FROM: James D. Herberg, General Manager
Originator: Lorenzo Tyner, Assistant General Manager
SUBJECT:
title
INCIDENT RESPONSE PROGRAM
end
GENERAL MANAGER'S RECOMMENDATION
recommendation
RECOMMENDATION:
A. Award a Professional Services Agreement to Tevora Business Solutions to provide Cyber Incident Response Consulting Services, Specification No. CS-2020-1160, for a total amount not to exceed $112,700; and
B. Approve a contingency in the amount of $16,905 (15%).
body
BACKGROUND
The Water and Wastewater sector is recognized as one of 16 critical infrastructures by the Department of Homeland Security whose assets, systems, and networks are considered vital. The number of cyber security breaches and incidents are increasing each day. According to Ponemon Institute, a leader in cyber security research, the average cost of a breach in 2019 was $3.92 million. Cyber incident response is the methodology or the organized approach to prepare, detect, contain, and recover from a security breach. Cyber incident response has become an important and necessary component of organizations to rapidly detect incidents to minimize loss and destruction and restore services. Over the last several years the Orange County Sanitation District (Sanitation District) has developed an Incident Response Program which includes the following:
• Incident Response Plan
• Incident response playbooks
• Incident response contact list
• Incident response escalation chart
• Incident response roles and responsibilities
• Incident response quick guide
The Sanitation District has recently renewed its cyber insurance policy which includes incident response services and has performed several tabletop exercises in October 2019 to prepare for a potential cyber security breach.
RELEVANT STANDARDS
• Ensure the public’s money is wisely spent
• Maintain a culture of improving efficiency to reduce the cost to provide the current service level or standard
• Protect Orange County Sanitation District assets
• Commitment to safety & reducing risk in all operations
PROBLEM
Performing incident response effectively is a complex undertaking that requires substantial planning, preparation, and training. Some challenges include timely incident detection, understanding roles and responsibilities, effective communication, and establishing clear procedures and methods for prioritizing the handling of incidents. Over the last several years, the Information Technology (IT) division has had several key personnel retire and new personnel placed in key roles. IT needs to review its current plan, documents, and procedures to improve the incident response program to better detect incidents, minimize loss, and recover data and services. There is also a need to provide training on Incident Response methodology to key IT staff.
PROPOSED SOLUTION
To keep the Cyber Incident Response program up to date, the IT division requests to purchase cyber incident response consulting services to review and improve the current incident response program to deal with cyber incidents with an efficient and effective plan, processes, role-based teams, and training. The consulting service will include the following:
• Review and improve the communication and escalation process
• Update incident classification and severity definitions
• Identify roles and responsibilities of the incident response team
• Recommend relevant incident response metrics
• Review the current playbooks and develop additional playbooks
• Provide incident response training to key IT staff
• Conduct four (4) tabletop exercises
TIMING CONCERNS
Cyber risk continues to grow at an exponential rate with routine attacks from nation states, criminal elements, hacktivists, and insider threats. Delay in this program could cause confidential data to be compromised, create a negative public image, and cause legal issues.
RAMIFICATIONS OF NOT TAKING ACTION
A decision not to purchase cyber incident response consulting services may result in an increase in incident detection times and handling which can lead to more loss and destruction of systems and services.
PRIOR COMMITTEE/BOARD ACTIONS
N/A
ADDITIONAL INFORMATION
On April 28, 2020, the Sanitation District issued a Request for Proposals (RFP) to review and improve the Cyber Security Incident Response Program. The following evaluation criterion were described in the RFP and used to determine the most qualified firm.
CRITERION |
WEIGHT |
1. Qualifications & Experience of Firm |
20% |
2. Proposed Staffing & Project Organization |
20% |
3. Work Plan |
30% |
4. Presentation/Interview |
10% |
5. Cost |
20% |
The RFP closed on May 28, 2020. The Sanitation District received a response from seven (7) companies. The RFP evaluation team consisted of five (5) Sanitation District staff and included an Information Tech Supervisor, a Safety and Health Supervisor, an IT Systems & Operations Manager, a Senior Info Tech Analyst and a Principal Info Tech Analyst. This RFP used the individual scoring method. The evaluation team first reviewed and scored the proposals based upon the first three criteria listed above.
Rank |
Proposer |
Criterion 1 (Max 20%) |
Criterion 2 (Max 20%) |
Criterion 3 (Max 30%) |
Subtotal Score (Max 70%) |
1 |
Tevora Business Solutions |
14.2 |
14.2 |
21.6 |
50.0 |
2 |
Ankura Consulting |
12.6 |
12.8 |
20.1 |
45.5 |
3 |
Fireeye |
15.0 |
13.0 |
18.9 |
46.9 |
4 |
AESI-US |
12.4 |
12.2 |
21.0 |
45.6 |
5 |
Coastline Consulting |
11.8 |
10.4 |
16.2 |
38.4 |
6 |
Natsar LLC |
11.2 |
9.2 |
16.8 |
37.2 |
7 |
LRS |
10.8 |
9.0 |
11.7 |
31.5 |
The three highest ranking firms, Tevora Business Solutions, FireEye, and Ankura Consulting were selected for interviews. The interviews were conducted from June 29 - July 1, 2020. Following the interviews, the evaluation team ranked the firms based on both the proposals and interviews using the evaluation criteria and weighting listed above. The proposals were accompanied by sealed cost proposals. The cost proposals for these three firms were opened with the lowest being Tevora Business Solutions. A Best and Final Offer was requested with Tevora lowering their cost, resulting in additional savings to the Sanitation District.
Rank |
Proposer |
Subtotal Score (Max 70%) |
Presentation (Max 10%) |
Cost (Max 20%) |
Total Weighted Score (Max 100%) |
1 |
Tevora Business Solutions |
50.0 |
7.4 |
20.0 |
77.4 |
2 |
Ankura Consulting |
45.5 |
6.6 |
9.2 |
61.3 |
3 |
Fireeye |
46.9 |
4.6 |
8.4 |
59.9 |
Based on these results, staff recommends awarding the Agreement to Tevora Business Solutions. The term of this Agreement will begin upon the effective date of the Notice to Proceed.
CEQA
N/A
FINANCIAL CONSIDERATIONS
This request complies with authority levels of the Sanitation District's Purchasing Ordinance. This item has been budgeted. (FY2020-21 & 2021-22 Budget, Section 8, Page 49, Information Technology Capital Program (M-MC-IT)).
ATTACHMENT
The following attachment(s) may be viewed on-line at the OCSD website (www.ocsd.com) with the complete agenda package:
• Professional Services Agreement