KANSAS CITY AREA TRANSPORTATION AUTHORITY

ADDENDUM #1 TO RFP #16-7013-25B

CONSULTING SERVICES FOR IT SYSTEMS AUDIT

June 17, 2016
_____________________________________________________________________________________

The information contained in this Addendum should be considered incorporated into the original Request for Proposals (RFP) dated June 17, 2016 to the same extent as if it was originally included therein and is intended to modify and/or interpret the proposal documents by additions, deletions, clarifications or corrections. Receipt of all addenda must be noted on the “Receipt of Addenda Received” form (attached), and included with the Proposal.

GENERAL INFORMATION

The closing date for proposals and submission has changed to: June 24, 2016 at 3:00 p.m. Central Time.

The proposal calendar (Section 1) has been changed to the following:

Proposal Advertisement: May 23, 2016
RFP Issued: May 23, 2016
Deadline for Proposer Questions, Comments, & Requests for Clarification: June 10, 2016
KCATA Responds to Questions: June 17, 2016
Proposal Closing: June 24, 2016 at 3:00 p.m.
Interviews/Demonstration (Tentative): June 27 – July 1, 2016
Notice of Contract Award (Anticipated): July 27, 2016

CLARIFICATIONS AND CORRECTIONS

1. Section 2, Scope of Work, Paragraph E “DELIVERABLE REQUIREMENTS”, subparagraph #7 “Recommendations”, part B, #6 is revised with the following:

7. B. The Recommendations document must address, but is not limited to, the following items:

1. Data;
2. Data Structures;
3. Architectures;
4. Estimated costs;
5. IT Direction;
6. Organization; The Consultant should perform a high level review of any relevant regulatory compliance requirements and include findings in the final report.
7. Process;
8. Staffing;
9. Timeliness;
10. Timetable; and
11. Sourcing.

2. Section 4, Proposal Submission, Evaluation and Award, Paragraph 4, “Volume III-Contractual”, subparagraph A, “Financial Condition of the Firm”, is revised with the following:

A. Financial Condition of the Firm. Financial data will be held in confidence and will not become part of the procurement file or the awarded contract file. In this section the Proposer must submit information demonstrating that it is financially sound and has the necessary financial resources to perform the contract in a satisfactory manner. The offeror should provide information that documents the depth (#) of resources (i.e. financial, supplies, equipment, facilities, infrastructure, and human resources) to ensure completion of ALL RFP requirements. The Proposer is required to permit KCATA to inspect and examine its financial statements. The Proposer shall submit the firm’s most recent unaudited financial statements and include profit/loss reports from January 1, 2016 through April 30, 2016. The Proposer should also include two (2) years of its most recent audited annual financial statements. These audited statements consist of Statement of Financial Position (Balance Sheet), Results of Operations (Income Statement), Statement of Cash Flow, and Statement of Retained Earnings, and applicable footnotes. Supplementary financial information may be requested as necessary.

PROPOSER QUESTIONS AND REQUESTS FOR CLARIFICATION/INFORMATION

Proposal Reference / Questions and Answers

General Questions

Q: We understand that you already have a 5 year plan; however, do you also have:

a. Longer IT plan (such as 10 years)

b. Business Plan (5 year plan, 10 year plan)

A: We have a 5 year business/IT plan focusing on the long range capital budget. Many items of the plan can be extrapolated out to 10 years +

Q: Is there a controls framework that you are currently operating under? If so, can you specify (e.g. ISO, NIST, HITRUST, COSO, and COBIT)?

A: No.

Q: Do you have any requirements from other agencies to comply with specific standards?

A: No.

Q: Have you performed this type of assessment before, and if so do you have any prior deliverables that can be shared with us?

A: The last assessment was conducted in 2003. The department has undergone significant changes rendering most of that assessment obsolete.

Q: Please provide an approximation of the number of applications and servers which would be in scope for this assessment?

A: Approximately 6 Enterprise level applications. Approximately 35 servers.

Q: Could you provide a breakout of the technology along with versions that are used within the IT environment (i.e. Windows, Unix, Mainframe, SQL, Oracle, ERP, etc.)?

A: Primarily Microsoft Windows (2008, 2012), except for one IBM iSeries (about 3 years old).

Q: What kind of IT Management tools do you currently utilize (Identity Management, Schedulers, Asset Management, Service/Ticketing Systems, Intrusion detection, Operations Monitoring tools, etc.)?

A: We utilize an in-house ticketing system. Asset management is performed at a high level using our ERP system. We also use a Check Point firewall, Sophos for filtering, and Symantec endpoint protection at the server and desktop level. In addition, we use Network Instruments Observer for some network monitoring as well.

Q: Is there a network diagram that is ready for us to use as basis to understand the network environment?

A: The fiber backbone is well documented. Some documentation is available for additional network components.

Q: Is there a system landscape that is ready for us to use as basis to understand how data flows in/out among various systems? (Possibly a system landscape that shows KCATA's system, regional partners' systems and the data flow among KCATA and regional partners).

A: No.

Q: Is there BCP (Business Continuity Plan) or DRP (Disaster Recovery Plan) that is available for us to review?

A: No.

Q: Is there a current IT organization chart and a list of staff with job responsibilities that are available for us to review (Inclusive of the regional partners)?

A: Yes.

Q: Are you wanting to include an assessment of end-users' satisfaction, challenges, needs, expectations, etc. on the current IT environment?

A: Yes. At least a sampling of user satisfaction for each division.

Q: In what building/location does the KCATA IT department reside?

A: Howard C. Breen Building at 1200 E. 18th Street.

Q: There was a reference to ongoing project work utilizing consultants – Can you provide a brief summary of the current IT projects that you are outsourcing?

A: The current project pertains to customer facing applications. Primarily the purchase or development of a real time mobile application.

Q: Are there any expected time constraints for the regional partners' IT staff? Or should we expect the same timing constraints noted in the RFP to apply to them?

A: Same timing constraints apply.

Q: Are there any vendors or service organizations that are being utilized to out-source daily IT operations or services?

A: No.

Q: What is the current operating budget for the IT department?

A: $2 Million.

Q: The RFP states “The Authority maintains approximately 40 servers and supports a combination of 250 desktops and laptops.” Are servers physical or virtual? If virtual, what hypervisor? How many physical to virtual servers exist?

A: All physical. No Virtual.

Q: Can you please provide a list of major hardware/software that are used?

A: KCATA utilizes HP hardware with the exception of one IBM iSeries.

Q: Can you please provide a brief description of the current capability of Disaster Recovery, including:

a. Offsite backup?

b. Offsite warm site?

c. Offsite hot site?

A: KCATA currently utilizes a tape backup system for disaster recovery. All servers are backed up nightly and stored off-site.

Q: What software is used for backup and recovery?

A: Backup Exec.

Q: We would anticipate meeting with department leaders to understand the needs of the organization. Can you please provide an org chart structure so we can gauge how many interviews outside of IT we could expect?

A: There are approximately 11 divisions: Executive, Regional Service Delivery, Planning and Engineering, Finance, Human Resources, Procurement, Transportation, Maintenance, Marketing, Communications, and IT.

Q: What are the primary software solutions in use today?

A: A complete list of software solutions will be provided to the selected firm.

Q: What programming language is used for any proprietary software solutions?

A: All new applications are developed in Java with a MS SQL database.

Q: What are the primary vendors for IT systems in use today?

A: A list of vendors will be provided to the selected firm.

Q: What are the primary vendors for IT Infrastructure in use today?

A: A list of vendors will be provided to the selected firm.

Q: What are the primary vendors for IT Security in use today?

A: A list of vendors will be provided to the selected firm.

Q: Will the regional partner locations provide access to IT staff and other staff with the same restrictions as outlined in this RFP, or will other restrictions apply dependent on the regional partner?

A: KCATA will facilitate any required access and communication with regional partners.

Q: Can any guidance be given on the specific IT systems that are linked between KCATA and its partners in use today?

A: All regional partners utilize the same fare collection technology. Otherwise, there is little current interaction between partner systems.

Q: What is the current on-bus Wi-Fi infrastructure vendor in use today?

A: T-Mobile modems utilizing Cradlepoint IBR 600 routers.

Q: What is the current KC Streetcar Corridor Wi-Fi infrastructure vendor in use today?

A: There are no public Wi-Fi systems on the Streetcars themselves; however, the city of Kansas City has the “Kansas City Free Public Wi-Fi” project in place all along those corridors.

Q: Assuming the bus Wi-Fi relies on Cellular coverage to provide internet connectivity to the bus systems, what is the current vendor for cellular service?

A: T-Mobile

Q: Other than the applications listed on the RideKC website, are any other customer facing applications promoted and/or used by KCATA today?

A: No

Q: What is the current radio infrastructure vendor in use today?

A: KCATA is currently replacing a Motorola based system with Tait Radio.

Q: KCATA timelines for document acceptance are included within the RFP; however insight into the actual acceptance process internal to KCATA is not. Can any guidance be provided on the KCATA document acceptance process?

A: KCATA will work with the selected firm to provide adequate communication throughout the process to meet any included timelines.

Q: Does the current IT staff provide internal IT support, external IT support or both?

A: Both.

Q: Does the current IT process involve a change management process that would be invoked if physical inspection of any systems is required?

A: No.

Q: Does the KCATA have a specific list of applications and technologies that will be in scope for this audit?

A: A specific list will be provided to the selected firm.

Q: Will KCATA provide a data repository and secure FTP for transmitting of sensitive data between the organizations?

A: Yes.

Q: Will all levels of KCATA management be available for the interviewing process including non-IT business unit leaders?

A: Yes.

Q: As part of the recommendation process, will KCATA require industry standards or best-in-class support documentation? If so, will KCATA require evidence from more than one standards body?

A: Recommendations should include industry standards and will provide a list of similar transportation agencies for comparison.

Q: Will KCATA provide historical IT service ticket data to assist with discovery process?

A: No.

Q: Will KCATA supply the current list of IT tools used for service ticketing, documentation, management, IT budget (capex/opex) and disaster recovery?

A: Yes.

Q: Are there specific industry certifications that will need to be adhered to or implemented as part of the final recommendation (ISOxxxxx, PCI, HIPAA, SOX, etc.)?

A: Budget has yet to be confirmed and cannot be shared at this time.

Q: Does KCATA have a budget for this project that can be shared?

A: No.

Q: In Section E. Deliverables Requirements, Item #3. Asks for review of other regional partners. Will KCATA facilitate their cooperation and participation in the study? And can you describe your expectations for how deep you expect consultant to go with those organizations?

A: KCATA will facilitate any communication with regional partners. We are interested in any enterprise level software applications or key business functions that are currently duplicated among the regional partners where there are potential synergies that could benefit the region.

Q: What is the total number of systems the offeror will be auditing?

A: There are 6 Enterprise level software applications that will be highlighted in this audit.

Q: Can you provide a current IT organization chart, which details roles and departments?

A: Current Staffing is as follows:

• CIO
• IT Operations Manager (network and helpdesk)
• IT Business Analyst (application support, Business processes)
• Regional IT Manager (partner IT support and coordination)
• Application Support Analyst (ERP support)
• Programmer/Analyst/DBA
• Network Administrator
• System Support Specialist

Q: Can you provide the 5 year technology plan for the offerors to view?

A: We will provide the 5 year plan upon award of the contract.

Q: Can we deploy Nessus on KC IT infrastructure (vulnerability scanner)?

A: Yes.

Q: Does KC have any SCADA systems connected to your network?

A: No.

Q: Is KC using any current cyber security software on the network excluding antivirus software?

A: Yes. Observer Suite

Q: Do you have disaster recovery, incident response, business continuity and IT Security plan documentation? If so, can you share these documents with offerors? If you have not already developed this documentation, is it your expectation that the offeror will prepare these documents as part of IT audit support to KCATA?

A: No. We would expect recommendations for the full DR plan, but not the actual plan development.

Q: Does KCATA have to adhere or comply with any Federal or State government standards; i.e. FISMA?

A: N/A

Q: Are there any other regional partners that the offeror will be expected to meet with? The RFP states that the consultant(s) shall be expected to review the I.T. systems of KCATA’s regional partners (Johnson County Transit, the City of Independence, Wyandotte County Transit, and the Kansas City Streetcar Authority) in order to identify synergies or duplication of efforts and recommend solutions for regional I.T. integration including opportunities for data sharing or expanding systems throughout the region.

A: KCATA will coordinate any applicable communications and meetings with regional partners.

Q: Are there any MOUs with regional partners to support the regional integration efforts?

A: Yes.

Q: Is there some type of mandate requiring regional partners to explore the possibility to Integrate with KC IT Systems?

A: KCATA has agreements in place with all regional partners. KCATA will facilitate any communication with regional partners.

Q: Are there any other stakeholders for the on vehicle technology besides RideKC?

A: RideKC is the regional brand for 5 different transportation entities in the region (KCATA, JCT, Wyandotte County Transit, IndeBus, and KCSA). These are the appropriate stakeholders for the on-vehicle technology.

Q: Can you provide a network diagram to the offeror?

A: All existing network documentation will be provided to the selected firm.

Q: At what point in the process will the financial statements need to be provided to KCATA?

A: Financial Statements should be submitted with proposal response as part of Volume III submission.

Q: Given the comprehensive nature of this audit and how it could be used for planning purposes, what will be the most useful application of this assessment post-audit?

a. Would you please clarify the method of delivery for proposals? In one place the RFP indicates hand delivery only, and in another hand delivery or electronic options are offered.

b. Understanding that the publication of this information might be sensitive; will there be a time/location available for bidders to review KCATA current documentation in order to effectively size the effort?

c. Due to the nature of this audit, will the funding be used for compliance or IT delivery optimization?

A: a. Proposals received via facsimile (fax) or electronic mail (e-mail) will not be considered. Proposals must be delivered or mailed to KCATA’s Procurement Department at 1350 E. 17th Street, Kansas City, MO 64108.

b. No.

c. No.

Q: What are your mission critical systems?

A: KCATA utilizes a Dispatch system, a Scheduling system, an Enterprise Resource Planning system (Finance, Payroll, HR, procurement), Email, Vehicle Maintenance (EAM), and Paratransit scheduling system.

Q: How many systems are there? What is the technology stack of each system?

A: There are 6 systems. Actual technology will be provided to selected firm.

Q: In what format(s) do you maintain your documents?

a. Do your documents reside in an enterprise architecture repository?

b. Does your documentation reflect the current state of your technology? If so, as of what date?

c. Will business resources and subject matter experts be made available to our team during the audit?

A: Documents are stored on a file server in department folders. Some documentation exists. SMEs will be available as needed for the audit.

Q: What is the scope of the IT Security Assessment? Pen test?

A: We are looking for a high level security assessment, identifying best practices and potential weaknesses. This is not a full scale security test.

Q: What level of access will our team have to documentation including configurations, policies and procedures, user access lists, permissions, and network diagrams?

A: The selected firm will have full access to any documentation that is currently available.

Q: We understand that funding sources often determine security protocols and guidelines such as FISMA or NIST; which KCATA systems are impacted by federal guidelines and what are those guidelines?

A: N/A

Q: What helpdesk or service desk ticketing system do you implement?

A: In house developed application.

Q: Will the auditor have access to the ticketing system?

A: YES.

Q: As we audit ACA security practices, what PCI will be handled? Is any material considered classified?

A: No classified information.

Q: Does the current environment leverage a virtual or physical server, or a hybrid?

A: All Physical. No Virtual.

Q: Is hosting on premise local, or is it outsourced? What are the premises?

A: Most services are on Premises. Details will be provided to selected firm.

Q: Does the KCATA implement any customized applications?

A: Yes, but none of the enterprise level software applications are highly customized.

Q: What does your current architecture look like? Specifically, what type and size is it?

A: See the RFP for general details. We maintain a wide area fiber network connecting three buildings on a single campus. The network will likely expand to cover some or all of the regional partners at some future date.

Q: What is your development methodology?

A: We do not do any large scale development and do not have a formal methodology.

Page 6, “Introduction/Purpose”

Q: In Section A Introduction/Purpose – a statement reads “The Kansas City Area Transportation Authority (KCATA) is seeking an IT Audit Consultant to analyze and review the technological infrastructure of KCATA to ensure efficiency and regulatory compliance,” but there is no mention in the Deliverables section about findings related to regulatory compliance. Can you please confirm whether consultant needs to include evaluating the Authority’s IT for regulatory compliance?

A: Consultant should perform a high level review of any relevant regulatory compliance requirements and include findings in the final report. See revision to section 2, “Scope of Work” that is included in this Addendum 1. Refer to “Deliverable Requirements”, #7B for revised deliverable.

Page 7, “Term”

Q: On page 7 under TERM it states "The term of this agreement shall be for a period of one (1) Year from the contract award." Also on page 7 under GENERAL REQUIREMENTS section 2 states, "KCATA desires to have all deliverables completed as soon as possible; however the completion of the project should be by December 31, 2016." Please clarify the anticipated award and contract start dates.

A: There may be a need for more consulting services subsequent to the primary project related to the IT Audit; however, the primary project should be completed by 12/31/2016.

Page 8, Regional Integration

Q: In Section E3 the RFP states: “The consultant(s) shall be expected to review the I.T. systems of KCATA’s regional partners (Johnson County Transit, the City of Independence, Wyandotte County Transit, and the Kansas City Streetcar Authority) in order to identify synergies or duplication of efforts and recommend solutions for regional I.T. integration including opportunities for data sharing or expanding systems throughout the region.”

a. Have the regional partners agreed to participate in this assessment? Will they be able to provide technical diagrams and documentation to the selected vendor?

b. For the regional partner agencies, how comprehensive is the review the selected consultant will be expected to conduct?

c. Will the review of the regional partners include sites visit and interviews or are you just expecting an analysis of their SW & Infrastructure through diagrams and documentation?

d. Will KCATA make the appropriate introductions and contacts to the regional partner for the selected vendor?

e. Can you confirm that the objective of this study is to provide a 5 Year Plan for the KCATA and not a 5 Year Plan for all of the regional partner members of the Regional Transit Agencies?

f. Has a budget been identified for this project? If so, can you share it?

g. Can you supply a copy of the current 5 year technology plan?

h. Can you supply a copy of the KCATA organization chart?

i. Has a control framework been adopted for audit purposes, i.e. is KCATA using COBIT 5.0 or another framework?

A: Any correspondence with the regional partners will be facilitated by KCATA. Proposers can assume full cooperation from the regional partners. Site visits may be necessary. The 5 year plan is for KCATA but must include regional implications. Budget for this project will not be shared. The current 5 year plan will be provided to the selected firm. No control frameworks are currently in place.

Current Staffing is as follows:

• CIO
• IT Operations Manager (network and helpdesk)
• IT Business Analyst (application support, Business processes)
• Regional IT Manager (partner IT support and coordination)
• Application Support Analyst (ERP support)
• Programmer/Analyst/DBA
• Network Administrator
• System Support Specialist

Page 18, “Financial Condition of the Firm”

Q: In Section 4A, you state the following related to financial statements: “The Proposer is required to permit KCATA to inspect and examine its financial statements. The Proposer shall submit the firm’s most recent unaudited financial statements as well as two (2) years of its most recent audited annual financial statements. These statements consist of Statement of Financial Position (Balance Sheet), Results of Operations (Income Statement), Statement of Cash Flow, and Statement of Retained Earnings, and applicable footnotes. Supplementary financial information may be requested as necessary.” As a Partnership, we do not provide audited financial statements to our clients. Is there the ability to provide other information that attests to the strong financial viability of our firm?

A: See revision to section 4, “Proposal Submission, Evaluation and Award”, Paragraph 4, “Volume III-Contractual”, subparagraph A, “Financial Condition of the Firm” in this Addendum 1.

Page, 19, “Proposer Status and Affirmative Action”

Q: In section 4F, item 2, you ask for an affirmative action plan. Our firm does not have a formal Affirmative Action Plan but instead has an Equal Employment Opportunity Program that is guided by the firm’s established policy of providing equal employment opportunity. Would such a program meet the County’s Affirmative Action requirements?

A: Yes. Proposers should also complete “Attachment B, AFFIDAVIT OF CIVIL RIGHTS COMPLIANCE”.

END OF ADDENDUM

RECEIPT OF ADDENDA

RFP # 16-7013-25B
Consulting Services for IT Systems Audit

Offerors shall return this RECEIPT OF ADDENDA form when submitting your bid. The form shall be signed and dated by an authorized representative of the firm. Failure to submit this form may deem the Offeror non-responsive.

We hereby acknowledge that the Addenda noted below have been received and all information has been incorporated in the RFP as required.

Addendum #1, Dated June 17, 2016    Date Received:

Company Name:

Address:

City/State/Zip Code:

Telephone:

Fax:

Printed Name:

Authorized Signature:

Email Address: