Royal Holloway and Bedford College

RHUL-19053 Cyber Security Discovery and Design Project

Incomplete applications: 26 (21 SME, 5 large)
Completed applications: 13 (7 SME, 6 large)
Important dates
Published: Tuesday 26 February 2019
Deadline for asking questions: Tuesday 5 March 2019 at 11:59pm GMT
Closing date for applications: Tuesday 12 March 2019 at 11:59pm GMT

Overview

Summary of the work: A partner to help identify a strategic cyber security roadmap and a coherent security architecture as part of a high level design that will build on the substantial changes already made to key business systems and their migration to the cloud.
Latest start date: Thursday 2 May 2019
Expected contract length: 2 year phased project / contract, with an initial phase of 8 weeks
Location: London
Organisation the work is for: Royal Holloway and Bedford College
Budget range: not stated (see supplier question 1 below)

About the work

Why the work is being done: The goal of the College is to work with a Supplier to assist in this phased project, with the initial phase of work being discovery, and to assist in identifying the programme of works required in order to build on the substantial changes already made by the College to key business systems and their migration to the cloud. These migrations have enhanced the College's security posture and brought next generation security practices and tools to the forefront of IT operations.
The design and discovery work for this project must commence Thursday 2 May for an 8 week period (approx.).
Problem to be solved: The Supplier is to assist, support and work with the College, through provision of expertise and knowledge of databases, networks, hardware, firewalls and encryption, to identify a strategic cyber security roadmap and a coherent security architecture as part of a high level design that will support future phases of the project.
Who the users are and what they need to do: With cyber attacks increasing against the UK education sector, RHUL, as a University, wants to be able to confidently work with a Supplier that will use its knowledge and expertise to support and assist the College through its cyber security project in whatever phases that assistance is required.
Early market engagement: Early market engagement that has taken place found, in summary, that the requirement is for a strategy and design document that will clarify, elaborate on and sequence a large programme of works expected to fall into the seven categories described below for potential delivery:

• Managing user access control
• Home and mobile working
• Malware prevention
• Network security
• Secure configuration
• Monitoring
• Removable media control
Any work that's already been done:
Existing team: The internal Royal Holloway University London team will comprise:
- System network specialists
- Application specialists
- System network and application specialists
- Project manager
- Team stakeholders, to provide guidance on requirements and approval of proposals
- Business owners
Current phase: Discovery

Work setup

Address where the work will take place: Royal Holloway University London, Egham Hill, Egham, TW20 0EX
Working arrangements: As outlined above, working arrangements will be with the University's internal team. This will ensure complete transparency in the work being completed and in communication. Work will be done on-site, daily, unless otherwise agreed, with face to face team meetings where required. Expenses are to be in line with the University's expense policy; once we have sight of the rate card and expenses this can be reviewed.
Security clearance: Whoever is awarded the contract will be required to sign the University NDA agreement.

Additional information

Additional terms and conditions:

Skills and experience

Buyers will use the essential and nice-to-have skills and experience to help them evaluate suppliers' technical competence.

Essential skills and experience
  • Experience establishing the status and suitability of patching across server and endpoint estates, including managed devices, the capabilities of the configuration / patch management tools currently deployed, and the supporting policies and processes.
  • Experience selecting, implementing and deploying tool(s) for configuration and patch management across managed devices running Windows, Mac OS X and Linux, and for common products including Java and Adobe products.
  • Experience selecting, implementing and deploying tool(s) for multifactor authentication (MFA) services, ensuring industry best practice and compatibility with a broad range of systems / applications.
  • Outline experience in the provision of, or the selection / recommendation of, a Security Operations Centre (SOC) for 24/7 monitoring of networks and attached devices, with appropriate alerting and response measures.
  • Ensure that solutions, processes and tools designed for specific security threats remain compatible with other related tools and services, such as log aggregation and outsourcing to a Security Operations Centre.
  • Highlight services for the tuning of monitoring tool(s), including the existing LogRhythm tool, and training in such tools for RHUL IT resources to enable automatic analysis, reporting and alert generation.
  • Review the Intrusion Prevention capabilities and configuration of the existing Palo Alto firewalls, with recommendation and implementation of other intrusion prevention tools, confirming suitability for meeting present threats.
  • Ensure application systems only have the network access they need, defining new rules where required.
  • Approach to providing services for IT network re-design according to current best practices, to support, but not limited to, the following: segregation of managed and unmanaged devices.
  • Review the current Sophos endpoint security products (one for cloud, one for on-premise) and confirm their ongoing suitability as the tool of choice for both Windows and wider estate security.
  • Following review, advise, if necessary, on further configuration optimisation or replacement with a different security product.
  • Ability to select, recommend and implement tools to manage DNS queries and protect the wider IT estate, in addition to filtering / blocking queries associated with malware and ransomware threats.
  • Provide services for network tuning to meet required performance and quality of service criteria.
  • Experience in analysis and design of DNS posture, external visibility, and DNS, IPAM and DHCP architecture.
  • Ability to provide services for analysis and review of the existing account / password sync between on-premise AD and cloud O365, and design of a quicker, fully supported and more robust solution.
  • Outline experience in selection, recommendation and implementation of a scalable web VPN upgrade, or other appropriate mechanisms / solutions for delivering remote access.
  • Outline experience in the above with NAC (Network Access Control), with support for user role-based access, posture checking and easy ongoing maintenance, and compatibility with MFA and SSO solutions.
Nice-to-have skills and experience
  • Outline approach to providing services to select, implement and deploy tool(s), and to define and help produce policies and processes, safeguarding against non-managed devices which access the College's networks.
  • Help establish the status of, and define procedures for, vulnerability scanning across server and endpoint estates and a range of managed devices, and the capabilities of the vulnerability scanning tools currently deployed.
  • Able to provide services for review and subsequent improvement of the student on-boarding process using existing and, if necessary, recommended new tools.
  • Able to provide services for the analysis and review of O365 email accounts given to alumni with no additional tools for management or security, and recommendation of potential self-service solutions.
  • Able to provide services for the identification, recommendation and implementation of tool(s) for new account / password creation and communication, and subsequent password management.
  • Could you evidence where you have done such a project before and how it was phased?

How suppliers will be evaluated

How many suppliers to evaluate: 7
Proposal criteria
  • Approach to providing for the definition and updating of security policies for server and desktop estates.
  • Approach to policy definition and implementation for the management of network devices (e.g. firewalls, switches, etc.) to block threats and to stop the spread of malicious infections.
  • Outline recommendation for implementation and configuration of appropriate network monitoring tools to: better understand traffic on the University network and detect security issues; provide network behaviour modelling.
  • Approach to detecting unusual behaviour of traffic on the network, raising / logging alerts; support for sFlow monitoring (sampling approach); support for NetFlow monitoring.
  • Review the Intrusion Prevention capabilities and configuration of the existing Palo Alto firewalls, with recommendation and implementation of other intrusion prevention tools, confirming suitability for meeting present threats whilst ensuring application systems only have the network access they need and defining new rules where required.
  • Approach to providing services for analysis and design of DNS posture, external visibility, and DNS, IPAM and DHCP architecture.
  • Able to provide services for consultation, policy proposals, solution design and implementation on removable media controls and DLP (Data Loss Protection).
  • Provide analysis and review of the existing, varied log-on processes (ADFS, SSO, OpenAthens, system-specific logins), designing a more coherent end user experience for logging into student-facing services.
  • Approach to the selection, recommendation and implementation of cloud based tools for protection against phishing, spoofing, malware and ransomware threats through inspection of inbound and outbound email traffic and appropriate filtering.
  • Approach and methodology for consultation on policy proposals, solution design and implementation for mobile working.
  • Approach to identifying, recommending and implementing tool(s) for new account / password creation and communication, and subsequent password management.
  • Highlight approach to providing services for review and subsequent improvement of the student on-boarding process using existing and, if necessary, recommended new tools.
  • Output requirement: Knowledge Transfer (RHUL to Partner), Infrastructure Estate Discovery, Detailed Requirements Analysis and Review, High Level Design, Strategic Road Map Iterations, Review and Approval.
  • Knowledge transfer workshops to facilitate completion of the 'As Is' cyber security picture. Document the 'As Is' picture.
  • Analysis, discussion and documentation of risk management strategies and potential solutions to inform the strategic road map, security architecture and high level design.
  • Document and present to the Project Board the strategic high level Project Plan, supported by the following: Work Breakdown Structure, Activity Plan, Cost Plan, Quality Plan, Communication Plan, Risk Management Plan.
  • Document and present to the Project Board the Cyber Security strategy road map.
Cultural fit criteria
  • Work as a team with our organisation and other suppliers
  • Be transparent and collaborative when making decisions
Payment approach: Fixed price
Assessment methods
  • Written proposal
  • Case study
  • Work history
  • Reference
Evaluation weighting
Technical competence: 60%
Cultural fit: 20%
Price: 20%

Questions asked by suppliers

1. Please can you provide an indication of budget for the project?
Answer: It is the College's preference not to set a budget for this requirement. Bidders are required to provide a fixed cost for the 8 week piece of work, together with a breakdown of consultancy day rates and consultancy grades.

2. Please can you confirm where we can put our pricing in the application submission?
Answer: Please refer to the guidance shown within the Digital Outcomes and Specialists templates and legal documents.

3. Are potential suppliers able to use sub-contractors and / or alliance partners in order to fulfil your full range of technical requirements?
Answer: Yes, you are able to use sub-contractors. However, as the main contractor you will still be liable for the delivery and performance of the services provided by these sub-contractors.

4. Will you be seeking to award the full programme to a single supplier / delivery partner, or create an eco-system of suppliers?
Answer: Ideally we would want to award this programme of work to a single supplier, but we reserve the right to award individual elements of the programme to another supplier.

5. If a supplier bids and is successful in this discovery and design phase, does it exclude that supplier from bidding, supplying and / or engaging with RHUL for the implementation of technical solutions which you would look to procure as a result of this project?
Answer: Please refer to the previous question and answer provided, but as confirmation: no, it will not exclude the supplier from bidding, supplying and engaging with RHUL.

6. In the last nice-to-have skills question, i.e. "Could you evidence where you have done such a project before and how it was phased", could you please expand on the phrase 'such a project'?
Answer: Please provide evidence of where you have undertaken a project or projects which clarifies your skills and experience against the broad scope of the requirements and criteria being requested, and provides insight into your approach for analysis, design and delivery.

7. Please could you confirm if there is any additional documentation other than the information detailed on the Digital Marketplace Opportunity?
Answer: For the purposes of the tender there is no additional documentation. However, an indicative timeline, already planned and expected to be worked to, is as follows:

01/05/2019 – 03/05/2019 Pre kick-off discussion
07/05/2019 – 07/05/2019 Discovery & Design kick-off
08/05/2019 – 17/05/2019 Knowledge Transfer Workshops & Further Discovery
20/05/2019 – 03/06/2019 Detailed Requirements Analysis & Review
03/06/2019 – 14/06/2019 High Level Design
03/06/2019 – 14/06/2019 Strategic Road Map iterations
17/06/2019 – 17/06/2019 HLD & Road Map Completed
06/06/2019 – 04/07/2019 Complete High Level Schedule Development (Activities, Costs, Risks, Quality, Resources, Communication)

8. "Is the scope of this engagement limited to the outlined consultancy requirement, or are RHUL looking for a partner and reciprocal relationship that extends to the Cyber programme run by the University?"
Answer: Please refer to our earlier question and answer response.

9. In reference to the submission of our full written proposal, case studies, work history and reference material: at what point in the process will you need these? Do we send this separately or via the portal (it is not immediately obvious), and at what stage (e.g. is it now, after a shortlisting process, or after the Q&A session)? The tender request is not showing the details of what is planned following shortlisting.
Answer: The three top scoring suppliers will be invited to deliver a presentation to the review panel. Dates for this are between 25th March and 3rd April. Your initial response, before shortlisting, should include a full written proposal addressing the specific requirements. It is recommended that reference to work history and case studies is provided, but full details and additional reference material are not required at this stage; if you are shortlisted then the presentation should provide far greater detail in support of your earlier statements.

10. Does RHUL use any architectural framework (e.g. TOGAF, SABSA, etc.)?
Answer: No.

11. Although the work summary looks for a partner to assist RHUL in the identification of a strategic cyber security roadmap and a coherent security architecture, some of the essential skills refer to experience in daily operations rather than architecture. Is RHUL looking for a partner to document and evaluate the current state, design the target state, and derive the corresponding interim states, all placed in a roadmap? Or is RHUL looking for a partner to evaluate current tools and configurations with the aim of providing advice on improvements or replacements, which seems more of a tactical approach than a strategic one?
Answer: The former: RHUL is looking for a partner to document and evaluate the current state, design the target state, and derive the corresponding interim states, all placed in a roadmap. This exercise is initially based on a targeted scope driven by prioritised business risks.