
RFR RESPONSE PART A - TITLE PAGE, TABLE OF CONTENTS AND

RESPONSE SUBMITTED FOR RFR NUMBER: CTRPCI2007

TITLE: PAYMENT CARD INDUSTRY (PCI) DATA SECURITY STANDARDS (DSS) COMPLIANCE

COMMONWEALTH OF MASSACHUSETTS

RESPONSE SUBMITTED FOR THE REQUEST FOR RESPONSES (RFR) FOR:

TITLE: PAYMENT CARD INDUSTRY (PCI) DATA SECURITY STANDARDS (DSS) COMPLIANCE

RFR # CTRPCI2007

BIDDER NAME: Lighthouse Computer Services, Inc.

Bidder Name: Lighthouse Computer Services, Inc. Page 1 of 34.


INSTRUCTIONS:

1. The Written RFR Response must be submitted using this “RFR Response Template” as posted on the “Forms & Terms” Tab of Comm-PASS. This Template is being used so that all Responses appear uniform and consistent for selection purposes and to enable posting on Comm-PASS once selection is completed.

2. This WORD document must be used and may not be altered, reformatted or changed in any way or the Response will be subject to rejection.

3. Bidders must enter, or copy and paste information into the spaces provided for each question. The space will expand to accommodate the data entered. The Bidder may open the “footer” and add the Bidder’s Name to print on each page of the Response.

4. Bidders may not refer to outside attachments for key information related to answering the questions unless the Attachment is one of the Required Attachments for the RFR Response or is an attachment that must be completed as specified under the “Forms and Terms” tab for this RFR on Comm-PASS.

5. Each item must be addressed specifically by entering information in the required space. If an item is inapplicable, the Response must indicate "N/A" or “Not applicable” or other appropriate explanation.

6. Bidders are responsible for reviewing the “Forms & Terms” tab under this RFR in Comm-PASS for all the listed specifications and the required Forms that must be submitted with the RFR Response (in order to be considered for selection) or upon contract award and execution. Failure to submit the required Forms with the RFR Response, as specified, will be considered sufficient grounds for rejection of the Bidders Response.

Submission Of Responses

Number Of Copies Of Responses

1. (1) One Original hard copy of the Response. All Attachments with original signatures must be included with the Original.

2. (2) Two Photocopies of the Response, including attachments.

3. (10) Twelve CDs each with a copy of the entire Response (attachments do not have to be included).

Format Of Hard Copy Responses:

1. Bidders must submit RFR Response using the WORD document “RFR Response Template” posted on Comm-PASS using a standard (10 point or higher) font. See INSTRUCTIONS above.

2. Printed hard paper copy format; 8½ x 11 paper. All Responses and copies should minimize or eliminate use of non-recyclable or non re-usable materials such as plastic report covers, plastic dividers, vinyl sleeves and GBC binding. Responses should be bound in such a way that allows easy access for copying and recycling of paper materials, such as 3-ring binders, folders clips or staples.

3. All copies should be printed double sided.



4. Submittals if possible should be printed on recycled paper with a minimum post-consumer content of 20% or on tree-free paper (i.e., paper made from raw materials other than trees, such as kenaf). Bids should note whether recycled paper or tree-free paper is being used.

5. Marketing materials, samples, attachments or documents should not be submitted unless specifically requested in this RFR.

Deadline for Submission: Submit Responses by mail, hand delivery by the submission date listed in the RFR, or as amended, to:

COMMONWEALTH OF MASSACHUSETTS

RFR # CTRPCI2007

Title: PAYMENT CARD INDUSTRY (PCI) DATA SECURITY STANDARDS (DSS) COMPLIANCE

c/o Eric Berman, Procurement Team Leader

Office of the Comptroller

One Ashburton Place – 9th Floor

Boston, MA 02108

FAX OR ELECTRONIC RESPONSES ARE NOT ACCEPTABLE



RFR RESPONSE PART A

BIDDER AUTHORIZED CONTACT, INTRODUCTION AND CERTIFICATIONS

A-1. Authorized Representative and RFR Contact. Please complete the information below for the Individual who is an Authorized Representative of the Bidder, who can legally bind the Bidder during the RFR Interview and subsequent negotiations, and who shall serve as the RFR Contact for any questions or communication necessary during the procurement.

Bidder Name: Lighthouse Computer Services, Inc.

Mailing Address: 6 Blackstone Valley Place, Suite 205, Lincoln RI 02865

Authorized Representative/RFR Contact Name: Timothy Bernard

Telephone: (508) 254-2804

TTY/TTD: N/A

Email Address: [email protected]

Fax: (401) 334-0719

A-2. INTRODUCTION: Please provide, not to exceed 3 pages in length, the Bidder's understanding of the request for response, the requirements of the work the firm is bidding on, the work to be performed and bid upon, and provide an overview summary of the Bidder's qualifications and experience to perform the work requested. Please reference if the Bidder is, or will intend to subcontract with or use resources from small, minority or women business owned entities.

Answer:

After reviewing the Commonwealth of Massachusetts RFR # CTRPCI2007 for Payment Card Industry (PCI) Data Security Standards (DSS) Compliance, Lighthouse Computer Services, Inc. is pleased to respond with the services outlined in this document.

Lighthouse Computer Services, Inc. is approved by PCI as a Qualified Security Assessor. It presents this proposal of services in combination with two partners: Janus, a Qualified Security Assessor authorized to perform the required on-site PCI Data Security Standard (DSS) Assessments and certified as a woman business enterprise by the Commonwealth of Massachusetts State Office of Minority and Women Business Assistance (SOMWBA); and Qualys, a leader in vulnerability management and an approved PCI scanning vendor, fully certified to help merchants and service providers assess and achieve continuous compliance with the PCI DSS. Lighthouse believes this combination will offer the Commonwealth of Massachusetts and its entities a competitive bid, with the technical skills and expertise required to assist them in becoming compliant with PCI DSS.

All personnel assigned to the consulting services have more than five years' experience with security evaluations. For the scanning service, we will use QualysGuard PCI, an on-demand Web application that requires no hardware or software installation and offers a Six Sigma level of accuracy, made possible by the industry's most complete vulnerability knowledgebase: an encyclopedic inventory of thousands of known vulnerabilities covering all major operating systems, services and applications.

This RFR was printed on recycled paper with a minimum post-consumer content of 30%.



A.3 Bidders are not authorized to condition execution of a contract with the Commonwealth upon the Commonwealth’s execution of a Bidder contract form, or require that other Bidder Terms and Conditions automatically apply to this contract. Any additional terms and conditions that the Bidder seeks to apply to this Contract must be specified below.

ANSWER:

N/A

A.4 It is expected that any legal review of the required contract forms and attachments will be done prior to submission of the RFR Response and that objections to any language in the RFR, RFR Response or attachments will not be raised after selection and during contract negotiations. Therefore, if the Bidder has any questions related to the interpretation of any language in the required forms or Attachments, these questions must be identified as part of the on-line forum for this RFR and may not be raised at a later date. Any issues or concerns with the language in the Contract forms or Attachments, or proposed additions or clarifications must be identified below, which will be evaluated as part of the selection process, and may not be raised after selection.

ANSWER:

N/A



A.5 Please list the following information if applicable. Failure to identify such contingencies as part of a Response will be considered sufficient cause for immediate termination from the Statewide Contract if such information is discovered during the life of the Contract:

a) Penalties and Bankruptcy: A list of all bankruptcy and other similar proceedings within the past five years relating to the Bidder, any officer, director, partner or member thereof, any affiliate or any related entity.

b) Litigation: List any outstanding contingencies, such as lawsuits or other claims or charges against the Bidder related to performance of the services sought under this RFR.

c) The Bidder shall submit a description of any and all investigations, indictments or pending litigation by any federal, state or local jurisdiction relating to the Bidder, any officer, director, partner or member thereof, any affiliate or any related company. A list of all criminal convictions within the last five years relating to the Bidder, any officer, director, partner or member thereof, any affiliate or any related entity.

d) A list of all civil penalties, judgments, consent decrees and other sanctions within the last five years, as a result of any violation of any law, rule, regulation or ordinance in connection with its business activities relating to the Bidder, any officer, director, partner or member thereof, any affiliate or any related entity.

e) A list of all actions occurring within the last five years which have resulted in revocation or suspension of any permit or authority to do business in any jurisdiction relating to the submitting entity, any officer, director, partner or member thereof, any affiliate or any related entity.

f) A list of all actions occurring within the last five years that have resulted in the barring from public bidding relating to the Bidder, an officer, director, partner or member thereof, any affiliate or any related entity.

ANSWER:

a) N/A

b) N/A

c) N/A

d) N/A

e) N/A

f) N/A

A.6 Defaults: The Bidder shall provide a description, in detail, of any situation in which the Bidder’s firm (either alone or as part of a joint venture), or a subsidiary of the Bidder’s firm, defaulted or was deemed to be in noncompliance of any contractual obligations, explaining the situation, its outcome and all other relevant facts associated with the event described. Please also provide the name, title and telephone number of the principal manager of the contract user who asserted the event of default or noncompliance.

ANSWER:

N/A

A.7 Other Adverse Situations: The Bidder shall provide a description of any present facts known to the Bidder that might reasonably be expected to affect adversely either its ability to perform any aspect of this Contract.

ANSWER:

N/A

A.8 Bidder must confirm that if selected for final contract negotiation and execution the Bidder must be willing to begin performance no later than the week of August 6, 2007.

ANSWER:

Lighthouse Computer Services, Inc. has the resources required for this PCI – DSS Compliance and is willing to start no later than the week of August 6, 2007.

A-9. RESPONSE CERTIFICATION: By signing in the space provided below, the Bidder through its Authorized Representative certifies that the Response will remain in effect for a period of 120 days from the submission deadline and thereafter until either the Bidder withdraws it, a Contract is executed, or the procurement is canceled, whichever occurs first, and that this Response is being submitted in good faith and without any collusion or fraud, and that the information provided is accurately represented and that the Bidder is ready, willing and able to perform the work required as specified in any resulting contract on schedule and should state that they agree to perform the work as put forth in this RFR. Signature also confirms that the Bidder selected for final contract negotiation is willing to have authorized signatories meet during the period for final negotiation and contract execution as identified in the Procurement Calendar to execute the contract.

Authorized Representative Signature:

Authorized Representative Printed Name and Title: Anthony N. Fiore, Jr., Chief Financial Officer

Date: 07/18/2007



RFR RESPONSE PART B - BIDDER QUALIFICATIONS

B.1 Firm Profile

a) Provide your company name, company address, company phone number, company fax number, and Internet address.

b) State whether the firm is local, national, or international and the total number of employees.

c) State your Commonwealth Vendor/Customer number (if known): VC .

d) A short firm history

e) State the location of the office(s) from which the work is to be managed and the location from which the work will be performed and the number of principals/ partners, managers, supervisors, or other seniors and professional staff employed at the office

f) State the types of work performed by the office and the percentage of effort devoted to each type.

g) Include a description of the firm philosophy in providing PCI compliance services to clients, as well as an overview that summarizes the procedure your company uses when providing PCI compliance services.

ANSWER:

a) Lighthouse Computer Services, Inc. 6 Blackstone Valley Place, Suite 205 Lincoln RI 02865 Phone: (401) 334-0799 Fax: (401) 334-0719 www.lighthousecs.com

b) Lighthouse Computer Services, Inc. is a local professional services firm, with presence in the East Coast. Currently the company has 75 employees.

c) N/A

d) Lighthouse Computer Services, Inc. headquartered in Lincoln, Rhode Island, was founded in 1995 as a regionally-based organization, staffed with the most experienced people in the industry. Today, Lighthouse is known throughout the Northeast as a leader in IT consulting and as a technical services provider and a trusted advisor to mid- to large-sized businesses in the financial, health care, retail, education, insurance, and utility industries.

Each consultant has a minimum 15 years experience, and collectively holds over 150 certifications. The company offers a range of hardware, software, technical consulting, support, and education services to a broad range of industries in all stages of growth.

Lighthouse Computer Services, Inc. is ranked among the top IT services firms in North America, and currently the 11th fastest growing IT solutions provider as measured by the 2006 VARBusiness listing.



Lighthouse Computer Services, Inc. maintains close access to technology sources through active partnerships with IBM, Microsoft, Cisco, Enterasys, Avamar, Brocade, Tivoli, Symantec, NetApp, VMware, SEPATON, Acopia, APC, Oracle and other technology providers.

e) The main office is located in Lincoln, RI, from where this project will be managed and performed. Lighthouse Computer Services, Inc. has 50 consultants to perform projects in the different areas of services.

f) The services provided by Lighthouse are classified in the following six practice areas, including the percentage of effort:

IT Governance, Auditing & Compliance (20%)

Storage & Backup (20%)

Enterprise Servers (10%)

Microsoft Solutions (20%)

Networks & Security (15%)

Content Management (15%)

g) Lighthouse PCI – The Compliance service group consists of seasoned IT Auditors, all CISA/QSA-ASV certified, each possessing over 10 years of experience. Lighthouse’s expertise in IT Governance, Assurance, and Compliance spans multiple industries, software platforms, and applications.

See Methodology in section C1.B5 below.



B.2 Overall Qualifications.

a) For CONSULTING SERVICES, the vendor/partner must provide evidence that it is a certified Qualified Security Assessor (QSA) approved by the PCI Security Standards Council: https://www.pcisecuritystandards.org/resources/qualified_security_assessors.htm as of the date of this RFR to perform on-site PCI Data Security Assessments for a Level 1, 2, 3, or 4 merchant; and Level 1, 2, or 3 service providers:

Must be United States firm able to perform on-site work in Massachusetts

b) For SCANNING SERVICES, the vendor/partner must provide evidence that it is a certified Approved Scanning Vendor (ASV) approved by the PCI Security Standards Council: https://www.pcisecuritystandards.org/resources/approved_scanning_vendors.htm as of the date of this RFR to perform network scans for all merchants and service providers with externally-facing IP addresses.

Must be United States firm able to perform on-site work in Massachusetts

c) Describe and document the ability / success of Bidder in providing PCI compliance services to prior large-organization clients, defined as organizations with above $1.0B in annual spending.

List relevant work performed within the last five years, the scope of the work and for whom the work was performed.

Include information demonstrating a minimum of three (3) consecutive years experience in PCI compliance services, or key personnel with a minimum of five (5) years experience in data security services immediately preceding submission of the RFR in PCI compliance services.

Describe specific projects and contracts, specifically government engagements.

d) Because the Commonwealth conducts business via Internet technology, contractor must have demonstrated ability to communicate, send files, download files, etc. from the Internet at all times. Describe how the Bidder meets this requirement and what security is in place to guarantee Commonwealth data and systems.

e) Identify resources that Bidder has to ensure adequate security of its own employees’ conduct and behavior while working with Commonwealth information and / or in Commonwealth locations.

Note: Bidder must remain in good standing on the PCI Security Standards Council certified Qualified Security Assessors (QSAs) and Approved Scanning Bidders (ASVs) provider list for the duration of the contract.

ANSWER:

a) Lighthouse Computer Services, Inc. is a United States firm able to perform on-site work in Massachusetts and is certified as a Qualified Security Assessor approved by the PCI Standards Council, Certificate # 111, to perform on-site Data Security Assessments for a Level 1, 2, 3, or 4 merchant; and Level 1, 2, or 3 service providers.

For the consulting services, Lighthouse will partner with JANUS Associates, Inc., which is certified as a woman business enterprise by the Commonwealth of Massachusetts, State Office of Minority and Women Business Assistance (SOMWBA), renewal status effective March 23, 2007, as well as a Qualified Security Assessor approved by the PCI Standards Council, to perform on-site Data Security Assessments for a Level 1, 2, 3, or 4 merchant; and Level 1, 2, or 3 service providers.



b) Lighthouse Computer Services, Inc. is partnering with Qualys Inc., a United States firm able to work in Massachusetts that is certified as an Approved Scanning Vendor approved by the PCI Standards Council, Certificate # 3728-01-02 to perform network scans on site for all merchants and service providers with externally-facing addresses.

c) Following is a list of relevant work performed over the last three years by the IT Governance, Auditing & Compliance team:

IT Risk Assessment: Bank of Rhode Island FMFB

Application Audit: Pawtucket Credit Union

Policies and Procedures review: Bank of Rhode Island

Business Continuity Planning: Mechanics Savings Bank, Dexter Credit Union, Westerly Community Credit Union (BIA, Risk Assessment, IT Audit)

Disaster Recovery Planning/Testing: Pawtucket Credit Union

SOX and Application Audit: Mohegan Sun

The FDIC audited Lighthouse’s work at a client site, and commented that it was superior work. As a result, Lighthouse was asked to speak to the FDIC Examiners at their national convention in Washington, DC in September 2006, about the approach using the COBIT Framework.

All LCS personnel are CISA certified and have more than 10 years' experience in data security. See resumes in section B4 below.

Specific projects:

Marine Corp Community Services; contact: Randy L. Harris, Manager, Network [email protected]; ASV Scanning since 7/2005

Wildlife Conservation Society; contact: Paula Simon; www.wcs.org/; PCI compliance services from May 2007 - ongoing

Twin Oaks Software Development, Inc.; contact: M.J. Laliberte; www.tosd.com/; PCI compliance services from May 2006 - ongoing

d) Lighthouse Computer Services, Inc. currently uses email (Outlook) as well as Cisco MeetingPlace for communication with its clients. For transfer of documents it uses either PGP encryption or secure FTP over VPN, using the SharePoint 2007 portal. The following controls are in place to protect our communications with clients and third parties:

Regular email communications are performed via Microsoft Outlook. The email server and information residing in the LCS network, including client information is located behind the firewall. No customer data resides on Internet accessible systems.

Physical controls are in place to protect facilities and documents through the use of personalized badges and locked cabinets.

The logical access is restricted through user profiles and permissions based on employees’ responsibilities and needs.

All employees must comply with the Confidential Information policy. As part of the hiring process, all LCS employees and contractors must sign a “Non-competition and Proprietary Information Agreement” to ensure information confidentiality.

All laptops for the IT compliance group have PGP software, and the entire content of their hard drives is encrypted.

Transmission of files and sensitive information is performed securely via email with PGP encryption or secure FTP using the SharePoint server.

e) All employees must comply with the Confidential Information policy. As part of the hiring process, all LCS employees and contractors must sign a “Non-competition and Proprietary Information Agreement” to ensure information confidentiality.

Lighthouse Computer Services, Inc. conducts background checks on all new personnel, contractors and temporary staff through Accu-Screen, a third party based in Florida, as a condition of employment, and then upon customer request if it has been more than a year since the initial check.

This process is conducted to verify the accuracy of the information provided by the candidate and determine his/her suitability for employment. The information to be collected includes, but is not limited to:

Criminal background check,

Verification of satisfactory character references,

Check of the applicant’s resume,

Confirmation of claimed academic and professional qualifications, verification of current employer and last known employer.

Independent identity checks (passport or similar documentation). 

Results of the background check are sent directly to Human Resources. If the results contain information on the basis of which it is determined that the candidate does not possess the qualifications required, an offer of employment will not be made.

A background check was performed for the QSA and ASV consultants, in accordance with the company’s background check policy. No exceptions were found.

B.3 Provide a listing of the Bidder’s concurrent material engagements, as well as its current outstanding proposals or bids that could impact the available resources.

ANSWER:

N/A



B.4 Qualifications - Key Personnel Assigned To Contract. Key personnel include principals/partners, managers, and onsite supervisors; all other staff are considered non-key personnel. The Bidder must certify that all named key personnel in the Response are the Bidder's employees or subcontractors. These specific individuals shall perform the Contract services unless they become unavailable for performance under the Contract for reasons of the individual's death, disability, incapacity, relocation, retirement, resignation or termination of the underlying employment relationship. The Bidder will be required to notify the Office of the Comptroller immediately in the event of the unavailability of any key personnel. Key personnel designated or assigned to the valuation engagement must perform as designated in the absence of termination from the firm or other unavoidable circumstances. Bidders submitting a response to this RFR shall be considered to have accepted this condition.

During the period of the Contract, key personnel assigned to the performance of the Contract services may be removed or replaced from work on this Contract by the Bidder only upon the prior written approval of the engaging agency. A significant change in the key personnel listed in the Response prior to, or after, the execution of the Contract, which is unsatisfactory to the engaging agency, shall be grounds for disqualification of the Response or termination of the Contract. Key personnel designated or assigned to the engagement must perform as designated in the absence of termination from the firm or other unavoidable circumstances. Bidders in response to this RFR shall be considered to have accepted this condition. Bidders should describe resources available to replace or supplement assigned personnel should circumstances dictate at some stage of the multi-year contract period.

In the spaces provided below, list the key personnel who will be assigned to this project and identify the following information for each individual. Do not refer or attach resumes. All relevant information must be contained here for the Contract Manager and separate cells for all principals/partners, managers and on-site supervisors.

CONTRACT MANAGER NAME: Jerry Hughes

Title: IT Governance, Auditing & Compliance Leader

Telephone: (860) 228-5074

Email Address: [email protected]

Fax: (401) 334-0719

PCI Qualifications and Experience:

PCI – QSA

CISA Certified – ISACA

COBIT 4 Certification – ISACA

Areas of expertise:

Information Technology Governance, Auditing and Compliance

Information Technology Security Controls

Information Technology Risk Assessments

Business Continuity Planning & Testing

Sarbanes-Oxley

Gramm-Leach-Bliley Act

HIPAA (Privacy & Security Rules)

Records Management

Change Management

Project Management

Software Development

Experience:

IT Compliance Practice Leader for Lighthouse Computer Services, Inc., Jerry Hughes has over 20 years of experience helping companies become compliant with internal, industry and government regulations such as Sarbanes-Oxley, HIPAA and GLBA. Mr. Hughes, a Certified Information Systems Auditor (CISA), has extensive IT auditing experience—especially within the financial industry—and has participated in dozens of customer, corporate, federal and state audits. He has developed Lighthouse into one of the Northeast’s premier consulting firms in the area of IT Governance, Assurance and Compliance services. His team of CISA-certified auditors, all certified in the international framework called Control Objectives for Information and related Technologies (COBIT), offers a full suite of IT Compliance services within the banking, insurance, health care, energy and education sectors, and has received 100% client satisfaction feedback.

Project tasks: Jerry will be the liaison contact with CTR and will coordinate and supervise the tasks to be performed. He will also present the updates for the project. The percentage of time devoted to the project will be 1% of the time defined for consulting services per entity.

Individual Name: Bill Franklin

Title: IT Governance, Auditing & Compliance Consultant

Telephone: (978) 821-4863

Email Address: [email protected]

Fax: (401) 334-0719

PCI Qualifications and Experience:

PCI – QSA

CISA Certified – ISACA

COBIT 4 Certification – ISACA

Areas of expertise:

Information Technology Governance, Auditing and Compliance

Information Technology Security Controls

Information Technology Risk Assessments

Change Management

Project Management

Software Development


Experience:

Masters prepared, CISA certified and COBIT 4 Certified Senior Information Technology professional with 20 plus years experience. Proven ability to connect business objectives with technology to create solutions aligned with the goals of the organization. Strengths include leadership capabilities and excellent communication and interpersonal skills with clients, business leaders, and staff. Expertise includes IT audit process based on the COBIT 4 framework, team building, project management, change management, and use of the full system life cycle from identifying needs through 24x7 support and maintenance of production systems. Experience includes Sarbanes-Oxley IT audit process from identification of controls through remediation of weaknesses, IT risk assessments and remediation, project management of enterprise wide system development and implementation, leadership and management of IT staff in US and international locations, and the financial services industry.

Project tasks: Bill will perform the QSA on-site review according to the scope defined (SAQ support, initial interviews, pre-assessment, testing, presentation of recommendations and submission of the ROC). The percentage of time devoted to the project will be 100% (80 hours) for QSA per entity assigned.

Individual Name: Elkin Castano
Title: IT Governance, Auditing & Compliance Consultant
Telephone: (401) 338-4580
Email Address: ecastano@lighthousecs.com
Fax: (401) 334-0719

PCI Qualifications and Experience:

PCI – QSA
CISA Certified – ISACA
COBIT 4 Certification – ISACA

Areas of expertise: Specializes in IT Audits of financial and industrial companies. Wide experience as a consultant for data security and information technology. Focused on the following core competencies:

- COBIT
- Sarbanes-Oxley Act
- Compliance regulation
- Security Policies
- Physical Security
- Network and System Security


Experience:

Mr. Castano has thirteen years of experience in the audit field, ten of them at PwC. Elkin has been responsible for the evaluation of information technology controls in various IT environments, including: evaluation of IT key controls; audits of production and development applications; implementation of audit tools; compliance regulation audits; assessment, design and implementation of risk management solutions for electronic business; COBIT 4 framework implementation and application; application of the Sarbanes-Oxley framework; testing and documentation of IT key controls for the Sarbanes-Oxley Act; design of security frameworks and infrastructure; and analysis of security measures implemented in Windows 2000/XP, AS/400, SQL, IIS, Cisco routers and Cisco PIX. He has also been responsible for evaluating telecommunications platforms for the financial sector and analyzing the security measures implemented in internet banking.

Project tasks: Elkin will perform the QSA on-site review according to the scope defined (SAQ support, initial interviews, pre-assessment, testing, presentation of recommendations and submission of the ROC). The percentage of time devoted to the project will be 100% (80 hours) for QSA per entity assigned.

Individual Name: Matthew Lane
Title: QSA, JANUS Associates, Inc.
Telephone: (203) 251-0200
Email Address: [email protected]
Fax: (203) 251-0200

PCI Qualifications and Experience:

PCI Qualified Security Assessor (QSA)
INFOSEC Assessment Methodology (IAM) - National Security Agency
PCI Qualified Payment Application Security Professional (QPASP)

Areas of expertise:

C++, Java, Visual Basic, Perl, LISP, SQL, HTML, Active Server Pages (ASP), Common Gateway Interface (CGI) programming, FTP, Telnet, TCP/IP, Mandrake Linux, Yellow Dog Linux, Red Hat Linux, NT Server/Workstation, Windows 2000 Server, Windows 2000 Professional, Windows 2003 Server, Windows XP, Microsoft Distributed File System (DFS), Microsoft Active Directory (AD) Administration, Microsoft Exchange 5.0/5.5/6.0 (2003), Microsoft DNS Server 2.0, Microsoft DHCP Server, Microsoft Proxy Server, Microsoft IIS, Microsoft Active Server Pages, Microsoft Internet Security Accelerator (ISA), Microsoft SQL 7.0/8.0, Sendmail 8, Apache Web Server, 3-Tier Architecture, Flexes z390 Emulator, Avocent AV works, VMWare, Checkpoint VPN-1/Firewall-1 Next Generation (NG), Network Associates Gauntlet, Network Associates Certificate Server/Public key server, CyberCop Scanner, Nmap, Sniffer Pro, SATAN, 3COM Netserver, Cisco 2611/2610/4000 router (IOS 11.5-12.2), Digex CSU/DSU, CORBA, RMI, DCOM, Enterprise Java Beans, Security Certification and Authorization Package (SCAP) Documentation, Digital Performer, ProTools, MAX, Sample Cell, Galaxy Librarian

Experience:

Nine years with JANUS Associates, Inc. Mr. Lane has conducted network analyses for multiple commercial and federal entities. Specializing in the security aspects of e-commerce and the development of secure application code, he has identified vulnerabilities in many e-commerce web sites and has implemented customized solutions to properly secure those systems. As a developer, he has created global supply and demand tracking tools for the chemical industry and contributed to the development of biometric authentication systems. He has designed VPNs, anonymous Internet connectivity, and a database security wrapper. He is a former instructor of Advanced Software Engineering at Columbia University, where he graduated Cum Laude with a degree in computer science. He has performed Payment Card Industry (PCI) scans and audits for corporate clients, trained JANUS staff in penetration testing and application testing techniques, identified threats and vulnerabilities for the Federal Deposit Insurance Company, performed security reviews on a prototype IBM Websphere/Webseal/Policy deployment, completed components of Security Certification and Accreditation for the FAA, developed security tools and solutions to evaluate various security elements within a Windows NT environment, and analyzed network traffic and modified routing/firewall procedures to meet security standards.

Project tasks: Matthew will perform the QSA on-site review according to the scope defined (SAQ support, initial interviews, pre-assessment, testing, presentation of recommendations and submission of the ROC). The percentage of time devoted to the project will be 100% (80 hours) for QSA per entity assigned.

Individual Name: Michael D. Meyer
Title: QSA, JANUS Associates, Inc.
Telephone: (203) 251-0200
Email Address: [email protected]
Fax: (203) 251-0200

PCI Qualifications and Experience:

PCI Qualified Security Assessor (QSA)
PCI Qualified Payment Application Security Professional (QPASP) – test passed


Areas of expertise:

MVS JCL and utilities; SPUFI; Batch QMF; TSO/QMF; BMC utilities; DB2 SQL; DB2 DDL; DB2 DBA for production system support; COMPARE-X; Control-M; CICS; relational database design; TSO/ISPF; IBM utilities; EDI (electronic data interchange); OMEGAMON (DB2 performance monitor); Strobe; COBOL; COBOL II; EZTRIEVE; File-AID; Micro Focus COBOL II Workbench; Abend-AID; Syncsort; Lotus Notes; Windows 98 and NT; InterTest; MVS; OS/390; VSAM; Install/1; Design/1; CLISTs/ISPF; CA-7; Natural/Adabas; Panvalet; DB2 UDB V7.1; DB2 administrative tools; Platinum; and Microsoft Office Suite

Experience:

Mr. Meyer has more than seventeen years of experience in the IT industry, including: performing security assessments of organizations throughout the U.S.; certification and accreditation tasks for federal clients; mapping agency security policies to NIST SP 800-53 for compliance; network interconnection agreement documentation for the secure connectivity of a large government agency; team lead on a QA project at a major telecommunications company to evaluate a network traffic analysis operation; implementation of logical database designs; scheduling and maintaining DB2 utilities; and designing, creating and executing test scripts (plans) for both the on-line and batch portions of a system.

Project tasks: Michael will perform the QSA on-site review according to the scope defined (SAQ support, initial interviews, pre-assessment, testing, presentation of recommendations and submission of the ROC). The percentage of time devoted to the project will be 100% (80 hours) for QSA per entity assigned.

B.5 Identify other specialists or individuals within the firm who will be assigned to this contract, the functions they will perform and hourly rates.

ANSWER:

N/A

B.6 Use of Subcontractors. It is presumed that the selected Bidder will be responsible for and perform all the duties and requirements of this RFR. In this section, the Bidder must identify any subcontractors that will or may be used to conduct any of the work described in this RFR, including the names of subcontractors, summaries of their qualifications, experience and duties and responsibilities for performance. The Bidder will remain the sole point of contact and will be responsible for all performance under the contract. For all subcontractors the following information is required in this Response: the name of the firm that will provide direct services; the anticipated number of Full-Time Equivalent (FTE) hours the subcontractor will be utilized during a work week; and the individual area(s) of PCI compliance in which subcontractor will be used under a resulting contract.


ANSWER:

Individual Name: Doug Gwinner
Title: Support Manager, Qualys, Inc.
Telephone: (650) 801-6119
Email Address: [email protected]
Fax: (650) 801-6101
Responsibilities: QualysGuard PCI support and activation of customer account(s).
Number of hours: N/A

Individual Name: Margo Connell
Title: Technical Account Manager, Qualys, Inc.
Telephone: (845) 534-3586
Email Address: [email protected]
Fax: (845) 913-9272
Responsibilities: QualysGuard PCI support and activation of customer account(s).
Number of hours: N/A

B.7 References: The Response must include three (3) references for the most relevant, comparable work of the type requested in this RFR (a state or large local government entity). The Office of the Comptroller reserves the right to verify references included in the Response and to conduct other reference checks as deemed appropriate.

Reference name: Randy L. Harris, Manager Network Operations
Firm: Marine Corp Community Services
Phone: (703) 784-3830
Internet address: [email protected]
Description and date(s) of services provided: ASV Scanning since 7/2005

Reference name: Ms. M.J. Laliberte
Firm: Twin Oaks Software Development, Inc.
Phone: (860) 829-6000
Internet address: www.tosd.com
Description and date(s) of services provided: PCI compliance services from May 2006 - ongoing.

Reference name: Steve Curran, VP IT
Firm: Bank of Rhode Island
Phone: 401-333-2322
Fax:
Internet address: www.BankRI.com
Description and date(s) of services provided: IT Risk Assessment 2006. Security policies and procedures development.


RFR RESPONSE PART C – SCOPE OF PERFORMANCE

C.1 This section of the Bidder’s response should be detailed enough to portray the experience of the Bidder in engagements such as the Commonwealth’s. Please identify a work plan of how your firm would perform the following. It is understood that specific engagements have not yet been identified; therefore the Bidder should identify a work plan model that can be adapted to individual engagements.

A. Consulting services for CTR on a statewide basis to ensure that the Commonwealth as a whole is PCI compliant, that high risk areas are identified, and what the Commonwealth needs to do to ensure on-going PCI compliance

1) Describe what tasks / work is to be performed by your company. What would CTR be asked to do to facilitate your normal business process?

2) Please describe what Commonwealth resource requirements your company would have in terms of space, dedicated staff, and computer access.

3) Based upon the information provided in this RFR, provide an estimate of the total length of time and materials you expect the services would require from start to completion, including final report(s).

4) Schedule of Implementation: Summarize how this project would be implemented, accompanied by a Schedule of Implementation to include a project timetable, by phase if applicable.

B. Consulting services for individual state department merchants, assisting with completion of the PCI questionnaire, identifying high risk areas, and what the Department needs to do to ensure on-going PCI compliance.

1) The Bidder/partner must facilitate the successful completion of the PCI Self-Assessment Questionnaire (SAQ) for all Commonwealth merchants. The PCI SAQ must be used to address any system(s) or system resource component(s) involved in processing, storing, or transmitting cardholder data.

2) For the Commonwealth of Massachusetts, this questionnaire applies to all entities transacting credit card business, regardless of channel. The Bidder shall provide an on-line web-based product for the ePay shared service and the Commonwealth’s participating merchants to complete the PCI-Self Assessment Questionnaire.

3) Describe what tasks / work is to be performed by your company. What would CTR be asked to do to facilitate your normal business process?

4) What Commonwealth resource requirements would your company have in terms of space, dedicated staff, and computer access? Please describe.

5) Based upon the information provided in this RFR, provide an estimate of the total length of time and materials you expect the services would require from start to completion, including final report(s).

6) Schedule of Implementation: Summarize how this project would be implemented, accompanied by a Schedule of Implementation to include a project timetable, by phase if applicable.

C. SECURITY SCANS - Scanning services for individual state departments.

1) The Bidder/partner must conduct PCI network security scans for the ePay shared service and Commonwealth entity merchants. The network security scan is an automated tool that checks systems for vulnerabilities. It conducts a non-intrusive scan to remotely review networks and Web applications based on the externally-facing Internet Protocol (IP) address provided by the merchant. Describe what tasks / work is to be performed by your company. What would CTR be asked to do to facilitate your normal business process?

2) The Bidder/partner must complete these scans in accordance with the PCI Security Scanning Procedures.

3) What Commonwealth resource requirements would your company have in terms of space, dedicated staff, and computer access?

4) Please describe how the Bidder will comply with the following.

(i) The Bidder/partner must provide each merchant account with a web-based tool to set-up and perform monthly scans for up to XXX? IP addresses, as well as up to 10 self-directed scans at the merchant or service provider’s discretion.

(ii) The Bidder/partner must notify each merchant or service provider with an automated e-mail notification of the pending scan at least five (5) business days prior to the scan occurring, as well as notification that the scanning process has begun and/or has completed.

(iii) Within three (3) business days upon completion of the scan, the Bidder/partner shall notify each merchant or service provider via an automated e-mail notification that the results of the scan are available for viewing in an on-line report.

(iv) The Bidder/partner must allow for multiple e-mail addresses on the automated e-mail notifications.

D. The Bidder/partner must provide an on-line monitoring/reporting system. Describe how the Bidder/partner’s online system will:

1) Assist CTR, the ePay shared service, and the Commonwealth merchant community with managing their PCI Security Compliance needs (particularly, the PCI Self-Assessment Questionnaire and Network Scans).

2) Allow web-based access for central monitoring of compliance status for all Commonwealth merchants. This central monitoring access shall be provided to CTR.

3) Provide monitoring authority with on-line access to view reports resulting from the Commonwealth merchant community’s completion of the compliance questionnaire or network scans, within their respective areas of oversight responsibility.

4) Provide each Commonwealth merchant with on-line access to view reports resulting from the completion of their compliance questionnaire or network scans.

5) Allow for flexibility in scheduling scans.

6) Provide detailed and summary level reporting to management specifying areas of risk, along with recommended corrective actions.

7) Provide the ability to report compliance status of Commonwealth merchants to the Merchant Services Provider(s).

8) Present an on-line Certification of Compliance Validation.

E. The Bidder must provide and describe their controls over confidentiality of client data. The Bidder must describe their procedures for informing a client when the client’s data has been, or may have been, inadvertently disclosed/compromised.


C.2 List and describe types of reporting that your company would provide during the engagement and the frequency of the reports. Also describe a final report that your company would provide at the completion of the engagement. Provide a short sample summary of a final report.

ANSWER:

C1.A.1) LCS will perform consulting services for QSA and ASV compliance for the entities defined. An initial pre-assessment based on the information provided and the Self Assessment Questionnaires will be presented, identifying areas of risk related to the PCI standards. The specific tasks to be performed for QSA and ASV are detailed in the following sections (C1-B and C1-C). CTR should provide information related to the IT environment and cardholder data, through Self Assessment Questionnaires and interviews, in order to determine the scope of the assessment for compliance with PCI DSS requirements.

C1.A.2) LCS will require an office with a phone, internet access for at least three computers, as well as a dedicated printer. The Commonwealth will serve as a liaison with the entities in scope and will help to set up meetings with the personnel in each entity responsible for the cardholder data environment. Each entity in scope should fill in the Self Assessment Questionnaire with LCS support.

C1.A.3) See C1.B.5 below

C1.A.4) See C1.B.6 below

C1.B1) LCS will provide a secure web-based self assessment questionnaire tool to be used by all Commonwealth entities transacting credit card business, regardless of the channel, in order to identify high risk areas for the processing, storing or transmission of cardholder data. LCS will assist the personnel responsible in each entity to complete this SAQ as required, via email or phone.

C1.B2) See C1.B1 above.

C1.B3) CTR will identify the entities to which this SAQ applies, with their contacts, and will communicate the rules for completing this questionnaire to them in a timely manner. Each entity’s contact will provide/facilitate the information and interviews and fill in the SAQ properly and on time, according to the schedules defined. LCS will review the SAQ and suggest initial recommendations based on it, in order to allow each entity to be compliant with PCI requirements. Once the recommendations have been put in place, LCS will validate this information and will perform a full PCI assessment of compliance with PCI requirements. As a result of this audit, a report on compliance (ROC) will be completed acknowledging the entity’s compliance status. If this report contains open items, LCS will provide recommendations to fix them, which the entity must address. LCS will revalidate and issue a new ROC after the entity addresses these items.

C1.B4) LCS will require an office with a phone, internet access for at least three computers, as well as a dedicated printer.

C1.B5) For each entity LCS will:

- Assist each entity with the SAQ, as required.
- Provide recommendations based on the SAQ, in order to ensure compliance with PCI requirements.
- Perform an assessment of compliance with PCI requirements, validating the information provided in the SAQ.
- Issue, as a result of this assessment, either a ROC or a report with open items and recommendations that need to be implemented.
- Validate the remediation implemented in order to ensure full compliance with PCI, if applicable, and issue a new ROC.

For each entity defined by the CTR, 8 hours will be utilized in order to capture all information required as well as to assist them with the SAQ. The time for this QSA validation for each entity will be 120 hours (assuming only one network with cardholder data). For additional networks, 20 additional hours will be utilized. If, as a result of the SAQ, adequate network segmentation that isolates cardholder data is identified, the scope of the QSA validation could be reduced once the network segmentation is verified.

For each entity LCS will perform:

Phase 1, Pre-Assessment

Task: Information Request.
Objective: Obtain an understanding of the entity’s IT environment and cardholder data. Provide assistance with SAQ development.
Process/Methodology: Through the SAQ and requests for information related to cardholder data.
Entity responsibilities: Provide the information required and fill in the SAQ.
Deliverables: Documented web-based SAQ and recommendations (if applicable).
Based on the SAQ and the information provided, the scope of the on-site review will be determined and redefined as necessary, based on the components related to the cardholder data environment, the networks involved and the network segmentation identified.
Hours: 12


Phase 2, ROC certification

Task: Assessment for Compliance.
Based on the information provided in the SAQ, LCS will perform interviews and an on-site assessment of controls related to the following PCI requirements:

1) Review of firewalls/routers in scope according to PCI-DSS
Objective: Validate the adequacy of the firewall configuration to protect cardholder data.
Process/Methodology: Through interviews with the firewall manager, LCS will gather information about the standards used, protocols, services, users and rules, and validate their controls.
Hours: 12

2) Review of security parameters and system passwords according to PCI-DSS
Objective: Review of default passwords and configuration standards.
Process/Methodology: Using statistical sampling, LCS will evaluate and validate the appropriateness of the configuration standards used, as well as default passwords.
Hours: 12

3) Review of encryption to protect cardholder data according to PCI-DSS
Objective: Identify the measures in place to protect stored cardholder data.
Process/Methodology: Evaluation and validation of data retention and disposal policies for cardholder information. Validate, through a statistical sample, storage and protection according to the requirements defined by PCI.
Hours: 12

4) Cardholder data transmission review according to PCI-DSS
Objective: Identify sensitive information transmitted across open public networks and the controls in place.
Process/Methodology: Identification of the encryption used for sensitive information transmitted over public networks.
Hours: 8

5) Antivirus software review according to PCI-DSS
Objective: Identify the anti-virus software solutions in place.
Process/Methodology: Review of antivirus configuration and update process.
Hours: 8

6) Review of systems and applications security according to PCI-DSS
Objective: Evaluation of the change management process for applications, components and software development.
Process/Methodology: Identification of software development guidelines as well as the change management process in place.
Hours: 8


7) Cardholder data access review according to PCI-DSS
Objective: Ensure that critical data can only be accessed by authorized personnel.
Process/Methodology: Evaluation and validation of policies related to access control.
Hours: 12

8) User ID review according to PCI-DSS
Objective: Verify that each person has been assigned a unique user name and password and that his/her actions can be traced.
Process/Methodology: Through statistical sampling, user ID configuration will be reviewed. Review and validation of user ID and password policies and procedures.
Hours: 12

9) Physical access review according to PCI-DSS
Objective: Ensure that systems holding cardholder data have adequate physical access controls.
Process/Methodology: Walkthrough of the facilities that hold cardholder data. Review and validation of policies and procedures related to physical access controls.
Hours: 8

10) Review of network monitoring and logging mechanisms according to PCI-DSS
Objective: Verify that networks with cardholder data have audit trails in place and that they are reviewed on a daily basis. Review and validate retention policies.
Process/Methodology: Through interviews, identify the active audit logs and their parameters. Verify that they are reviewed daily.
Hours: 8

11) Review of processes in place for systems testing according to PCI-DSS
Objective: Verify that systems are tested regularly.
Process/Methodology: Identify and validate the testing procedures in place.
Hours: 8

12) Information security policy review according to PCI-DSS
Objective: Evaluate the information security policies.
Process/Methodology: Verify and validate that the system security policy covers all PCI requirements.
Hours: 12

Entity responsibilities: Provide the information requested and facilitate interviews and walkthroughs.
Deliverables: Documented controls in place, recommendations for open items (if applicable) and the accreditation ROC (reassessment if open items were found).
Total hours (per entity/per LCS resource): 120.


C1.B6): See section C1.B5 above

C1.C1): LCS will conduct remote security non-intrusive scans of external IP addresses in order to identify vulnerabilities of networks and web applications, according with the PCI DSS, through Qualys’ unique on-demand model. QualysGuard PCI simply requires the activation of the customer account(s). This activation would be performed by Qualys. QualysGuard PCI is offered as Software-as-a-Service. As such, all database administration and maintenance are performed by Qualys, therefore, customers are not required to perform any type of database support or maintenance. CTR will identify the entities and their IP addresses and domain name list.

C1.C2): As a PCI compliant scanning vendor, Qualys is certified to help merchants and their consultants evaluate the security of their entire externally facing network and achieve compliance with the PCI Data Security Standard.

C1.C3): As mentioned above, Qualys’ Software-as-a-Service model does not require space, dedicated staff or computer access from CTR.

C1.C4 (i): Authorized users of the Merchant accounts can conduct vulnerability and compliance scans from anywhere using a Web browser. The QualysGuard PCI solution provides unlimited, highly accurate network security scans for an unlimited number of IP addresses and provides multiple user support for effective collaboration on PCI compliance.

C1.C4 (ii): LCS will notify each merchant or service provider via email of the upcoming scan, 5 days prior to the scan, as well as when it has been completed.

C1-C4 (iii): QualysGuard PCI will be configured on a per-user basis to send a summary email when a scan or map has been completed. The e-mail summary provides high-level, non-sensitive information including the number of vulnerabilities and the overall trend per severity level. E-mail recipients are configurable as part of the per-user notification options. The e-mail includes a hyperlink to securely access the complete detailed report.
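The notification rules of C.1.C.4 (ii)-(iv) and the summary e-mail described in the response above, as an added example that is not LCS's or Qualys's code: the deadline helpers count business days, and the summary body carries only per-severity counts, the trend against the previous scan and the report link, with a guard that checks no host, check id or finding title leaked into the e-mail. The severity scale, function names, report URL and scan data are constructed assumptions.

```python
"""Scan-notification helpers for RFR items C.1.C.4 (ii)-(iv) and the summary
e-mail of response C1-C4 (iii). Added example, not LCS's or Qualys's code;
the severity scale, names and scan data below are constructed."""
from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed 1..5 severity scale (5 = most severe); QualysGuard's own scale
# is not specified on the page.
SEVERITIES = (1, 2, 3, 4, 5)


@dataclass(frozen=True)
class Finding:
    """One vulnerability from a scan of a merchant-supplied external IP."""
    host: str
    check_id: str   # constructed identifier for the check that fired
    title: str
    severity: int


def add_business_days(start: date, n: int) -> date:
    """Move |n| business days (Mon-Fri) forward if n > 0, backward if n < 0."""
    step = 1 if n > 0 else -1
    current, remaining = start, abs(n)
    while remaining:
        current += timedelta(days=step)
        if current.weekday() < 5:  # Monday=0 .. Friday=4
            remaining -= 1
    return current


def advance_notice_deadline(scan_date: date) -> date:
    """Last day to send the pending-scan notice: at least 5 business days
    before the scan (item ii)."""
    return add_business_days(scan_date, -5)


def results_notice_deadline(completed: date) -> date:
    """Last day to send the results-available notice: within 3 business days
    of completion (item iii)."""
    return add_business_days(completed, 3)


def severity_counts(findings) -> dict:
    """Number of findings at each severity level, zero-filled."""
    counted = Counter(f.severity for f in findings)
    return {s: counted.get(s, 0) for s in SEVERITIES}


def build_summary_email(current, previous, report_url, recipients) -> dict:
    """Compose the completion notice. The body carries only aggregate counts
    and the per-severity trend plus a link to the access-controlled report;
    hosts, check ids and titles stay out of e-mail. Several recipients are
    allowed (item iv)."""
    if not recipients:
        raise ValueError("at least one recipient address is required")
    now, before = severity_counts(current), severity_counts(previous)
    lines = [f"Scan complete: {len(current)} vulnerabilities found."]
    for sev in reversed(SEVERITIES):
        delta = now[sev] - before[sev]
        trend = "up" if delta > 0 else "down" if delta < 0 else "unchanged"
        lines.append(f"Severity {sev}: {now[sev]} ({trend}, {delta:+d} vs previous scan)")
    lines.append(f"Detailed report (login required): {report_url}")
    return {"to": list(recipients),
            "subject": "PCI scan results available",
            "body": "\n".join(lines)}


def leaks_finding_details(body: str, findings) -> bool:
    """Data-minimisation guard: True if any host, check id or finding title
    from the scan appears in the outgoing e-mail text."""
    tokens = {t for f in findings for t in (f.host, f.check_id, f.title)}
    return any(t in body for t in tokens)


# Constructed sample data: previous and current scans of one merchant range.
PREVIOUS_SCAN = [
    Finding("203.0.113.10", "C-1001", "Outdated web server version", 5),
    Finding("203.0.113.10", "C-1002", "Weak SSL cipher suites offered", 5),
    Finding("203.0.113.11", "C-2001", "Directory listing enabled", 3),
]
CURRENT_SCAN = [
    Finding("203.0.113.10", "C-1001", "Outdated web server version", 5),
    Finding("203.0.113.11", "C-2001", "Directory listing enabled", 3),
    Finding("203.0.113.11", "C-2002", "Missing HTTP security headers", 3),
    Finding("203.0.113.12", "C-3001", "ICMP timestamp disclosure", 1),
]

if __name__ == "__main__":
    scan_day = date(2007, 6, 20)  # a Wednesday; constructed
    print("send pending-scan notice by", advance_notice_deadline(scan_day))
    print("send results notice by", results_notice_deadline(date(2007, 6, 22)))
    mail = build_summary_email(CURRENT_SCAN, PREVIOUS_SCAN,
                               "https://pci.example.invalid/report/42",
                               ["it-contact@merchant.example",
                                "security@merchant.example"])
    print(mail["body"])
    print("leaks details:", leaks_finding_details(mail["body"], CURRENT_SCAN))
```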

C1-C4 (iv): Please see response C4 (iii) above.

C1.D1): The QualysGuard PCI On-Demand module is accessible via a web browser and provides an online version of the PCI Security Council self-assessment questionnaire as well as the ability to run/schedule network scans. Draft versions can be saved at any time during the process for later completion. Questionnaires can be collaboratively viewed and shared by multiple users.

C1.D2): QualysGuard provides web-based, multiple user support for effective collaboration on PCI compliance.


C1.D3): See D2 above.

C1.D4): See D2 above.

C1.D5): With QualysGuard PCI, scan jobs can be scheduled to run or can be initiated on demand through the web-based interface. Any user with the granted privileges can create scheduled jobs on the assets they are responsible for. The occurrence of jobs can be selected between daily, weekly or monthly, with a specific hour and time zone. The day of the week or month is selected by the user if the job is either weekly or monthly. Scan jobs can be set with or without recurrence. In addition to setting the start time for a scan, a “hard” stop time can be provided so that if a scan is exceeding an approved window of time, it is automatically stopped permanently or can be automatically restarted during the next window. If the job is stopped before completion, all of the completed hosts are available for reporting.

C1.D6): QualysGuard PCI provides both PCI technical reports, which include streamlined vulnerability remediation through comprehensive, step-by step instructions and PCI executive reports for submission to management and/or the Merchant’s acquiring bank as proof of PCI compliance.

C1.D7): QualysGuard PCI enables the Commonwealth merchants to automatically submit the scan results and self-assessment questionnaire directly to the acquiring bank on-line.

C1.D8): Please see D7 above.

C1-E) Enterprises entrust Qualys to collect and store information about their devices; therefore, it is imperative that QualysGuard safeguards that data in transit and storage. Data in transit is encrypted via SSLv3 128 bit encryption. Data at rest is encrypted in AES 128 and is not accessible by Qualys personnel as the encryption is based on a hash of an individual’s username and password. Role based administration provides for authentication based upon separation of duties.

Qualys maintains two primary Qualys Secure Operations Centers (SOCs). The SOCs are located in Santa Clara, USA and Frankfurt, Germany. The Santa Clara, USA data center undergoes annual 3rd party SAS70 certification. The Frankfurt, Germany data center is audited under BS 7799. All Qualys machines and racks are secured in a locked, private vault that requires the use of a badge and biometric authentication for access. Only customer-authorized personnel have any logical access to their own vulnerability scan data.

C2: LCS will provide the standard formats defined by PCI for Assessment for Compliance (ROC, Report on Compliance) on an annual basis, as well as an informative report based on the results of the network scans on a quarterly basis. Recommendations will be presented as a result of the Self Assessment Questionnaire, Assessment for Compliance (open items) and network scans.

C.3 CUSTOMER SERVICE, TRAINING, RESOLUTION PCI ISSUES: The Bidder/partner must provide training and support to the Commonwealth merchant community. Describe how the Bidder will meet the following requirements:

1. The Bidder/partner must provide training on the use of the Bidder’s on-line systems. The Bidder/partner may deliver the initial training via an interactive web-based training solution or in person at a training facility, which at the discretion of the Commonwealth, may include multiple Regional/geographical locations within the Commonwealth of Massachusetts. Training must be provided to all state and local governmental entities with merchant accounts falling under the scope of this solicitation. Attendees would include a business and a technical contact from each Commonwealth entity.

2. The Bidder/partner must provide for a customer service arrangement to meet the needs of the Office of the State Comptroller and the Commonwealth’s merchant community. Most servicing needs of the merchant community are anticipated to be coordinated through the entities themselves.

3. The Bidder/partner must provide technical support to the Office of the State Comptroller and its merchant community via a toll-free telephone number during normal business hours, which are between 8:00 a.m. and 5:00 p.m. Eastern Time, Monday through Friday.

4. The Bidder/partner must keep the Office of the State Comptroller and the Commonwealth merchant community informed of all PCI rule changes, and provide guidance for adherence to the changes in an adequate and timely manner. The Bidder/partner must notify the Office of the State Comptroller and all Commonwealth merchants of any PCI rule changes within five business days after learning of the rule change.

5. The Bidder/partner must assist the Commonwealth and its merchant community with the resolution of issues resulting from any alleged violations of the PCI Data Security Standard requirements.


ANSWER:

C.3-1): Core staff will be provided with onsite training, at no cost, for one full day. Web-based “refreshers”, informational training regarding new releases, and telephone-based Q/A are also provided at no cost. Qualys offers free live QualysGuard certification training in many major cities in the United States and Europe. The certification class schedule can be viewed at the following link: http://www.qualys.com/support/training/TCP/ All new users of Qualys starting after the initial adoption period may also receive no-cost training via a live, web-based service.

C.3-2): LCS will provide support via phone and email. Qualys Support tools are interconnected with Qualys Engineering tools to ensure prompt resolution of open tickets. There are no costs associated with these calls or emails; all regions for the Commonwealth merchants are covered.

C.3-3): LCS will provide technical support to the Office of the State Comptroller and its entities via toll-free telephone during normal business hours, Monday through Friday, and via email 24/7.

C.3-4): In the case of PCI rule changes, these will be communicated in a timely manner, five business days after the rule change. Guidance on complying with new rules will be provided to the Office of the State Comptroller and its entities. For scan services, the Qualys product supports online updates of any new changes.

C.3-5): Any issue identified as an open item for Consulting services, or as a vulnerability identified by scan services, that is in violation of the PCI Data Security Standard will be presented to the Office of the State Comptroller and the entity, with recommendations intended to resolve the issue and allow compliance with PCI requirements.


C.4 In addition to what has been identified in the Work Plan, describe what additional information, documents, data, staff assistance, facilities or other resources you would require from the Commonwealth to complete your work and declare any other critical assumptions upon which your work plan is based.

ANSWER:

For Consulting services, LCS assumes that cardholder data is maintained in only one network per entity. For each additional network containing cardholder data, the scope of the compliance assessment will be increased by 20 hours.

No shared hosting provider is included in this scope.

C.5 Describe any related value-added services that would be advantageous to the Commonwealth. Include any value-added services, specialties, enhanced reporting, cost-effective fees and services, experience, employee training, etc. that you feel sets your company apart.

ANSWER:

LCS personnel have more than 10 years’ experience in security evaluations, and all are CISA certified.

Janus is the oldest independent information security company in the nation, providing commercial, government and not-for-profit clients with leading-edge information security solutions.

QualysGuard PCI is delivered as an on-demand Web application; it requires no software to deploy or manage, significantly reducing the total cost of ownership. Qualys’ Six Sigma quality program drives the most accurate security scans in the industry. PCI DSS-defined vulnerabilities are continuously kept up to date. Live customer support is available 24x7x365.

C.6 Describe in full the security that you have in place to safeguard the confidentiality of Commonwealth data and systems. With certain merchant Departments, access to data and systems is prohibited by state and federal law. Personnel conducting performance may be required to sign confidentiality agreements and undergo a CORI Criminal Offender Report.


ANSWER:

For Consulting services see section B2.d above.

For Scanning services, the information collected and stored is encrypted in AES 128 and is not accessible by Qualys personnel, as the encryption is based on a hash of an individual’s username and password. Data in transit is encrypted via SSLv3 128 bit encryption.

Qualys maintains two primary Qualys Secure Operations Centers (SOCs). The SOCs are located in Santa Clara, USA and Frankfurt, Germany. The Santa Clara, USA data center undergoes annual 3rd party SAS70 certification. The Frankfurt, Germany data center is audited under BS 7799. All Qualys machines and racks are secured in a locked, private vault that requires the use of a badge and biometric authentication for access. Only customer-authorized personnel have any logical access to their own vulnerability scan data.

For all personnel involved in this project, criminal background checks have been performed and no exceptions were found. If required, confidentiality agreements will be signed and a Criminal Offender Report can be completed.

RFR RESPONSE PART D – REQUIRED ATTACHMENTS

All Required Response attachments are listed in the “Forms and Terms” tab for this RFR on Comm-PASS. If the Action is “yes” and the “Action Description” requires “Review, Complete and Return with RFR”, the Attachment must be completed, printed, signed if necessary and returned with this Response.

See also: Guidance for Vendors -

The Attachments do not have to be submitted in any specific order. Attachments must be attached in this Section of the Response for printed or photocopied submissions only.

For Electronic CDs copies, the Attachments are not included.

Certificate of Good Standing

Please be advised that any Bidder selected for a contract must obtain a Certificate of Good Standing from the Department of Revenue as part of Contract Execution. Additional Information about this Certificate may be found at: https://wfb.dor.state.ma.us/webfile/Certificate/Public/WebForms/Help/LearnMore.aspx and http://www.dor.state.ma.us/rul_reg/AdminProcedure/AP613.htm.


RFR RESPONSE PART E - COST RESPONSE

1. Bidders must provide a cost schedule that provides the most cost effective pricing for the Commonwealth for both consulting and scanning services.

2. Pricing must be identified for each fiscal year of the contract (FY 2008 – ending June 30, 2008, and FY 2009 ending FY 2009).

3. Bidders must provide a schedule that includes volume discounts based upon the number of Department merchants that participate in purchasing services.

4. Departments are required to encumber funds to cover the total cost of an engagement. Therefore, hourly rates must be Composite Blended hourly rates that include all related fringe benefit costs and profit. All other direct, clerical, administration, indirect, overhead and incidental costs, such as travel, accommodations, meals, non-deliverable related printing, equipment, and supplies must also be included in the blended rate and may not be separately billed.

5. Describe how the pricing for an engagement is calculated.

6. How should the Commonwealth structure engagements to be most cost effective?

Contractor Name: Lighthouse Computer Services
Vendor Code: VC0000389868
Contact: Timothy Bernard
Telephone: (508) 254-2804
Email Address: [email protected]
Fax: (401) 334-0719
Web: www.lighthouseCS.com

The following is a standard price list. Prices and packages are subject to negotiation with each Department and will depend upon the Department’s payment application and negotiated PCI Quote Form/SOW.

Pre-Assessment Package
Cost is $2600
Review of network diagram
PCI Consulting assistance
Pre-SAQ readiness (recommendations)
Quarterly scans (review, SAQ recommendation, 1 IP)
Recommendations (if applicable) in order to be compliant.

***All remediation is handled outside the scope of this package…

Annual Assessment Package
Cost is $2600
PCI consulting assistance
Review of network diagram
SAQ Report
Quarterly Scans (review, SAQ, 1 IP)
Offering the previous package (recommendations) and the SAQ report ready to go after implementation of recommendations (if any).

***All remediation is handled outside the scope of this package…

Annual Penetration Testing (PCI requirement cite)
Cost per External IP Address: 1-3 IPs cost $372. Between 4-249 IPs the cost is $19 per each additional IP. Over 249 IPs the cost is $12 per each additional IP.

Security Consulting/PCI
Consulting assistance is $150 an hour; a block-of-hours agreement is recommended. Pricing will depend on the scope of the vulnerability assessment and penetration test/scan, network environment and number of internal/external IPs.

Wireless Scans
$150 an hour, block-of-hours agreement. Pricing will depend on the scope of the vulnerability assessment and penetration test/scan, network environment and number of internal/external IPs.
