vendor conference power point presentation

Texas Health and Human Services Commission (HHSC) Information Technology Audit of Wireless Technology Security, Request for Proposals # 529-07-0111, Vendor Conference January 2, 2008

Upload: mike97

Post on 20-May-2015


Page 1: Vendor Conference Power Point Presentation

Texas Health and Human Services Commission (HHSC)

Information Technology Audit of Wireless Technology Security

Request for Proposals # 529-07-0111

Vendor Conference January 2, 2008

Page 2: Vendor Conference Power Point Presentation

Welcome

Introductions

• Steve Bailey and Thomas Spears, Enterprise Contract and Procurement Services (ECPS)

• Sherice Williams-Patty, HUB Coordinator, Administrative Services Development (ASD)

• David Griffith, Director, HHSC Internal Audit

• Annick Barton, IT Audit Manager

• David Brown, Assistant General Counsel

Housekeeping Items

Page 3: Vendor Conference Power Point Presentation

HHSC Procurement Roles

• ECPS - Responsible for procurement activity

• HUB - Responsible for HUB activity

• Program - Responsible for project scope, requirements, performance, results, contract management/monitoring

• Legal - Questions/answers and legal activity

Page 4: Vendor Conference Power Point Presentation

Vendor Conference Overview

• Procurement Activities

• HUB Items

• RFP Overview

• Questions Submittal

• Break

• Preliminary Responses to Questions

• Closing Comments

Page 5: Vendor Conference Power Point Presentation

Procurement Activities

• Questions & Answers

• Sole Contact, Mary Townsend, ECPS

• Procurement Schedule

• Solicitation Access

• Submission Requirements

• Solicitation Changes

• Screening & Evaluation

• Award Information

Page 6: Vendor Conference Power Point Presentation

HUB Subcontracting Plan (HSP) Requirements

Page 7: Vendor Conference Power Point Presentation

Agenda Topics

• RFP Section 4.0 Historically Underutilized Business Participation Requirements

• HUB Subcontracting Plan

• Self Performance HSP

• HSP Prime Contractor Progress Assessment Report

Page 8: Vendor Conference Power Point Presentation

RFP Section 4.0 - Historically Underutilized Business Participation Requirements

• HUB Participation Goals

• Potential Subcontracting Opportunities

• Vendor Intends to Subcontract

• Minority or Women Trade Organizations

• Self Performance

• HSP Changes After Contract Award

• Reporting and Compliance with the HSP

Page 9: Vendor Conference Power Point Presentation

Self Performance Declaration

Company Information

HSP Information Page

If more than 20, provide attached list

HUB GOALS

Page 10: Vendor Conference Power Point Presentation

One page for each area subcontracted (listed on page 1)

List Line # and Subcontracting Opportunity

HSP Information Page

Page 11: Vendor Conference Power Point Presentation

Protégé performing the work

HSP Information Page

Skip to Sections 8 and 10

Page 12: Vendor Conference Power Point Presentation

Professional Services Category

HSP Information Page

Good Faith Efforts to find Texas Certified HUB Vendors

Contact HUB Trade Organization

Written Notification Requirements

Page 13: Vendor Conference Power Point Presentation

List 3 HUBs Contacted for this Subcontracting Opportunity

HSP Information Page

Page 14: Vendor Conference Power Point Presentation

List Subs to be used (HUBs & Non-HUBs) for this Subcontracting Opportunity

HSP Information Page

Page 15: Vendor Conference Power Point Presentation

Reason why HUB was not selected for this Subcontracting Opportunity

HSP Information Page

Page 16: Vendor Conference Power Point Presentation

Self Performance Explanation

Signature Affirms that True and Correct Information is Provided

HSP Information Page

Page 17: Vendor Conference Power Point Presentation

HUB Subcontracting Plan (HSP)

Prime Contractor Progress Assessment Report

This form must be completed and submitted to the contracting agency each month to document compliance with your HSP.

Contract/Requisition Number: Date of Award: Object Code: (mm/dd/yyyy) (Agency Use Only)

Contracting Agency/University Name:

Contractor (Company) Name: State of Texas VID #:

Point of Contact: Phone #:

Reporting Period: - Jan. - Feb. - Mar. - Apr. - May - Jun. - Jul. - Aug. - Sept. - Oct. - Nov. - Dec. (Check only one Month)

Total Contract Amount Paid this Reporting Period to Contractor: $

Report HUB and Non-HUB subcontractor information

Subcontractor’s Name | Subcontractor’s VID or HUB Certificate Number | Total Contract $ Amount from HSP with Subcontractor | Total $ Amount Paid This Period to Subcontractor | Total Contract $ Amount Paid to Date to Subcontractor | Object Code (agency use only)

$ $ $


TOTALS: $ $ $

Signature: Title: Date:

HSP-PAR Rev. 9/05

• Required with ALL Pay Requests

• Required even if not subcontracting

• List ALL Sub payments (HUBs & Non-HUBs)

HSP Prime Contractor Progress Assessment Report

ATTACHMENT “E”

Page 18: Vendor Conference Power Point Presentation

HSP ASSISTANCE FROM CPA

HUB Subcontracting Plan (HSP) Forms

Step-by-step instructions and an audio on “How to Complete an HSP” are located on the Comptroller of Public Accountants (CPA’s) website at: http://www.cpa.state.tx.us/procurement/prog/hub/hub-forms/hsp_project.wmv

How to Complete an HSP

• Play Windows Media Version (7.7 mb download)

• Play Macromedia Flash version (10.8 mb download)

• Read Video Transcript (.rtf file) (160k download)

• Play QuickTime (mp4) version (24 MB download)

Page 19: Vendor Conference Power Point Presentation

Administrative Services Development HUB Program Office

Sherice Williams-Patty, HUB Administrator, Administrative Services Development - (512) 424-6903 - [email protected]@hhsc.state.tx.us

Carlos Balderas, HUB Administrator, Administrative Services Development - (512) 424-6896 - [email protected]@hhsc.state.tx.us

Robert L. Hall, C.P.M., Administrative Services Development Director - (512) 424-6596 - [email protected]@hhsc.state.tx.us

Page 20: Vendor Conference Power Point Presentation

RFP Overview: IT Audit of Wireless Technology Security

HHSC Internal Audit

Annick M. Barton, IT Audit Manager

January 2, 2008

Page 21: Vendor Conference Power Point Presentation

IT Audit of Wireless Technology Security

• Mission and Objectives

• Scope of Work

• Project Schedule

• Key Performance Requirements

• Cost Proposal

Page 22: Vendor Conference Power Point Presentation

Mission (Section 1.4 and 1.5)

• To engage an independent audit services contractor to evaluate wireless technology security in Health and Human Services agencies

• Audit services must be conducted in accordance with auditing standards issued by the IIA, GAO, and ISACA

• Experience and expertise of the Respondent’s key professional staff is a significant factor in selection of the audit services contractor

Page 23: Vendor Conference Power Point Presentation

Objectives (Section 1.5)

Determine whether:

A. Agency decisions to use wireless technology are supported by an analysis of business needs, impacts on the technology infrastructure, data and system risks, and associated benefits and costs.

B. HHS enterprise contract provisions and information technology standards and policies adequately address wireless technology risk areas and are aligned with State and Federal requirements and best practices.

C. HHS agency contract provisions and information technology policies, procedures, and practices adequately address wireless technology risk areas and are consistent with HHS enterprise standards and policies, State and Federal requirements, and best practices.

Page 24: Vendor Conference Power Point Presentation

Objectives (Section 1.5)

Determine whether:

D. Wireless network access points and servers that support Blackberry/Personal Digital Assistant services are appropriately secured to help ensure HHS data and systems are protected from unauthorized disclosure, use, modification, or destruction.

E. Wireless network devices are appropriately secured to help ensure HHS data and systems are protected from unauthorized disclosure, use, modification, or destruction.

F. Effective mechanisms are in place for detecting, monitoring, and responding to wireless security exposures and incidents.

Page 25: Vendor Conference Power Point Presentation

Scope of Work (Section 2.2 and 2.5)

• Information Technology Audit of Wireless Technology Security across all HHS agencies (DADS, DARS, DFPS, DSHS, and HHSC)

• Audit Planning, Fieldwork, and Reporting Phases

Page 26: Vendor Conference Power Point Presentation

Scope of Work (Section 2.2 and 2.5)

Audit Scope

• HHS agency and applicable vendor/contractor activities

• Includes assessment of wireless access points that are rogue or unapproved

• Includes evaluation of security controls related to wireless technology hardware, software, and devices (such as laptops, PDAs and related servers, and printers)

Page 27: Vendor Conference Power Point Presentation

Scope of Work (Section 2.2 and 2.5)

Audit Scope

• HHS agency owned or leased facilities

• Any locations that house HHS employees in Texas

• Data centers housing HHS data located in Texas

Page 28: Vendor Conference Power Point Presentation

Project Schedule (Section 2.1)

• Detailed project schedule of work and timelines

• Resulting in Final Audit Report submitted no later than 120 business days after the contract effective date

• Anticipated contract effective date: April 15, 2008

• Draft Report due no later than 89 business days after the contract effective date (August 22, 2008)

Page 29: Vendor Conference Power Point Presentation

Key Performance Requirements (Section 2.3 and Attachment A)

• Contractor must meet Key Performance Requirements and subscribe to associated liquidated damages for failure to perform

• Respondent must indicate in its proposal acceptance or rejection of each Key Performance Requirement, including (if rejected) basis for rejection and proposed modifications

• If timeline for any deliverable not met, contractor must provide Daily Status Report

Page 30: Vendor Conference Power Point Presentation

Key Performance Requirements (Section 2.3 and Attachment A)

• Attachment A outlines Performance Area, Standards and Measures, and Liquidated Damages

Example:

• List of Audit Project Personnel can be accepted or rejected by the Internal Audit Director

• Once personnel are approved, contractor may not make changes without written approval of the Internal Audit Director

• Liquidated damages for noncompliance are $10,000 per occurrence plus $500 per day for each project member changed

Page 31: Vendor Conference Power Point Presentation

Cost Proposal (Section 3.14.2 and Attachment B)

• Separate costs must be provided for each audit phase and audit objective

• Include any business, economic, legal, programmatic, or practical assumptions that underlie the Cost Proposal

• Separately identify value-added benefits, costs-savings and cost-avoidance measures and the effect on the Cost Proposal and Scope of Work

• HHSC reserves the right to select the objectives to be performed to obtain best value for HHSC

Page 32: Vendor Conference Power Point Presentation

Texas Health and Human Services Commission (HHSC)

Questions Submittal

Followed by Break

Page 33: Vendor Conference Power Point Presentation

Closing Comments

Office of General Counsel

• Collusion

• Conflict of Interest

• Permissible contacts