Cybersecurity Governance

Solicitation number 204-WCB-23-043

Closing date and time 2023/08/03 15:00 EDT

    Description
    The Workers Compensation Board of Manitoba (WCB) invites firms to submit a Proposal for the following: Consulting services to deliver against cybersecurity initiatives as identified in year one and two of the WCB's five-year cybersecurity roadmap.

    Description of Services

    The WCB is seeking to engage a Contractor that will address and eliminate the identified cybersecurity governance gaps through a high-confidence cybersecurity plan, one that expedites deliverables to reduce the WCB's current cybersecurity exposure and increase its maturity rating through proven accelerators and expertise.

    The initial scope of work from this RFP is focused on retaining the Contractor to address the delivery and implementation of the ten (10) Cybersecurity Governance initiatives.

    The Contractor will also deliver program oversight, integration, and progress reporting against the broader roadmap of the entire thirty-five (35) initiatives. The Contractor will provide strategic direction to the WCB management team and project resources and act as the escalation point for all cybersecurity roadmap initiatives.

    The Contractor will be required to establish a cybersecurity target operating model taking into consideration the WCB's business risk management requirements, cyber considerations for digital transformation, required operational skillsets, and strategic planning needs.

    The WCB will require the Contractor to supply resources that have the combined experience and expertise to expedite the required deliverables in an acceptable time period to best mitigate current cybersecurity governance risks.

    The execution of the deliverables, which will raise the maturity of WCB's cybersecurity program, will include the following:
    a) Provide a dedicated CISO (Chief Information Security Officer) or equivalent role to lead the development and implementation of an organizational-wide cybersecurity governance practice, including cybersecurity policies, standards, and programs;
    b) Establish and lead a cybersecurity governance committee with internal WCB leadership representatives included for IT, risk, privacy, internal audit, data governance, and executive sponsorship (includes defining the roles and responsibilities and charter for the cybersecurity governance committee, and the vision, mission, and strategies for the cybersecurity program);
    c) Support the cybersecurity program by identifying required skillsets and forming a dedicated cybersecurity team that collaborates with other WCB teams;
    d) Recommend and execute capability improvements to address known gaps in cybersecurity maturity, increase efficiency, and set a foundation for the WCB's new digital modernization program;
    e) Define the WCB's cybersecurity strategy to address top threats and risks and protect the WCB's crown jewel assets and data (includes defining security requirements, cybersecurity strategy, and a WCB cloud security framework for the digital modernization program);
    f) Establish an ERM framework to identify, assess, track, and report on organizational risks, including cybersecurity risks. Assess cyber risks on an ongoing basis and report into the ERM risk register (includes establishing key risk indicators and key performance indicators to report on the cybersecurity risks and programs success, and provide insights to the WCB executive and the board of directors);
    g) Define and recommend an accountable internal department to own the TPRM (Third Party Risk Management) centrally (includes assisting with preparation of procurement requirements, vetting third-party service providers, and acting as a gatekeeper for the on-boarding of any new applications);
    h) Define clear criteria and process for conducting cyber due diligence reviews prior to, and during the term of third-party contracts (includes defining effective and clear plans to respond to third-party security incidents);
    i) Implement controls that take a holistic view of increasingly fragmented attack surfaces and brittle identity infrastructure;
    j) Define the WCB's cybersecurity policies and standards in collaboration with the WCB's Policy Services (includes use of accelerators for developing and communicating a broad set of policies, including a Bring Your Own Device (BYOD) policy to set security requirements for the use of personal devices to access the WCB's IT assets and data, access control policy, separation of duties policy, remote access policy, auditing and log review policy, patch management policy, security impact assessment policy, and development of comprehensive enterprise-wide system acceptance criteria for the system development process, including design and security-related requirements, etc.);
    k) Develop and enhance a formal security awareness program to educate staff on threats and their responsibilities (includes targeted training for high-risk roles with privileged access and/or access to confidential information, and annual awareness training for all employees and contractors, ensuring the training covers current topics and threats), and provide executive reporting on training results and go-forward recommendations;
    l) Define a cloud security reference architecture framework and detailed security requirements for the WCB;
    m) Define an interaction model between a hypothetical cybersecurity office (the WCB does not currently have a dedicated cybersecurity office) and the rest of the organization (e.g. cybersecurity office should regularly collaborate with all stakeholders, legal and privacy teams to review current requirements and when new legislations or regulatory requirements come into effect, etc.); and
    n) Provide key knowledge transfer to designated WCB staff.

    The Services will be structured with an Agreement to address the delivery and implementation of the ten (10) Cybersecurity Governance initiatives and will require the parties to enter into subsequent Statements of Work (collectively the "SOWs") for implementation support of initiatives under the other five (5) major themes, which will include program oversight, integration, and progress reporting against the broader roadmap of the entire thirty-five (35) initiatives. The Contractor, acting as CISO, or equivalent role, will execute the deliverables listed in section 13 above, providing strategic direction to the WCB management team and project resources, and acting as the escalation point for all cybersecurity roadmap initiatives.

    The full scope of work for the Services cannot be determined by the parties at the time the Agreement is executed because it is anticipated the WCB's needs and priorities will evolve as the ten (10) Cybersecurity Governance initiatives are completed and further information is collected. The parties shall, following internal approval by the WCB executive, mutually agree upon the distinct scopes of work for the other five (5) initiatives (Access Management, Data Protection, Network Security, Access and Configuration Management, and Resiliency and Incident Management) and the duties of the CISO, or equivalent role, including the total fees, deliverables, and completion dates for same, in writing, via the SOWs, prior to commencing work on such new components.

    The Services shall normally be performed during Business Hours. However, the WCB may request some of the Services to be performed outside Business Hours from time to time, as deemed necessary, in the unfettered discretion of the WCB. The Contractor shall not be entitled to charge overtime rates unless specified in the Fee Schedule.

    The WCB expects the Contractor to supply resource(s) on a full-time basis [thirty-six and a quarter (36.25) hours per week], given the urgent nature of the Services.

    The CISO, or equivalent, must have experience and knowledge with the following:
    a) Effectively communicating with both technical and non-technical staff;
    b) Clearly and effectively articulating the WCB's cybersecurity posture to senior management particularly when the situation is not satisfactory;
    c) Developing and implementing security policies and procedures, using a security framework as a guide;
    d) Understanding network activity and preparing for potential threats;
    e) Overseeing incident response and disaster recovery planning (includes oversight and leadership of table top testing on hypothetical cyberattack scenarios);
    f) Coordinating the response and recovery efforts when a data or security breach occurs;
    g) End to end security operations including the design and approval of a comprehensive security strategy which accounts for the end-to-end lifecycle of information security operations (includes evaluating the IT threat landscape, devising policies and controls to reduce risk, and leading auditing and compliance initiatives); and
    h) Proven ability to coach and develop internal staff for improved performance.

    The WCB prefers that the CISO, or equivalent, has experience and knowledge with the following (which may be considered an asset when evaluating Proposals):
    a) Setting up a cybersecurity governance committee at the enterprise level and knowing the accountabilities and responsibilities of all committee members (should have accelerators for creating the terms of reference for the committee, setting structure, rules of engagement, etc.);
    b) Setting up a cybersecurity practice and understanding its role within an organization (includes experience in creating an interaction model between various departments and establishing best practices for increased collaboration and ownership of data assets);
    c) Experienced in writing cybersecurity policies and/or using accelerators where required to fill gaps to expedite the WCB's cybersecurity maturity;
    d) Experienced in defining a cloud security reference architecture framework and associated security requirements;
    e) Excellent communication, consultation, and mediation skills to address complex and sensitive issues;
    f) Senior IT leadership experience in the delivery of complex projects/programs including digital modernization of core systems of record; and
    g) Ability to manage competing demands, multiple priorities, and changes in direction seamlessly.

    The Contractor will not be required to have and maintain workers compensation coverage for its workers who will be providing the Services, unless required pursuant to The Workers Compensation Act.

    The Proposal should include an overview of the proposed resource(s) being offered, including profiles of work which highlight their experience performing similar projects. Vendors are expected to provide the following for each proposed resource:
    a) Resources' names, identifying any subcontractor relationship (i.e. where an individual resource is not an employee of the Vendor);
    b) Completed skills matrix identifying resources' skills and knowledge;
    c) Ability to start on WCB's preferred start date or later date of availability; and
    d) Resume of resources.

    This RFP is only being sent to the Vendors that were pre-qualified under the WCB's Request for Information No. 206-WCB-22-014 that closed on MERX March 31, 2022. Vendors are each reminded of the obligations under their executed Non-Disclosure Agreement to maintain the confidentiality of all WCB sensitive technical IT data and to not share the contents of this RFP with any third party except as expressly allowed pursuant to the Non-Disclosure Agreement.

    The Services shall be provided onsite at the WCB's facilities located at 333/363 Broadway in Winnipeg, Manitoba, unless otherwise agreed in writing. Working remotely may be permitted for a portion of the Services, but only as pre-approved in writing by the WCB.

    It is expected that the Services to complete the delivery and implementation of the ten (10) initiatives under the theme of Cybersecurity Governance will be completed within an initial period of twenty-four (24) months, with a preferred start date of August 14, 2023. The WCB shall have an irrevocable option to further extend the Services on the same terms, conditions and fees for two (2) additional periods of up to six (6) months each.

      Bidding and Documents are available on http://www.merx.com. Fees may apply; See https://www.merx.com/public/pricing for more information.

      Contract duration

      The estimated contract period will be 24 month(s).

      Trade agreements

      • Canadian Free Trade Agreement (CFTA)
      • Canada-European Union Comprehensive Economic and Trade Agreement (CETA)
      • Please refer to tender description or tender documents

      Contact information

      Contracting organization: Workers Compensation Board of Manitoba
      Address: 333 Broadway Ave, Winnipeg, Manitoba, R3C 4W3, Canada
      Contracting authority: Agreement Administrator
      Email: AgreementAdministrator@wcb.mb.ca
      Summary information

      Language(s): English
      Procurement method: Competitive - Traditional
