line for IT staff to IT staff vs. user to IT staff.
- The users and devices to be supported at this location include (but are not limited to) the following:
• Currently Seventy (70) Users which is expected to grow
• 2 Host Xen-based hypervisor environment
• Switches, POE Switches
• SonicWALL Firewall
• 4 x UPS
• Firewall
• 120 monitors
• 100 endpoints
• Wireless Access Points
• 2 x Scanners
• 2 large format multifunction copiers, 8 network printers.
- Backup and recovery – Provide backup monitoring and support for Azure Infrastructure, Desktops and all virtual machines and file stores.
- provide a service level guarantee of response time of the following:
• Critical Issues – 30 minutes
• General Support – 2 hours - Services include:
• Maintain VPN connectivity to agency, city net and oracle cloud infrastructure. 
• There may be more VPNs in the future.
• Maintain our FWaaS deployment that connects all networks together as well as remotely administer firewall policies.
• maintain our small mobile device management deployment
• Administrative access is required to be shared by both parties for all systems we need to operate.
• It's generally understood that our office staff will not make any changes. 
• Various auditors expect separation of duty and activity to be recorded. 
• This applies for firewalls, domain controller, network equipment, etc.
• Maintenance of security posture that is dictated by cyber insurance, agency OTI and by other industry standards or norms.
• DR/BCP rehearsals with documentation furnish able to auditors and cyber insurance carrier upon request. 
• Random file and VM restores unless these are utilized frequently enough.
• There will be independent penetration testing annually (minimum). 
• If security issues are found, it will need to be remediated within 60 days of report issuance.
• The fund may have specialized tools for cyber security. 
• We will provide training and usage guidance for these tools at no cost to the winning vendor.
• Security and patching - it is a mandatory requirement that the fund is current with patches. 
• We do not want to be constantly remediating. 
• This overhead should be built into the monthly fee as it should be routine. 
• OTI has monitoring teams also assisting us with guidance. 
• If instead the fund decides to use an automated tool that also has definitions for patching, the cost of the overhead should not be built into the monthly fee since the fund would be paying for these tools separately. 
• We will also provide timely alerts on where patching is needed. 
• There's also a cost where there's time needed for troubleshooting software issues, such as updating in tune with a deployment package and why it might not be deploying.
• Proactive monitoring and any initiatives taken to secure the network must be carried out promptly.
• Proactive rolling out policies (e.g. MFA) based on industry trends and developments in government administration (e.g. doxing).
• All credentials must be utilizing password-less or MFA login through azure ad.
• All endpoint devices and traffic must be secured through provided FWaaS. 
• This is not negotiable unless the technical reason makes this unfeasible and there are no reasonable alternatives. 
• Servers have restricted internet access needed to retrieve files from designated addresses. 
• All other internet access is blocked at the perimeter. 
• Logging setup of any services must be made available to a syslog cyber security server. 
• This is required to be provided for auditing and cyber insurance compliance.
• All permissions need to be handled by group policy or group containers. 
• Unless there are extraordinary circumstances, there should be no single person configured in a standalone policy.
• No mass change is allowed by command line or batch files at workstation start up unless these are one time changes. 
• If something needs to be applied periodically, you cannot send a onetime command to the machines. 
• These have to be group-policy based and cannot be done as a batch or command line at start up.
• Routine scuba gear runs and remediation across various cybersecurity disciplines. 
• Expect penetration test remediation annually. 
• This should be built into the monthly fee for services. 
• It is assumed that expertise provided would yield a clean penetration test pass every year.
• Routine documentation of user account review and clean up (for auditing purposes).
- Contract Period/Term: 2 years
- Pre-Proposal Conference Date: July 7, 2025
- Questions/Inquires Deadline: July 11, 2025