University System Seeks Risk Assessment Help

The four-year university system is calling for assistance from contractors on a “risk assessment and collaboration tool.”

A crucial guiding entity at the nation’s largest four-year higher education system is seeking assistance on risk assessment.

In a request for proposal (RFP) released Feb. 24, the California State University Office of the Chancellor (CSUCO) wants to hear from IT vendors capable of providing it with a “Risk Assessment and Collaboration Tool” – an “information security risk management tool that can identify, assess and address information security risks and provide a platform for collaboration and communication that will aid in operational efficiency,” according to the RFP. Among the takeaways:

  • CSUCO seeks a “forward-thinking tool that can be integrated with other business processes,” including Higher Education Community Vendor Assessment Tool (HECVAT) review, assessment of information security risks, delivery of reports and “dashboards/registers,” and vulnerability statuses, and that can generally be incorporated into existing office processes. The tool should be able to easily incorporate assessments including documents from HECVAT and Educause Information Security Program Assessment Tool, as well as other risk assessments/surveys; have a process for inventorying sensitive data; and have the capability to integrate with other business processes. The tool may also be used for assessing risks associated with Health Insurance Portability and Accountability Act or Payment Card Industry compliance and collaboration initiatives.
  • Business problems needing to be addressed by the contractor selected include the current “manual nature of the risk assessment processes,” which makes it difficult to “consistently identify, assess and address risks”; the decentralized nature of assessments, leading to “ineffective management of the reassessment life cycle and the inability to collaborate”; the “inconsistent management of risk acceptances and exceptions”; the need for enhanced operational efficiency and to move assessments away from a dependency on spreadsheets. Additionally, a “decentralization of risk assessments” now leads to duplication of efforts with third-party vendors, and the decentralization of assessment data presents “versioning issues” relative to the assessment life cycle. CSU also lacks an “efficient centralized and automated process” for assessments and an efficient process to track risks, and control local versus central access to assessment data. The system has also had difficulty aggregating risk assessments and security surveys at the campus and chancellor levels. More specifically on risk reporting, CSU needs to be able to analyze and aggregate current and past assessment data at campus and system levels, communicate assessment status with business stakeholders, and separate requests by data classification. Collaboration needs include the ability to communicate with stakeholders during assessment, “keep up” with vendor change from a risk management vantage point, know which campuses or teams are working with which vendor, and understand the progress on risk assessments/HECVATs.
  • Minimum qualifications include at least three years’ experience in “development, deployment, operations and maintenance of a risk assessment system or systems similar in nature with comparable functions”; in developing solutions with the platform/tool proposed; and having worked on at least three projects with similar solutions and services during the last five years. Contractor must also show “thorough knowledge and experience” mapping risk assessment and business processes to “functional systems.”
  • The RFP’s overall objective is to enable selection of a contractor capable of providing “the best solution” within a $100,000-$150,000 budget and with a three-year contract. Questions are due by 2 p.m. March 15. Proposals are due by 2 p.m. April 1, with finalist interviews/demonstrations taking place later that month. Finalists will be required to demonstrate a simultaneous implementation in at least five campuses and the Chancellor’s Office. A notice of intent to award is expected in May-June, followed by award in June and start of services July 1.
Theo Douglas is Assistant Managing Editor of Industry Insider — California.