RFP Concept Paper

RFP Concept Paper (Attach F) RFP Concept Paper # 124 Presented to Technology Governance Board (TGB) Date Prepared: December 5, 2009 Name of document to be reviewed: Internet Gateway Messaging Security and E-mail Encryption Solution (Antivirus protection, anti-spam management, content security filtering, email encryption and data leakage prevention) (Please check one item listed in the following two sections) Document for review and approval: X Request for Proposal (RFP) __ Sole Source Procurement __ Request for Service (RFS) __ Statement of Work __ Request for Quote (RFQ) Staff Augmentation __ Invitation to Qualify __ Master Agreement Purchase Document for review only: __ Master Agreement __ Request for Information (RFI) 1 (Attach F) Agency: Department of Administrative Services, Information Technology Enterprise Projected cost over $50,000? Yes X _ No ___ Projected agency staff hours over 750? Yes _X_ No ___ Project Cost, Funds and Funding Source: Project costs are estimated at $700,000. This funding will come from an existing budget for Gateway services through DAS-ITE and a Pooled Technology Grant for FY11. Timelines: Estimated timeline: January 2010 – Release RFP February 2010 – Collect vendor responses March - April 2010 – Evaluate responses June - July 2010 - Vendor selection and contract July - December 2010 - implementation Goal: The goal is to solicit proposals, select a qualified vendor and implement a solution for internet gateway message including antivirus protection, spam and content filtering, data leakage prevention and e-mail encryption. Background: With organizations facing a growing number of information security threats and an increasing emphasis on information privacy and compliance regulations, securing e-mail communications is a critical concern. Email represents an enormous productivity tool for both users and enterprises; however, its pervasive and largely unsecured nature also represents one of the greatest information security threats, the potential theft or loss of confidential information. This threat comes with a high price tag which includes exposing citizens to the risk of identity theft, losing public trust, negative publicity, excessive staff time remediating the breach and costly lawsuits. There are many ways to minimize the risk of confidential information leaving a secure network. One of the most effective methods is to scan, encrypt or block e-mails with confidential information. This prevents both the intentional and unintentional disclosure of confidential information. The Department of Human Services currently hosts an agency solution for e-mail encryption. Other agencies encrypt files on a case-by case scenario. However, there is no enterprise wide solution in place to protect this data. To address this problem, a multi-agency workgroup was formed to evaluate the feasibility of implementing an e-mail encryption solution. Initial research revealed that this technology is often bundled with internet gateway, anti-spam and anti-virus software; otherwise known as 2 (Attach F) gateway services. The current gateway services solution is effective at blocking 98% of spam and viruses, but does not have a mechanism to encrypt e-mails or prevent confidential data from being sent outside the states network. It also lacks the functionality to block some of the more recent and advanced spamming techniques. The workgroup has identified technologies and vendors that provide solutions in these areas. Securing and protecting confidential information is a fundamental principal and cornerstone of the State of Iowa Enterprise Information Security standards. A theft of this type of data requires customer notification as outlined in Iowa Code CH 715C (Personal Information Security Breach Protection). This law requires businesses and government agencies to notify state residents if unauthorized access of their computerized personal information is likely to do financial harm. Other compliance standards include the Payment Credit Card Industry (PCI), Health Insurance Portability and Accountability Act (HIPAA), data classification and stewardship. Expected Results: A vendor solution will be selected to provide internet gateway message filtering and email encryption technologies. This solution will be available to all state agencies. What are the tangible and intangible benefits of this purchase for this agency and/or state government? E-mail is a daily productivity tool for the vast majority of State workers. In order for employees to effectively utilize this tool, SPAM e-mail messages must be filtered out. The State of Iowa receives between six and twelve million SPAM e-mails messages per day. In addition to advertisements, these messages routinely contain computer viruses and malware. The workgroup has identified the following features for an e-mail gateway solution. , Capacity and scalability to accommodate the States e-mail volume , Supports a multi-server and data center design for disaster recovery and load balancing , Provides effective anti-spam features including auto-update of anti-spam definitions , Provides comprehensive and granular reporting , Product support 24x7x365 , Configurable and granular filtering to accommodate agency specific rules and policies , Allows the review and management of quarantined e-mail , Allows user managed e-mail white and blacklists , Ability to integrate with existing e-mail systems Confidential data is being passed between agencies and externally through e-mail on a regular basis because no enterprise-wide technology is currently in place to prevent this or facilitate it in a secure fashion. Users need to be able to send encrypted messages from their e-mail applications and are secured such that only the intended recipients can unlock them. Encrypted E-mail: Support for the security and confidentiality of: , Statutory designated information , Credit Card, payroll, and financial reports , Personal information as defined in Iowa Code Chapter 715C 3 (Attach F) , Employee and patient records , Communications between lawyers and clients , User ID’s and passwords , Information that comprises personal privacy and safety Features the agency workgroup identified are: , Compatibility with open records , Message expiration and locking , Gateway to gateway encryption , User to User e-mail encryption , Validate the authenticity of the message and verifiability of the sender Can these benefits be quantified in financial terms? If yes, please explain. (YES—costs savings for state agencies.)??? Estimates can be made in lost productivity due to managing excessive amounts of e-mail, lost productivity due to computer outages and costs associated with a breach of confidential information. All of these variables are contingent on the number of employees impacted and the scope of the problem. Ex. 1000 impacted employees @ $50 an hour x 1 hour a day = $50,000 a day lost on filtering spam from their inboxes or recovering from a computer virus. Ex. 2000 confidential records sent out unintentionally @ $202 per record (according to the thPonemon institute 2009, 4 annual data breach report) = $404,000 How will you be more effective as a result of this purchase? More effective use of State computer assets and e-mail system due to fewer SPAM e-mails and e-mail related malware, phishing schemes and computer viruses. How will service to your customers be enhanced as a result of this purchase? Availability of computer systems are typically necessary to deliver services to customers. This project benefits the citizens of Iowa by efficiently using computer assets and protecting their personal and confidential information from being intentionally or unintentionally sent through the e-mail system. Project Funds: Existing funding from gateway services and FY11 Pooled Technology Funding Some of the Interested Parties: The workgroup represents ten different agencies all varying in size. Some of the Recipients of this Service: 26 State agencies will benefit immediately from the gateway services and e-mail encryption project. Standards: 4 (Attach F) The following standards address protection of confidential information including user names and passwords , Information Security Standard , Shared Authentication Standard , Interconnectivity Standard , Data Stewardship Standard Architecture: --Variables Based on the information gathered from the RFI, we anticipate the following types of architecture will be proposed. Product based: (On-Site solution or hardware) Gateway product Encryption product Hosted service: (Cloud computing) Gateway service Encryption service Recommendations from DAS staff and CIO Council members: From 5 of 11 JCIO members: a) Is there duplication within Government? No. b) Can an existing program be modified to address a new need? No. c) Do you have any similar program in existence? No. d) Have you sought RFP’s for similar programs in the past? No. e) Do you have RFP’s for similar programs? No. f) Do you have an RFP that could be used as a starting point for this program? No. g) Is there anything you could provide that could assist the agency with this RFP? No. h) Are there alternatives available to the agencies? No. Recommendation of the JCIO to the TGB: Authorize this RFP (or Sole Source Procurement) to be released for bid Yes _X_ No ___ Alternatives suggested by the JCIO (see additional comments below) Yes ___ No _X_ Additional comments: None. Recommendation of the IT RFP Advisory Group to the TGB: Authorize this RFP (or Sole Source Procurement) to be released for bid Yes _X_ No ___ Alternatives suggested by the advisory group (see comments below) Yes ___ No _X_ Additional comments from advisory group members: None. 5