RFP Concept Paper
(Attach F)
RFP Concept Paper # 124
Presented to Technology Governance Board (TGB)
Date Prepared: December 5, 2009
Name of document to be reviewed:
Internet Gateway Messaging Security and E-mail Encryption Solution
(Antivirus protection, anti-spam management, content security filtering, email encryption and data leakage
prevention)
(Please check one item listed in the following two sections)
Document for review and approval:
_X_ Request for Proposal (RFP) ___ Sole Source Procurement
___ Request for Service (RFS) ___ Statement of Work
___ Request for Quote (RFQ) ___ Staff Augmentation
___ Invitation to Qualify ___ Master Agreement Purchase
Document for review only:
___ Master Agreement ___ Request for Information (RFI)
Agency:
Department of Administrative Services, Information Technology Enterprise
Projected cost over $50,000? Yes _X_ No ___
Projected agency staff hours over 750? Yes _X_ No ___
Project Cost, Funds and Funding Source:
Project costs are estimated at $700,000. This funding will come from an existing budget for
Gateway services through DAS-ITE and a Pooled Technology Grant for FY11.
Timelines:
Estimated timeline:
January 2010 – Release RFP
February 2010 – Collect vendor responses
March - April 2010 – Evaluate responses
June - July 2010 – Vendor selection and contract
July - December 2010 – Implementation
Goal:
The goal is to solicit proposals, select a qualified vendor and implement a solution for internet
gateway messaging, including antivirus protection, spam and content filtering, data leakage prevention
and e-mail encryption.
Background:
With organizations facing a growing number of information security threats and an increasing
emphasis on information privacy and compliance regulations, securing e-mail communications
is a critical concern. Email represents an enormous productivity tool for both users and
enterprises; however, its pervasive and largely unsecured nature also represents one of the
greatest information security threats, the potential theft or loss of confidential information. This
threat comes with a high price tag which includes exposing citizens to the risk of identity theft,
losing public trust, negative publicity, excessive staff time remediating the breach and costly
lawsuits. There are many ways to minimize the risk of confidential information leaving a secure
network. One of the most effective methods is to scan, encrypt or block e-mails with
confidential information. This prevents both the intentional and unintentional disclosure of
confidential information. The Department of Human Services currently hosts an agency solution
for e-mail encryption. Other agencies encrypt files on a case-by-case basis. However,
there is no enterprise-wide solution in place to protect this data.
To address this problem, a multi-agency workgroup was formed to evaluate the feasibility of
implementing an e-mail encryption solution. Initial research revealed that this technology is
often bundled with internet gateway, anti-spam and anti-virus software, otherwise known as
gateway services. The current gateway services solution is effective at blocking 98% of spam
and viruses, but does not have a mechanism to encrypt e-mails or prevent confidential data
from being sent outside the state's network. It also lacks the functionality to block some of the
more recent and advanced spamming techniques. The workgroup has identified technologies
and vendors that provide solutions in these areas.
Securing and protecting confidential information is a fundamental principle and cornerstone of the
State of Iowa Enterprise Information Security standards. A theft of this type of data requires customer
notification as outlined in Iowa Code CH 715C (Personal Information Security Breach Protection).
This law requires businesses and government agencies to notify state residents if unauthorized
access to their computerized personal information is likely to do financial harm. Other compliance
standards include the Payment Card Industry (PCI), the Health Insurance Portability and
Accountability Act (HIPAA), data classification and data stewardship.
Expected Results:
A vendor solution will be selected to provide internet gateway message filtering and email
encryption technologies. This solution will be available to all state agencies.
What are the tangible and intangible benefits of this purchase for this agency and/or
state government?
E-mail is a daily productivity tool for the vast majority of State workers. In order for employees
to effectively utilize this tool, SPAM e-mail messages must be filtered out. The State of Iowa
receives between six and twelve million SPAM e-mail messages per day. In addition to
advertisements, these messages routinely contain computer viruses and malware. The
workgroup has identified the following features for an e-mail gateway solution:
- Capacity and scalability to accommodate the State's e-mail volume
- Supports a multi-server and data center design for disaster recovery and load balancing
- Provides effective anti-spam features including auto-update of anti-spam definitions
- Provides comprehensive and granular reporting
- Product support 24x7x365
- Configurable and granular filtering to accommodate agency-specific rules and policies
- Allows the review and management of quarantined e-mail
- Allows user-managed e-mail whitelists and blacklists
- Ability to integrate with existing e-mail systems
Confidential data is being passed between agencies and externally through e-mail on a regular
basis because no enterprise-wide technology is currently in place to prevent this or facilitate it in
a secure fashion. Users need to be able to send encrypted messages from their e-mail
applications that are secured such that only the intended recipients can unlock them.
Encrypted E-mail: Support for the security and confidentiality of:
- Statutory designated information
- Credit card, payroll, and financial reports
- Personal information as defined in Iowa Code Chapter 715C
- Employee and patient records
- Communications between lawyers and clients
- User IDs and passwords
- Information that compromises personal privacy and safety
Features the agency workgroup identified are:
- Compatibility with open records
- Message expiration and locking
- Gateway-to-gateway encryption
- User-to-user e-mail encryption
- Validate the authenticity of the message and verifiability of the sender
Can these benefits be quantified in financial terms? If yes, please explain. (YES – cost
savings for state agencies.)
Estimates can be made in lost productivity due to managing excessive amounts of e-mail, lost
productivity due to computer outages and costs associated with a breach of confidential
information. All of these variables are contingent on the number of employees impacted and the
scope of the problem.
Ex. 1,000 impacted employees @ $50 an hour x 1 hour a day = $50,000 a day lost on filtering
spam from their inboxes or recovering from a computer virus.
Ex. 2,000 confidential records sent out unintentionally @ $202 per record (according to the
Ponemon Institute 2009 4th annual data breach report) = $404,000
How will you be more effective as a result of this purchase?
More effective use of State computer assets and e-mail system due to fewer SPAM e-mails and
e-mail related malware, phishing schemes and computer viruses.
How will service to your customers be enhanced as a result of this purchase?
Availability of computer systems is typically necessary to deliver services to customers. This
project benefits the citizens of Iowa by efficiently using computer assets and protecting their
personal and confidential information from being intentionally or unintentionally sent through the
e-mail system.
Project Funds:
Existing funding from gateway services and FY11 Pooled Technology Funding
Some of the Interested Parties: The workgroup represents ten different agencies all varying in size.
Some of the Recipients of this Service:
26 State agencies will benefit immediately from the gateway services and e-mail encryption project.
Standards:
The following standards address protection of confidential information including user names and
passwords:
- Information Security Standard
- Shared Authentication Standard
- Interconnectivity Standard
- Data Stewardship Standard
Architecture (variables):
Based on the information gathered from the RFI, we anticipate the following types of architecture will be
proposed.
Product based (on-site solution or hardware):
- Gateway product
- Encryption product
Hosted service (cloud computing):
- Gateway service
- Encryption service
Recommendations from DAS staff and CIO Council members:
From 5 of 11 JCIO members:
a) Is there duplication within Government? No.
b) Can an existing program be modified to address a new need? No.
c) Do you have any similar program in existence? No.
d) Have you sought RFPs for similar programs in the past? No.
e) Do you have RFPs for similar programs? No.
f) Do you have an RFP that could be used as a starting point for this program? No.
g) Is there anything you could provide that could assist the agency with this RFP? No.
h) Are there alternatives available to the agencies? No.
Recommendation of the JCIO to the TGB:
Authorize this RFP (or Sole Source Procurement) to be released for bid Yes _X_ No ___
Alternatives suggested by the JCIO (see additional comments below) Yes ___ No _X_
Additional comments: None.
Recommendation of the IT RFP Advisory Group to the TGB:
Authorize this RFP (or Sole Source Procurement) to be released for bid Yes _X_ No ___
Alternatives suggested by the advisory group (see comments below) Yes ___ No _X_
Additional comments from advisory group members: None.