
Risk management Consulting For Municipality

215 views

Published on

Risk Management Complete Practise amade for a client.

Published in: Technology

  1. EnrollHostel Privileged and Confidential, Page 1 of 65. DAN GRIBBLE, SOURCETEKIT | 365, Suite 20, Healey Rd, Bolton, ON L7E 5C1. Response to RFP – Peel Region Enterprise Risk and Audit Services. KIND ATTN: XXX
  2. Confidentiality Agreement. This document is confidential and may not be copied without the permission of EnrollHostel. This document contains information proprietary to EnrollHostel. Transmittal, receipt or possession of this document does not express license or imply rights to use, sell, design, develop or have developed products or services from this information. No reproduction, publication or disclosure of this information in whole or in part, electronic or otherwise, shall be made without prior written authorization from a signing office of EnrollHostel. Authorized transfer of this document from the custody and control of EnrollHostel constitutes a loan for limited purposes, and this document must be returned to EnrollHostel upon request, and in all events upon the conclusion of the loan. Copyright 2018 EnrollHostel, ON L7E 5C1
  3. To: Jason Edgmon, Senior Director of IT Infrastructure & Operations, Pharmaceutical Research and Manufacturers of America, jedgmon@School.org

     Dear Jason,

     EnrollHostel thanks Pharmaceutical Research and Manufacturers of America (School) for providing the opportunity to respond to this RFP for the provisioning of one single team that combines IT, Network and Security operations for their Network & IT infrastructure.

     Value is found in knowledge. EnrollHostel is renowned for its expertise in Asset Management and Infrastructure management through its state-of-the-art NOC and SOC. A Professional Services company specializing in large-scale urban infrastructure engagements, EnrollHostel lends its expertise to leading value-added re-sellers and construction companies from the design phase through final testing throughout hospitals in North America. EnrollHostel understands that engineering and technical prowess within its organization is of prime importance at a time when our society demands data to be integrated, automated and secured.

     Our Managed IT Services offering is something we’re intimately familiar with and have deployed numerous times over the last year in environments comparable to your prescribed size and scope. EnrollHostel’s Managed IT solution services ensure that our clients’ applications are managed and operated on a 24x7 basis, ensuring both security and high performance. Our services allow clients to benefit from scalable project operations and cross-functional/discipline knowledge sharing between teams, enabling EnrollHostel to provide best-in-class Managed IT services.

     A partnership with EnrollHostel will ensure that this experience and qualification is leveraged to:
     • Mitigate transitional risk
     • Provide best-in-class quality services at significantly lower costs
     • Quickly construct a team of experienced and knowledgeable personnel for onsite/offshore based delivery, thereby assuring excellence in operations

     EnrollHostel follows a managed service approach, based on ITIL best practices, that provides a set of process frameworks and flexible governance models that transform support services, improving productivity, achieving higher operational efficiency and increasing cost predictability. Adopting a multi-phased approach from transition to continual improvement, the managed service model provides:
     • Scalability and resource efficiency
     • Less client involvement in routine operational tasks
     • Predictability in delivery through experience and understanding of the application environment
     • Resource utilization and shift workload balancing
     • Service Level Agreement (SLA) driven metrics
     • Total quality management through well-defined processes and ITIL best practices
  4. EnrollHostel understands School’s key objective to partner with an MSP that can demonstrate how their value-added services will provide critical helpdesk, security, network engineering, business continuity, and disaster recovery capabilities in a cost-effective manner while providing superior customer service to our users in a 24x7x365 environment. In partnering with EnrollHostel over other “large” IT Consulting Firms, School will benefit by leveraging our:
     • Proven past performance of successfully deploying end-to-end managed IT services to many similar-scale organizations
     • 10+ years of proven experience in collaboration, security and Infrastructure management
     • Agile and dynamic business model that quickly adapts to customer needs and environment. Value proposition: lower cost; maximize process efficiency
     • Process-oriented, result-driven methodology focused on maximizing business value. Value proposition: process standardization and consolidation
     • Thought leadership and unparalleled technology “know-how”. Value proposition: lower cost; maximize process efficiency; fast and safe technology implementation
     • Focused on customer satisfaction. Value proposition: maximize process efficiency; enable customers to do more
     • High priority on Quality and Operational Excellence. Value proposition: maximize brand value; increase revenue.

     Best Regards,
     Dan Gribble, VP-Sales, EnrollHostel, dgribble@EnrollHostel.com, (412) 418 3159
  5. TABLE OF CONTENTS
     1 PART I – GENERAL INFORMATION ... 7
     1.1 EXECUTIVE SUMMARY ... 7
     1.2 SCOPE OF SERVICES ... 7
     1.3 EXCEPTIONS TO RFP REQUIREMENTS ... 13
     2 PART II – DESCRIPTION OF SERVICES ... 14
     2.1 AUDITING/ASSESSING IT SERVICES COMPLIANCE ... 14
     2.1.1 COMPLIANCE AUDIT/ASSESSMENT METHODOLOGY ... 14
     2.1.2 RISK What has Changed? ... 17
     2.1.3 RISK Governance Framework ... 18
     2.1.4
     2.1.5 EnrollHostel Audit Knowledge Repository ... 19
     2.1.6 Audit Plan ... 22
     2.1.7 Compliance Dashboards ... 0
     2.1.8 VULNERABILITY TESTING ... 3
     2.2 EXECUTION PLAN ... 4
     2.2.1 SERVICE DELIVERY APPROACH ... 4
     2.2.2 INCEPTION ... 6
     2.2.3 KNOWLEDGE TRANSFER ... 6
     2.2.4 STEADY STATE OPERATIONS ... 8
     2.2.5 AUDIT STRATEGY ... 9
     2.3 ACCOUNT MANAGEMENT & TECHNOLOGY TEAM STRUCTURE ... 11
     2.3.1 AUDIT ACCOUNT MANAGEMENT ... 11
     2.3.2 PROJECT TEAM STRUCTURE ... 13
     2.3.2.1 TEAM STRUCTURE ... 13
     2.3.2.2 TEAM ROLES & RESPONSIBILITIES ... 14
     3 PART III – REFERENCES & ENROLLHOSTEL CAPABILITIES ... 16
     3.1 CASE STUDIES ... 16
     3.1.1 CASE STUDY 1 ... 17
     3.1.2 CASE STUDY 2 ... 17
     3.1.3 CASE STUDY 3 ... 18
     3.2 ENROLLHOSTEL | CAPABILITY ... 19
     3.2.1 PROGRAM GOVERNANCE ... 20
     3.2.2 CONTINUAL SERVICE IMPROVEMENT (CSI) ... 20
     3.2.3 KNOWLEDGE MANAGEMENT ... 20
     3.2.4 TEAM COMPETENCY AND SKILLS ENHANCEMENTS ... 21
     3.3 ENROLLHOSTEL | PROJECT MANAGEMENT PROCESS ... 21
     3.3.1 REPORTING METRICS ... 22
     3.3.2 ESCALATION HANDLING ... 23
     3.3.3 COMMUNICATION PLAN ... 23
     3.3.4 RISK MANAGEMENT PLAN ... 24
     3.3.5 CHANGE MANAGEMENT PROCEDURE ... 24
     3.4 ENROLLHOSTEL | COMPLIMENTARY VALUE ADDED SERVICES ... 26
     3.5 ENROLLHOSTEL | DIFFERENTIATORS ... 26
     3.5.1 CYBERSECURITY SERVICES ... 28
     3.5.1.1 Penetration Testing ... 28
     3.5.1.2 Corporate Trainings - Cybersecurity ... 28
     3.5.1.3 Email Security and Office 365 Integration ... 30
     3.5.1.4 Cyber-Forensics ... 31
     3.5.1.5 Social Engineering ... 32
     3.5.2 SECURITY ASSESSMENT AND COMPLIANCE ... 33
     3.5.3 SECURITY OPERATIONS CENTER ... 35
     4 PART IV – PROJECT COST ... 38
     4.1 FIXED PRICE ... 38
  6. 4.2 RATE CARD FOR ADDITIONAL WORK ... 38
     4.2.1 ADDITIONAL INITIATIVES ... 38
     4.3 ASSUMPTIONS ... 39
     4.3.1 USER COUNT AND DEMOGRAPHIC ... 40
     4.3.2 ON-PREMISE & HOSTED ENVIRONMENT
     4.3.2.1 Desktops/Laptops ... 40
     4.3.2.2 On-Premise Network ... 40
     4.3.2.3 Hosted Cloud Environment ... 40
     4.3.2.4 Legacy Business Applications ... 40
     4.3.2.5 Third Party Vendors ... 40
  7. 1 PART I – GENERAL INFORMATION

     1.1 EXECUTIVE SUMMARY
     EnrollHostel is pleased to provide this proposal for Assessing/Auditing Compliance to RISK for School students from Spain [Europe]. EnrollHostel understands the importance of the services School provides to Students. EnrollHostel brings to this engagement a significant advantage for the Education Sector, in terms of technology expertise, security, operations architecture, strategy and advisory skills, process maturity, and a consistent and reliable track record of providing operational and infrastructure support across multiple technologies. EnrollHostel also sets out the advantages it brings on board as compared to other MSPs.

     1.2 SCOPE OF SERVICES
     EnrollHostel understands that School is looking for the following RISK compliance services. Below is EnrollHostel’s compliance with the scope of services detailed by School in their RFP document:
  8. Our proposed solution is detailed in Section PART II – DESCRIPTION OF SERVICES.

     Stages:
     1. To Identify Risks
     2. To Evaluate Risks
     3. To Treat (Manage/Action) Risks
     4. To Monitor (Review) Risks
     5. To Report on Risks
     6. To View/Update Validation Rules
  9. Risk Management PRINCIPLES. Risk Management should:
     1. create value – resources expended to mitigate risk should be less than the consequence of inaction
     2. be an integral part of organizational processes
     3. be part of decision making
     4. explicitly address uncertainty and assumptions
     5. be systematic, structured and timely
     6. be based on the best available information
     7. be tailorable
     8. take human and cultural factors into account
     9. be transparent and inclusive
     10. be dynamic, iterative and responsive to change
     11. facilitate continual improvement and enhancement of the organization
     12. be continually or periodically re-assessed

     Risk Management BENEFITS:
     1. Increase the likelihood of achieving objectives;
     2. Encourage proactive management;
     3. Be aware of the need to identify and treat risk throughout the organization;
     4. Improve the identification of opportunities and threats;
  10. 5. Achieve compatible risk management practices between organisations and nations;
     6. Comply with relevant legal and regulatory requirements and international norms;
     7. Improve governance;
     8. Improve stakeholder confidence and trust;
     9. Establish a reliable basis for decision making and planning;
     10. Improve controls;
     11. Effectively allocate and use resources for risk treatment;
     12. Improve operational effectiveness and efficiency;
     13. Enhance health & safety performance and environmental protection;
     14. Improve loss prevention and incident management;
     15. Minimize losses;
     16. Improve organizational learning; and
     17. Improve organizational resilience.

     Risk Assessment & Management Plan (Stage / Stage 2 / # (ref) / Work that needs to be done)

     Development of Risk Framework – Communicate and Consult
     1 (38) Has the board and executive expressed their support for a risk management programme?
     2 (39) Has the risk committee (or equivalent) and the board reviewed and approved the risk policy/strategy?

     Development of Risk Framework – Establish the Context
     3 (1) Have you identified a person who will be responsible for implementing risk management?
     4 Does the risk manager, or equivalent, have reasonable access to staff and management across the organisation?
     5 (2) Have you defined categories of risk relevant to your organisation and industry?
     6 Do your risk categories reflect all operational risk areas of the business as well as more strategic risk categories?
     7 (3) Is there a clear organisational strategy (or objectives) articulated for the organisation?
     8 (4) Have you defined and agreed a likelihood scale to assess the potential for the risk to occur throughout the organisation?
     9 (5) Have you defined and agreed a consequence scale to help assess risk impacts across the organisation?
     10 (6,7) Does the organisation's consequence scale describe both financial and non-financial impacts?
     11 (8) Does the risk Management framework consider the effectiveness of controls or risk treatments?
  11. 12 (9) Is there an agreed template or format for recording risks and risk treatment information (a risk register)?
      13 (10) Has a risk policy been defined?
      14 (11) Does the organisation have a documented risk management strategy?
      15 Do job descriptions of key stakeholders include responsibilities for risk management?
      16 (12) Is a formal project management methodology used to manage projects?
      17 Is a mechanism in place to identify, assess, record and monitor risks on projects?
      18 Has the organisation agreed what types and levels of risk are unacceptable?
      19 Is there an agreed format/template for reporting on risk?
      20 (13) Is there a process and/or template where new risks can be recorded by the executive and staff?

      Implementation of Risk Framework – Communicate and Consult
      21 Is risk management or awareness training provided to all staff?
      22 Does the risk manager (or equivalent) have access to the CEO, board and Audit/Risk Committee when required?
      23 (14) Do staff know that they have a right and responsibility to assist in risk identification and escalation?
      24 Do staff know who to report/escalate risks to?
      25 (15) Do managers or supervisors know that they are responsible for managing risk in their area/s of responsibility?
      26 (16) Have the executive and the board provided guidance on what information they would like to see in risk reports?
      27 Is there agreement on when and how often risk reports will be produced?
      28 Have the recipients of risk reports been identified and agreed?
      29 (17) Can different risk reports be produced to meet different needs of stakeholder groups?
      30 (18) Has responsibility for managing/treating specific risks been assigned and communicated to those responsible?
      31 Are staff encouraged or incentivised to report risk or suggest risk reduction strategies?

      Implementation of Risk Framework – Risk Assessment
      32 Has a risk brainstorming workshop (or workshops) been conducted?
      33 (19) Have you considered the history of events and incidents in your organisation during the risk assessment process?
      34 Has research been performed to understand common risks in the industry?
      35 (20) Has the executive and board considered risks relating to the achievement of key organisational goals and objectives?
  12. 36 Are risks identified during compliance reviews/audits always added to the risk register?
      37 (21) Have existing controls been identified for risks during the risk assessment process?
      38 (22) Has the perceived effectiveness of controls been assessed by a person who understands the risk and the controls in place?
      39 Has the risk register been updated in the last year?
      40 Is the risk register updated throughout the year to reflect changes in risk and emerging risks?

      Implementation of Risk Framework – Treat Risks
      41 Does the risk register record the job title of the person responsible for overseeing the risk treatment and monitoring process (the 'risk owner' or 'risk champion')?
      42 (23) Have you identified possible actions/treatment plans that could help to reduce the risk level?
      43 (24) Have the benefits of a treatment approach been compared to the potential cost of the risk to determine the appropriateness of the treatment strategy?
      44 (25) Have risk treatment or action plans been documented and approved for important risks?
      45 Have due dates/completion dates been agreed for risk treatment actions and plans?
      46 (26) Is there a clear understanding of who will oversee the risk treatment selection and execution process?
      47 (27,28) Have key risk indicators (KRIs) been defined and agreed for key risks/risk areas?
      48 Are the organisation's physical assets appropriately insured?
      49 (29) Is a business continuity plan (BCP) in place for critical organisational functions/processes?

      Monitoring & Review of Risk Framework – Monitor and Review
      50 (30) Does your risk process follow the steps described in the AS/NZS 4360:2004 Standard?
      51 (31) Does the Internal Audit function or equivalent review risk management processes?
      52 Is an Internal Audit function/process in place?
      53 (32) Do your internal auditors focus their time and effort on the most critical risks recorded in the risk register?
      54 (33) Does the organisation track changes in risk levels over time in order to understand trends/changes in risk levels?
      55 (34) Has the risk policy been reviewed and approved in the last year?
      56 (35) Has the board and/or risk management committee (or equivalent) made an attestation in the annual report in accordance with the Government Risk Management Framework (if applicable)?
      57 (36) Is the risk process integrated with other organisational planning processes – for example, is risk considered during the strategic planning, budgeting and audit planning processes?
  13. Suggested 3 tiers of escalated support:

      Support Tier / Description
      Tier 1 – All support incidents begin in Tier 1, where the initial trouble ticket is created. The issue is identified and clearly documented, and basic hardware/software troubleshooting is initiated. At this stage engineers also use the existing knowledge base to investigate and try, to the best of their ability, to resolve the issue.
      Tier 2 – All support incidents that cannot be resolved with Tier 1 Support are escalated to Tier 2, where more complex support on hardware/software issues can be provided by more experienced Engineers.
      Tier 3 – Support incidents that cannot be resolved by Tier 2 Support are escalated to Tier 3, where support is provided by the most qualified and experienced engineers, who have the ability to collaborate with 3rd Party (Vendor) Support Engineers to resolve the most complex issues.

      1.3 EXCEPTIONS TO RFP REQUIREMENTS
      None.
  14. 2 PART II – DESCRIPTION OF SERVICES
      2.1 AUDITING/ASSESSING IT SERVICES COMPLIANCE
      2.1.1 COMPLIANCE AUDIT/ASSESSMENT METHODOLOGY
  15. EnrollHostel’s GRAYBIE managed services platform provides a single pane of access and visibility for all the network devices and security issues, backed by our 24/7/365 monitoring by our certified and highly experienced engineers.
  16. GRAYBIE connects to any IT data source or monitoring system to collect and collate data on various IT systems and applications. GRAYBIE’s Core Rule Engine is leveraged to apply custom rules applicable to the business, gaining insight into how the IT systems are performing within the business. Business-critical application performance, underlying IT infrastructure performance and service delivery within the organization’s IT support system can all be correlated to give a meaningful insight into the health of the IT environment. GRAYBIE not only enables operational excellence through quick resolution but also helps in saving operational costs through descriptive, prescriptive, and predictive insights for calculating the magnitude, risk, and time of the issue at hand, in real time, thereby enabling the teams to escalate it to management at the right moment.

      A few real-time capabilities of GRAYBIE:
      • Security threat correlation and incident analysis
      • Custom correlation rule creation
      • Device fault management
      • High-touch service delivery
      • Third-party log analysis to meet compliance requirements
      • Configuration and engineering support
  17. 2.1.2 Risk Management Stages
      1. To Identify Risks
      2. To Evaluate Risks
      3. To Treat (Manage/Action) Risks
      4. To Monitor (Review) Risks
      5. To Report on Risks
      6. To View/Update Validation Rules

      2.1.3 Risk Management Process

      2.1.4 Risk Management Principles
      Risk Management PRINCIPLES. Risk Management should:
      1. create value – resources expended to mitigate risk should be less than the consequence of inaction
      2. be an integral part of organizational processes
      3. be part of decision making
      4. explicitly address uncertainty and assumptions
  18. 5. be systematic, structured and timely
      6. be based on the best available information
      7. be tailorable
      8. take human and cultural factors into account
      9. be transparent and inclusive
      10. be dynamic, iterative and responsive to change
      11. facilitate continual improvement and enhancement of the organization
      12. be continually or periodically re-assessed

      2.1.5 Risk Management Audit Benefits
      Risk Management BENEFITS:
      1. Increase the likelihood of achieving objectives;
      2. Encourage proactive management;
      3. Be aware of the need to identify and treat risk throughout the organization;
      4. Improve the identification of opportunities and threats;
      5. Achieve compatible risk management practices between organisations and nations;
      6. Comply with relevant legal and regulatory requirements and international norms;
      7. Improve governance;
      8. Improve stakeholder confidence and trust;
      9. Establish a reliable basis for decision making and planning;
      10. Improve controls;
      11. Effectively allocate and use resources for risk treatment;
      12. Improve operational effectiveness and efficiency;
      13. Enhance health & safety performance and environmental protection;
      14. Improve loss prevention and incident management;
      15. Minimize losses;
      16. Improve organizational learning; and
      17. Improve organizational resilience.

      2.1.6 RISK Governance Framework
  19. 2.1.7 EnrollHostel Audit Knowledge Repository
  20. EnrollHostel’s 24x7x365 Network Operations Centre (NOC) provides real-time data from over 1,700 services, applications and processes in use across our clients’ infrastructure networks. Alerting our security and technical analysts from within our cloud services detects and resolves potential problems before they become service affecting to your business operations.
  21. Our state-of-the-art NOC enables quick risk detection, security patch deployment, backup and endpoint management for your servers, desktops and portable devices.
2.1.8 Risk Assessment Management Audit Plan

Stage 2 checklist

Development of Risk Framework

Communicate and Consult
1. Has the board and executive expressed their support for a risk management programme?
2. Has the risk committee (or equivalent) and the board reviewed and approved the risk policy/strategy?

Establish the Context
3. Have you identified a person who will be responsible for implementing risk management?
4. Does the risk manager, or equivalent, have reasonable access to staff and management across the organisation?
5. Have you defined categories of risk relevant to your organisation and industry?
6. Do your risk categories reflect all operational risk areas of the business as well as more strategic risk categories?
7. Is there a clear organisational strategy (or objectives) articulated for the organisation?
8. Have you defined and agreed a likelihood scale to assess the potential for the risk to occur throughout the organisation?
9. Have you defined and agreed a consequence scale to help assess risk impacts across the organisation?
10. Does the organisation's consequence scale describe both financial and non-financial impacts?
11. Does the risk management framework consider the effectiveness of controls or risk treatments?
12. Is there an agreed template or format for recording risks and risk treatment information (a risk register)?
13. Has a risk policy been defined?
14. Does the organisation have a documented risk management strategy?
15. Do job descriptions of key stakeholders include responsibilities for risk management?
16. Is a formal project management methodology used to manage projects?
17. Is a mechanism in place to identify, assess, record and monitor risks on projects?
18. Has the organisation agreed what types and levels of risk are unacceptable?
19. Is there an agreed format/template for reporting on risk?
20. Is there a process and/or template where new risks can be recorded by the executive and staff?

Implementation of Risk Framework

Communicate and Consult
21. Is risk management or awareness training provided to all staff?
22. Does the risk manager (or equivalent) have access to the CEO, board and Audit/Risk Committee when required?
23. Do staff know that they have a right and responsibility to assist in risk identification and escalation?
24. Do staff know who to report/escalate risks to?
25. Do managers or supervisors know that they are responsible for managing risk in their area(s) of responsibility?
26. Have the executive and the board provided guidance on what information they would like to see in risk reports?
27. Is there agreement on when and how often risk reports will be produced?
28. Have the recipients of risk reports been identified and agreed?
29. Can different risk reports be produced to meet the different needs of stakeholder groups?
30. Has responsibility for managing/treating specific risks been assigned and communicated to those responsible?
31. Are staff encouraged or incentivised to report risk or suggest risk reduction strategies?

Risk Assessment
32. Has a risk brainstorming workshop (or workshops) been conducted?
33. Have you considered the history of events and incidents in your organisation during the risk assessment process?
34. Has research been performed to understand common risks in the industry?
35. Has the executive and board considered risks relating to the achievement of key organisational goals and objectives?
36. Are risks identified during compliance reviews/audits always added to the risk register?
37. Have existing controls been identified for risks during the risk assessment process?
38. Has the perceived effectiveness of controls been assessed by a person who understands the risk and the controls in place?
39. Has the risk register been updated in the last year?
40. Is the risk register updated throughout the year to reflect changes in risk and emerging risks?

Treat Risks
41. Does the risk register record the job title of the person responsible for overseeing the risk treatment and monitoring process (the 'risk owner' or 'risk champion')?
42. Have you identified possible actions/treatment plans that could help to reduce the risk level?
43. Have the benefits of a treatment approach been compared to the potential cost of the risk to determine the appropriateness of the treatment strategy?
44. Have risk treatment or action plans been documented and approved for important risks?
45. Have due dates/completion dates been agreed for risk treatment actions and plans?
46. Is there a clear understanding of who will oversee the risk treatment selection and execution process?
47. Have key risk indicators (KRIs) been defined and agreed for key risks/risk areas?
48. Are the organisation's physical assets appropriately insured?
49. Is a business continuity plan (BCP) in place for critical organisational functions/processes?

Monitoring & Review of Risk Framework

Monitor and Review
50. Does your risk process follow the steps described in the AS/NZS 4360:2004 Standard?
51. Does the Internal Audit function or equivalent review risk management processes?
52. Is an Internal Audit function/process in place?
53. Do your internal auditors focus their time and effort on the most critical risks recorded in the risk register?
54. Does the organisation track changes in risk levels over time in order to understand trends/changes in risk levels?
55. Has the risk policy been reviewed and approved in the last year?
56. Has the board and/or risk management committee (or equivalent) made an attestation in the annual report in accordance with the Victorian Government Risk Management Framework (if applicable)?
57. Is the risk process integrated with other organisational planning processes; for example, is risk considered during the strategic planning, budgeting and audit planning processes?
2.1.9 Compliance Dashboards

The compliance team provides real-time data visibility for monitoring through the following dashboards:
Fig: NOC Main Dashboard
Fig: Threat Activity report
Fig: Types of report dashboard
Fig: Devices dashboard
Fig: Device Executive summary
Fig: Device executive summary 2
Fig: Device executive summary 3

2.1.10 VULNERABILITY TESTING

A vulnerability assessment is the process of identifying and assigning severity levels to as many security defects as possible within a given time frame. It may combine automated and manual techniques with varying degrees of rigour and an emphasis on comprehensive coverage. Using a risk-based approach, vulnerability assessments may target different layers of technology, the most common being host-, network- and application-layer assessments. Conducting vulnerability assessments enables organisations to identify vulnerabilities in their software and supporting infrastructure before a compromise can occur.

A vulnerability can be defined in two ways:
• A bug in code or a flaw in software design that can be exploited to cause harm. Exploitation may occur via an authenticated or an unauthenticated attacker.
• A gap in security procedures or a weakness in internal controls that, when exploited, results in a security breach.

Our dedicated team at EnrollHostel provides vulnerability assessments that are intended to yield a ranked or prioritised list of a system's vulnerabilities for different kinds of threats. We use these assessments to make clients aware of their security risks and to help them identify and prioritise potential issues. By understanding their vulnerabilities, we can plan remediation and patches for them and incorporate these into the client's risk management framework.

The perspective on a vulnerability may differ depending on the system assessed. For instance, a utility system, such as power or water, may prioritise vulnerabilities to things that could disrupt services or damage facilities, such as natural disasters, tampering and terrorist attacks. An information system (IS), such as a website with databases, may instead require an assessment of its exposure to hackers and other forms of cyberattack. A data centre, meanwhile, may require an assessment of both physical and virtual vulnerabilities, since it needs security for both its physical facility and its digital presence. This is where we step in to provide the appropriate services and line up the assessments you need.
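The ranking the preceding paragraphs describe, and the likelihood and consequence scales the checklist in 2.1.8 asks an organisation to agree (items 8 and 9), can be made concrete in a few lines. The following is an added example written for this page, not EnrollHostel's own tooling: each scanner finding is scored on a 1-5 likelihood scale (how reachable the flaw is, stepped up if a public exploit exists) and a 1-5 consequence scale (technical severity averaged with the asset's business criticality), and the findings are ordered by likelihood times consequence. The findings, the exposure mapping, the CVSS bands and the rating thresholds are all constructed assumptions for illustration, not an industry standard. The sample data is chosen so that a high-CVSS flaw on an isolated control host ranks below a lower-CVSS flaw on an internal core switch, which is the utility-versus-information-system point made above.

```python
"""Risk-based ranking of vulnerability findings (added example, not the proposal's own tooling).

Each finding is scored on assumed 1-5 likelihood and 1-5 consequence scales and ordered
highest risk first. All findings are constructed sample data; the exposure mapping,
CVSS bands and rating thresholds are assumptions chosen for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    asset: str
    layer: str              # "host", "network" or "application"
    title: str
    cvss: float             # CVSS base score 0.0-10.0 reported by the scanner
    exposure: str           # "internet", "internal" or "isolated"
    exploit_public: bool    # is a working exploit publicly available?
    asset_criticality: int  # 1 (low) .. 5 (critical), from the asset register


@dataclass(frozen=True)
class RankedFinding:
    score: int       # likelihood x consequence, 1..25
    rating: str
    likelihood: int
    consequence: int
    finding: Finding


EXPOSURE_LIKELIHOOD = {"internet": 4, "internal": 2, "isolated": 1}  # assumed mapping


def likelihood(f: Finding) -> int:
    """1-5 likelihood: how reachable the flaw is, one step up if an exploit is public."""
    base = EXPOSURE_LIKELIHOOD[f.exposure]
    return min(5, base + 1) if f.exploit_public else base


def severity_band(cvss: float) -> int:
    """Collapse a CVSS base score onto a 1-5 technical severity band (assumed cut-offs)."""
    if cvss >= 9.0:
        return 5
    if cvss >= 7.0:
        return 4
    if cvss >= 4.0:
        return 3
    if cvss > 0.0:
        return 2
    return 1


def consequence(f: Finding) -> int:
    """1-5 consequence: technical severity averaged with business criticality, rounded up."""
    return (severity_band(f.cvss) + f.asset_criticality + 1) // 2


def rating(score: int) -> str:
    """Bands on the 25-point risk matrix (assumed thresholds)."""
    if score >= 15:
        return "Critical"
    if score >= 10:
        return "High"
    if score >= 5:
        return "Medium"
    return "Low"


def rank_findings(findings):
    """Score every finding as likelihood x consequence; highest risk first, ties broken by CVSS."""
    ranked = []
    for f in findings:
        lik, con = likelihood(f), consequence(f)
        ranked.append(RankedFinding(lik * con, rating(lik * con), lik, con, f))
    return sorted(ranked, key=lambda r: (r.score, r.finding.cvss), reverse=True)


# Constructed sample findings spanning the host, network and application layers.
SAMPLE_FINDINGS = [
    Finding("web-portal", "application", "SQL injection in login form", 9.8, "internet", True, 5),
    Finding("scada-hmi", "host", "Unsupported OS, unpatched kernel", 8.1, "isolated", True, 5),
    Finding("core-switch", "network", "Default SNMP read community", 7.5, "internal", True, 4),
    Finding("dev-jenkins", "host", "TLS 1.0 enabled", 5.3, "internal", False, 2),
    Finding("lobby-kiosk", "host", "Verbose server banner", 2.0, "isolated", False, 1),
]


if __name__ == "__main__":
    for r in rank_findings(SAMPLE_FINDINGS):
        print(f"{r.score:>2} {r.rating:<8} L{r.likelihood} C{r.consequence} "
              f"{r.finding.asset:<12} {r.finding.title}")
```

Running the block prints the five findings in risk order; the isolated SCADA host (CVSS 8.1) lands below the internal core switch (CVSS 7.5) because its likelihood is lower, which is exactly the adjustment a CVSS-only list cannot make. Each ranked entry carries its likelihood and consequence values so they can be copied into the risk register described in the checklist.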
2.2 EXECUTION PLAN

2.2.1 SERVICE DELIVERY APPROACH

EnrollHostel is of the opinion that governance is multifaceted, with its organizational structure, customer engagement, relationship models, processes and metrics. When the business and operational environment is complex there is a greater need for robust governance, as without it there is increased risk of shared service and vendor partnership value leakage.

1. Communicate and Consult
2. Establish the context
3. Plan Risk Assessment [Risk identification, Risk Analysis, Risk Evaluation]
4. Risk Treatment
5. Monitor and Review
6. Operate
7. Conform to Standard

Business succeeds when IT runs better and quicker at reduced cost. Our Operations & Support Services are based on an ITIL-driven service management framework which, coupled with state-of-the-art tooling and processes, helps IT organizations reduce risk and drive down IT cost. Our mission is to reduce the incident trend, targeting a zero count, and to ensure the availability and reliability of applications so as to meet the service level commitment for each application. We proactively monitor user experience, business metrics, critical components and processes to analyze and fix incidents before end users are impacted or experience any delay, and thus ensure business-critical applications perform at peak efficiency and availability without downtime. The diagram below illustrates our approach to building an effective and high-performing support/operations service.
  31. 31. 6 2.2.2 INCEPTION A teamcomprisingthe service deliverymanagersfrom EnrollHostel andSchool will be setupfordetailed planning/resource assignmentandscope finalization.The teamwouldschedule,prioritize andmonitor the tasks,as well asprovide statusreports.The tasksassociatedwiththisphase are highlightedbelow: Activities Teams Involved EnrollHostel Team School Team(s) Existing Vendor Team(s) Identify Processes: Standard ProcessFlowCharts    Identify existing Documentation and Knowledgebase    Team Ramp-up  2.2.3 KNOWLEDGE TRANSFER During this phase, the EnrollHostel support team will gain and share the knowledge about the environmentandinfrastructure tobe supported.Existing School andvendorteamswill alsobe involved, as required. Activities Teams Involved ENROLLHOSTEL Team School Team(s) Existing Vendor Team(s) Study Processes: Standard ProcessFlowCharts    Reporting / Interfaces (If any changes) / Access    Environment / System Landscape / Architecture / Database / Servers / Hosting    Study Documentation and Knowledge Base    Issue /Back Log forlast 3 monthsandlast quarterof previousyear(foryear-endissues)    DetailedRolesandResponsibilities   The EnrollHostel Knowledge Transfer model promotes:  Preparing SOPs and other documents (e.g. architectural details of environment, workflow diagrams etc.)  Maintaining strong known issues databases
  32. 32. 7  Capture of knowledge through collaboration both by explicit (interviewing and observation process; ticket-by-ticket analysis) and implicit (discussion forums, blogs, error database and reusable components repository) means.  Ensure acquired knowledge is easily retrievable.  Knowledgesharingacrossmultiple anddisparate ENROLLHOSTELresources  Reductionof informationoverload/capturethroughreplicationbestpractices.
  33. 33. 8 2.2.4 STEADY STATE OPERATIONS EnrollHostel’s team will commence steady-state operations will full SLA compliance. SLA measurement as per targets would be measured and reported to SCHOOL. All the handover from current vendor team(s) will be considered complete, and they can be disengaged from the project at the start of Steady-State Operations.
  34. 34. 9 2.2.5 AUDIT STRATEGY Effective implementationof Auditstrategy,andleverage the bestpracticesof ITService Management (ITSM) concepts.The main focusfor IT Auditandcompliance istoexecute the businessrequirements definedatthe Service Deliverytothe business.The diagrambelow illustratesthe variouscomponentsof an ITSM approach. The important components of ITSMfor having a Network-First strategy are as per below: Access Management
  35. 35. 10 Implementation of security polices defined by Information Security Management. The implementation should include physical barriers to systems such as VLAN separation, firewalling, and access to storage and applications. Change Management Establisha processfor controllingthe life cycle of all changeswhile minimizingdisruptiontooperations. Test and review all changes that are candidates for automation vs, mechanized.
  36. 36. 11 Service Asset and Configuration Management Establish a process for maintaining information on assets, component, and infrastructure needed to provide services. Informationonassetsshouldcontainpast andcurrentstatesandfuture-statesforecast for demand portfolio. Release & Deployment Management Establish a predictable and homogenized release and deployment process to protect the production environment. Ensure during capacity planning hardware and VM specifications are pre-defined and tested,priortodeploymentcycle. UtilizeVMcomponenttemplatesapprovedforproductionsuchasVM images and Gold images. Knowledge Management Establisha knowledgemanagementprocessforgathering,analyzing,andstoringandsharingknowledge within the IT organization Incident & Problem Management Establishaprocessforresolvingeventsthatare impactingservicesinthe virtualizedenvironmentassoon as possible with minimal disruption. Identify and resolve root causes of incidents that have occurred as well as identity and prevent or minimize the impact of incidents that may re-occur. Request Fulfillment Management of all service requests while utilizing best practices for managing requests. All services requests will be documented in the services catalog and will include SLA on when the request will be completed. Systems Administration Regularly perform systems administration tasks and mature towards automation and scripting skills. 2.3 ACCOUNT MANAGEMENT & TECHNOLOGY TEAM STRUCTURE 2.3.1 AUDIT ACCOUNT MANAGEMENT Despite havingmultiple Centersof Excellence,practicesandbeingdrivenbyIndustry’sStandardsandBest Practices, EnrollHostel firmly believes and promotes a Client Centric model where each engagement is tailored explicitly around the client’s needs and business drivers. 
To thisextent,ithascreatedthe ClientSolutionsgroup,whichprovidesadedicatedAccountManagerand Solution Specialists who actively interact with all the stakeholders within each client’s organization not only to understand the business needs and requirements but also to align the proper services and resources that will ensure maximum benefits to the client. Additional, these two entities indirectly validate the qualityof the deliveryandprovide feedbackandinputstothe Global DeliveryOrganization.
  37. 37. 12
  38. 38. 13 2.3.2 PROJECT TEAM STRUCTURE 2.3.2.1 TEAM STRUCTURE Director Audit Committee IT Audit Team IT Audit Team Legal IT complaince Team IT Audit Manager Chief Audit Executive IT AuditManager Lead Auditor Internal Auditors Department 1 Internal Auditors Department 2
  39. 39. 14 2.3.2.2 TEAM ROLES & RESPONSIBILITES Role Description Data Subject A living natural person – they have rights and RISK refers to them Data Controller Specifies how RISK is to be manipulated Data Processor Manipulates the RISK on behalf of the Data Controller DPO Data Protection Officer: A person charged with protecting RISK and helping an organisation to meet the RISK compliance requirements Supervisory Authority (SA) A national body who enforces the RISK in EU member states. EDPB European Data Protection Board: The coordinating layer who provides consistency between SAs Third Country A country outside of the EU Third Party An individual linked in some way to the Data Subject or any company or organisation to who data is sent Role Responsibilities Delivery Manager (Audit)  Reviewingandunderstandingthe responsibilitiesof eachpartyunderthisSOW.  Workingwith School teamto accomplishthe tasksoutlinedinthisSOW.  Maintainingregularcommunicationswiththe School teamonengagementprogress.  Assistinginthe resolutionof deviationsfromthe scope/planthatmayimpact deliverables,schedulesand/orcosts.  Provide managementupdate of the projectteamdeliverablesprogramgovernance metricsandreport onengagementhealthto School stakeholders.  Ensure that the engagementremainshealthyandtasksoutlinedwithinthe SOWare executedtothe client’ssatisfaction.
  40. 40. 15 SeniorAuditors  Coordinate/manageendtoendsupportandoperationsrelatedactivitiesandprioritize userrequestsand problemsaccordingtoseverityandexistingworkload.  Optimize effortwithembeddedbestpracticesthataccelerate time tovalue  Manage projectteamdeliverables/qualityissues/SLAs.  Ensure all outagesare communicatedandaddressedwithinthe stipulatedtimeframe.  Manage the shiftschedule andavailabilityof resources  Supportoperational tools  Manage properdelegationof supporttaskamongall supportteammembers.  Provide clarificationaboutnew andexistingprocesses  AssistSchool managersinall projectrelatedtasks,includingticketmanagement.  Maintainand update documentation.  Followdefinedguidelinesand processesand ensure the otherteammembersalso followit.  Planand participate inService ImprovementandValue-additionactivities  Plancross-traininginitiativeswithinthe team JuniorAuditors  Work on supportandoperationsrelatedactivities/tasks/tickets–primarilyon Network Operations/activities  Optimize effortwithembeddedbestpracticesthataccelerate time to market  Guide otherteammembersonbestpracticesandtechnologyenhancements  Planand participate inService ImprovementandValue-additionactivities  Define andenhance supportprocesses  Provide necessaryadvisoryservicesto SCHOOL  Provide on-call supportonweekends/USholidays Lead Auditor RISK  Work on support and operationsrelatedactivities/tasks/tickets – primarilyon IT Operations/ activities  Maintain constant communicationwith customers and SCHOOL stakeholders, especiallywiththe onsite leads.  Prioritizationof userrequestsand problems,withlead /manager, according to severityand existingwork load  Coordinate with other SCHOOL teams for issue resolution  Support operational tools  PerformRCAs  Followguidelinesofdefinedsupportprocesses.
  41. 41. 16 3 PART III – REFERENCES & ENROLLHOSTEL CAPABILITIES 3.1 CASE STUDIES Some of the salientprojectsthat EnrollHostel hasdone inthe pastinclude the following(additional detailshave beenprovidedasCase Studiesinthe proposal documentinANNEXUREI) Customer* Services Details LeadingGovernment RISK Consulting RISK assessment, RISK Gap Analysis, RISK internalaudit, RISK external audit,DPIA Data protectionimpactassessment, Leadingglobal Insurance Regulator RiskControls consulting RiskLaw basedaudit/assessment, AssigningDPORole/team,RiskGap Analysis Riskinternalaudit, Risk law external audit. Leadingmulti-nationalBank RiskLaw consulting RISK assessment, RiskLaw based audit/assessment,, RiskGap Analysis Riskinternalaudit, Risk law basedexternal audit *Due to contractual obligations, we are not permitted to explicitly name the organization for which these services were provided. Some of the key tasks that EnrollHostel teams have been involved in projects with Managed Operations/Support included: a) Risk Audit/assessment , RISK processing lawfully. b) GAP Analysis to Reach for RISK compliance c) Risk by design d) Data Protection Impact assessment e) Appointing and building Data Protection Officer Team. f) Remedies, liability, & penalties g) Provisions relating to specific processing situations h) Delegated acts and implementing acts
  42. 42. 17 3.1.1 CASE STUDY 1 Name and Address Leading Government in EMEA Region Contracting Activity RISK Audit Contract Type Fixed Price Description of Services *Due to contractual obligations, we are not permitted to explicitly name the organization for which these services were provided. The Challenges  Client wanted to Assess its Risk based on new Risk law.  Risk Audit/assessment , RISK processing lawfully.  GAP Analysis to Reach for RISK compliance  Risk by design  Data Protection Impact assessment  Appointing and building Data Protection Officer Team.  Remedies, liability, & penalties  Provisions relating to specific processing situations  Delegated acts and implementing acts Solution The enterprise leveragedServerOperationsandCrisisManagementteams.Teamalsoworkedclosely withthe other dependent team for any changes and upgrades to the production web applications.  Risk Audit/assessment , RISK processing lawfully.  GAP Analysis to Reach for RISK compliance  Risk by design  Data Protection Impact assessment  Appointing and building Data Protection Officer Team.  Remedies, liability, & penalties  Provisions relating to specific processing situations  Delegated acts and implementing acts Benefits Delivered  Risk Audit/assessment , RISK processing lawfully.  GAP Analysis to Reach for RISK compliance  Risk by design  Data Protection Impact assessment  Appointing and building Data Protection Officer Team.  Remedies, liability, & penalties  Provisions relating to specific processing situations  Delegated acts and implementing acts 3.1.2 CASE STUDY 2 Name and Address Leading media and entertainment company in US* Contracting Activity 24 x 7 Infra-support
  43. 43. 18 Contract Type Fixed Price Description of Services *Due to contractual obligations, we are not permitted to explicitly name the organization for which these services were provided. The Challenges The IT team of the Insurance company is responsible for provisioning and managing the entire enterprise ITinfrastructure acrossmultiplelocations.The primaryobjectivewasto fix Riskaspectwith respect to providing legally , regulatory complaint and competitive IT elements. This automation would enable higher compliance to Risk and helpthe IT team and customer in managing day-to-day operations more effectively. The IT team had a challenge in terms of managingIT across distributed locations and the huge impact of smooth IT operations on business services. Solution The Risk assessment was done and solution was deployed centrallyat the IT operations center to proactively monitor the network, systems, applications and database infrastructure and notify users if there is any Risk issue. The solutiondeployedisusedtomonitor Riskaspectforregulatoryandlegal complianceof the critical network devices. Service level committed by the service provider is been verified by using the availability service level report available from NOC solution service. The solution was deployed for monitoring multiple key performance indicators of various elements including;  Routers,switches ->Availability,responsetimes,CPUutilizationandmemoryutilization, customSNMP expressions-basedperformance metrics  MPLS links -> availability,response timesandutilization  Servers->Resource utilizationbyCPU,Memory,Disk,Bandwidth,etc  Databases-> table space utilization,logfileutilization,deadlocksandqueryresponse times  Applications ->service availability  WebServices ->availability Benefits Delivered  Risk by design service was deployed to centralize incoming service requests to various departments. 
 A streamlined service request, routing, tracking, escalation, resolution and closure has brought about accountability within each department.  The automatedroutingandSLA monitoringcapabilitieshave reducedissueclosure timesand have improved end user satisfaction.  The NOC solution deployed has helpedthe IT staff to provide better service response, quick resolution of end user reported issues with flexible workflow-based automation and has enabled higher customer satisfaction across organization. 3.1.3 CASE STUDY 3 Name and Address Leading media and entertainment company in US* Contracting Activity 24 x 7 Infra-support Contract Type Fixed Price
  44. 44. 19 Description of Services *Due to contractual obligations, we are not permitted to explicitly name the organization for which these services were provided. The Challenges The IT infrastructure companyisdistributedacross10 locations.There are about100 critical network elementsincludingrouters,switches,linksetc.The IToperationsrunon20+critical windows2000and 2003 servers. There are about 15+ mission critical applications that run on variety of Microsoft SQL and proprietary databases. These applications also include web based middleware and other web services based application. The few objectives for IT Infrastructure monitoring include the following:  Proactive auditing/assessment of networks, systems, applications, databases, IT services infrastructure for availability and performance  Determine root cause, fix problems quickly and ensure mission critical applications are healthy and available for end users conflicting with RISK.  Enhance enduserperceptionof ITservicesbyensuring Riskprotection resolutiontoenduser issues.Ensure thatthe ITteamisaccountableinclosingenduserreportedissuesontimewith higher user satisfaction.  Audit Risk of hosts, applications, locations, departments including hourly, weekly, monthly usage trends  Plan future Risk needs like Risk by design need are met in advance and maintain the competitive edge Solution  The Riskby design solutionwasdeployedtomonitorcore IT serviceslike messagingservices, ERP servicesandEIP services. The teamusesNOCtool to ensure availabilityof these services to the branches is proactively monitored and accounted  Real time dashboards and historical reports were made available as part of a build in web based portal and are used by the IT team to examine and optimize resource compliance. 
 The non-invasive,agentlessmonitoringcapabilityof complaince wasdeployedtohelpthe IT team for easy and faster deployment for monitoring across local and remote servers, databases, applications  Flexible notification and escalation capabilities of Complaince were used for proactive monitoring of faults and performance breaches. This helped the IT engineers to fix issues before they are reported by end users. Benefits Delivered  The Complaince Assessment and analysis helped to audit better manage applications compliance across locations, departments  Better manage compliance for RISK assessment, Risk Law based audit/assessment, Risk Gap Analysis Risk internal audit, Risk law based external audit  Better Risk Compliance for application, link availability and performance  Quick response time & resolution resulting in customer delight 3.2 ENROLLHOSTEL | CAPABILITY
EnrollHostel is founded on a strong foundation of architecture, process and a risk-based approach to technology solutions. Our professionals consistently use these fundamental principles, coupled with out-of-the-box thinking, to deliver creative and robust solutions that meet our clients' stated as well as unanticipated needs. This approach allows us to deliver solutions that combine our expertise in development, support and testing, using a continuous integration approach with industry-leading products in various functional domains. Our core competency is the ability to quickly understand the client's business needs and deliver an elegant and robust, yet cost-effective, solution. Over the past 10 years, customers have engaged EnrollHostel for solutions and services across a wide variety of technologies. EnrollHostel has constantly innovated and kept abreast of new and emerging technologies in IT infrastructure, security and the Internet of Things, amongst others.

3.2.1 PROGRAM GOVERNANCE

EnrollHostel has a well-defined program governance process, which closely monitors customer satisfaction, service levels and quality. Periodic reviews are conducted to ensure that services are being delivered to exceed customer expectations and to seek feedback.
• A monthly business review is conducted to review service levels, process compliance, issues to be escalated, and targets and improvements for the next month.
• Quarterly executive briefings present an opportunity to discuss past performance, recommendations and focus areas for the future.

3.2.2 CONTINUAL SERVICE IMPROVEMENT (CSI)

EnrollHostel continually institutes processes and methodology that meet requirements and also allow for needs that adjust as the client's business dynamics change. To achieve our objective of providing best-in-class services, our project teams adhere to a continual improvement framework based on ITIL best practices.

The team will continually identify areas of improvement and provide recommendations on:
• Deploying and enhancing continuous integration frameworks for code deployment and automated deployment
• Building IT automation for important processes, such as automatic deployment and operations, automatic ticket creation based on monitoring alerts, and integration of monitoring tools
• Proactively monitoring, identifying trends, addressing situations and proposing solutions in order to restore service and resolve critical issues in a timely fashion
• Using ITIL techniques to improve the processes used
• Proactively working closely with client teams and third-party development on operational readiness and hand-off of new development and applications

3.2.3 KNOWLEDGE MANAGEMENT

The EnrollHostel Knowledge Management approach promotes:
  46. 46. 21  Capture of knowledgethroughcollaborationbothbyexplicit(interviewingandobservationprocess; case-by-case analysis) and implicit (discussion forums, blogs, error database and reusable components repository) means.  Organize the acquired knowledge so that it is easily retrievable.  Share and distribute knowledge through wiki documentation, run-books, standard operating procedures etc.  Use and reuse knowledge for operational efficiency, improvement, automation 3.2.4 TEAM COMPETENCY AND SKILLS ENHANCEMENTS To be on the forefrontof the ever-changingITtrends in business,itisimperative foranyorganizationto constantly update and reinvent itself. EnrollHostel aims to achieve this through a strategic skill enhancement program that involves every employee. Industry trend, analysts identify key areas of skill enhancement keeping in view, our core competencies and goals. EnrollHostel continuallystrivestoaugmentitsteamcompetencyandskillsconsideringthe changeinclient processes, technology,tools, and domain knowledge and encourages and facilitates across the board technical certification programs. Along with acquiring formal technical certification, it also empowers employeeswithenhancedskillsandknowledge.We sponsorthese certificationsandproactivelyarrange formal sessionsbetween industry expertsand our professionals. Some of the where our projects teams get trainings from internal and external trainers are, Soft Skills, Technical Trainings on disruptive and emerging technologies, team management, leadership etc. 3.3 ENROLLHOSTEL | PROJECT MANAGEMENT PROCESS EnrollHostel ensuresthatall projectsundertakenby itsteamare beinggovernedandmanagedeffectively meeting the customer expectations. Below are the key project monitoring & control processesthat will be followed to track the progress of the project delivery. Some of these may be tailored based on specific plans during project execution. 
 Track project planned activities against the actual and update critical dependenciesin schedule accordingly with the revised planned dates  Status Reporting of ongoing project activities & implement corrective actions based on the comments received from different stakeholder  Internal team meetings  Project customer meeting  Monthly business reviews  Track the estimates for reviewing the planned vs. actual effort throughout the project lifecycle  Monitor Risks associated with cost, resource and schedule aspects and perform ongoing risk identification and management in conjunction with client stakeholders.  Review any changes to the allocated requirements according to change management process
• Collect measurement data for the project regularly throughout the project life cycle, as set out in the data collection plan, on a monthly basis. This is done for the purpose of analysis and to plan preventive and corrective actions
• SLA monitoring and tracking

3.3.1 REPORTING METRICS

Below is a list of typical metrics that the EnrollHostel team would produce during the course of this project. These metrics can be tailored in discussion with School at the time of project initiation.

Service Desk Support Reports
• Daily – ticket report, pending and closed ticket reports.
• Weekly – ticket trend report, ticket analysis report.
• Monthly – ticket analysis report, ticket trend report, uptime reports, backup and restore report, RCA, escalated ticket report.

Incident Management
• Number of repeated incidents with known resolution methods
• Number of incidents resolved remotely by the support teams
• Number of escalations for incidents not resolved in the agreed resolution time
• Average time for resolving an incident
• Percentage of incidents resolved by L2 without L3 involvement
• Rate of incidents resolved within the solution times agreed in the SLA

Problem Management
• Number of problems logged
• Average time for resolving problems
• Number of problems where the underlying root cause is not known at a particular time
• Number of reported incidents linked to the same problem after problem identification
• Average time between first occurrence of an incident and identification of the underlying root cause
• Average work effort for resolving problems

Service Level Management
• Number of services covered by SLAs
• Number of services where SLAs are backed up by corresponding OLAs/UCs
• Number of monitored services/SLAs where weak spots and counter-measures are reported
• Number of services/SLAs which are regularly reviewed
• Number of services/SLAs where the agreed service levels are fulfilled
• Number of issues in the service provision which are identified and addressed in an improvement plan

Availability Management
• Availability of applications relative to the availability agreed in SLAs and OLAs
• Number of service interruptions
• Average duration of service interruptions
• Percentage of application components under availability monitoring
• Number of implemented measures with the objective of increasing availability
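The incident management metrics listed above are only useful if they are computed the same way every reporting period. The following is an added worked example, not code from the proposal or from EnrollHostel, showing how a small ticket export can be turned into those numbers. The ticket records, the SLA resolution targets per priority (SLA_HOURS) and the report time are all constructed values for illustration; the one edge case worth noting is that an open ticket that is already past its target counts as an SLA breach even though it has no resolution time yet.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional


@dataclass
class Ticket:
    """One incident record as exported from a service desk (constructed schema)."""
    ticket_id: str
    opened: datetime
    resolved: Optional[datetime]   # None while the incident is still open
    priority: str                  # "P1" (highest) .. "P3"
    resolver_tier: str             # support line that closed it: "L1", "L2" or "L3"
    remote: bool                   # True if resolved without a site visit
    known_error: Optional[str]     # id of a known-error record when this is a repeat


# Hypothetical SLA resolution targets in hours per priority (assumed, not from the proposal).
SLA_HOURS = {"P1": 4, "P2": 8, "P3": 24}


def _t(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed sample export: four resolved tickets and one still open.
SAMPLE_TICKETS = [
    Ticket("INC-1", _t("2018-05-01T08:00"), _t("2018-05-01T10:30"), "P1", "L2", True, None),
    Ticket("INC-2", _t("2018-05-01T09:00"), _t("2018-05-01T15:00"), "P1", "L3", False, None),
    Ticket("INC-3", _t("2018-05-02T10:00"), _t("2018-05-02T12:00"), "P2", "L1", True, "KE-7"),
    Ticket("INC-4", _t("2018-05-02T11:00"), _t("2018-05-03T13:00"), "P3", "L2", True, "KE-7"),
    Ticket("INC-5", _t("2018-05-03T07:00"), None, "P2", "L2", False, None),
]

# Constructed report time used for the age of still-open tickets.
REPORT_TIME = _t("2018-05-04T00:00")


def _hours(start: datetime, end: datetime) -> float:
    return (end - start).total_seconds() / 3600.0


def incident_metrics(tickets, now: datetime) -> dict:
    """Compute the incident management KPIs from a list of Ticket records."""
    resolved = [t for t in tickets if t.resolved is not None]
    still_open = [t for t in tickets if t.resolved is None]

    def age(t: Ticket) -> float:
        # Resolution time for closed tickets; elapsed time so far for open ones.
        return _hours(t.opened, t.resolved if t.resolved else now)

    # A breach is any ticket (open or closed) whose age exceeds its priority's target.
    breached = [t for t in tickets if age(t) > SLA_HOURS[t.priority]]
    within_sla = [t for t in resolved if age(t) <= SLA_HOURS[t.priority]]
    n_res = len(resolved)

    return {
        "repeated_known_resolution": sum(1 for t in tickets if t.known_error),
        "resolved_remotely": sum(1 for t in resolved if t.remote),
        "sla_breaches": len(breached),
        "avg_resolution_hours": (sum(age(t) for t in resolved) / n_res) if n_res else 0.0,
        # "resolved by L2 without L3 involvement" is read here as: closed at the L2 tier.
        "pct_resolved_by_l2": (100.0 * sum(1 for t in resolved if t.resolver_tier == "L2") / n_res) if n_res else 0.0,
        "pct_resolved_within_sla": (100.0 * len(within_sla) / n_res) if n_res else 0.0,
        "open_tickets": len(still_open),
    }


def sample_report() -> dict:
    """Run the KPIs over the constructed sample as of REPORT_TIME."""
    return incident_metrics(SAMPLE_TICKETS, REPORT_TIME)


if __name__ == "__main__":
    for name, value in sample_report().items():
        print(f"{name:28s} {value}")
```

In a real engagement the ticket list would come from the service desk export and the SLA table from the signed agreement; the point of keeping the metric definitions in one function is that the monthly report, the escalation report and the SLA review all read the same numbers.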
Security Management
• Number of preventive security measures implemented in response to identified security threats
• Duration from the identification of a security threat to the implementation of a suitable countermeasure
• Number of identified security incidents, classified by severity category
• Number of security incidents causing service interruption or reduced availability
• Number of security tests and trainings carried out
• Number of shortcomings in security mechanisms identified during tests

3.3.2 ESCALATION HANDLING

EnrollHostel expects that all queries and issues related to the successful execution of the project will be discussed and resolved via the various meetings set out in the Communication Plan. However, there may be instances where either School or EnrollHostel management encounters or foresees issues that need the direct and prompt attention of the other side's management.

3.3.3 COMMUNICATION PLAN

Meeting Type/Purpose | Frequency | Participants (EnrollHostel) | Participants (School)
Project Discussion/Issue Resolution | Need basis | Technical Lead; other team members (optional) | Project Manager; IT SPOC
Project Status Review | Weekly | Service Delivery Manager; Technical Lead | Project Manager
Steering Committee Review | Monthly | Engagement Manager; Technical Lead; Service Delivery Manager | Project Manager; Project Champion
3.3.4 RISK MANAGEMENT PLAN

EnrollHostel proposes to use the industry-standard FMEA tool (Failure Mode and Effects Analysis) for managing risks. FMEA aids in the analysis of potential failures, problems or defects within a system by classifying them by the severity and likelihood of the failures. Using the FMEA analysis, the project team can plan appropriate mitigation and contingency strategies.

[Figure: risk management cycle] Risk identification via FMEA → Develop mitigation and contingency plan → Periodic risk review → Address major risks → Update FMEA

3.3.5 CHANGE MANAGEMENT PROCEDURE

EnrollHostel understands that a project often requires changes during execution, and hence proposes a robust change management procedure. EnrollHostel proposes that a Change Management Board is established with the authority to approve, partially approve or reject any change request. The Board would comprise:

ENROLLHOSTEL
• Service Delivery Manager
• Engagement Manager

School
• Project Manager
• Project Champion
• Sourcing (optional)

[Figure: change management flow] Trigger for change (scope; requirements; tools and technology; schedule adjustments) → Impact analysis (schedule; effort; cost; artifacts and deliverables) → Submission of formal Change Request (CR) → Discussion and approval of CR by Change Management Board → Updated CR → Implementation of CR (contract; project plan; artifacts and deliverables)
3.4 ENROLLHOSTEL | COMPLIMENTARY VALUE ADDED SERVICES

EnrollHostel's decade-old expertise in managing network infrastructure brings many advantages compared to other IT managed service providers. Since we always strive to bring the best possible robustness to our clients' networks, we will provide the following as complimentary services:
- Complimentary anti-virus software licenses for all end-point devices, along with maintenance
- Complimentary penetration testing to test the robustness of the installed network

3.5 ENROLLHOSTEL | DIFFERENTIATORS | Services

EnrollHostel is one of those rare organisations that not only possesses leading IT infrastructure management professionals but also a global group of cybersecurity professionals. With security clearances of the highest order (US Fed clearance), our professionals have led many incident response teams carrying out forensics for networks that have been breached.
3.5.1 CYBERSECURITY SERVICES

In today's information economy, data can be your organization's most valuable asset, but with the rise of mobile technology, cloud computing, and the exponentially growing volume of digital information, keeping that data secure also becomes one of your greatest challenges. No one is immune to data loss incidents, and no one is better equipped than EnrollHostel to help you identify and close gaps that put your organization's cyber security at risk.

Information security issues, such as data breaches or employee misconduct, are a constant worry for C-suite leaders as well as for front-line managers in your organization. Cybersecurity challenges put sensitive data at risk and can cost your company time, revenue and resources.

EnrollHostel offers extensive cybersecurity strategy and services that can be applied to meet your unique requirements, whether they be related to a system, an architecture, a network, policy establishment or process implementation and improvement. We work with organizations at various stages of their cyber security strategy development and cyber security program implementation.

3.5.1.1 RISK Services

A penetration test (pen-test) is a procedure to assess the security of an IT infrastructure by safely attempting to exploit its vulnerabilities. These vulnerabilities may exist in operating systems, services, application flaws, improper configurations or risky end-user behaviour. Such assessments are also useful in validating the effectiveness of defensive mechanisms and end-user adherence to security policies. EnrollHostel's team of leading pen-testers tests the effectiveness of the organization's security. This is accomplished by emulating the behaviours and techniques of likely attackers in the most realistic way possible.

3.5.1.2 Corporate Trainings

Risk/Security Awareness

Risk/security awareness is the knowledge and attitude that members of an organization have regarding the protection of the physical, and especially informational, assets of that organization. Many organizations require formal security awareness training for all staff when they join the organization and periodically thereafter, usually annually. EnrollHostel commits to providing this training and practice to all its employees and clients, and to informing them of the possible consequences of a lapse.

Being "security aware" means one understands that there is the potential for some people to deliberately or accidentally steal, damage, or misuse the data that is stored within an organization's computer systems and throughout its organization. It is therefore prudent to protect the assets of the institution (information, physical, and personal) by trying to prevent that from happening. The focus of security awareness at EnrollHostel is to achieve a long-term shift in the attitude of employees towards security, while promoting a cultural and behavioural change within an organization. Security policies should be seen as key enablers for the organization, not as a series of rules restricting the efficient operation of your business. We provide security awareness training to our new employees and keep them up to date with these principles.
3.5.1.3 Email Risk & Security with Office 365 Integration

Email is the most important business communication tool, and simultaneously the leading threat vector for cyber-attacks. In fact, according to the Cisco Midyear Cybersecurity Report, attackers turn to email as the primary vector for spreading ransomware and other malware.

Mass spam campaigns are no longer your only email security concern. Attackers scour social media sites to find information on their intended victims and then create sophisticated and highly targeted ransomware, business email compromise (BEC), and phishing campaigns.

EnrollHostel's Email Security enables secure email use and protects the leading attack vector with multiple layers of protection using Cisco's Email Security. Gain a robust layer of defense against ransomware, business email compromise, phishing, and more for your Office 365 solution. It helps protect your network from threats in incoming email while helping prevent the loss of business-sensitive data in outgoing mail.

Benefits
• Block more threats with comprehensive threat intelligence from Cisco Talos, one of the largest commercial threat intelligence teams in the world, comprised of world-class researchers, analysts and engineers.
• Combat ransomware hidden in attachments that evade initial detection with Cisco Advanced Malware Protection (AMP).
• Stop BEC and phishing attacks with superior URL intelligence and forged-email detection.
• Protect sensitive content in outgoing emails with data loss prevention (DLP) and easy-to-use email encryption, all in one solution.
• Gain maximum deployment flexibility with a cloud, virtual, on-premises, or hybrid deployment, or move to the cloud in phases.

3.5.1.4 Cyber-Forensics

Our forensics and investigation solutions provide an attack's context, infrastructure-wide visibility, codified expertise, rich intelligence, and insights gained from front-line experience responding to the world's most impactful threats, empowering your infrastructure with everything you require to rapidly detect, triage, investigate, and minimize the impact of attacks. As one of the very few organizations with cybersecurity professionals holding top-level security clearances (US Fed security clearance), we give our clients the highest level of confidence in performing security incident analysis and forensics.
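The "forged-email detection" mentioned under the email security benefits above rests, at the header level, on checking whether the authenticated sending identity lines up with the domain shown in the visible From: line. The block below is an added illustration of that alignment check written for this section; it is not Cisco's or EnrollHostel's product logic. Both messages, the domains and the Authentication-Results values are constructed, and the alignment test is a deliberate simplification (exact match or subdomain of the From: domain) of DMARC relaxed alignment, which a production implementation would do against organizational domains via the public suffix list.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: a BEC-style message whose visible From: claims the customer's
# domain while SPF and DKIM are only passing for an unrelated relay domain.
FORGED_MSG = """\
Return-Path: <bounce@mail-relay.example.net>
Authentication-Results: mx.school.example; spf=pass smtp.mailfrom=mail-relay.example.net; dkim=pass header.d=mail-relay.example.net; dmarc=fail header.from=school.example
From: "Chief Financial Officer" <cfo@school.example>
To: payables@school.example
Subject: Urgent wire transfer

Please process the attached invoice today.
"""

# Constructed sample: the same sender, this time DKIM-signed and SPF-authorised by its own domain.
LEGIT_MSG = """\
Return-Path: <cfo@school.example>
Authentication-Results: mx.school.example; spf=pass smtp.mailfrom=school.example; dkim=pass header.d=school.example; dmarc=pass header.from=school.example
From: "Chief Financial Officer" <cfo@school.example>
To: payables@school.example
Subject: Q2 budget

Draft attached for review.
"""


def _domain(addr_header) -> str:
    """Domain part of an address header such as 'Name <user@domain>'."""
    _, email_addr = parseaddr(addr_header or "")
    return email_addr.rpartition("@")[2].lower()


def _aligned(auth_domain: str, from_domain: str) -> bool:
    # Simplified relaxed alignment: identical, or a subdomain of the From: domain.
    return bool(auth_domain) and (
        auth_domain == from_domain or auth_domain.endswith("." + from_domain)
    )


def assess_from_alignment(raw_message: str) -> dict:
    """Compare the From: domain with the SPF- and DKIM-authenticated domains."""
    msg = message_from_string(raw_message)
    from_domain = _domain(msg.get("From"))
    auth_results = msg.get("Authentication-Results", "")

    def field(key: str) -> str:
        # Pull 'key=value' tokens out of the Authentication-Results header.
        m = re.search(r"(?:^|[;\s])" + re.escape(key) + r"=([\w.-]+)", auth_results, re.IGNORECASE)
        return m.group(1).lower() if m else ""

    spf_result = field("spf")
    spf_domain = field("smtp.mailfrom") or _domain(msg.get("Return-Path"))
    dkim_result = field("dkim")
    dkim_domain = field("header.d")

    spf_ok = spf_result == "pass" and _aligned(spf_domain, from_domain)
    dkim_ok = dkim_result == "pass" and _aligned(dkim_domain, from_domain)

    return {
        "from_domain": from_domain,
        "spf_domain": spf_domain,
        "dkim_domain": dkim_domain,
        "spf_aligned": spf_ok,
        "dkim_aligned": dkim_ok,
        # Either aligned mechanism passing is enough; neither means the From: is unverified.
        "verdict": "authenticated" if (spf_ok or dkim_ok) else "suspect-forged-from",
    }


if __name__ == "__main__":
    for label, raw in (("forged", FORGED_MSG), ("legit", LEGIT_MSG)):
        print(label, assess_from_alignment(raw))
```

The forged sample passes SPF and DKIM on their own, which is why a gateway that only checks for a "pass" would let it through; it is the mismatch between the authenticated relay domain and the From: domain that makes it a candidate for quarantine or a warning banner.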
3.5.1.5 Social Risk Test Engineering

Social engineering testing is mandatory to counter social engineers, hackers who exploit the one weakness found in each and every organization: human psychology. Using a variety of media, including phone calls and social media, these attackers trick people into offering them access to sensitive information. These are the common types of social engineering attacks:
• Phishing: These attacks can include scenarios like those mentioned above, but may also be more targeted. Spear phishing attacks are more refined and can include tailored emails or targeted advertisements that require more research on the attacker's part.
• Watering hole: In a watering hole attack, user groups are specifically targeted. For instance, attackers would research particular employees that visit niche sites and then host malware specifically targeting these employees.
• Baiting: Just as the term suggests, baiting attacks involve offering victims something they want. The risk is that you might download malware instead of, or in addition to, the files you actually want. Baiting can also include too-good-to-be-true online deals or fake messages with answers to questions you never asked on any forums.

EnrollHostel's decade of experience enables us to provide assistance and services on how an organization can protect itself and its employees against such attacks and be prepared to tackle them at any time.
3.5.2 SECURITY ASSESSMENT AND COMPLIANCE

Security threats, risks, and vulnerabilities are present throughout organizations of all sizes. Any intrusions or breaches of critical systems, data, and applications will likely result in business-impacting consequences of varying degrees of severity. With a solid security plan and evaluation, however, these risks can be identified and mitigated without impacting compliance and regulatory requirements.

EnrollHostel offers a comprehensive security assessment service that evaluates an organization's current information security program and infrastructure. The assessment identifies vulnerabilities and weaknesses, and measures any risks associated with the organization's current IT environment and security practices.

FEATURES & COVERAGE
• Identify internal and external security gaps and vulnerabilities
• Discover any areas of concern, including unpatched systems, open ports, and compliance violations
• Find security bugs and loopholes that could potentially be used to harm your network
• Verify network connections are secure, encrypted, and working as expected
• Outline and develop an actionable plan to mitigate the identified risks and vulnerabilities
• Approach and methodologies are based on industry standards and practices, such as the National Institute of Science and Technology (NIST) and the Health Insurance Portability and Accountability Act (HIPAA)

Our Network Vulnerability Assessment services are grouped into three categories of services:
• Periodic network Vulnerability Assessment as a service: Our clients often request that we perform a one-time or periodic network VA to verify the strength of their network security profile. Industry best practices suggest that you periodically rotate vendors for a more comprehensive VA.
• Deployment of network Vulnerability Assessment solutions: We help our clients select and configure the most suitable network VA solution and manage it on their behalf, or transfer day-to-day operation to their staff.
• Compliance Reporting for network Vulnerability Assessment: We provide a network VA that supports your compliance obligations. Accordingly, we leverage our eGRC compliance reporting solutions, which support more than 500 regulatory compliance reports. Specifically, we provide reports that support:
  o Payment Card Industry (PCI) Data Security Standards
  o ISO 27001
  o General data protection regulation (RISK)
  o Health Insurance Portability and Accountability Act (HIPAA)

Scope of Network Vulnerability Assessment Services: As part of our network Vulnerability Assessment we typically cover the following areas:
  o Network Topology Risk Assessment: Discover and assess the risk of the network topology and zones, including Public, Operational, Restricted, and Highly Restricted zones.
  o Discover Network Assets: As part of the network VA, our personnel help you discover network assets, including network nodes, firewalls, IPSs, IDSs, routers and switches, servers, databases and applications.
  o Discover Network Asset Vulnerabilities: Utilizing an array of commercial and open source tools, we probe each network asset for potential vulnerabilities. To complete our network VA, we deploy host configuration review.
  o Verify Vulnerabilities (or Penetration Testing): With management approval, we verify identified network vulnerabilities by actively trying to leverage them for further network penetration and subversion of existing controls.
  o Network Security Configuration Assessment: We review the device configuration for potential network vulnerabilities. Our personnel utilize a set of automated tools and manual techniques to review such vulnerabilities.
  o Reporting: Our reporting process is designed to inform executives, management groups, technical teams, and compliance and audit departments. We carefully explain each vulnerability, its respective exposure, and its discoverability. Our personnel also provide pragmatic prioritization and recommendations. When deemed appropriate, our team will provide a trend report to demonstrate the status of the network VA over a designated period of time.

BENEFITS
• Validates current security programs and practices
• Identifies known security risks and vulnerabilities before they are exploited
• Provides organizations with an outline and action plan to remediate issues and improve IT environment resiliency and performance
• Prepares organizations for audits and other reviews, and ensures compliance and regulatory requirements are continuously met
• Can be performed at your convenience, either onsite or remotely
3.5.3 SECURITY OPERATIONS CENTER – Risk Or Confidentiality

As advanced cyber threats become more sophisticated and organized and vulnerabilities more complex, with the intent of not only stealing your data but also installing cryptocurrency-mining malware or using your system as a pivot point to other attack vectors, businesses today recognize they can't manage or handle this challenge alone. They're turning to managed security service providers like EnrollHostel to keep their business protected.

Managed and monitored by highly skilled and highly sought-after cyber security experts 24x7x365, EnrollHostel's SOC is one of the most advanced threat intelligence monitoring services, provided at an affordable monthly price.

Benefits:
• Security made easy – EnrollHostel's NOC handles 24/7/365 monitoring of your network and data. We identify and correlate any suspicious behavior, and we immediately alert you of any suspicious or active threat along with detailed remediation instructions your IT staff can follow for any malicious activity.
• Cost-effective security – EnrollHostel's NOC is a comprehensive security services offering that leverages security products you already own. And best of all, you won't have to recruit, hire and pay hard-to-find cyber security talent.
• Simplified compliance reporting – EnrollHostel's NOC consolidates data from hundreds of security products to ease the pain of manually compiling regulatory and compliance reports. Plus, there are many built-in reports for regulations such as PCI-DSS, HIPAA, and many others.
• Comprehensive forensics – Gain the capability to conduct detailed forensic investigations to help remediate a breach.

[Figures: SOC Monitoring Dashboard; SOC Monitoring Tool Analysis report; SOC Monitoring SIEM (two screenshots)]
4 PART IV – PROJECT COST

4.1 FIXED PRICE

Audit consultant cost: $15,000
Auditors/assessors documentation, travel and miscellaneous charges: $5,000
Total: $20,000 (least-cost bid for a 42 man-day project)

4.2 RATE CARD FOR ADDITIONAL WORK

** For each project we might have a few different types of resources and a project management office involved.

PRICE IN USD
• Support Engineer – 120/hr
• Sr. Engineer – 150/hr
• Project Manager – 140/hr
• Database Engineer – 150/hr
• Hardware move and installation – 80/hr

4.2.1 ADDITIONAL INITIATIVES

In addition to the ongoing managed services provided under a fixed-fee contract, there are other services related to the onboarding that would be billed separately, including but not limited to the following:

Network Equipment Upgrades
• UPS: Replacement of multiple aging APC UPS 1500 units with a proper NOC room UPS with Power Distribution Units (PDU) in each rack, capable of remote management and environmental monitoring
• Switches: Replacement of aging Cisco Catalyst 3750 floor switches and the Cisco Catalyst 6506 Core Switch
• Bandwidth: Deployment of a larger multi-source Direct Internet Circuit to support anticipated growth from additional traffic generated by Skype video conferencing and a multitude of hosted cloud-based applications

Server Maintenance
• Upgrade of existing Microsoft Server 2008 to Microsoft Server 2016
• Upgrade of existing Microsoft 2008 Active Directory (AD) Domain Server to MS AD 2016
• Virtualizing the remaining on-premise servers to provide better support/security
• Archiving of existing on-premise data storage to a virtualized environment

Advisory Services
The MSP shall provide advisory services including, but not limited to:
• Technology planning and cost forecasting
• Business continuity planning
• Disaster recovery planning
• Enterprise architecture
• Technology consulting
• Process development
• Incident Response Process

4.3 ASSUMPTIONS

EnrollHostel has made the general assumption that the information provided during the preparation of this proposal is accurate and up-to-date. During the course of this project, it may be found that assumptions made are invalid due to lack of information at the time of proposal development. In such a case, EnrollHostel will work with School to make suitable amendments to this proposal that are mutually agreed upon by both parties, and when applicable, the corresponding change request process would be initiated.

It is understood and agreed upon that the following items must be in place and/or provided at the start of the engagement:
4.3.1 USER COUNT AND DEMOGRAPHIC

Approximately 250 users are located at School's

The following is a high-level overview of the on-premise School computing assets:

4.3.1.1 Desktops/Laptops
We are concerned about how laptops are replaced.

4.3.1.2 On-Premise Network/Software Hosted
School network and software hosting details are not known.

4.3.1.3 Hosted Cloud Environment
It is anticipated that the majority of School's services will be cloud-based by the end of FY2018. Cloud details are not known. Information on all software, platform and infrastructure storing, processing or transmitting RISK information is not known. [Depending on how many applications we need to check, the amount of work may vary.]

4.3.1.4 Legacy Business Applications
Details not known.

4.3.1.5 3rd Party Vendors
We would need to understand the SLAs which third-party vendors are on with respect to the handling of RISK information being processed, stored or transmitted.