Provision of a Managed Supplier Security Assurance Tender - 23469783

Procurement Summary

Country: United Kingdom

Summary: Provision of a Managed Supplier Security Assurance Service (MSSAS)

Deadline: 01 Jun 2018

Posting Date: 21 May 2018

Other Information

Notice Type: Tender

TOT Ref.No.: 23469783

Document Ref. No.: PUR1711/03

Competition: ICB

Financier: European Bank for Reconstruction and Development (EBRD)

Purchaser Ownership: -

Tender Value: Refer Document

Purchaser's Detail

Name: Login to see tender_details

Address: Login to see tender_details

Email: Login to see tender_details

Login to see details

Tender Details

Request for proposals are invited for Provision of a Managed Supplier Security Assurance Service (MSSAS).
The European Bank for Reconstruction and Development (EBRD) intends to select and engage a Supplier who can help better identify and quantify security-related risk to the Bank via a cloud-based service for third party security assurance assessments and to automate the Bank-s security management processes.
Interested companies are hereby invited to submit responses to the attached Request for Proposal (RFP) document. A set of minimum requirements are contained with the RFP in Annex B. Only companies whose responses fully meet the minimum requirements will be deemed to be pre-qualified and will have their technical response evaluated.
Responses to the RFP with any requested supplementary documentation must be submitted to: Raj Sandhu, e-mail: sandhur@ebrd.com to arrive at EBRD not later than 13:00hrs GMT on Friday 1st June 2018.
You will be sent an e-mail notification to confirm that your submission has been received. If you do not receive an e-mail notification within 24 hours of your submission, please contact Raj Sandhu on 0207 338 7661.
1. INTRODUCTION
The European Bank for Reconstruction and Development (the “Bank” or the "EBRD") is an international financial institution. The EBRD was established by treaty in 1990 to foster the transition towards open market oriented economies and to promote private and entrepreneurial initiatives in Central and Eastern Europe, the Baltic States and the Commonwealth of Independent States that are committed to and applying the principles of multiparty democracy, pluralism and market economics. The EBRD has 63 members (61 countries, the European Community and the European Investment Bank). Further information about the EBRD's roles and activities can be found on the EBRD's website: www.ebrd.com.
1.1 Definitions:
• The terms ‘EBRD- and ‘the Bank- shall mean the European Bank for Reconstruction and Development.

• The term ‘RFP- shall mean Request for Proposals.

• The term ‘Suppliers(s)- shall mean a party that submits a tender in accordance with this RFP.

• The term ‘Tender- shall mean the process by which the Bank evaluates and selects a Supplier to provide the Services described herein

• The ‘Project- shall mean the provision and operation of a Managed Supplier Security Assurance Service (MSSAS) for the Bank.

• The ‘Building- shall mean the Bank-s Headquarters at One Exchange Square, London EC2A 2JN

• The term ‘Technical Proposal- shall mean a Supplier-s response to the Bank-s business and technical requirements.

• The term ‘Quotation File- shall mean a Supplier-s financial proposal.

• The term ‘Proposal- shall mean the combination of the Technical Proposal and the Quotation File.
2. PROJECT BACKGROUND
2.1 Background
To help better identify and quantify security-related risk to the Bank, and to provide efficiency savings, the Bank-s Operational Risk Management (ORM) team requires a cloud-based service for third party security assurance assessments and to automate the Bank-s security management processes (internal security review and assessment of Bank technology projects).
2.2 Supplier Security Assurance Assessments
ORM currently perform annual third party security assurance assessments of Bank suppliers and third parties which hold and/or process sensitive Bank data. The basis for this assessment has been an ISO27001 based assurance questionnaire referred to internally as the ‘Third Party Security Assurance Questionnaire (TPAQ)-. This has historically been obtained by independent suppliers selected through competitive procurement, who then assess up to 10 Bank suppliers selected by ORM. This typically takes the form of a series of questionnaires, telephone interviews and on-site assessments based on security standards such as ISO27001/2. ‘Supplier- and ‘Third Party- here refers to those organisations processing (or transmitting, holding etc.) Bank data as part of services delivered to the Bank.
This activity has historically only looked at a small fraction of the suppliers who potentially handle the Bank-s more sensitive information, meaning that there are a large number of suppliers a year who should be assessed, but are not being looked at in any detail. The current supplier assurance risk to the Bank cannot therefore be fully quantified with any great certainty. The activity currently requires considerable internal resources to process both within ORM and the stakeholders within EBRD who manage the relationships with the third parties/suppliers.
2.3 Security Management Process (SMP)
ORM also have a related Business-As-Usual (BAU) activity known as the ‘Security Management Plan- (SMP) process. This requirements capture/assurance process identifies the security controls required for any Information and Communication Technology (ICT) solution, service, application or outsourcing that the Bank is involved in where there is a requirement to create, process, store or transmit sensitive Bank information assets classified as either ‘RESTRICTED- or ‘HIGHLY RESTRICTED- (its two highest classification levels).
This process is intended to identify risks and security requirements for any Bank project where there is a need to procure technology, service or consultancy. It involves the project team, with the support of ORM and IT Security, building in baseline security controls to safeguard Bank data. As projects involve third parties/suppliers then there is additionally a need to assess these suppliers against a ‘minimum security baseline-.
The existing BAU security management processes are summarised in the diagram below:
Figure 1: Current SMP and TPAQ processes
Both the Bank-s Third Party Security Assurance Questionnaire (TPAQ) and the internal SMP process require varying forms of risk assessment and management which will also need to be supported.
2.4 Goal/Objectives
The objective of the Project will be to make ORM-s third party security assurance assessments and the internal security management processes (SMP) more effective though use of increased automation (e.g. on-line questionnaires) alongside simplified and standardised end-to-end processes. In particular, the Bank wishes to:
• Automate and improve BAU security management processes through the automation and cloud based delivery of this process;

• improve supplier coverage through the automation and cloud based delivery of this process;

• reduce assessment costs spent on each Bank project/service and supplier;

• have better management of its project/service and supplier risks.
3. CONTACT DETAILS
The Suppliers- sole contact for the purposes of the RFP is:
Raj Sandhu

Procurement Associate

Procurement Operations & Delivery Department

European Bank for Reconstruction and Development

One Exchange Square, London, EC2A 2JN

Tel: +44 207 338 8768

Email: sandhur@ebrd.com
4. DESCRIPTION OF THE RFP PROCESS
4.1 OVERVIEW
Suppliers wishing to participate in this Tender will be required to make a submission of the following documents in accordance with the timetable outlined in section 4.2:
• a completed minimum requirements checklist (the “Checklist”) in Annex B

• a technical proposal (the ‘Technical Proposal-) in Annex C

• provide company information (the “Company Information”) in Annex D

• a completed quotation file (the ‘Quotation File-) in Annex F
4.2 TIMETABLE
Description Date (2018)

Opportunity Notice & Request for Proposals published on EBRD Website 17 May

Deadline for submission of clarification questions and confirmation of participation from Suppliers 23 May

EBRD Response to questions from Suppliers 25 May

RFP - Technical Proposal Submission By 13.00hrs on 1 June

Supplier Technical Presentations 11 & 12 June

Notify Suppliers who have passed minimum Technical threshold & request Quotation File 13 June

RFP - Financial Quotation Submission 14 June

Identify Preferred Bidder & Commence Contract Negotiations 20 June

Contract Award 9 July
4.3 CLARIFICATIONS
The process for reception and resolution of questions shall be as follows:
• Suppliers must send any requests for clarifications by e-mail to the following email address: sandhur@ebrd.com by the date specified in section 4.2;

• there will be one round of clarifications;

• the Bank will respond to all requests for clarification in writing, sending an e-mail to all Suppliers on the date indicated in section 4.2;

• all clarifications shall be sent to each of the Suppliers that have confirmed their intention to participate in the process; and

• the response document will contain no indication of which Supplier made which request for clarification.
4.4 TECHNICAL PROPOSAL
Ref 4.4.1, 4.4.2 and 4.4.3, these will need to be completed and submitted via email to the contact specified in the Contracts section. The email should be clearly identified as “PUR1711/03 - Managed Supplier Security Assurance Service (MSSAS) - Technical Submission and in accordance with the timetable set out in Section 4.2 of this RFP.
4.4.1 Minimum Requirements
Suppliers wishing to participate in this Tender are required to complete the Checklist provided as Annex B to this RFP. Only those Suppliers capable of answering “yes” to all of the questions are eligible to participate. Suppliers that answer “no” to any question or provide an incomplete response will not be eligible for participation in this Tender.
The Bank may request evidence to justify the responses at any stage of the procurement process and during any subsequent Contract Negotiations and should it be deemed the Supplier is not able to provide this evidence, the Bank reserves the right to disqualify the Supplier from the process.
4.4.2 Response to Technical Questions
The Supplier shall

Documents

 Tender Notice