


REQUEST FOR PROPOSALS

 

Cyber and Security Audit

 

 

 

 

Legal Aid of NorthWest Texas


2022 LSC TECHNOLOGY IMPROVEMENT PROJECT GRANT

 

 

 

 

Table of Contents

INTRODUCTION

OVERVIEW AND OBJECTIVE

SCOPE OF SERVICES

DELIVERABLES

MINIMUM DESIRED QUALIFICATIONS

TIMELINE AND SUBMISSION

FORMAT OF PROPOSALS

EVALUATION AND SELECTION CRITERIA

PRICE

QUALITY

PERFORMANCE

PROFESSIONALISM

CONFIDENTIALITY

TERMS AND CONDITIONS

FREEDOM OF INFORMATION ACT

COMMITMENT TO DIVERSITY

 

 

INTRODUCTION

It is the mission of Legal Aid of NorthWest Texas (LANWT) to ensure equal justice for the millions of Texans living in poverty through the provision of high-quality legal representation, and to improve the lives of low-income Texans through the rule of law. LANWT is a 501(c)(3) organization providing free advocacy, legal representation, and community education to help ensure equal access to justice for all. LANWT operates 25 offices across 114 Texas counties throughout North and West Texas in both rural and metropolitan areas. LANWT is one of three free full-service legal providers in Texas that provide advocacy through community education, legal advice, brief services, negotiations, administrative representation, litigation, community redevelopment, community lawyering, pro bono representation, and pro se assistance and resources.

 

 

OVERVIEW AND OBJECTIVE

LANWT requests proposals from qualified consultants to conduct a comprehensive network security audit and organizational technology assessment.  Where applicable, the consultant will make suggestions and recommendations, as well as provide examples and materials based upon their findings in the overall assessment.

 

The consultant will review LANWT's existing Information Technology (IT) policies and strategies to provide policy management assistance, including the creation of forms and templates to serve as a foundation for an overall risk management program.

 

The audit will assist in securing all LANWT files (including but not limited to legal, client, financial, and employee information) from loss or unintended breach or exposure. The audit should help identify potential threats (internal or external) and implement countermeasures and system upgrades. The consultant will identify weaknesses and, where necessary, establish targets for continuing improvement of LANWT's security, internal controls, IT operations, and overall security. This project will help LANWT remain in compliance with funder requirements for data and cybersecurity. The audit and recommendations will be utilized to assist LANWT in positioning itself to obtain cybersecurity insurance coverage at a reasonable rate.

 

This project is funded by a grant from the Legal Services Corporation and the consultant's portion must be completed no later than May 31, 2023.

 

SCOPE OF SERVICES

To assist with an overriding total security posture, LANWT is looking for a consultant to conduct a cyber and security audit that must include, but is not limited to, the following:

 

  • Conduct a comprehensive security review of all operational aspects of information technology services.
  • Provide suggestions and recommendations aligned to commonly accepted industry standards.
  • Identify high-risk information technology issues.
  • Evaluate and review policies, provide recommendations, and identify lapses of coverage and policy gaps.
  • Provide examples and assistance in policy creation.
  • Review services such as FTP, VPN, email, and the necessary ingress/egress points against attack vectors.
  • Detailed analysis of LANWT's internal and external network architecture.
    • Consideration of approximately 25 offices and a 350-plus mobile workforce, to include volunteers and donors.
  • Evaluation of software, systems, and procedures to include perimeter, internal, and endpoint defenses.
  • Evaluation of loss prevention against malicious, internal, and catastrophic threats.
  • Evaluation of a vulnerability baseline.
  • Review training and preparedness procedures.
  • Review firewall policies.
  • Penetration testing with up to 14 external IP addresses.
  • Conduct any necessary interviews with principal people.
  • Regularly communicate progress to LANWT.
  • The selected consultant will follow a defined scope, schedule, and budget.
  • The selected consultant will appropriately manage project activities and risks.

     

     

DELIVERABLES

Deliverables for the audit include:

 

  • A written Project Plan that specifies the scope of work, tasks, schedules, and dependencies.
  • Weekly status reports that identify risks and progress made on the Project Plan.
  • An executive summary for LANWT leadership that details LANWT's position against comparable organizations, including strengths and areas of improvement.
    • A list of technical concerns and recommendations.
    • Technical details for key technical personnel.
    • Information about network-connected devices and software for use in developing an inventory management system and policies surrounding hardware and software management.
    • High-level feedback regarding existing technology-related policies, including a summary of how policies might be improved to be more comprehensive.
    • Staff survey results that can be used to make additional decisions regarding technology planning, training, and development.
    • A prioritized road map of activities developed in conjunction with LANWT's IT personnel.
  • A written Technology Security Audit Report that includes:
    • Results of any threat analysis, vulnerability testing, and phishing testing performed.
    • Findings, risks, and prioritized recommended solutions for vulnerabilities found during the review, including but not limited to recommendations for improvements to the existing Microsoft 365 security configuration and external perimeter (firewalls, web, file transfer protocol (FTP), and DNS servers).
    • Technical details for key technical personnel.
    • Estimates, based on experience, of the costs to implement proposed solutions, including licensing, support, maintenance, hosting, and annual costs for any subscription-based services.
    • A prioritized road map of activities developed in conjunction with LANWT IT personnel.

       

       

MINIMUM DESIRED QUALIFICATIONS

Qualified consultants will have knowledge and demonstrated experience with technical and security assessments, the ability to have virtual meetings with LANWT staff to facilitate the project development and evaluation, the ability to meet the deliverables on time and within budget, experience using resources effectively and efficiently, and familiarity with civil legal aid and the nonprofit sector.

 

TIMELINE AND SUBMISSION

Proposals are due by 5:00 p.m. Central Time on Friday, December 2, 2022. A consultant will be selected by Friday, December 30, 2022. The selected consultant should be ready to engage almost immediately in January 2023, even if this only includes a kickoff meeting. Proposals must be "total cost" bids.

 

Please submit all inquiries and proposals via email to:

Doug Johnson

IT Director

Legal Aid of NorthWest Texas

Phone: 214-243-2252

Email: johnsond@lanwt.org

Use the subject line: LANWT Security Audit

 

A copy of this RFP can be found at https://internet.lanwt.org/en-us/Pages/rfp_security_audit.aspx. An additional FAQ page is available at the same URL.

 

 

FORMAT OF PROPOSALS

In addition to the requirements elsewhere in this RFP, proposals must contain the information listed below:

  • The consultant's name, address, website, URLs, federal tax identification number or Social Security Number, and a description of the vendor's legal status (corporation, sole proprietor, etc.).
  • The consultant's company profile, including background, capabilities, experience, and other relevant experience/skills.
  • The name, telephone number, and email address for the consultant's primary contact.
  • The names of the staff members the consultant will use to conduct the technology security audit, along with their CVs, experience, and/or qualifications.
  • A detailed timeline for the project, including the approximate start date.
  • An itemized sales quote for listed expenses and cost projections.
  • Communication and evaluation procedures for staff/principal interviews.
  • Any relevant conflicts of interest or pending lawsuits in which the consultant is a party.
    • You will be expected to certify a conflict of interest.
  • A list of clients with similar needs for whom the consultant has provided a technology assessment and/or technology security audit, including nonprofit organizations and law firms. For each, please provide the name of the organization along with the name, title, telephone number and/or email address of an individual at the organization for LANWT to contact.

 

In addition to the above, prospective consultants are encouraged to submit any literature, terms and conditions, warranty information, and other documentation to support their proposal.

 

EVALUATION AND SELECTION CRITERIA

The contract will be awarded to the consultant who provides the best value – the most advantageous balance of price, simplicity, flexibility, support, innovation, quality, value added feature set, and performance to LANWT.  Proposals will be evaluated based on the following criteria:

 

PRICE

    • The reasonableness and completeness of the prices submitted for the proposed services.
    • Whether the price is realistic (especially if it is an estimate), reflects a clear understanding of LANWT's need, and is consistent with other parts of the proposal.

QUALITY

    • Qualifications and experience of proposed staff – account, support, and training assets.
    • Technical expertise of the consultant.
    • Project plan and approach.
    • Level of detail in response.

PERFORMANCE

    • Capacity.
    • Understanding of and ability to meet LANWT's needs.
    • Responsiveness to LANWT.

PROFESSIONALISM

    • Reputation for excellence in price, performance, and quality.
    • Willingness to accept LANWT and LSC terms (e.g., Texas venue and governing law, no limitation on liability, no binding arbitration, indemnification, and estimated cost, but not to exceed clause).

       

CONFIDENTIALITY

During the vendor selection and project execution phases, LANWT may provide you access to its confidential or proprietary information. You agree not to use any information obtained for your benefit or that of any third party. You further agree not to disclose any proprietary information to any person who does not have a need to know, and you agree to sign an agreement to protect the interests and information of our clients and our proprietary information.

 

TERMS AND CONDITIONS

LANWT reserves the right to change this RFP or the RFP schedule, and also reserves the right to cancel or reissue the RFP, at any time.

 

LANWT reserves the right to waive minor irregularities or errors contained in the submitted proposal.

 

LANWT will not pay any consultant costs associated with preparing responses or proposals in response to this RFP.

 

All proposals received shall remain confidential until the evaluation is completed, the consultant selected, and the consultant approved.  Thereafter, proposals shall be deemed public records.

 

All responses, proposals, accompanying documentation, and other materials submitted in response to this RFP shall become the property of LANWT and will not be returned.

 

LANWT and the successful vendor will negotiate payment terms and incorporate said terms into the contract agreement.  LANWT will not pay for work not properly authorized, contracted or performed.

 

The release of this RFP does not compel LANWT to enter any contract.  LANWT reserves the right to refrain from contracting with any consultant that has responded to this RFP whether or not the consultant's response has been evaluated and whether or not the consultant has been determined to be qualified. Exercise of this reserved right does not affect LANWT's right to contract with any other consultant. LANWT reserves the right to request an interview with any consultant, and/or a demonstration from any consultant, prior to entering into a contract.

 

The successful consultant will not make any press releases, public statements, advertisements, or other promotional materials using LSC's or LANWT's name or logo, the name of any employee, referring to the agreement, or the purchase of goods or services without prior written approval. Requests for prior written approval of any such releases, public statements, advertisements, or other promotional materials must be directed to LANWT's Director of Communication.

 

Failure on the consultant's part to request clarification shall obligate the proposer to abide by LANWT's decision as to the intended meaning of any portion of the proposal documents.  The evaluation of proposals shall be LANWT's sole responsibility, based on information furnished by the proposer as well as on other information available.

 

FREEDOM OF INFORMATION ACT

The Freedom of Information Act (FOIA) and associated federal regulations may require LANWT to disclose certain documents to the public, including portions of your proposal.  Generally, LANWT will not release any documents that would cause you competitive harm.

 

You are encouraged to label any confidential information contained in your proposal to facilitate LANWT's ability to withhold it from disclosure.

 

COMMITMENT TO DIVERSITY

LANWT is proud to be an equal opportunity employer.  We are committed to building a diverse workplace and strongly encourage women, persons of color, LGBTQ individuals, veterans, persons with disabilities, and persons from other underrepresented groups to submit a proposal.