information technology security and compliance services · rfq a2114499r1 ‐ broward county it...

RFQ A2114499R1 ‐ Broward County IT Security and Compliance Services

PROPOSED CATEGORY

1st Secure IT

LLC

Prime: 3K Technologies

LLCSubs: Managni Systems, Inc. ;

Aujas Information Risk

Services ATTBreakPoint

Labs

Prime: Carahsoft Technology

CorpSolution Provider: Trustwave

Crowe Horwath LLP

Enterprise Risk Management,

Inc.

Focal Point

Data Risk LLC

Foresite MSP LLC

Global Information Intelligence

LLCCATEGORY 1 ‐ PCI SERVICES X X X X X X XCATEGORY 2 ‐ HIPAA SERVICES X X X X X X XCATEGORY 3 ‐ IT AUDIT SERVICES X X X X X X X XCATEGORY 4 ‐ SECURITY PENETRATION TESTING X X X X X X X X X XCATEGORY 5 ‐ SECURITY INCIDENT RESPONSE X X X X X X

X X X

PROPOSED CATEGORY# OF RESPONSES PER CATEGORY

CATEGORY 1 ‐ PCI SERVICES 16CATEGORY 2 ‐ HIPAA SERVICES 18CATEGORY 3 ‐ IT AUDIT SERVICES 17CATEGORY 4 ‐ SECURITY PENETRATION TESTING 22

CATEGORY 5 ‐ SECURITY INCIDENT RESPONSE 13CATEGORY 6 ‐ PUBLIC SAFETY NETWORK AND SYSTEMS AUDIT SERVICES 6

Note: "X" indicates vendor responded to this categoryNote: Vendor did not propose team member with at least (1) of the required qualifying certifications

CATEGORY 6 ‐ PUBLIC SAFETY NETWORK AND SYSTEMS AUDIT SERVICES

VENDOR NAME VENDOR NAM

RFQ A2114499R1 ‐ Broward County I

PROPOSED CATEGORYCATEGORY 1 ‐ PCI SERVICESCATEGORY 2 ‐ HIPAA SERVICESCATEGORY 3 ‐ IT AUDIT SERVICESCATEGORY 4 ‐ SECURITY PENETRATION TESTINGCATEGORY 5 ‐ SECURITY INCIDENT RESPONSE

PROPOSED CATEGORYCATEGORY 1 ‐ PCI SERVICESCATEGORY 2 ‐ HIPAA SERVICESCATEGORY 3 ‐ IT AUDIT SERVICESCATEGORY 4 ‐ SECURITY PENETRATION TESTING

CATEGORY 5 ‐ SECURITY INCIDENT RESPONSECATEGORY 6 ‐ PUBLIC SAFETY NETWORK AND SYSTEMS AUDIT SERVICES

Note: "X" indicates vendor responded to this cNote: Vendor did not propose team member w

CATEGORY 6 ‐ PUBLIC SAFETY NETWORK AND SSERVICES

Prime: JohnsTek

Inc.Sub:

IOMAXIS

Prime: Marcum

LLPSub: 24by7 Security

Merchant Preservation Services, LLC

d/b/a CampusGuard

MGT of America

Consulting, LLC

Nettitude, Inc. d/b/a Nettitude

Online Enterprises

Inc. d/b/a Online

Business Systems

Optiv Security

Plante & Moran,

PLLC dba Plante Moran Presidio

X X X X X X XX X X X X X XX X X X

X X X X X X X XX X X X

X

ME VENDOR NAME

RFQ A2114499R1 ‐ Broward County I

PROPOSED CATEGORYCATEGORY 1 ‐ PCI SERVICESCATEGORY 2 ‐ HIPAA SERVICESCATEGORY 3 ‐ IT AUDIT SERVICESCATEGORY 4 ‐ SECURITY PENETRATION TESTINGCATEGORY 5 ‐ SECURITY INCIDENT RESPONSE

PROPOSED CATEGORYCATEGORY 1 ‐ PCI SERVICESCATEGORY 2 ‐ HIPAA SERVICESCATEGORY 3 ‐ IT AUDIT SERVICESCATEGORY 4 ‐ SECURITY PENETRATION TESTING

CATEGORY 5 ‐ SECURITY INCIDENT RESPONSECATEGORY 6 ‐ PUBLIC SAFETY NETWORK AND SYSTEMS AUDIT SERVICES

Note: "X" indicates vendor responded to this cNote: Vendor did not propose team member w

CATEGORY 6 ‐ PUBLIC SAFETY NETWORK AND SSERVICES

RSM US LLP

Securance LLC

SeNet International Corporation

SHI International

Corp

Verizon Business Network Services Inc. d/b/a Verizon

Business Services

X XX X X XX X X X XX X X XX X X

X X

VENDOR NAME

RFQ A2114499R1 ‐ Broward County IT Security and Compliance ServicesCategory 1 ‐ Payment Card Industry (PCI) Services

Licensing Matrix 1st Secure IT LLC ATTPrime: Carahsoft Technology Corp

Solution Provider: Trustwave

Servers and Workers Located in the USA Attestation Form Provided ‐ PDF Pg. 120 Provided ‐ PDF Pg. 569 Provided ‐ See 7

AND1. Provide proof of Approved Qualified Security Assessor (QSA) company Provided ‐ PDF Pg. 17 Provided Provided

AND2. Provide proof of a Qualified Security Assessor on staff

Provided Requirement Met



AND3. Provide proof that Contractor has not been in QSA Remediation Status at any time during the past twenty‐four (24) months) Provided ‐ PDF Pg. 119 Provided Provided ‐ See PDF Pg. 46

AND4. Provide proof that Contractor's proposed QSA primary point of contact has not been in QSA Remediation Status at any time during the past twenty‐four (24) months Provided ‐ PDF Pg. 119 Provided Provided ‐ See PDF Pg. 46

AND5. Provide certification for at least one (1) certified QSA proposed as the County's primary point of contact (i.e. Project Lead) Provided ‐ PDF Pg. 119 Provided Provided ‐ See PDF Pg. 46

AND6. Contractor must complete and submit the following attestation form affirming their understanding and acceptance of additional requirements pertaining to the PCI Services:‐ Category 1 ‐ PCI Attestation Form Provided ‐ PDF Pg. 119 Provided Provided ‐ See PDF Pg. 46

Vendor Questionnaire Form Provided Provided Provided

Vendor Security Questionnaire Form Provided Provided Provided

RESPONSIBILTY REQUIREMENTS

FORMS

1 10/20/2017 1:34 PM

RFQ A2114499R1 ‐ Broward County IT Security and ComCategory 1 ‐ Payment Card Industry (PCI) Services

Licensing Matrix

Servers and Workers Located in the USA Attestation Form

AND1. Provide proof of Approved Qualified Security Assessor (QSA) company


AND3. Provide proof that Contractor has not been in QSA Remediation Status at any time during the past twenty‐four (24) months)

AND4. Provide proof that Contractor's proposed QSA primary point of contact has not been in QSA Remediation Status at any time during the past twenty‐four (24) months

AND5. Provide certification for at least one (1) certified QSA proposed as the County's primary point of contact (i.e. Project Lead)

AND6. Contractor must complete and submit the following attestation form affirming their understanding and acceptance of additional requirements pertaining to the PCI Services:‐ Category 1 ‐ PCI Attestation Form

Vendor Questionnaire Form

Vendor Security Questionnaire Form


FORMS

Crowe Horwath LLP Enterprise Risk Management, Inc. Focal Point Data Risk LLC

Provided ‐ See PDF Pg. 9 Provided Provided

Provided Provided Provided




Provided ‐ See PDF Pg. 43 Provided Provided ‐ Pg. 3






2 10/20/2017 1:34 PM


Licensing Matrix











FORMS

Foresite MSP LLCPrime: Marcum LLPSub: 24by7 Security Merchant Preservation Services, LLC d/b/a CampusGuard






Provided Provided Provided ‐ PDF Page 501



Provided ‐ PDF Pg. 84 Provided Provided ‐ PDF Page 4



3 10/20/2017 1:34 PM


Licensing Matrix











FORMS

Nettitude, Inc. d/b/a Nettitude Online Enterprises Inc. d/b/a Online Business Systems Optiv Security Plante & Moran, PLLC dba Plante Moran

Provided ‐ See PDF Pg. 42 Provided ‐ See PDF Pg. 309 Provided Provided

Provided Provided Provided Provided





Provided ‐ PDF Pg 41 Provided ‐ PDF Pg 14 Provided Provided ‐ PDF Pg. 16

Provided ‐ PDF Pg 41 Provided ‐ PDF Pg 14 Provided Provided ‐ PDF Pg. 16

Provided ‐ PDF Pg 41 Provided ‐ PDF Pg 14 Provided Provided

Provided ‐ PDF Page 41 Provided ‐ PDF Page 291 Provided Provided ‐ PDF Pg. 16



4 10/20/2017 1:34 PM


Licensing Matrix











FORMS

Presidio RSM US LLPVerizon Business Network Services Inc. d/b/a Verizon Business Services






Provided ‐ PDF Pgs 10 ‐11 See Category 1 ‐ PCI Attestation Form

See Category 1 ‐ PCI Attestation Form

Provided ‐ PDF Pgs 10 ‐11 See Category 1 ‐ PCI Attestation Form

See Category 1 ‐ PCI Attestation Form

Provided ‐ PDF Pg 11 See Category 1 ‐ PCI Attestation FormSee Category 1 ‐ PCI Attestation Form

Provided ‐ PDF Pg 13 Provided Provided



5 10/20/2017 1:34 PM



Solution Provider: Trustwave

1. Ability of Professional Personnel:a. Describe the qualifications and relevant experience of the Project Manager and all key staff that are intended to be assigned to services performed within this category. Include resumes for the Project Manager and all key staff described.

See PDF Pg. 138. Resumes ‐ See PDF Pgs. 145 ‐ 154.Mark Akins, PCI QSA, CISSP, CISA, 24+ years experienceAlberto Espana, CISM, PCI‐QSA, 30+ years experienceOrencio Cardenas, MCSA, MCSE, CISSP, 20+ years experiencesAlan Kakareka, CISSP, GSEC, CEH, LPT, 20+ years in IT; 13+ years in IT SecurityAbelardo Rodrigues, PCI QSA, CISSP, CISA, 24+ years experience

See PDF Pgs. 453 ‐ 458

"CONFIDENTIAL"

Pgs 418‐568 AT&T Proprietary: The information contained herein is for use by authorized persons only and is not for general distribution.

See PDF Pg. 9Trustwave knows the ins and outs of risk. Additionally, we want you to understand risk, too. Our Global Compliance and Risk Services team serves as trusted advisors who operate alongside your internal team. Our Global Compliance and Risk Services staff is comprised of Qualified Security Assessors (QSAs) and our consultants hold various other industry certifications including CISSP, CISM, and CISA certifications, among others. The team averages more than eight years of experience in IT security, information security as well as extensive compliance, audit and consulting expertise. The Global Compliance and Risk Services team (GCRS) is backed by our SpiderLabs team to keep you ahead of the latest threats and is also sponsored by a Senior Compliance Support Analyst to ensure yourproject runs smoothly. We will customize your engagement, assess what is unique about your business challenges and scale with your business needs.

b. List any other relevant Security and Compliance Industry certifications, such as a PCI Forensic Investigator (PFI), that the Project Manager and key staff described may have. Include copies of certificates, if applicable.

See PDF Pg. 138Mark Akins, PCI QSA, CISSP, CISA, 24+ years experienceAlberto Espana, CISM, PCI‐QSA, 30+ years experienceOrencio Cardenas, MCSA, MCSE, CISSP, 20+ years experiencesAlan Kakareka, CISSP, GSEC, CEH, LPT, 20+ years in IT; 13+ years in IT SecurityAbelardo Rodrigues, PCI QSA, CISSP, CISA, 24+ years experience

See PDF Pg. 1391st Secure IT is an Active QSA Company and status can be looked up on the PCI council's website.

CONFIDENTIAL

Pgs 35: Non‐Disclosure Statement "The information in this document is AT&T Corp. Confidential, and cannot be reproduced or redistributed in any way, shape, or form without prior written consent from AT&T Corp. © Copyright 2017 AT&T Corp. AT&T Corp., the AT&T Corp. logo, and all other trademarks, service marks, and designs are registered or unregistered trademarks of AT&T Corp. Intellectual Property and/or AT&T Corp. affiliatedcompanies."

Pgs 36‐ 223:"AT&T Consulting Proprietary and Confidential Information"


See PDF Pg. 9Please see the representative biographies embedded below, which includes the typical certifications held by the resources who may be assigned to your project.

2. Project Approach:

EVALUATION CRITERIA

6 10/20/2017 1:34 PM


Licensing Matrix




EVALUATION CRITERIACrowe Horwath LLP Enterprise Risk Management, Inc. Focal Point Data Risk LLC

See PDF Pgs. 29 ‐ 30. Appendix A ‐ Resumes (PDF Pgs. 39 ‐ 41). Appendix B ‐ Relevant Certifications (PDF Pgs. 44 ‐ 45).Craig D. Sullivan, CPA, CISA, QSA, Partner, 32+ years experienceJeffrey A. Palgon, CPA, CISSP, CISM, CISA, Senior ManagerSean F. McAloon, CISA, Manager

See PDF Pgs. 8 ‐ 20Silka M. Gonzalez, CPA, CISSP, CISM, CISA, CITP, CRISC, 30+ years experienceEsteban Orlando Farao, CISSP, CISA, CISO, CRISC, CEH, QSA, and PCIP.PCI QSA, 20+ years experienceChristopher Steven Sanchez, Information Security Consultant, Extensive experience completing penetration testingMaria Rogers, CEH, CCFE, Extensive experience in software testing and Digital ForensicsAnimesh Srivastava, Extensive experience competing regulatory compliance assessments

See PDF Pgs. 11 ‐ 12Andrew Cannata – Principal, QSA, CISSP, CISM, 25+ years experienceChristie Verscharen – Principal, QSA, CISSP, CISA. Christie leads Focal Point’s PCI and Risk Services practice. Christie has 15 years of information security and technology advisory work experience.Derek Parks – Director, QSA, CISSP, CISA, CBCP. Derek has a significant amount of experience delivering and leading Sarbanes‐Oxley, PCI, IT risk assessment, IT governance policy, and disaster recovery and business continuity assessment engagements.Jim Flannery – Director, QSA, CISSP, CISA. Jim is a Director in Focal Point’s security practice.Brett Phillips – Director, QSA, CISSP, CISA. During his time with Focal Point, Brett has focused on several service offerings, including PCI, Sarbanes‐Oxley/IT audit, SAP security, business continuity, business process redesign, and IT risk assessments.Terry Bristow – Manager, QSA, CISM. Terry is a Manager in Focal Point’s Information Security Risk Advisory Services practice.Adam Cotto – Manager, QSA, CISSP. Adam has performed PCI, IT risk assessments, and disaster recovery and business continuity assessment...Chris Thompson – Manager, QSA, CISSP, CCNA. Chris has focused on conducting PCI assessments, firewall and router rule set reviews.....

See PDF Pgs. 29 ‐ 30. Appendix A ‐ Resumes. Appendix B ‐ Relevant Certifications.Craig D. Sullivan, CPA, CISA, QSA, Partner, 32+ years experienceJeffrey A. Palgon, CPA, CISSP, CISM, CISA, Senior ManagerSean F. McAloon, CISA, Manager

See PDF Pgs. 8 ‐ 20Silka M. Gonzalez, CPA, CISSP, CISM, CISA, CITP, CRISC, 30+ years experienceEsteban Orlando Farao, CISSP, CISA, CISO, CRISC, CEH, QSA, and PCIP.PCI QSA, 20+ years experienceChristopher Steven Sanchez, Information Security Consultant, Extensive experience completing penetration testingMaria Rogers, CEH, CCFE, Extensive experience in software testing and Digital ForensicsAnimesh Srivastava, Extensive experience competing regulatory compliance assessments

See PDF Pgs. 11 ‐ 12Andrew Cannata – Principal, QSA, CISSP, CISM, 25+ years experienceChristie Verscharen – Principal, QSA, CISSP, CISA. Christie leads Focal Point’s PCI and Risk Services practice. Christie has 15 years of information security and technology advisory work experience.Derek Parks – Director, QSA, CISSP, CISA, CBCP. Derek has a significant amount of experience delivering and leading Sarbanes‐Oxley, PCI, IT risk assessment, IT governance policy, and disaster recovery and business continuity assessment engagements.Jim Flannery – Director, QSA, CISSP, CISA. Jim is a Director in Focal Point’s security practice.Brett Phillips – Director, QSA, CISSP, CISA. During his time with Focal Point, Brett hasfocused on several service offerings, including PCI, Sarbanes‐Oxley/IT audit, SAP security, business continuity, business process redesign, and IT risk assessments.Terry Bristow – Manager, QSA, CISM. Terry is a Manager in Focal Point’s Information Security Risk Advisory Services practice.Adam Cotto – Manager, QSA, CISSP. Adam has performed PCI, IT risk assessments, and disaster recovery and business continuity assessment...Chris Thompson – Manager, QSA, CISSP, CCNA. Chris has focused on conducting PCI assessments, firewall and router rule set reviews.....

7 10/20/2017 1:34 PM


Licensing Matrix




EVALUATION CRITERIAForesite MSP LLC

Prime: Marcum LLPSub: 24by7 Security Merchant Preservation Services, LLC d/b/a CampusGuard

See Bios ‐ Jason L, Specialities: Compliance and Network Security, 20+ years experience, QSA PCI, PA QSA, PCIP PCI, SANS GIAC GSNA, GCIH, GPENThomas A, Specialities, Compliance and Network Security, 15+ years experience, QSA PCI, CISSP, HCISSPJohn W, Compliance, Network Security, and Incident Response/Digital Forensics, QSA PCI, PA QSA, CISSPKeith K, GRC, Security Architecture and Audit, 20+ years experience, CISSPBradley A, Penetration Testing, 15+ years of experience, CISSP, OSCE, OSCP, CEH, SANS GIAC

See PDF Pg. 5Marcum LLP is a Qualified Security Assessor (QSA) Company. Furthermore, three of the team members assigned to this engagement are QSA employees at Marcum. Each member has significant technology experience and has assisted companies apply the provisions of Payment Card Industry Data Security Standard (DSS) 3.2. Please refer to Appendix A for team profiles and relevant certifications.

See PDF Pgs 482 ‐ 483.

Edward (Ed) Ko, QSA Manager, Multi Campus PCI Experience, Information Privacy, Network Analysis, Telecommunications, 12 years in security field; 16 years in experience and responsibilitiesJudi Seguy, CRM Manager, Project Management, E‐Commerce, PCI DSS Compliance, General Information Technology, 8 years experience in security related field in higher education and information technology security


See PDF Pg. 5For Marcum LLP’s proposed key staff, please see profiles and certificates available in Appendix A.� Client Service and Engagement Partner:Mark Agulnik, Partner, CPA, CISA, PCI‐QSA� Senior Audit Manager:Heather Bearfield, Principal, CISA, CISM, CRISC, PCI‐QSA� Senior Manager:Robert Coro, Senior Manager, CISA, CISM, PCI‐QSA


Edward (Ed) Ko, QSA, ASV, CISSP, CPISM/A, PCIPJudi Seguy, PCIP

8 10/20/2017 1:34 PM


Licensing Matrix




EVALUATION CRITERIANettitude, Inc. d/b/a Nettitude Online Enterprises Inc. d/b/a Online Business Systems Optiv Security Plante & Moran, PLLC dba Plante Moran

See PDF Pg. 5.Shai Canaan, Senior Security Consultant, 15+ years experience, PCI QSA, PA QSA, ISO 27001 Lead Auditor, Certified Information Systems Auditor (CISA), Certified Information Systems Security Professional(CISSP), Certified in Risk and Information Systems Control (CRISC)Ben Rothke, Senior Security Consultant, PCI QSA, Certified Information Security Manager (CISM), Certified in the Governance of the Enterprise IT (CGEIT), Certified Information Systems Auditor (CISA), Certified in Risk and Information Systems Control (CRISC), Certified Information Systems Security Professional (CISSP)

See PDF Pgs. 6 ‐ 7.Steve Levinson (VP, Risk Security & Privacy Consulting), 25+ years experience, CISSP Rob Harvey, Director of Online's Risk, Security & Privacy Consulting Practice, 12+ years experienceMark Hannah, PCI Practice Lead, Sr. Consultant, 8 years experienceGreg High, Principal Consultant, CISSP, CISM, 8+ years experience

See PDF Pg. 232The security, privacy and business concerns of our clients‐bothcurrent and past‐are of the highest priority.As such, we must respectfully decline to provide specific contact names and details for potential references at this stage. However, a number of our clients from recent engagements would be willing to entertain an informal conversation with their peers to discuss their use of the products and services they were provided which we can help facilitate at the appropriate time.

See PDF Pgs 7 ‐ 8.Scott Petree, Principal, 16+ years experienceKyle Miller, Manager, 9+ years experienceBob Funke, Manager, 25+ years experience


See PDF Pgs. 6 ‐ 7.Steve Levinson (VP, Risk Security & Privacy Consulting), 25+ years experience, CISSP Rob Harvey, Director of Online's Risk, Security & Privacy Consulting Practice, 12+ years experienceMark Hannah, PCI Practice Lead, Sr. Consultant, 8 years experienceGreg High, Principal Consultant, CISSP, CISM, 8+ years experience In addition to Certified QSA certifications, Online’s Risk, Security and Privacy consultants hold certifications such as CISSP, CCSP, CIPP, CRISC, PCI QSA, PCI‐P, and CISA to name only a few.


See PDF Pgs 7 ‐ 8.Scott Petree, CPA, CISA, CFE, QSAKyle Miller, CISA, QSA, CCSFPBob Funke, MBA, CISA, QSA

9 10/20/2017 1:34 PM


Licensing Matrix




EVALUATION CRITERIAPresidio RSM US LLP

Verizon Business Network Services Inc. d/b/a Verizon Business Services

Resumes See PDF Pgs 75 ‐ 89.See PDF Pg 14.Presidio Cyber Security Project Managers are responsible for managing all cyber security projects, including: Payment Card Industry Data Security Standard (PCI DSS), Health Insurance Portability and Accountability Act (HIPAA), IT Audit Services, Security Penetration testing, and architecture consulting. Presidio’s project managers and key staff have an extensive list of industry certifications that include CISSP, CISA, CISM, CRISC, OSCP, GPEN, GWAPT, G2700, CEH, ITIL Practitioner and ITIL (v3). In addition, Presidio has 1,600 engineers on the backendthat provide architecture design and implementation services. Presidio includes resumes for the Project Manager and key staff in Attachment A.Presidio has been providing PCI DSS QSA services since September 2013.

The following table describes the qualifications of the proposed team, their roles and the value they will bring to the County. Detailed biographies containing each team member’s formal education and professional affiliations, are included in the Team resumes section located in the Appendix of this proposal.Alan Guiterrez‐Arana, Director, Security, Privacy, and Risk Services, 20+ years experienceKerry Erickson, Manager, Security, Privacy and Risk Services; Lead QSA and Project ManagerRex Johnson, Director, Security, Privacy and Risk Services; Lead field work QSA

Pgs. 12‐151) Verizon performs around 1100 QSA assessments each year, including readiness assessments, as well as investigating 100 cases per year for payment card related incidents.2) We specialize in complex assessments that span multiple countries with different geopolitical, legal, and regulatory frameworks.3) Prior to the formal creation of the PCI SSC, Verizon was a preferred vendor delivering Visa CISP security assessments as well as security assessments for MasterCard’s SDP and American Express’ DSOP cardholder data security programs, going back to 1999.4) As one of the first QSA companies, our practice has strong, long‐standing relationships with all the payment card brands and we participate on virtually every PCI SSC Special Interest Group. We have performed PCI DSS assessments for the card companies directly: Visa USA, Visa Canada, Visa France, MasterCard France, and MasterCard International and contributed to payment card program development over the years.5) Our assessors are highly experienced, often industry thought‐leaders and maintain an array of security industry certifications including the

f d fResumes See PDF Pgs 75 ‐ 89.See PDF Pgs 14 ‐ 15Presidio brings Broward County our broad skill set and depth of experience. Our security engineering team is composed of Certified Information System Security Professionals (CISSPs), Certification and Accreditation Professionals (CAPs), InfoSec Assessment Methodology (IAM) professionals, Certified Ethical Hackers (CEHs), and Certified Information Security Managers(CISMs). This highly trained and experienced group has completed many Vulnerability Risk Assessment (VRA) and Security Certification and Accreditation (C&A) projects, tests, evaluations, and related services. Exhibit 5 illustrates Presidio’s Security Certifications.

Alan Guiterrez‐Arana ‐ Certified Information Systems Auditor (CISA); Certified in Risk and Information Systems Controls (CRISC); Qualified Security Assessor (QSA); PCI Payment Card Professional (PCIP)Kerry Erickson ‐ PCI Payment Card Professional (PCIP); Certified Information Systems Auditor (CISA); Qualified Security Assessor (QSA)Rex Johnson ‐ PCI Qualified Security Assessor (QSA); Certified Information Systems Auditor (CISA); Certified Information Systems Security Professional (CISSP); Certified Information Privacy Technologist (CIPT); Project Management Professional (PMP)

As well as a leading global Qualified Security Assessor (QSA), Payment Application Qualified Security Assessor (PA‐QSA), and Qualified Security Assessor Point‐to‐Point Encryption (P2PE) company, we are one of few qualified PCI Forensic Investigators (PFI) for Visa and MasterCard. Our assessors are highly experienced, often industry thought‐leaders and maintain an array of security industry certifications including the Certified Information Systems Security Professional (CISSP), Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM), and Certified Ethical Hacker (CEH).

10 10/20/2017 1:34 PM



Solution Provider: Trustwavea. Describe the prime Vendor’s approach to performing similar work in this Category.

See PDF Pg. 140 ‐ 142.IMPLEMENTATION ROADMAP AND TIMINGThe Payment Card Industry Data Security Standards (PCI DSS) includes 12 Requirement sections in whichseveral sub‐requirements are within each main requirement. Overall, there are approximately 300+individual requirements that must be met to be considered “PCI Certified”. The PCI DSS address all areas of operations to ensure the protection of cardholder data. Therefore, a significant effort is required by all departments within an organization to establish and maintain a PCI DSS certified environment. Here’s a high level overview of the standard: 1st Secure IT has a repeatable and proven methodology for helping our clients achieve PCI DSSCompliance. On Page 10 of the PCI Data Security Standard it states “The first step of a PCI DSS assessment is to accurately determine the scope of the review.....


CONFIDENTIAL




See PDF Pg. 9 ‐ 13.Trustwave provides a comprehensive portfolio that can help organizations of any size respond to PCI regulations. We are ideally suited to help support a compliance program centered on the administrative, physical and technical requirements of PCI. Trustwave has a number of PCI related services available to Broward County. Trustwave can provide a full over‐arching Compliance Validation Service, specifically designed for customers needing to supply a ROC (Report on Compliance), as well as PCI Readiness Subject Matter Expert Consulting, PCI Readiness Workshops, PCI Gap Assessments, Remediation Consulting, P2PE Solution Assessments, PA‐DSS Compliance Consulting, as well as ad‐hoc PCI Consulting hours. A brief description of each of the offerings are listed below, as well as a sample project plan approach.

11 10/20/2017 1:34 PM


Licensing Matrixa. Describe the prime Vendor’s approach to performing similar work in this Category.

Crowe Horwath LLP Enterprise Risk Management, Inc. Focal Point Data Risk LLCSee PDF Pgs. 31 ‐ 33PCI Data Security AssessmentIt is our understanding that it is the goal of the County is to engage a firm for services related to PCI compliance, such as PCI auditing, web application assessment from Approved Scanning Vendors (ASV), risk assessment, remediation and consulting, gap analysis, training, credit card data breach response, evaluating Point‐to‐Point Encryption (P2PE) systems, and implementations. To help the County achieve its goals, we have outlined the following approach.ScopingFor purposes of the PCI compliance assessment, the scope is defined to include all people, processes, and systems (defined as network components, servers, or applications) that store, process, or transmit card data and are included in or connected to the cardholder data environment. This includes any system that could affect the security of cardholder data. The scoping portion of the assessment will determine the systems, processes, and people involved in the processing of payment card transactions through the performance of a data discovery review. During the data discovery phase, all data flows, vendors, and systems will be inventoried to ensure that appropriate policies, procedures, and controls are in place to handle security of cardholder data in alignment with the PCI Data Security Standards (DSS).....

See PDF Pgs. 21 ‐ 22a. ApproachA review of the project’s objectives, scope, scheduled activities, assumptions and or possible constraints will be reviewed with client key personnel and staff during a project kickoff meeting.PCI DSS AnalysisERM will perform a thorough PCI DSS analysis to identify the client organization’s preparedness levels tocomply with PCI DSS requirements. ERM will audit the client’s cardholder environment against the PCIDSS listed requirements...

Planning and Project AdministrationKick‐off – Fieldwork will begin with an initial Broward/Focal Point team kick‐off meeting. This meeting will communicate the scope and objectives of the engagement to internalrepresentatives. We will also provide detailed interview and documentation requests lists, so that we may perform our procedures as efficiently as possible once on‐site.Status Reporting – Throughout the assessment period, we will communicate with management through semi‐monthly status reporting as to the progress made against our baseline projectplan.Project Close Meeting – We will conduct a formal project close meeting with the Broward team to discuss lessons learned and areas for improvement.Quality Assurance – Focal Point employs a team‐based approach to our engagements. Each team is comprised of professionals from each of our resource levels. Our professionals aretrained to continuously review the quality of service and work product provided at each level. As a result, prior to release to the client, all reports and deliverables are reviewed by one of our Directors or Principals. Furthermore, throughout the course of the engagement, we will solicit feedback from our project sponsor and incorporate that feedback accordingly.....

12 10/20/2017 1:34 PM




See "Broward Security Services 2017" See PDF Pg. 6The first step that we will apply will be to determine the scope of the review. DSSapplies to all systemcomponents included in or connected to the cardholder data environment (CDE).We will need to obtainan understanding of CDE, which will include determining which people, processes and technologiesstore, process, or transmit cardholder data or sensitive authentication data. While conducting the scopereview, we will assess whether there is segmentation, thereby reducing the scope.Marcum’s approach will be consistent with applying PCI DSS Prioritized Approachfor PCI DSS 3.2(“Prioritized Approach”). This approach will help the County protect against the highest risk factorsimmediately while working towards compliance with PCI DSS. As noted in the Prioritized Approach,certain benefits of applying this approach is as follows:� Roadmap that can be used to address risks in a priority order� Supports financial and operating planning� Promotes objective and measurable progress indicators

See PDF Pgs 484 ‐ 496.CampusGuard has developed an approach and methodology that takes into consideration the standards of information security to include the PCI DSS, and how to apply those standards in the higher education environment. We have established a proprietary gap analysis we call our Readiness Review that prepares all county merchants and the IT organization for PCI DSS compliance. Department business processes and the networks that support them are analyzed for adherence to the PCI DSS. Merchants and the IT organization are provided PCI awareness training. CampusGuard delivers a detailed Final Findings Report and Roadmap that guides the institution to full compliance. Further, the PCI DSS version 3.2 presents unique challenges to higher education. CampusGuard understands this environment and will apply its experience and knowledge to the critical PCI compliance issues and objectives at Broward County. Phase 1 – Charter Meeting Phase 2 – Information Gathering and Review Phase 3 – Onsite Review at Customer Site(s) Phase 4 – Review Information Obtained During Onsite Visit Phase 5 – Presentation of Findings Report and Roadmap Phase 6 – Remediation Phase 7 – Attestation of Compliance Phase 8 – Ongoing Advisory Services and Scanning

13 10/20/2017 1:34 PM



Nettitude, Inc. d/b/a Nettitude Online Enterprises Inc. d/b/a Online Business Systems Optiv Security Plante & Moran, PLLC dba Plante MoranSee PDF Pgs. 6 ‐ 9.This section details our strategy and approach when working with all our clients and provides thebackdrop to our proposal. The methodology below will take Broward County through their PCI DSSjourney from the initial stage to the ultimate goal of achieving compliance and certification across theorganization.Our ApproachNo matter the size of your organization, our bespoke Project Management based methodology will helpyou achieve and maintain your compliance objectives, applying SMART (Specific, Measurable,Achievable, Realistic & Time‐bound) objectives, to assist in making your end goals more achievable.

See PDF Pgs. 7 ‐ 9.Online has developed a unique, risk‐based approach to help organizations implement the controls, technologies, policies, and procedures that align with their business, their threats, and their risk tolerance. Online’s security professionals work from virtual offices ‐ we average more than fifteen years of information security experience. With our extensive business experience, at the C‐level in many cases, we understand that security strategy must align with business objectives. Online’s Risk, Security & Privacy team consists of approximately 25 seasoned professionals, ten of whom are current QSAs (note, we also have three penetration testers who were QSAs in the past). Online’s Risk, Security, and Privacy Practice focuses on services, solutions, and subject matter expertise to provide strategic information security guidance to our clients. As a PCI Qualified Security Assessor (“QSA”) Company, our QSAs are deeply experienced in the Payment Card Industry (PCI), security consulting, and information technology. Our security consultants have an average of ten years of working PCI experience, having performed hundreds of PCI assessments and gap assessments. All of our QSAs have obtained industry‐recognized security certifications, including CISSP and CISA. Online has over forty PCI clients in the US and Canada and writes over fifty PCI ROCs a year.


See PDF Pgs 9 ‐ 12Plante Moran’s PCI DSS compliance program assists organizations in obtaining compliance by assessing their environment, providing recommendation to assist in remediating any deficiencies, and creating reporting documentation to prove the organizations compliance status. Our PCI DSS compliance team works with your team to define, and possibly reduce, your cardholder data environment (CDE). This step is critical in the project as it determines the scope for all testing and compliance requirements.

14 10/20/2017 1:34 PM




See PDF Pgs 15 ‐ 17As further described below, Presidio’s approach to performing PCI work includes the following:1. Compliance Assessment2. Initial Discovery and CDE Definition3. Current‐State Assessment4. Gap Analysis5. Deliverables

See PDF Pgs 10‐14Our PCI approach is based on established, proven methodology that is flexible to meet the County’s specific needs. Each PCI engagement is kicked off with planning and scoping activities allowing us to tailor our approach. The project planning and scoping phase will include the initial processes needed tocomplete a successful engagement, including the following specific tasks:• Performing a pre‐audit kickoff meeting• Internal education and training of the County’s staff about the PCI standard, as necessary• Analysis of project scope against PCI criteria and audit procedures• Review of prior year’s compensating controls, as well as all controls for PCI DSS• In addition, to validate the scope of the cardholder data environment, the following will be performed:− Development of an audit plan and melines with the County’s input− Discovery and analysis of all credit card acceptance channels, where applicable− Discovery and analysis of network topology and network management− Discovery and analysis of so ware architecture related to storage, processing or transmission ofcredit card data, where applicable Discovery and analysis of applications that store, process or transmit credit card data, whereapplicable− Discovery and analysis of any databases related to storage, processing or transmission of credit

d d h l bl

See Pages 15 ‐ 16.We will deliver projects using an efficient, phased methodology, which is proven through hundreds of PCI projects delivered by Verizon for organizations around the world. The experience gained from these engagements provides us with valuable insight into the critical steps required to initiate and complete a PCI project in the most efficient and cost‐effective manner. The defined Card Holder Data (CHD) environment is assessed for compliance against the current PCI DSS using our three‐phased approach, as shown in the table below.

15 10/20/2017 1:34 PM



Solution Provider: Trustwaveb. Number of employees, coordination efforts, servers and workers located within the USA

1st Secure IT LLC has 7 employees located at their headquarters in Ft. Lauderdale, FL. They maintain 10 servers in a FTL Hosting facility. CONFIDENTIAL




See PDF Pg. 13.All employees and servers would be within the United States. Trustwave has over 900 employees in the US.

c. Describe vendor’s plan to meet key milestones and deadline dates including communication plan.

See PDF Pgs. 141 ‐ 142.Our approach is to inform, assist and advise the assessed company each step of the way. We employ a proven project framework that will rapidly assess and document specific PCI‐DSS challenges. Recognizing that maximizing the time allocated for this engagement is critical, the assessment framework is conducted through scheduled work and project management sessions. The nine phases of our compliance methodology are:� Phase 1 ‐ Preliminary meeting/documentation request. This phase will review servicerequirements and deliverables and it helps us to identify significant system information that the1st Secure IT Auditor will need to collect and analyze.� Phase 2 – Review and Assess documentation. Determine primary audit focus and general CDEscope.� Phase 3 ‐ Discovery (interview, data discovery, Service Provider Identification) during this phasewe will collect data and examine all existing business processes that involve cardholder data,interview key personnel, review and analyze cardholder dataflow and network topology andgather an inventory of all components that process, transmit or store cardholder data. Thefollowing chart defines the characteristics of cardholder data (CHD) and SensitiveAuthenticationData (SAD).......

CONFIDENTIAL




See PDF Pg. 13 ‐ 14Project Phases and MethodologyThe Compliance Validation Service consists of phases to ensure comprehensive and efficient service. Client must fulfill their obligations within each phase before progressing tosubsequent phases. Time frame and chronology are based on accurate completion of Clientobligations. Failure to fulfill obligations may require an addendum to this contract that will include additional charges for any time or materials above and beyond those agreed in this contract.Phase 0: Project Initiation� Kickoff meeting between all designated stakeholders� Identify key stakeholders� Define roles and responsibilities of Client� Agree on initial scope, including validation of segmentation, and discuss sampling methodology� Define and agree to high‐level project plan key steps, estimates for duration, deliverables andresource requirements� Establish communication and escalation plans for both Trustwave and Client� Action item creation and training� Schedule periodic (weekly, bi‐monthly, or monthly) status meetings.....

3. Past Performance:

16 10/20/2017 1:34 PM


Licensing Matrixb. Number of employees, coordination efforts, servers and workers located within the USA



Crowe Horwath LLP Enterprise Risk Management, Inc. Focal Point Data Risk LLCSee PDF Pg. 33Crowe Horwath has 30 team members focused on PCI, however we have a group of 175 Information Technology and Cybersecurity specialists that we can utilize if necessary. Crowe Horwath’s PCI team is distributed across the US.

See PDF Pg. 22ERM has approximately 30 full time employees. Of these employees, 25 are located in the USA. Only full time employees located in the USA will work in these engagements.Regarding coordination efforts, Esteban Farao will be the Project Manager. He will lead a project kickoff meeting, send the information requirements, manage the project, communicate with the client project team, lead project update calls and meeting as well as delivery the final reports andpresentations. All of ERM’s severs are located at the ERM’s headquarters in Coral Gables, Florida.

See PDF Pg. 32 ‐ 33Throughout this engagement, the Crowe Project Leader(s) will provide oral progress reports to the County. We will also schedule a formal status meeting at the end of fieldwork that will include an outline of the procedures completed, along with a detailed list of PCI scope, any non‐compliant requirements, any documented compensating controls, and an updated timeline for completion. Any issues identified as exposing your organization's network, Internet connectivity, and security to imminent risk will becommunicated immediately, along with recommendations for mitigating the exposure.

See PDF Pg. 22‐23ERM Project Manager will develop a Project Plan which details all key milestones and deadline dates. ERM Project Manager will work with the client to adjust based on client needs. The CommunicationPlan will be discussed and agreed to during the kick‐off call. ERM’s communication plans typically include weekly status updates as well as updates based on key milestones and deadlines.

17 10/20/2017 1:34 PM






The consulting team has over 20 people across the US. Our servers are supported in SSAE18 Co‐Los

See PDF Pg. 7As a national firm with 29 offices and approximately 1,550 professionals, we serve as a strategic alternative to the much larger firms. The partners and managers with whom you will develop relationships drive all major decisions, possessing both the appropriate resources and decision making authority. Our local firm approach provides hands‐on service and timely communication, which willresult in the County receiving the best of both worlds. Marcum has more than 20 professionals dedicated to providing IT Audit and Technology Services.

See PDF Pgs 496 ‐ 497Merchant Preservation Services LLC, d/b/a CampusGuard, was established for the sole purpose of providing information security services for multi campus environments. Wedeliver professional services in the areas of PCI DSS, Red Flags, FERPA, HIPAA, GLBA, and other areas regarding protecting personally identifiable information. CampusGuard was founded in 2009 as an alternative for public sector and education based sectors seeking apartner that has not only deep experience with information security, but understands the complexities of applying the standards into the culture that separates multi campus environments from all other areas of enterprise. CampusGuard is the “doing business as” name of Merchant Preservation Services, a limited liability company. The company is certified by the PCI Security Standards Council (PCI SSC) as both a Qualified Security Assessor and Approved Scanning Vendor.The parent company, Nelnet, Inc. (NYSE: NNI) is an education planning and financing company focused on providing quality products and services to students, families, schools, and financial institutionsnationwide. The company was formed in Nebraska in 1977. Built through a focus on long term organic growth and further enhanced by strategic acquisitions, the company earns its revenues from fee‐based revenues related to its diversified education finance and service operations. Our mission is to assist our clients to achieve and maintain PCI DSS compliance as well as meet other regulationsand requirements currently being mandated at the federal and state levels (e.g., HIPAA and GLBA). CampusGuard provides a full range of services that are the result of our comprehensive knowledge of the PCI DSS as it applies to the multi campus environment.

Deadlines are based objectives, current gaps, and risk based findings of gaps. Phased approach to compliance can be reviewed in Broward Security Services 2017. All foresite services are customized to address client specific needs and can changed based on scope, level or not‐in‐place findings and budget.

See PDF Pg. 7Marcum’s initial step will be to meet with various personnel within IT and compliance to determine the scope of our review. We will test the CDE to confirm our understanding of where cardholder data or sensitive authentication data is stored, processed or transmitted. Subsequently, we will apply each milestone by applying the Prioritized Approach. We plan to communicate each ofour findings upon the completion of each milestone. As we meet with your key personnel, we will work with management to lay out deadline dates for each milestone.

See PDF Pg 496.Many of our milestones and communication coordination is mentioned in section 2a above but it is important to know that these milestones and coordination come from a dedicated resource to Broward County. CampusGuard has introduced a full Customer Relationship Management (CRM) team that supports our customersthroughout the entire PCI compliance project. Our CRMs are matched with the QSA and become involved as an integral member of a customer’s PCI Team, beginning with the initial “kick‐off” and continuing through the assessment phase and ongoing Annual Support. The result is that our customers have a CampusGuard team who are familiar with their environment, issues and culture. Additionally, CampusGuard has implemented a CRM systemthat captures all relevant information and data of a customer engagement and creates a workflow that enables each participant to have the right information at the right time. CampusGuard will assign a QSA and Customer Relationship Manager to the Broward County project. The partnership is guaranteed unless there are extenuating circumstances that would require change. If there is any circumstance that may require change, our partnership with the County extends to mutual agreement of any modification.

18 10/20/2017 1:34 PM






Not Provided

Online’s Risk, Security, and Privacy practice has approximately 18 consultants based in the USA. Online’s US Headquarters is located in Minneapolis, MN.


See PDF Pg. 12Plante Moran has over 2,200 employees and 500 servers in the USA.

Not Provided

See PDF Pgs. 9 ‐ 10.Online has a number of strategies in place for all engagements to deal with the impact of any events on project milestones including: Iterative and Parallelized Approach Online’s approach to conducting an assessment is a highly parallelized process. The review of multiple CHDdata flows with multiple departments and personnel are started simultaneously. The collection and review of information will progress at different rates for each of these parallel activities. Upfront Planning The QSA will work closely with the County’s project personnel to mitigate the impact of factors such asresource availability on compliance documentation activities. Acquiring and discussing upcoming holiday plans and important business activity schedules at the outset allows for optimized task planning.....


See PDF Pg. 12Frequent communication, guided by a “no surprises” philosophy is the key to a successful project. In this way, expectations can be effectively managed and problems can either be avoided entirely, or addressed early on to minimize wasted effort and keep the project on schedule. Prior to formally kicking off the project, we will work with the County to develop a communications plan for the project.We will identify project stakeholders, and for each:� What they will need to know throughout the project (e.g., status updates, risk and issues)� When and how frequently they will want communication (e.g., weekly, monthly)� How communications will be delivered (e.g., status updates reports, meetings, phone calls)� Who will be responsible for the communicationWe will maintain this communication plan on a shared collaboration site throughout the project toensure regular communication and ongoing collaboration.

19 10/20/2017 1:34 PM






See PDF Pg 17.Presidio has twenty‐three (23) people on our Cyber Security Consulting team, all whom are Presidio employees located within the USA. The Presidio Cyber Security Project Managers coordinate all the resources on the Presidio team.

RSM has approximately 25 PCI QSAs nationally and over 100 additional staff members who work on ourPCI engagements. Also see the Servers and Workers Located in the USA Attestation Form included in the Appendix section of this proposal.

Verizon operates a global QSA practice with over 70 assessors providing consistent delivery of high quality PCI services around the world. 16 QSA are located in the USA

See PDF Pg 17 ‐ 19Presidio would develop a project plan with all defined project milestones which includes weekly status meetings to track the project overall progress. Escalation methodology follows.

RSM’s management approach can be expressed in one simple phrase: “no surprises.” First, we will work with the County to establish a communication protocol and approach that you prefer, and we will use these channels and tools to share information on the engagement. Once the communications plan has been created, RSM will create a timeline and milestones project schedule and track those milestones to completion on a weekly basis. We will work with you and management to keep you informed of our progress throughout the engagement with periodic formal and informal status reports and meetings as appropriate. Continuous communication helps ensure that the County and the RSM team are in agreement on, and informed about, every aspect of an engagement. Our team will work closely with County management to establish clear, open lines of communication via face‐to‐face meetings, phone calls, and/or regular electronic or hard‐copy communications to keep you informed of progress and issues. In the event that RSM identifies that a particular engagement is behind schedule, it will be formally communicated to the client to discuss the issues and possible solutions to get back on track. Similarly, if observations or risk areas are identified during an engagement, we will be on hand to provide recommendations for remediation and provide support to management in the enhancement of current processes.

Verizon will designate a “Project Manager” who will act as the single point of contact throughout the Project. The Project Manager will oversee and coordinate the Project. The Project Manager will manage Verizon resources to complete Project activities, such as milestone tracking, coordinating tasks and dependencies, as well as providing weekly status reports (the “Weekly Report”). Customer will appoint a single point of contact or program management team to coordinate the Project activities with Verizon and ensure timely data flow and exchange of information required for execution of the Project within the agreed time frame. Verizon will work with Customer to schedule a kick‐off meeting to initiate the Project. Verizon and Customer will collaborate to determine required stakeholders and other attendees, agenda, and meeting location (i.e. on site or virtual).

20 10/20/2017 1:34 PM



Solution Provider: Trustwavea. Describe prime Vendor’s experience on projects of similar nature and scope, along with evidence of satisfactory completion, both on time and within budget, for the past five years. Provide a minimum of three projects with references, preferably government agencies (i.e. state, local) of similar size and structure and proven experience and skillset in evaluation a mixed credit card environment of web applications, point of sale (POS), and Interactive Voice Response (IVR) Systems.Vendor should provide references for similar work performed to show evidence of qualifications and previous experience. Refer to Vendor Reference Verification Form and submit as instructed. Only provide references for non‐Broward County Board of County Commissioners’ contracts. For Broward County contracts, the County will review performance evaluations in its database for vendors with previous or current contracts with the County. The County considers references and performance evaluations in the evaluation of Vendor’s past performance.

See Reference Verification Form PDF Pg. 124, 128, 132.See PDF Pg. 142.1st Secure IT has been a Qualified Security Assessor Company since 2010 and hasperformed has performed hundreds of PCI DSS audit. 1st Secure IT, LLC is a Payment Card Industry Qualified Security Assessor Company (PCI‐QSA) certified and authorized to perform PCI DSS and PCI PIN audits it the United States and Latin America. We are headquartered in Coral Springs, FL and focus on compliance services and solutions related to regulations such as PCI, HIPAA, EI3PA, and SOC2. We specialize in and are focused on delivering industry standards compliance and fraud prevention services.SAMPLE LIST OF CLIENTS1st Secure IT, LLC has done well over 100 Reports of Compliance (ROC) in the last 12 months. The followingis a sample set of clients for whom 1st Secure IT, LLC has performed compliance/security engagements:Sample clients in USA1. Luihn Foods ‐ (Refer to Vendor Reference Verification Form)2. FPN ‐ (Refer to Vendor Reference Verification Form)3. Sedano’s Supermarket ‐ (Refer to Vendor Reference Verification Form)4. Great Health Works5. Softheon,Inc Amwest Venture Corp6. Apartment Owners Association of California, Inc.7. Bagshaw Enterprises8. BKK Management Co (Yakima)9. Burger Florida Group10. Century Fast Foods, Inc.

CONFIDENTIAL




See References.

21 10/20/2017 1:34 PM


Licensing Matrixa. Describe prime Vendor’s experience on projects of similar nature and scope, along with evidence of satisfactory completion, both on time and within budget, for the past five years. Provide a minimum of three projects with references, preferably government agencies (i.e. state, local) of similar size and structure and proven experience and skillset in evaluation a mixed credit card environment of web applications, point of sale (POS), and Interactive Voice Response (IVR) Systems.Vendor should provide references for similar work performed to show evidence of qualifications and previous experience. Refer to Vendor Reference Verification Form and submit as instructed. Only provide references for non‐Broward County Board of County Commissioners’ contracts. For Broward County contracts, the County will review performance evaluations in its database for vendors with previous or current contracts with the County. The County considers references and performance evaluations in the evaluation of Vendor’s past performance.

Crowe Horwath LLP Enterprise Risk Management, Inc. Focal Point Data Risk LLCSee PDF Pgs. 34 ‐ 37.Client Experience 1A team of Crowe QSAs and SMEs helped a Fortune 100 company identify the scope of the environment subject to PCI DSS and help the company achieve PCI DSS compliance. The project scope included the company’s retail operations in 15 countries with various in‐store network configurations. Over the course of the relationship, Crowe has consulted with the client on a variety of information security and compliance issues including virtualization, tokenization, point‐to‐point encryption, and network segmentation including tools such as VMWare, Lumigent, Q1Radar, and DLP. The companies environment included various operating systems types including Stratus VOS, AIX, HP‐UX, CentOS,Red Hat, and Windows. The assessment also covered the review of various databases including DB2, Informix, Oracle, and SQL. The scope of the assessment required Crowe to review various applicationsThe result has been an ongoing relationship in which Crowe has helped the client reduce scope, create repeatable processes and controls, and maintain compliance for over six years.Client Experience 2Crowe performed a scoping and gap analysis for a global payment processor that had recently acquired a new business subject to PCI DSS. The company was using a custom developed application that wasusing an Oracle back end for card storage and processing. Crowe helped the client prioritze gaps in compliance and developed a roadmap for the client to achieve compliance. The end result was a compliant, first year Report on Compliance that was delivered to the card brands on time.Client Experience 3A team of Crowe QSAs and SMEs performed a scoping and gap analysis for a cloud services provider. Crowe helped the company minimize scope subject to PCI DSS and helped the client prioritize its remediation efforts......

(4) Reference Verification Forms included for this Category ‐ PDF Pgs. 24‐27a. ERM’s ExperienceERM has completed approximately 100 PCI projects. All of our projects have been completed on timeand within budget.As requested, below are three references for projects of similar size and structure.1. Miami Dade County2. Entertainment Benefits Group, LLC3. General Growth Properties4. Banco Popular Dominicano

See PDF Pgs. 16 ‐ 18Ace Hardware 2016 – Current PCI Compliance Risk Assessment

Beall’s 2005 – Current Approved Scanning Vendor (ASV) TestingAnnual PCI QSA AuditIncident ResponseIT Audit AssistanceOngoing PCI & Security Trusted Advisory AssistancePenetration TestingPCI Gap Analysis and Compliance RoadmapPCI Infrastructure and Architecture AssistanceSecurity TrainingSocial Engineering

Borgata Hotel and Casino 2009 – CurrentApproved Scanning Vendor (ASV) TestingOngoing PCI Trusted Advisory AssistanceAnnual Penetration Testing

Bright House Networks(Charter Communications) 2014 – Current Annual PCI QSA AuditPCI Gap Analysis and Compliance Roadmap

........

22 10/20/2017 1:34 PM




See References.Foresite supplies services to forture 500 companies within the US and address specific needs based on a phased approach. The approach starts with a gap assessment to determin actual scope followed by findings and observations, recommendations for remediation then a road map plan to address all aspects of the overall objectives.

See PDF Pg. 8Marcum has several clients that are required to comply with PCI DSS, and Marcum provides guidance onPCI matters frequently.See attached Vendor Reference Form for:� Eastern Account Systems

Page 497 University of Virginia: The University of Virginia is a four‐year, public university with an enrollment of over 23,000 students. CampusGuard performed a PCI Readiness Review identifying the complete cardholder environment, prescanned for vulnerabilities, recommended options for correcting deficiencies referenced directly to associated PCI DSS controls and requirements...Virgina Department of Alcholic Beverage Control: The Virginia ABC has more than 350 locations across the Commonwealth of Virginia.Based on the volume of credit card transactions, ABC is required to verify compliance with the PCI DSS annuallywith a Report on Compliance (ROC)...Indiana University: Indiana University is a four‐year public research university serving over 110,000 students and 19,000 employees across eight campuses. The University uses PeopleSoft as the ERP system for the main functional areas of student, financial, and human resources operations...

23 10/20/2017 1:34 PM



Nettitude, Inc. d/b/a Nettitude Online Enterprises Inc. d/b/a Online Business Systems Optiv Security Plante & Moran, PLLC dba Plante MoranSee PDF Pgs. 10 ‐ 11.How many years of experience does Nettitude have performing PCI‐DSS assessments?Nettitude has been performing PCI‐DSS assessments since 2007.2. How many PCI‐DSS assessments did Nettitude complete last year?Nettitude performed 26 formal PCI‐DSS assessments. There are many more including consultativeand other engagements.3. How long has your company been a PCI SSC authorized QSA?Nettitude has been a PCI SSC authorized QSA since 2007.Nettitude has provided Broward County with a case study of a previous PCI project....

(3) Reference Verification Forms included ‐ See PDF Pgs. 311‐315.Estee Lauder Companies: Online performed PCI assessments for three different business units and provided ROCs and AOCs for each. Macy’s Technology: Online provided QSA Services for Macy’s, providing assessment reviews, ROCand AOC reports, and post assessment feedback. Next Jump Inc.: Online has been providing Next Jump advisory and assessment services in the context of PCI Data Security Standards since 2013.


Reference Verification Forms included. ‐ See PDF Pgs. 66 ‐ 68Examples ‐ See PDF Pgs. 13 ‐ 15

24 10/20/2017 1:34 PM




Reference Verification Forms included. See PDF Pg. 19PCI DSS is a core competency of our cyber security consulting team. Presidio provides the following three references for which we have provided similar solutions to Category 1 – PCI DSS:� U.S Naval Academy Alumni Association & Foundation� Dayton’s Children Hospital� Broward HealthcarePresidio uploads these customer references on the required Vendor Verification Form, in a separate file.

The best measure of client satisfaction can only come from our clients. As requested, we present below references from other clients where we have performed comparable work. To respect the availability and cooperation of our clients, and to help ensure a prompt reception of your contact, please advise Alexandra M. Lorie at +1 305 742 7117, of your intent to contact them. She will arrange the calls at your convenience, while helping to ensure these references’ availability. In addition to the references listed below, we are prepared to provide additional client references to help ensure that you are comfortable withthe experience and levels of client service our team is accustomed to delivering.Prince William County, VirginiaMarch 2015 ‐ May 2015RSM completed an evaluation of the Payment Card Industry (PCI) compliance program at PWC.City of Sacramento April 2013 ‐ PresentRSM conducts the City’s annual PCI report on compliance assessment and penetration testing.Kansas Turnpike AuthorityApril 2017 ‐ May 2017Annual assessment of PCI compliance along with Attestation of Compliance (ACC), recommendations for strengthening PCI compliance for future years.

Verizon has highly relevant customers who can provide information on the work we have done and the quality of our relationship with their organizations. Due to the number of requests Verizon receives for recommendations from these customers, it is our policy to provide contact information only when we are under serious consideration for a contract award. In addition, Verizon’s corporate nondisclosure policies – combined with the sensitive nature of our customers’ business – require that certain agreements be in place before we can release sensitive customer data. In order to protect the interests and confidentiality of our customers, and at the request of our customers, we prefer to facilitate references calls and/or visits at a mutually convenient time for all. It is standard policy of Verizon to not publish reference lists due, in large part, to Non‐Disclosure Agreements between Verizon and its customers.

25 10/20/2017 1:34 PM



Solution Provider: Trustwaveb. Provide evidence of similar work related to services identified in this Category.

See Reference Verification Form PDF Pg. 124, 128, 132.See PDF Pg. 142.1st Secure IT has been a Qualified Security Assessor Company since 2010 and hasperformed has performed hundreds of PCI DSS audit. 1st Secure IT, LLC is a Payment Card Industry Qualified Security Assessor Company (PCI‐QSA) certified and authorized to perform PCI DSS and PCI PIN audits it the United States and Latin America. We are headquartered in Coral Springs, FL and focus on compliance services and solutions related to regulations such as PCI, HIPAA, EI3PA, and SOC2. We specialize in and are focused on delivering industry standards compliance and fraud prevention services.SAMPLE LIST OF CLIENTS1st Secure IT, LLC has done well over 100 Reports of Compliance (ROC) in the last 12 months. The followingis a sample set of clients for whom 1st Secure IT, LLC has performed compliance/security engagements:Sample clients in USA1. Luihn Foods ‐ (Refer to Vendor Reference Verification Form)2. FPN ‐ (Refer to Vendor Reference Verification Form)3. Sedano’s Supermarket ‐ (Refer to Vendor Reference Verification Form)4. Great Health Works5. Softheon,Inc Amwest Venture Corp6. Apartment Owners Association of California, Inc.7. Bagshaw Enterprises8. BKK Management Co (Yakima)9. Burger Florida Group10. Century Fast Foods, Inc.

See Forensic Report PDF Pgs. 147‐178, 223‐301 See References.

4. Workload of the Firm:List all completed and active projects that Vendor has managed within the past five years. In addition, list all projected projects that Vendor will be working on in the near future. Projected projects will be defined as a project(s) that Vendor is awarded a contract but the Notice to Proceed has not been issued. Identify any projects that Vendor worked on concurrently. Describe Vendor’s approach in managing these projects. Were there or will there be any challenges for any of the listed projects? If so, describe how Vendor dealt or will deal with the projects’ challenges.

See PDF Pgs. 143 ‐ 144.1st Secure IT, LLC is a QSA company for the PCI SSC. Our core competencies are within the PCI and Penetration Testing arena. Over 90% of our revenue derives from direct PCI related work. PCI relatedwork includes:� PCI DSS Scoping Reviews� PCI DSS Reports on Compliance� PCI Self‐Assessment Questionnaire assistance� Penetration Testing – for PCI Compliance� IT Security Consultation Projects for PCI ComplianceApproximately, 10% of our revenue is generated from projects outside of PCI, but are synergistic to ITSecurity. These projects include:� Fraud Prevention Consultation� Visa Global Risk Assessments� PIN Security� Non‐PCI related Penetration Testing� General IT Security Consulting....

CONFIDENTIAL




See PDF Pg. 16As a private firm, we do not go into specific details, but we can say we do about 4000 pen tests a year and about 850 RoCs ‐ but also have the most QSAs and Pen Testers than any other competitor – over 100 in each case. We are busy, but have sufficient resources to cover all of our engagements.

26 10/20/2017 1:34 PM


Licensing Matrixb. Provide evidence of similar work related to services identified in this Category.


Crowe Horwath LLP Enterprise Risk Management, Inc. Focal Point Data Risk LLCSee PDF Pgs. 34 ‐ 37.Client Experience 1A team of Crowe QSAs and SMEs helped a Fortune 100 company identify the scope of the environment subject to PCI DSS and help the company achieve PCI DSS compliance. The project scope included the company’s retail operations in 15 countries with various in‐store network configurations. Over the course of the relationship, Crowe has consulted with the client on a variety of information security and compliance issues including virtualization, tokenization, point‐to‐point encryption, and network segmentation including tools such as VMWare, Lumigent, Q1Radar, and DLP. The companies environment included various operating systems types including Stratus VOS, AIX, HP‐UX, CentOS,Red Hat, and Windows. The assessment also covered the review of various databases including DB2, Informix, Oracle, and SQL. The scope of the assessment required Crowe to review various applicationsThe result has been an ongoing relationship in which Crowe has helped the client reduce scope, create repeatable processes and controls, and maintain compliance for over six years.Client Experience 2Crowe performed a scoping and gap analysis for a global payment processor that had recently acquired a new business subject to PCI DSS. The company was using a custom developed application that wasusing an Oracle back end for card storage and processing. Crowe helped the client prioritze gaps in compliance and developed a roadmap for the client to achieve compliance. The end result was a compliant, first year Report on Compliance that was delivered to the card brands on time.Client Experience 3A team of Crowe QSAs and SMEs performed a scoping and gap analysis for a cloud services provider. Crowe helped the company minimize scope subject to PCI DSS and helped the client prioritize its remediation efforts......

(4) Reference Verification Forms included for this Category ‐ PDF Pg. 28ERM’s evidence of similar work is provided by the references above.

See PDF Pgs. 16 ‐ 18Ace Hardware 2016 – Current PCI Compliance Risk Assessment

Beall’s 2005 – Current Approved Scanning Vendor (ASV) TestingAnnual PCI QSA AuditIncident ResponseIT Audit AssistanceOngoing PCI & Security Trusted Advisory AssistancePenetration TestingPCI Gap Analysis and Compliance RoadmapPCI Infrastructure and Architecture AssistanceSecurity TrainingSocial Engineering

Borgata Hotel and Casino 2009 – CurrentApproved Scanning Vendor (ASV) TestingOngoing PCI Trusted Advisory AssistanceAnnual Penetration Testing

Bright House Networks(Charter Communications) 2014 – Current Annual PCI QSA AuditPCI Gap Analysis and Compliance Roadmap

........

See PDF Pg. 38Over the past 5 years, Crowe has had over 16,000 clients, of which over 1,200 were government clients. Crowe currently has 871 government clients, with 32 in the Florida area. Crowe is well positioned to provide quality service to Broward County in a timely fashion. Crowe has a sophisticated Centralized Resource Management function that is responsible for ensuring that Broward County’s needs are met with the experienced and trained staff from our local offices, and if needed, from across our firm. We realize that resource management is a crucial element to consistently providing top quality service to Broward County, and all of our clients.

See PDF Pg. 29ERM has completed approximately 50 PCI projects during the past 5 years and estimates it will becomplete at least 2 per month through the remainder of 2017.ERM is able to manage several projects simultaneously based on our efficient project managementapproach. We have not experienced any challenges to complete these projects, nor do we expect toexperience challenges completed projects for the client.a. Past Five YearsDue to client confidentiality, ERM will provide project information by industry type.• Banking & Financial Services (7)• Credit Card Processing (7)• Federal Government (2)• Hospitality (2)• Insurance (2)• Local, City, State Government (4)• Real Estate (1)• Retail (2)• Other (15)......

See PDF Pg. 19Focal Point has completed hundreds of PCI assessments over its 12 years of providing securityand compliance services. Our PCI team completes around 75 projects annually for companiesacross every industry. We complete all of our projects concurrently with other projects, so theadded workload that this project presents is not an issue for our firm.As of now, our PCI team is engaged in 20 projects that include PCI DSS 3.2 assessments, gapanalyses, and trusted advisory. We do not anticipate these other projects limiting us fromproviding the County with the highest level of service.

27 10/20/2017 1:34 PM





See "Broward Security Services 2017" See PDF Pg. 8Marcum has several clients that are required to comply with PCI DSS, and Marcum provides guidance on PCI matters frequently. This includes involvement with our clients SAQ and ROC reports.

Page 497 University of Virginia: The University of Virginia is a four‐year, public university with an enrollment of over 23,000 students. CampusGuard performed a PCI Readiness Review identifying the complete cardholder environment, prescanned for vulnerabilities, recommended options for correcting deficiencies referenced directly to associated PCI DSS controls and requirements...Virgina Department of Alcholic Beverage Control: The Virginia ABC has more than 350 locations across the Commonwealth of Virginia.Based on the volume of credit card transactions, ABC is required to verify compliance with the PCI DSS annuallywith a Report on Compliance (ROC)...Indiana University: Indiana University is a four‐year public research university serving over 110,000 students and 19,000 employees across eight campuses. The University uses PeopleSoft as the ERP system for the main functional areas of student, financial, and human resources operations...

Foresite has over 600 active projects and current has a client base of over 2000 companies. Foresite has over 8 million US dollars currently in the 6 month sales pipe. The request can certainly be discussed but would not seem logical to address at the level you are requesting.

See PDF Pg. 9We were formally engaged to conduct procedures related to Eastern Account Systems, Inc. compliance with PCI. There were no challenges noted. Refer to Vendor Reference verification form for more information. In addition, Marcum has several clients that are required to comply with PCI DSS, and Marcum provides guidance on PCI matters frequently. This includes involvement with our clients SAQ and ROC reports.

See PDF Pgs 499 ‐ 500.With over 140 Readiness Reviews done between 2012 and today, CampusGuard is well versed in managing projects for multi campus environments with multiple methods of accepting credit cards. A small example of clients over the past five years who have had Readiness Reviews (Gap Analysis) and Annual SupportAgreements is listed below, if more projects are needed to help identify the capabilities that CampusGuard can provide, they will be made available.

28 10/20/2017 1:34 PM




Nettitude, Inc. d/b/a Nettitude Online Enterprises Inc. d/b/a Online Business Systems Optiv Security Plante & Moran, PLLC dba Plante MoranSee PDF Pgs. 10 ‐ 11.How many years of experience does Nettitude have performing PCI‐DSS assessments?Nettitude has been performing PCI‐DSS assessments since 2007.2. How many PCI‐DSS assessments did Nettitude complete last year?Nettitude performed 26 formal PCI‐DSS assessments. There are many more including consultativeand other engagements.3. How long has your company been a PCI SSC authorized QSA?Nettitude has been a PCI SSC authorized QSA since 2007.Nettitude has provided Broward County with a case study of a previous PCI project....

See PDF Pgs. 11 & Appendix B (PDF Pgs. 21 ‐ 249)Online is pleased to include a Sample Report for a PCI engagement as evidence of our PCI services.


Reference Verification Forms included. ‐ See PDF Pgs. 66 ‐ 69

See PDF Pgs. 10 ‐ 11.How many years of experience does Nettitude have performing PCI‐DSS assessments?Nettitude has been performing PCI‐DSS assessments since 2007.2. How many PCI‐DSS assessments did Nettitude complete last year?Nettitude performed 26 formal PCI‐DSS assessments. There are many more including consultativeand other engagements.3. How long has your company been a PCI SSC authorized QSA?Nettitude has been a PCI SSC authorized QSA since 2007.Nettitude has provided Broward County with a case study of a previous PCI project....

See PDF Pg. 11Online’s Risk, Security, and Privacy consulting practice has over 100 clients and delivers well over 200 engagements annually. To protect the privacy of our clients, we cannot divulge client names, but we can guarantee that our team can meet any project deadlines that Broward County establishes. Our 98% customer retention rate speaks volumes of our ability to meet our clients’ needs while delivering high quality services. Our dedication to the customer experience combined with our strong team bond (there are rare all‐hands‐on‐deck moments) help us ensure that we deliver engagements on time. The Risk, Security, and Privacy practice has never missed an engagement deadline. Online spends a great deal of time reviewing our workloads and our forecast pipeline so that we work the fine balance of not having too many consultants on the bench but also not overloading our consultants. We ensure that we always have a handful of qualified recruits in our hiring queue for when we hit growth spurts.


Our team of 40+ cybersecurity consultants has completed projects for hundreds of organizations over the past five years. In addition, our team uses multiple firm wide project management tools to assistwith working with dozens of clients each week. Should an unexpected conflict occur while working with the County, the County will be given priority as necessary.

29 10/20/2017 1:34 PM





Reference Verification Forms included. See PDF Pg. 19PCI DSS is a core competency of our cyber security consulting team. Presidio provides the following three references for which we have provided similar solutions to Category 1 – PCI DSS:� U.S Naval Academy Alumni Association & Foundation� Dayton’s Children Hospital� Broward HealthcarePresidio uploads these customer references on the required Vendor Verification Form, in a separate file.

The best measure of client satisfaction can only come from our clients. As requested, we present below references from other clients where we have performed comparable work. To respect the availability and cooperation of our clients, and to help ensure a prompt reception of your contact, please advise Alexandra M. Lorie at +1 305 742 7117, of your intent to contact them. She will arrange the calls at your convenience, while helping to ensure these references’ availability. In addition to the references listed below, we are prepared to provide additional client references to help ensure that you are comfortable withthe experience and levels of client service our team is accustomed to delivering.Prince William County, VirginiaMarch 2015 ‐ May 2015RSM completed an evaluation of the Payment Card Industry (PCI) compliance program at PWC.City of Sacramento April 2013 ‐ PresentRSM conducts the City’s annual PCI report on compliance assessment and penetration testing.Kansas Turnpike AuthorityApril 2017 ‐ May 2017Annual assessment of PCI compliance along with Attestation of Compliance (ACC), recommendations for strengthening PCI compliance for future years.

Sample reports embeded in response but unable to open the documents.

The Presidio Cyber team averages 70 concurrent projects at any one time. Our project managers ensure that we have resources allocated for the projects. Our project sizes range from $8,000 to $1.6M. We monitor and manage the workload monthly and make decisions on whether we need to add additional security consultants to the team.

RSM maintains confidentiality agreements with many of our clients. For this reason, we cannot name them in proposals or marketing collateral without express permission. However, in the Past Performance section above, we provide references from clients who can discuss our work with them on issues relevant to your operations. If we are engaged by the County, you will be a priority for our firm and to each member of your engagement team. Our workload fluctuates based on a number of factors, including timing and currently pending engagements. Regardless, our firm has excelled at managing its human resources so that our workload never surpasses the ability of our assigned teams to devote the time and attention necessary to add value to our clients’ organizations. Our ability to manage our workload is evidenced by relatively lowturnover rates and is supported by clients’ opinions of our service. The engagement team along with County management will design a plan that will ensure expectations are met along with responsive and timely delivery of services as required by the County. The engagement in‐charge and staff will be solely dedicated to the County from start to finish for the audit. We believe this to be a team effort so that all team members understand their roles, expectations, deliverables, andtimelines. We do not anticipate any scenario under which we will have difficulty completing the requested work.

Verizon performs around 1100 QSA assessments each year as well as investigating 100 cases per year for payment card related incidents. Verizon is continuously working multiple projects concurrently and has the people, process and technology to ensure all active projects are meeting the milestones defined on the project scope. We do not anticipate any challenges; however, should issues arise we have a well‐defined process for identifying the root cause and developing a remediation plan.

30 10/20/2017 1:34 PM



Solution Provider: TrustwaveVENDOR QUESTIONNAIRE FORMVerify that these questions are the same as in the advertised solicitation:1. Legal business name. 1ST SECURE IT LLC AT&T Corp Carahsoft Technology Corporation

2. Doing Business As/ Fictitious Name (if applicable): N/A

3. Federal Employer I.D. Number. 27‐1776302 13‐4924710 5221896934. Dun & Bradstreet Number. (If applicable). N/A 00‐698‐0080 08‐83657675. Website address (if applicable). https://www.1stsecureit.com/en/ www.att.com www.carahsoft.com6. Principal place of business. 6810 Lyons Technology Circle, Suite 190

Coconut Creek, FL 33073One AT&T Way, Bedminster, NJ 07921 1860 Michael Faraday Drive, Suite 100

Reston, VA 20190

7. Office Location for this project. 6810 Lyons Technology Circle, Suite 190, Coconut Creek, FL 33073 2002 NW 64th St., Ft. Lauderdale, FL 33309 1860 Michael Faraday Drive, Suite 100Reston, VA 20190

8. Telephone/Fax Number: Telephone no.:(954) 613‐0515 Fax no.:(866) 735‐3369 Telephone no.:305‐913‐3887 Fax no.: Telephone no.:703.871.8500 Fax no.:703.871.85059. Type of Business LLC Corporation; New York Corporation; Maryland10. List Florida Registration Number. L10000009297 84582211. List name and title of each principal, owner, officer and major shareholder.

a) Dewsnap, Stephenb) Espana, Albertoc) Akins, Markd) Rodrigues, Abelardoe) Finizio, Stephenf) Dewsnap, Edward

a. Thadeus Arroyo, President and CEO AT&T, 208 S. Akard St., Dallas, TX 75202b. Anne Chow, President‐Integrator Solutions, AT&T, 208 S. Akard St., Suite 3514, Dallas, TX 75202c. Frank Jules, President ‐ Global Business AT&T, 208 S. Akard St., Suite 3509, Dallas, TX 75202d. Cathy Martine‐Dolecki, President ‐ Natl Bus AT&T, 1 AT&T Way, Bedminster, NJ 07921e. Delores McCarty, Assistant Secretary AT&T, 675 W Peachtree St, NW, Atlanta, GA 30308f. George B. Goeke, CFO and Treasurer AT&T, 208 S. Akard St., Suite 1824, Dallas, TX 75202AT&T is a publicly held corporation. No single person owns more than 10% of the company. It is an independent, publicly traded telecommunications services provider.The names and titles of the AT&T Inc. officers are• Randall Stephenson—Chairman and Chief Executive Officer (CEO)• William Blase—Senior Executive Vice President, Human Resources• James Cicconi—Senior Executive Vice President, External and Legislative Affairs• Ralph de la Vega—President and Chief Executive Officer (CEO), AT&T Mobile andBusiness Solutions• John Donovan—Senior Executive Vice President, AT&T Technology andOperations and Corporate Strategy• Jose Gutierrez—Senior Vice President, Executive Operations• David Huntley—Chief Compliance Officer• Lori Lee—Senior Executive Vice President and Global Marketing Officer• John Stankey—CEO, AT&T Entertainment and Internet Services• John Stephens—Sr. Executive Vice President and Chief Financial Officer (CFO);Corporate Development

d d l l

a) Craig P. Abod ‐ Presidentb) Robert Moore ‐ Vice Presidentc) Jillian Szczepanek ‐ Controllerd) Jennifer Taha ‐ Proposals Director

31 10/20/2017 1:34 PM


Licensing MatrixVENDOR QUESTIONNAIRE FORMVerify that these questions are the same as in the advertised solicitation:1. Legal business name.

2. Doing Business As/ Fictitious Name (if applicable):

3. Federal Employer I.D. Number.4. Dun & Bradstreet Number. (If applicable).5. Website address (if applicable).6. Principal place of business.

7. Office Location for this project.

8. Telephone/Fax Number:9. Type of Business10. List Florida Registration Number.11. List name and title of each principal, owner, officer and major shareholder.

Crowe Horwath LLP Enterprise Risk Management, Inc. Focal Point Data Risk LLC

Crowe Horwath LLP Enterprise Risk Management, Inc. Focal Point Data Risk, LLC

Not applicable

35‐0921680 65‐0827427 61‐1805201787324008 610144201 08‐0541660www.crowehorwath.com www.emrisk.com www.focal‐point.com225 West Wacker Drive, Suite 2600Chicago, Illinois 60606‐1224

800 S. Douglas Road, Suite 940 North Tower, Coral Gables, FL 33134 201 E Kennedy Blvd, Suite 1750Tampa, FL 33602

401 East Las Olas Boulevard, Suite 1100Fort Lauderdale, Florida 33301‐4230

800 S. Douglas Road, Suite 940 North Tower, Coral Gables, FL33134

We will utilize both our Tampa location and our BrowardCounty location for this project.Our Broward County address is 1601 Sawgrass Corp. Pkwy., Suite 130, Sunrise, FL 33323

Telephone no.:954.202.8600 Fax no.:954.202.8639 Telephone no.:305‐447‐6750 Fax no.:305‐447‐6752 Telephone no.:(813) 402‐1208 Fax no.:813‐436‐5283Limited Liability Partnership Corporation; Florida LLCGP0800003826 M16000008367a) James Powers, CEOb) Joseph Santucci, COOc) Todd Welu, CFOd) Crowe Horwath LLP is a limited liability partnership with more than 275 partners/principals. If required, we will provide a complete listing of the partner/principals. The names and titles of the firm's leadership is available at www.crowehorwath.com/leadership.

a) Silka Gonzalez ‐ Presidentb) Michelle Miller ‐ COOc) Esteban Farao ‐ Director of Consulting Services

a) Andrew Cannata ‐ Principal, Cyber Securityb) Christie Verscharen ‐ Principal, PCI and Risk Servicesc) Eric Dieterich ‐ Principal, Data Privacy

32 10/20/2017 1:34 PM








Foresite MSP LLC Marcum LLP

5820 Solutions, LLC

CampusGuard

38‐3916369 111986323 203756873968051180 134960447

www.foresite.com www.marcumllp.com www.campusguard.com

E Windsor Ct451 East Las Olas Boulevard, Ninth FloorFort Lauderdale, FL 33301

121 S.13th Street, STE 201Lincoln NE 68508

New York451 East Las Olas Boulevard, Ninth FloorFort Lauderdale, FL 33301


800‐940‐4699 954‐320‐8000 Fax no.:954‐320‐8001 419‐873‐7016 Fax no.:972‐867‐4861LLC Limited Partnership Limited Liability Company ‐ LLC

LLP090003311Robin Mano ‐ CEOGeorge Farris ‐ Board MemberDavid Cohen ‐ Board MemberGary Fish ‐ Board Member

a) Michael Balter, Regional Managing Partnerb) Mark Agulnik, Partnerc) David Appel, Partnerd) Shaun Blogg, Partnere) Ilyssa Blum, Partner f) Marc Breslow, Partnerg) Michael Curto, Partner h) Adam Firestein, Partneri) Michael Futterman, Partner j) John Gabriel, Partner k) Cecelia Garber, Partner l) Kim Lamplough, Partner m) Michele Lipson, Partnern) Michael Novak, PartnerMarcum LLP is managed by more than 140 partners around the country. Below isa list of partners from our local Florida offices. A complete list of partners around the country is available at www.marcumllp.com/people‐search.

a) Harvey Gannon ‐ CEOb) Ronald E. King ‐ President

33 10/20/2017 1:34 PM








Netitude, Inc. Online Enterprises Inc. Optiv Security Plante & Moran, PLLC

Netitude Online Business Systems Optiv, Optiv Security Plante Moran

36‐4694227 41‐180 5060 43‐1806449 381357951968240825 08‐6535676 01‐946‐6684 004913299www.Nettitude.com www.obsglobal.com optiv.com plantmoran.com85 Broad Street, New York NY 10004 US Headquarters: 7760 France Ave. S., Minneapolis, MN 55435 USA

Canadian Headquarters: 200‐115 Bannatyne Avenue, Winnipeg, MB Canada R3B 0R3

1125 17th St., Suite 1700Denver, CO 80202‐2032

27400 Northwestern HwySouthield, MI 48037

85 Broad Street, New York NY 10004 000 Kruse Way Place, Bldg 1 Suite 360Lake Oswego, OR 97035

N/A Southfield, MI

Telephone no.:646‐795‐1881 Fax no.: Telephone no.:866.884.0304 Fax no.:503.224.5962 Telephone no.:(303) 298‐0600 Fax no.:(303) 298‐0868 Tel:248‐223‐3428 Fax no.:248‐603‐5997Corporation; S Corporation; Minneapolis Corporation; Delaware Limited Partnership

In Progress M11000002358a) Rowland Johnsonb) Ben Denshamc) Martin Wattsd) Mitchell Titley

a) Chuck Loewen (Founder, Owner & CEO)b) Tim Siemens (CTO)c) Lynne Black (CFO)

a) Dan Burns ‐ CEOb) David Roshak ‐ CFOc) Nate Brady ‐ CAOd) Veena Bricker ‐ CHRO

a) James Proppe, Managing Partnerb) Dnnis Graham, Group Managing Partnerc) Frank Audia, CIOd) Beth Bialy, Government Industry Group Leader

34 10/20/2017 1:34 PM








Presidio RSM US LLP Verizon Business Network Services Inc. on behalf of MCI Communications Services Inc.

d/b/a/ Verizon Business Services (VerizonBusiness or Verizon)

58‐1667655 FEIN‐42‐0714325 13‐274589215‐405‐0959 73482424 556565836www.presidio.com www.rsmus.com www.verizonenterprise.com12120 Sunset HIlls Rd, Sutie 202Reston, Va 20190

100 NE Third Ave, Suite, Fort Lauderdale, FL 33301 OneVerizon Way, Basking Ridge NJ 07920

3250 W. Commercial BlvdFort Lauderdale, Fl 33309

Fort Lauderdale Tampa, FL

305‐606‐2835 954‐462‐6351 no.:(813) 520‐9786 Fax no.:813‐978‐6751LLC Limited Partnership Corporation; DelawareL15000111335 ADP004384 829591Regarding principals, owners, etc., not applicable. Presidio is a publicly owned company.

please see: http://www.verizon.com/about/investors/corporate‐governance MCI Communications Services Inc. (100% Shareholder)

35 10/20/2017 1:34 PM



Solution Provider: Trustwave12. Authorized contacts for your firm. Name: STEPHEN M DEWSNAP

Title: Managing PartnerE‐mail: [email protected] No.: 866‐735‐3369 x110Name: MARK AKINSTitle: Managing PartnerE‐mail: [email protected] No.: 866‐735‐3369 x120

Name: Dwayne StaffordTitle: Strategic Account LeadE‐mail: [email protected] No.: 786‐479‐4113Name: Esther MartinTitle: Strategic Account LeadE‐mail: [email protected] No.: 305‐582‐9541

Name: Aaron GianniniTitle: Account RepresentativeE‐mail: [email protected] No.: 703.889.9848Name: Jennifer TahaTitle: Proposals DirectorE‐mail: [email protected] No.: 703.871.8556

13. Has your firm, its principals, officers or predecessor organization(s) been debarred orsuspended by any government entity within the last three years? If yes, specify detailsin an attached written response.

No No No

14. Has your firm, its principals, officers or predecessor organization(s) ever been debarred or suspended by any government entity? If yes, specify details in an attachedwritten response, including the reinstatement date, if granted.

No No No

15. Has your firm ever failed to complete any services and/or delivery of products duringthe last three (3) years? If yes, specify details in an attached written response.

No We are unaware of any work completion issues that would impair our ability to meet our obligations under any contract. AT&T is a large company with an international presence and significant contractual relations. Given the size and scope of our business, we from time to time over our history have been involved in occasional alleged contract performance claims and legal actions. However, AT&T is a well‐capitalized company with assets in excess of any outstanding claims or lawsuits. As such, we are unaware of any contact performance claim or legal action that would preclude or impair our abilityto meet our obligations or perform our duties under any contract. We serve millions of customers around the globe, and we'll work hard to honor our promises.

No

36 10/20/2017 1:34 PM


Licensing Matrix12. Authorized contacts for your firm.




Crowe Horwath LLP Enterprise Risk Management, Inc. Focal Point Data Risk LLCName: Craig SullivanTitle: PartnerE‐mail: [email protected] No.: 574.236.7618

Name: Silka GonzalezTitle: PresidentE‐mail: [email protected] No.: 305‐447‐6750Name: Michelle MillerTitle: COOE‐mail: [email protected] No.: 305‐447‐6750

Name: Andrew CannataTitle: Principal, Cyber SecurityE‐mail: acannata@focal‐point.comTelephone No.: (813) 731‐9074Name: Eric DieterichTitle: Principal, Data PrivacyE‐mail: edieterich@focal‐point.comTelephone No.: (786) 390‐1490

No No No

No No No

Yes, Like all large professional service firms, Crowe is, from time to time, subject to contract disputes or issues where contracts may be terminated for a variety of reasons, including without limitation lack of client funding, disputes over the scope of the work, or payment disputes. Through active management and communication with our clients, Crowe is usually successful in anticipating such areas and working with the client to mitigate these issues.

No No

37 10/20/2017 1:34 PM







Jason LeducVP Cyber Security [email protected]‐674‐0871

John [email protected]‐940‐4699 ext 227

Name: Mark AgulnikTitle: PartnerE‐mail: [email protected] No.: 954‐320‐8000, Ext. 38013Name: Jose AntiguaTitle: Senior ManagerE‐mail: [email protected] No.: 954‐320‐800, 38054

Name: Andy GrantTitle: Director, National Business DevelopmentE‐mail: [email protected] No.: 419‐873‐7016Name: Ron KingTitle: PresidentE‐mail: [email protected] No.: 972‐964‐8884

No No No

No No No

No No No

38 10/20/2017 1:34 PM






Nettitude, Inc. d/b/a Nettitude Online Enterprises Inc. d/b/a Online Business Systems Optiv Security Plante & Moran, PLLC dba Plante MoranName: Miles CornTitle: Head of Bid ManagementE‐mail: [email protected] No.: 646‐795‐1881Name: Karen BoltonTitle: EVP & Leader North AmericaE‐mail: [email protected] No.: 646‐795‐1898

Name: Steve LevinsonTitle: Vice President, Risk, Security & PrivacyE‐mail: [email protected] No.: 619.701.8614

Name: Doug HartTitle: Client ManagerE‐mail: [email protected] No.: 305‐972‐8137Name: Michael MangraTitle: Solutions ArchitectsE‐mail: [email protected] No.: 561‐670‐1536

Name: Raj PatelTitle: PartnerE‐mail: [email protected] No.: 248‐223‐3428Name: Scott EilerTitle: PartnerE‐mail: [email protected] No.: 248‐223‐3447

No No No No

No No No No

No No No No

39 10/20/2017 1:34 PM







Name: Jill FinkelsteinTitle: Business Development ManagerE‐mail: [email protected] No.: 305‐606‐2835Name: Ralph GentileTitle: Sales LeadE‐mail: [email protected] No.: 954‐817‐0690

Jason AlexanderPrincipal786‐239‐4279

Name: Frank ParraTitle: Sr. Client ExecutiveE‐mail: [email protected] No.: (813) 520‐9786

No No No

No No No

No No No

40 10/20/2017 1:34 PM



Solution Provider: Trustwave16. Is your firm or any of its principals or officers currently principals or officers of another organization? If yes, specify details in an attached written response.

Yes.Dewsnap, Stephen• Microliance, LLC – Partner• Interlink Commerce, LLC – PartnerEspana, Alberto• Payment Power, Inc.Finizio, Stephen• Advantage Networking ‐ Owner• Advantage Web Consulting ‐ Owner• Tend Skin Store ‐ PartnerDewsnap, Edward• Microliance, LLC – Partner• Interlink Commerce, LLC ‐ Partner

Yes No

17. Have any voluntary or involuntary bankruptcy petitions been filed by or against your firm, its parent or subsidiaries or predecessor organizations during the last three years? If yes, specify details in an attached written response.

No No No

18. Has your firm’s surety ever intervened to assist in the completion of a contract or havePerformance and/or Payment Bond claims been made to your firm or its predecessor’s sureties during the last three years? If yes, specify details in an attached written response, including contact information for owner and surety.

No No No

19. Has your firm ever failed to complete any work awarded to you, services and/ordelivery of products during the last three (3) years? If yes, specify details in anattached written response.

No We are unaware of any work completion issues that would impair our ability to meet our obligations under any contract. AT&T is a large company with an international presence and significant contractual relations. Given the size and scope of our business,we from time to time over our history have been involved in occasional alleged contract performance claims and legal actions. However, AT&T is a well‐capitalized company with assets in excess of any outstanding claims or lawsuits. As such, we are unaware of any contact performance claim or legal action that would preclude or impair our ability to meet our obligations or perform our duties under any contract. We serve millions of customers around the globe, and we'll work hard to honor our promises.

No

41 10/20/2017 1:34 PM


Licensing Matrix16. Is your firm or any of its principals or officers currently principals or officers of another organization? If yes, specify details in an attached written response.




Crowe Horwath LLP Enterprise Risk Management, Inc. Focal Point Data Risk LLCNo No No

No No No

No No No

Yes, Like all large professional service firms, Crowe is, from time to time, subject to contract disputes or issues where contracts may be terminated for a variety of reasons, including without limitation lack of client funding, disputes over the scope of the work, or payment disputes. Through active management and communication with our clients, Crowe is usually successful in anticipating such areas and working with the client to mitigate these issues.

No No

42 10/20/2017 1:34 PM







Principal invests in multiple businessesp // p / / g p

Marcum Group is an organization providing a comprehensive range of professional services spanning accounting and advisory, technology solutions, wealth management and executive and professional recruiting. MARCUM LLPMarcum LLP is one of the largest independent public accounting and advisory services firms in the nation, with offices in major business markets throughout the U.S., Grand Cayman and China. MARCUM FINANCIAL SERVICESMarcum Financial Services was founded in late 2009 by combining the expertise of several professionals and firms with extensive investment, financial and business experiences. MARCUM SEARCHMarcum Search LLC offers professional recruiting services. Our recruiters recognize the importance of working closely with companies and prospective candidates to ensure the perfect match. MARCUM TECHNOLOGYMarcum Technology LLC is a full‐service integrated solutions vendor (ISV) specializing in data storage, disaster recovery, network infrastructure, IT staffing and managed services. MARCUM BERNSTEIN & PINCHUKMarcum Bernstein & Pinchuk is an independent public accounting firm. We provide a full range of audit and assurance, tax and transaction advisory services for clients in a variety of industries.MARCUM RBK (IRELAND) LIMITEDMarcum RBK is a service center for current and future hedge fund and private equity fund clients of the Marcum Alternative Investment Group.

No

No No No

No No No

No Our firm enters in to Engagement letters with clients that allow for cessation of work and/or termination by either party in certain circumstances.

No

43 10/20/2017 1:34 PM






Nettitude, Inc. d/b/a Nettitude Online Enterprises Inc. d/b/a Online Business Systems Optiv Security Plante & Moran, PLLC dba Plante MoranNo No No No

No No No No

No No No No

No No No No

44 10/20/2017 1:34 PM







No No No

No No No

No No No

No No No

45 10/20/2017 1:34 PM



Solution Provider: Trustwave20. Has your firm ever been terminated from a contract within the last three years? If yes,specify details in an attached written response.

No Except for material matters that AT&T discloses in filings with the Securities and Exchange Commission or otherwise discloses in response to subpoenas or other valid court orders, AT&T is legally and contractually prohibited from disclosing information to third parties about contractual matters. Also, due to the size and scale of AT&T’s operations, as a practical matter, AT&T cannot state with absolute certainty whether AT&T has defaulted under a contract. Notwithstanding the legal and practical restrictions that limit AT&T’s ability to disclose specific contract performance issues, AT&T can assure Customer that AT&T is capable of performing the services requested under this RFP and that AT&T has no history or pattern of performance issues with other customers that would affect AT&T’s ability to perform the services requested by Customer. AT&T reiterates that AT&T is not aware of any circumstances involving performance under another contract which would materially and adversely impact AT&T’s ability to perform services for Customer. Moreover, AT&T is not aware of any circumstance when AT&T was not awarded a bid due to non‐performance concerns about AT&T by the entity sponsoring a particular procurement. AT&T is forced to qualify such assurances to the best of its knowledge due to the scale and scope of AT&T’soperations. AT&T will not be able to provide such assurances with absolute certainty with respect to every contract or bid opportunity in which AT&T has participated.

No

21. Living Wage solicitations only: N/A No N/A

46 10/20/2017 1:34 PM


Licensing Matrix20. Has your firm ever been terminated from a contract within the last three years? If yes,specify details in an attached written response.

21. Living Wage solicitations only:

Crowe Horwath LLP Enterprise Risk Management, Inc. Focal Point Data Risk LLCYes, Like all large professional service firms, Crowe is, from time to time, subject to contract disputes or issues where contracts may be terminated for a variety of reasons, including without limitation lack of client funding, disputes over the scope of the work, or payment disputes. Through active management and communication with our clients, Crowe is usually successful in anticipating such areas and working with the client to mitigate these issues.

No No

N/A N/A

47 10/20/2017 1:34 PM





No Our firm enters in to Engagement letters with clients that allow for cessation of work and/or termination by either party in certain circumstances.

No

N/A N/AN/A

48 10/20/2017 1:34 PM




Nettitude, Inc. d/b/a Nettitude Online Enterprises Inc. d/b/a Online Business Systems Optiv Security Plante & Moran, PLLC dba Plante MoranNo No No No – Plante Moran is not aware of any client terminating a

contract involving the provision of information technology security and compliance services. As one of the country’s largest accounting and consulting firms with thousands of annual engagements, there likely have been instances during the last three years where clients receiving tax or accounting‐related services have elected to use other service providers for their particular needs. Plante Moran’s record of client service and satisfaction is best in class, with 99% of clients indicating they would recommend Plante Moran to others.

N/A N/A N/A N/A

49 10/20/2017 1:34 PM





No No No

N/A N/A N/A

50 10/20/2017 1:34 PM

RFQ A2114499R1 ‐ Broward County IT Security and Compliance ServicesCategory 2 ‐ Health Insurance Portability and Accountability Act (HIPAA) Services

Licensing Matrix ATTPrime: Carahsoft Technology Corp

Solution Provider: Trustwave Crowe Horwath LLP Enterprise Risk Management, Inc.


Provided ‐ PDF Pg. 569 Provided ‐ See Page 47 Provided ‐ See PDF Pg. 9 Provided

AND1.Healthcare Information Security and Privacy Practitioner (HCISPP) on staff and proposed key team member

Not ProvidedRequirement Met




ORCertified Information Systems Security Professional (CISSP) on staff and proposed key team member





ORCertified Information Systems Auditor (CISA) on staff and proposed key team member





Vendor Questionnaire Form Provided Provided Provided Provided

Vendor Security Questionnaire Form Provided ProvidedProvided Provided


FORMS

1 10/20/2017 1:35 PM

RFQ A2114499R1 ‐ Broward CounCategory 2 ‐ Health Insurance Por

Licensing Matrix








FORMS

Focal Point Data Risk LLC Foresite MSP LLC Global Information Intelligence LLCPrime: Marcum LLPSub: 24by7 Security















Provided ProvidedProvided

Provided

2 10/20/2017 1:35 PM


Licensing Matrix








FORMS

MGT of America Consulting, LLC Nettitude, Inc. d/b/a NettitudeOnline Enterprises Inc. d/b/a Online Business

Systems Optiv Security

Provided ‐ See PDF Pg. 23 Provided ‐ See PDF Pg. 42 Provided ‐ See PDF Pg. 309 Provided















3 10/20/2017 1:35 PM


Licensing Matrix








FORMS

Plante & Moran, PLLC dba Plante Moran Presidio RSM US LLP Securance LLC
















4 10/20/2017 1:35 PM


Licensing Matrix








FORMS

SHI International CorpVerizon Business Network Services Inc. d/b/a

Verizon Business Services

Provided Provided




ProvidedRequirement Met


ProvidedRequirement Met

Provided Provided

Provided Provided

5 10/20/2017 1:35 PM




1. Ability of Professional Personnel:a. Describe the qualifications and relevantexperience of the Project Manager and all keystaff that are intended to be assigned to servicesperformed within this category. Include resumesfor the Project Manager and all key staffdescribed particularly with respect to HIPAA’ssecurity regulations.

"CONFIDENTIAL"


See PDF Pg. 16.Trustwave knows the ins and outs of risk. And we want you to understand risk, too. Our Global Compliance and Risk Services team serves as trusted advisors who operate alongside your internal team. Our Global Compliance and Risk Services staff is made up of Qualified Security Assessors (QSAs) and our consultants hold various other industry certifications including CISSP, CISM, and CISA certifications, among others. The team averages more than eight years of experience in IT security, information security as well as extensive compliance, audit and consulting expertise. The Global Compliance and Risk Services team (GCRS) is backed by our SpiderLabs team to keep you ahead of the latest threats and is also sponsored by a Senior Compliance Support Analyst to ensure your project runs smoothly. We will customize your engagement, assess what is unique about your business challenges and scale with your business needs.

See PDF Pgs. 158‐159. Appendix A ‐ Resumes (PDF Pgs. 172‐176). Appendix B ‐ Relevant Certifications (PDF Pgs. 182‐184).Jared Hamilton, CISSP, Senior Manager, 13 years experienceCandice Moschell, CISSP, ManagerAmy Justice, Senior Staff, 10 years experienceMorgan Strobel, Senior Consultant, 5+ years experience

See Resumes PDF Pgs. 35 ‐ 47; Certifications ‐ PDF Pgs. 48 ‐ 50 Silka M. Gonzalez, CPA, CISSP, CISM, CISA, CITP, CRISC, 30+ years experienceEsteban Orlando Farao, CISSP, CISA, CISO, CRISC, CEH, QSA, and PCIP.PCI QSA, 20+ years experienceChristopher Steven Sanchez, Information Security Consultant, Extensive experience completing penetration testingMaria Rogers, CEH, CCFE, Extensive experience in software testing and Digital ForensicsAnimesh Srivastava, Extensive experience competing regulatory compliance assessments

b. List any other relevant Security andCompliance certifications that the ProjectManager and key staff described may have.Include copies of certificates, if applicable.

See PDF Pg. 472 ‐ 473

"CONFIDENTIAL"


See PDF Pg. 16.Please see the representative biographies embedded below, which includes the typical certifications heldby the resources who may be assigned to your project.



EVALUATION CRITERIA

6 10/20/2017 1:35 PM


Licensing Matrix



EVALUATION CRITERIAFocal Point Data Risk LLC Foresite MSP LLC Global Information Intelligence LLC

Prime: Marcum LLPSub: 24by7 Security

See PDF Pg. 60 ‐ *Eric Dieterich – Principal, CISA, CRISC, CIPP/US. Eric is a Principal with Focal Point, leading their national privacy practice.Franchesca Sanabria – Principal, CIPP/US, CISA, HITRUST CCSFP. Franchesca is a Principal at Focal Point in the National Data Privacy Practice. She has over 12 years of experience in governance....Jennifer Martin – Director, CIPP/US. Jennifer has over 15 years of experience working in the compliance and audit industries, including privacy and SOX compliance.Melinda Tijerino – Senior Manager, CIPP/US. Melinda has been involved in executing both audit and compliance assessments (e.g., HIPAA, GLBA, GAPP).Donel Martinez – Senior Manager, CISA, CAMS. Donel Martinez is a Senior Manager in the South Florida office of Focal Point.Catherine Kim – Manager, Esq., CIPP/US, CIPM. Catherine is a HIPAA subject matter expert and has been involved with numerous HIPAA and data privacy related projects.......


See PDF Pg. 7, 76Principal and Senior INFORMATION TECHNOLOGY (IT) SECURITY AND COMPLIANCE SERVICES Expert: Dr. Emmanuel Hooper, PhD, PhD, PhD Information Security and Computing Sciences (Over 30 years of Professional Experience and 25 years of Research, Harvard and Yale Alumnus, Summa Cum Laude, and Oxford Research, etc.)Global Information Intelligence LLC (100% Small Business, Minority, and Women Owned)By President, Dr. Emmanuel Hooper, PhD, PhD, PhD Computing Sciences and Information Security Founder, Consortium for Emerging Technologies‐Harvard, Exemplary Models forFederal, State, Local, Counties, Cities, Private/Public Sectors, Academia & Industry and Global � Conduct intelligent and proactive services within this category based on proven and experience understanding of HIPAA regulations (including HIPAA/HITECH, BAA, OCR, Audit, Breach Notification Enforcement, NIST 800‐66, etc., including activities related to HIPAA compliance.� Examples of specific activities included but not be limited to HIPAA auditing, risk analysis, technical and policy assessments, remediation and consulting.

See PDF Pg. 19For Marcum LLP’s proposed key staff, please see profiles and certificates available in Appendix A.Marcum has partnered with the firm of 24by7Security to help fulfill the services of the engagement, please see profiles and certificates available in Appendix A.

See PDF Pgs. 157 ‐ 158Project Advisor – Andrew Cannata, Principal, CISSP, QSA, CISM, 25+ years experienceChris Sullo – Practice Lead, CISSP, RHCE, RHCT, 20+ yearsPeter Hefley – Senior Manager, GPEN, CISSP, GREM, CISA. Peter has a broad base of experience in systems administration, network security, information warfare, and cryptography.Steve Tornio – Senior Manager, OSCP, CISSP. Steve has been active within the security community for the past 20 yearsAnthony Miller‐Rhodes – Senior Consultant. Anthony has several years of security experience involving penetration testing and software development of offensive and defensivecapabilities.Eric Turner – Senior Consultant, OSCP. Eric is a Senior Consultant with over four years of penetration testing experience and as a general network....Jeremy Archer – Senior Consultant, GCED, OSCP, CCNA, CISSP. Jeremy has over 20 years of information technology and security experience,....Rob Ditmer – Consultant, GPEN, CISSP. Rob has over six years of experience in information technology and security......



See PDF PG. 19For Marcum LLP’s and 24by7Security’s proposed key staff, please see profiles and certificates availablein Appendix A.� Client Service and Engagement Partner:Mark Agulnik, PartnerCPA, CISA, PCI‐QSAMarcum, LLP� Co‐Engagement Lead:Sanjay Deo, Principal Security ConsultantCISSP, HCISPP24By7Security, Inc.� Senior Security Consultant:Michael Brown, Senior Security ConsultantCISSP, HCISPP, CISA, CRISC, CISM, CGEIT24By7Security, Inc.� Senior Security Consultant:Patrick Parker, Senior Security Consultant24By7Security, Inc.

7 10/20/2017 1:35 PM


Licensing Matrix



EVALUATION CRITERIAMGT of America Consulting, LLC Nettitude, Inc. d/b/a Nettitude

Online Enterprises Inc. d/b/a Online Business Systems Optiv Security

See PDF Pgs. 49‐52.Tony Martinez, Project Manager, Project Management, Vulnerability Assessment, Physical Penetration Testing, Network Penetration Testing, Web Application Penetration Testing, Security Auditing, Secure Code Reviews, Disaster Reovery/ Business Continuity Planning, Security Policy DesignSteve Porter, CISSP, GPEN, GWAPT, QSA, CEH, GICSP, GMOB, GCIH, Vulnerability Assessment, Network Penetration Testing, PCI‐DSS Preparation & Remediation, Security Auditing, Database Security, Secure Code Reviews, Firewall Administration, System Hardening and Patching, Disaster Recovery/Business Continuity Planning & Design, Security Policy Design, Log Management Planning, Design, AdministrationHenri St. Louis, CISSP, QSA, GCFE, OPST, Vulnerability Assessment, Network Penetration Testing, PCI‐DSS Preparation & Remediation, Security Auditing, Database Security, Secure Code Reviews, System Hardening and Patching, Disaster Recovery/Business Continuity Planning & Design, Security Policy DesignJJ Maria Giner, GPEN, Vulnerability Assessment, Network Penetration Testing, Web Application Penetration Testing


See PDF Pgs. 6 ‐ 7.Steve Levinson (VP, Risk Security & Privacy Consulting), 25+ years experience, CISSP Adam Kehler, 20+ years expereince, CISSPRob Harvey, Director of Online's Risk, Security & Privacy Consulting Practice, 12+ years experienceGreg High, Principal Consultant, CISSP, CISM, 8+ years experience

See PDF . Pg. 234The security, privacy and business concerns of our clients‐both current and past‐are of the highest priority.As such, we must respectfully decline to provide specific contact names and details for potential references at this stage. However, a number of our clients from recent engagements would be willing to entertain an informal conversation with their peers to discuss their use of the products and services they were provided which we can help facilitate at the appropriate time.



See PDF Pg. 254

Steve Levinson (VP, Risk Security & Privacy Consulting), 25+ years experience, CISSP Adam Kehler, 20+ years expereince, CISSPRob Harvey, Director of Online's Risk, Security & Privacy Consulting Practice, 12+ years experienceGreg High, Principal Consultant, CISSP, CISM, 8+ years experience

See PDF Pgs. 6 ‐ 7. Online’s Risk, Security and Privacy consultants hold certifications such as QSA, CISSP, CCSP, CIPP, CRISC, CISM, PCI QSA, PCI‐P, CEH, and CISA to name only a few.


8 10/20/2017 1:35 PM


Licensing Matrix



EVALUATION CRITERIAPlante & Moran, PLLC dba Plante Moran Presidio RSM US LLP Securance LLC

See PDF Pg. 18 ‐ 19F. Alex Brown, CPA, CHP, Senior Manager, 18+ years experiencePhillip Long, CISA, CIA, CCSFP, CRISC, CRMA, CISM, Principal, Technical Expert / Project AdvisorAlexis Mathers, CISA, CPA, CCSFP, Senior Manager, 7+ years experienceKyle Miller, CISA, QSA, CCSFP, Manager, 9+ years experienceGrant Phillips, Consultant, Experience in information security, internal control and IT audit

Resumes See PDF Pgs 75 ‐ 89.See PDF Pgs. 23The HIPAA and HITECH Acts, coupled with the Meaningful Use guidelines for Electronic Health Records (EHR), are intended toprotect patient confidentiality while enabling and incenting healthcare organizations to pursue initiatives that further innovation and patient care. The combination of rigorous enforcement and financial incentives make it more important than ever to ensure complete and ongoing compliance with allaspects of these regulations.

The most critical element in the successful completion of any engagement of this nature is the personnelassigned to carry out the responsibilities and the depth of resources available to support the County. Thefollowing table describes the qualifications of the proposed team, their roles and the value they will bringto the County. Detailed biographies containing each team member’s formal education and professionalaffiliations, are included in the Team resumes section located in the Appendix of this proposal. Resumes included.Greg Vetter, Principal, Risk Advisory Services, HIPAA Practice Leader, 20+ years experienceCharles Barley, Jr., Director, Risk Advisory Services, IT Security and Privacy Director, 18+ years experienceVictor Carraway, Manager, Risk Advisory Services, IT and HIPAA Audit ManagerRyan Hay, Manager, Security and Privacy Services, IT and HIPAA Audit Manager

Paul Ashe, President and Engagement Manager, CPA, CISA, CISSP, 15+ years experienceChris Bunn, Practice Director and Senior IT Security Consultant, CISA, CHP, 30+ years experienceChris Cook, Senior IT Security Consultant, CISSP, CISA, 20+ years experience

See PDF Pg. 18 ‐ 19F. Alex Brown, CPA, CHP, Senior Manager, 18+ years experiencePhillip Long, CISA, CIA, CCSFP, CRISC, CRMA, CISM, Principal, Technical Expert / Project AdvisorAlexis Mathers, CISA, CPA, CCSFP, Senior Manager, 7+ years experienceKyle Miller, CISA, QSA, CCSFP, Manager, 9+ years experienceGrant Phillips, Consultant, Experience in information security, internal control and IT audit Plante Moran is a Certified HITRUST Assessor organization that uses the HITRUST Common Security Framework, CSF as the baseline for our HIPAA control analysis over security and privacy and as a comprehensive and certifiable security framework used by healthcare organizations and their business associates. In addition to the firm having HITRUST Assessor Certification status, we have four staff members with the Certified CSF Practitioner designation as granted by the HITRUSTAlliance. We believe Plante Moran is the right firm to assist you in performing this assessment.

See PDF Pgs 23 ‐24.Presidio brings Broward County our broad skill set and depth of experience. Our security engineering team is composed of Certified Information System Security Professionals (CISSPs), Certification and Accreditation Professionals (CAPs), InfoSec Assessment Methodology (IAM) professionals, Certified Ethical Hackers (CEHs), and Certified Information Security Managers (CISMs). This highly trained and experienced group has completed many Vulnerability Risk Assessment (VRA) and Security Certification and Accreditation (C&A) projects, tests, evaluations, and related services. Exhibit 4 illustrates Presidio’s Security Certifications.

Greg Vetter, Certified Common Security Framework Practitioner (CCSFP), Certified Information Systems Security Professional (CISSP), Certified Information Systems Auditor (CISA), Certified Information Privacy Professional (CIPP)Charles Barley, Jr. Certified Information Systems Security Professional (CISSP), Certified Information Systems Auditor (CISA), Certified Information Privacy Professional (CIPP)Victor Carraway, Certified Information Systems Auditor (CISA), Certified Fraud Examiner (CFE)Ryan Hay, Certified Information Systems Security Professional (CISSP), Certified Information Systems Auditor

Paul Ashe, President and Engagement Manager, CPA, CISA, CISSPChris Bunn, Practice Director and Senior IT Security Consultant, CISA, CHPChris Cook, Senior IT Security Consultant, CISSP, CISA

9 10/20/2017 1:35 PM


Licensing Matrix



EVALUATION CRITERIASHI International Corp


The SHI Security Services team are all senior level Security Professionals with each having 20+ years’ experience. Specific skill sets may vary but overall each has experience working with various industry security frameworks, including HIPAA. The team holds many different Security related certifications however all have CISSP certifications.

Verizon’s Healthcare Governance Risk and Compliance Team has over 10 years of professional experience supporting organizations with meeting their HIPAA requirements through the delivery of a range of consulting services. Verizon routinely conducts HIPAA compliance and risk assessments as well as provide security advisor support to help customers, such as Broward County, avoid common risks to Personal Healthcare Information (PHI) and better align their security and privacy programs to their mandatory HIPAA requirements. Verizon has the capability to provide multiple HIPAA SMEs each with over 10 years and 50 + projects worth of experience in assessing and improvement compliance for both Healthcare providers and Payers. Verizon’s Project Management organization comprises over 60 PMs with significant experience in managing large programs and projects. In order to ensure the successful delivery of all projects and meet the standards required by our Clients, Verizon’s PMs hold the highest levels of certification recognized globally across the Project/Program Management field. Furthermore, Verizon’s Project Management organization has chosen the Project Management Institute’s (PMI’s) Project Management Body of Knowledge (PMBOK®) Guide and Standards as the baseline of its Project Management Delivery Method.

� MBA – Master of Business Administration� CGEIT – Certified in Governance of Enterprise Information Technology� ISSAP –Information Systems Security Architecture Professional� GIAC – Global Information Assurance Certificationo GPEN – GIAC Penetration Tester Certificationo GCFA – GIAC Certified Forensic Analysto GAWN – GIAC Auditing Wireless Networks� CEH – Certified Ethical Hacker� TCNA – Tenable Certified Nessus Auditor� PMP – Project Management Professional� ITILv3 – Information Technology Infrastructure Library version 3

Verizon Professional Services team holds CISSP, CISA, and CHSPE certifications, as identified in Category 1. In addition our Health Care security consultants have� Supported HITRUST assessment and certifications,� Have gotten customer HITRUST certified,� Have co‐authored industry guidelines to meet Health Care requirements,� Have supported legal councils in forming Health Care compliance opinions� Have helped payers, providers, and Business Associates achieve Health Care compliance.

10 10/20/2017 1:35 PM



Solution Provider: Trustwave Crowe Horwath LLP Enterprise Risk Management, Inc.c. Describe the Project Manager and key staff’sexperience in performing technical as well aspolicy assessments.

See PDF Pg. 472 ‐ 473

"CONFIDENTIAL"


See PDF Pg. 16.Please see the representative biographies embedded below, which includes the typical certifications heldby the resources who may be assigned to your project.



11 10/20/2017 1:35 PM


Licensing Matrixc. Describe the Project Manager and key staff’sexperience in performing technical as well aspolicy assessments.


See PDF Pgs. 157 ‐ 158Project Advisor – Andrew Cannata, Principal, CISSP, QSA, CISM, 25+ years experienceChris Sullo – Practice Lead, CISSP, RHCE, RHCT, 20+ yearsPeter Hefley – Senior Manager, GPEN, CISSP, GREM, CISA. Peter has a broad base of experience in systems administration, network security, information warfare, and cryptography.Steve Tornio – Senior Manager, OSCP, CISSP. Steve has been active within the security community for the past 20 yearsAnthony Miller‐Rhodes – Senior Consultant. Anthony has several years of security experience involving penetration testing and software development of offensive and defensivecapabilities.Eric Turner – Senior Consultant, OSCP. Eric is a Senior Consultant with over four years of penetration testing experience and as a general network....Jeremy Archer – Senior Consultant, GCED, OSCP, CCNA, CISSP. Jeremy has over 20 years of information technology and security experience,....Rob Ditmer – Consultant, GPEN, CISSP. Rob has over six years of experience in information technology and security......



See PDF PG. 19For Marcum LLP’s and 24by7Security’s proposed key staff, please see profiles and certificates availablein Appendix A.� Client Service and Engagement Partner:Mark Agulnik, PartnerCPA, CISA, PCI‐QSAMarcum, LLP� Co‐Engagement Lead:Sanjay Deo, Principal Security ConsultantCISSP, HCISPP24By7Security, Inc.� Senior Security Consultant:Michael Brown, Senior Security ConsultantCISSP, HCISPP, CISA, CRISC, CISM, CGEIT24By7Security, Inc.� Senior Security Consultant:Patrick Parker, Senior Security Consultant24By7Security, Inc.

12 10/20/2017 1:35 PM




Systems Optiv SecuritySee PDF Pg. 52.The Project Manager, as well as the entire team assigned to this proposal is well versed in performing technical and policy related assessments. We leverage our over 18 years of experience in information security as well as industry best standards with all IT audits and assessments. This allows the firm to create a tailored approach when it comes to assessing a specific aspect of our clients’ environment and ensure we provide the most efficient solution for the task at hand. Whether we need to evaluate thirdparty vendor security policies and procedures, assess the current physical security policy in place, take a deep dive into network device security controls, or analyze the organization’s disaster recovery plans, we have the right experience and tools to become a long‐term trusted resource.

Not Provided

See PDF Pg. 254

Steve Levinson (VP, Risk Security & Privacy Consulting), 25+ years experience, CISSP Adam Kehler, 20+ years expereince, CISSPRob Harvey, Director of Online's Risk, Security & Privacy Consulting Practice, 12+ years experienceGreg High, Principal Consultant, CISSP, CISM, 8+ years experience

See PDF Pgs. 6 ‐ 7. Online’s Risk, Security and Privacy consultants hold certifications such as QSA, CISSP, CCSP, CIPP, CRISC, CISM, PCI QSA, PCI‐P, CEH, and CISA to name only a few.


13 10/20/2017 1:35 PM



Plante & Moran, PLLC dba Plante Moran Presidio RSM US LLP Securance LLCThe staff and project managers involved in HIPAA Security services have experience delivering HIPAA Risk Assessments, HIPAA Security Rule compliance assessments, HITRUST Validated assessments and HIPAA Security specific policy assessments. Our managers and staff have experience apply the HIPAA security rule to multiple industries including the public sector.

See PDF Pg 24.Presidio’s Project Manager and key staff have been performing HIPAA assessments since 2006.HIPAA is 40% of the Cyber Security revenue. The Presidio Cyber Security team is comfortablein performing the HIPAA assessment following the NIST 800‐66 Security Rule. We arecomfortable testing administration safeguards, physical safeguards, technical safeguards anddocumentation.

See Pdf Pgs 19 ‐21 See Proposed Project Team ‐ Page 3.See Executive Profile ‐ Page 4.See Staff Profiles ‐ Page 6.

14 10/20/2017 1:35 PM




Verizon Business ServicesSHI Security Services team has consistently delivered 20 security related assessments annually of whichapproximately 6 are HIPAA focused. All SHI Security Assessment include technical review, bothdocumentation and hands on, and Policy review. All assessment reports include detailedrecommendations and on occasion have resulted in a remediation project focused specifically on Policy.

Verizon’s Health Care consulting team has conducted both technicaland operational assessments as part of our compliance and risk assessment processes. Verizon routinely conducts HIPAA compliance assessments, and also conducts HIPAA risks assessments of PHIexposed systems. Verizon reviews and writes Health Care policy, procedures, and standard.

15 10/20/2017 1:35 PM



Solution Provider: Trustwave Crowe Horwath LLP Enterprise Risk Management, Inc.a. Describe the prime Vendor’s approach toperforming similar work in this Category.

See PDF Pgs. 473 ‐ 491.

"CONFIDENTIAL"


See PDF Pg. 17 ‐ 19Trustwave provides a comprehensive portfolio that can help organizations of any size respond to HIPAA regulations. We are ideally suited to help support a compliance program centered on the administrative, physical and technical requirements of HIPAA. Trustwave has a number of HIPAA related services available to Broward County. Trustwave can provide HIPAA Compliance Pre‐Assessment Service, HIPAA Compliance Readiness Service, HIPAA Risk Assessment, and HIPAA Remediation Consulting. A brief description of each of the offerings are listed below, as well as a sample project plan approach.HIPAA – Compliance Pre‐Assessment – Service DescriptionClient requests an assessment regarding compliance with the Health Insurance Portability and Accountability Act (HIPAA) of 1996 via an evaluation of Client’s security, privacy and incident readiness posture as required by the HIPAA. Trustwave is authorized to perform the following service to assess Client’s data security and privacy practices...

See PDF Pgs. 160 ‐ 165.As part of HIPAA Security Compliance, there are various elements that must be in place to comply with the HIPAA Security Rule. Policies, procedures, and processes must be documented to show the safeguards in place to protect electronic protected health information (ePHI). Such documents should also be implemented within the organization to guide the workforce in the proper protection and handling of ePHI. Additionally, proper Security Awareness Training should be in place to further guideworkforce members on the intent of policies, procedures, and processes but also best practices with regards to safeguarding ePHI as well. Covered entities should also have a good understanding of risks to ePHI through applications and systems given the control environment in place. It is a good practiceto conduct a HIPAA risk analysis annually by constantly managing risks through an established risk governance approach ‐ consistent response and treatment of risks through avoidance, transferring, acceptance, and mitigation of risks.Crowe understands the importance of a risk management process, which will ultimately lead to the organization having a better understanding of its risk conditions. Our process and tools will utilize the NIST 800‐30 Risk Assessment process to assess risk to ePHI assets defined within the scope. Our process will include a qualitative risk assessment of the environment in which ePHI is stored, processed, and transmitted ‐ includes applications and systems processing ePHI, interconnections to other systems via direct connections, the Internet, participant networks....

See PDF Pgs. 51 ‐ 52a. ApproachA review of the project’s objectives, scope, scheduled activities, assumptions and or possible constraintswill be reviewed with client key personnel and staff during a project kickoff meeting. Client shallcooperate with ERM in the performance of ERM’s services. To comply with budgeted project estimates,ERM requires the timely, complete and accurate cooperation from the client.Executive Risk Assessment ‐ Focused on Organizational Wide DataERM will identify vulnerabilities across people, process and technologies and identify the top cyber risks.Key phases include• Asset Inventory• Asset Classification• Threat and Vulnerability Analysis• Controls/Safeguard Analysis• Report Generation

16 10/20/2017 1:35 PM


Licensing Matrixa. Describe the prime Vendor’s approach toperforming similar work in this Category.


See PDF Pg. 63 ‐ 70To evaluate Broward’s alignment with the HIPAA Security Rule requirements and the relatedrisks to ePHI and subsequent IT systems, our proposed activities would include discoverysessions and onsite visits. Through detailed discovery sessions, an in‐depth analysis of existingdocumentation and processes, and a review of relevant technical safeguards, Focal Point willidentify key HIPAA risks and areas of potential non‐alignment with the applicable HIPAASecurity Rule requirements. Based on our understanding of your operations and supportingtechnology, we will identify the project activities that we feel should take place. These typicalactivities have been detailed through the project phases below.....

See "Broward Security Services 2017" See PDF Pg. 39Global Information Intelligence will apply its expert and proven methodology to provide BROWARD COUNTY with INFORMATION TECHNOLOGY (IT) SECURITY AND COMPLIANCE SERVICES using Intelligent, Proactive and Robust and Resilient methods that include proactive recommendations and remediation sample for design and implementation operational effectiveness for INFORMATION TECHNOLOGY (IT) SECURITY AND COMPLIANCE SERVICES: Network assessment of BROWARD COUNTY Corporate Network and its Operations Technology Network. INFORMATION TECHNOLOGY (IT) SECURITY AND COMPLIANCE SERVICESQualified Proponents are to provide services for the Broward County....

See PDF PG. 20 ‐ 22Marcum and 24By7Security's approach to HIPAA compliance is consistent. To avoid redundancy innoting both approaches, Marcum and 24By7Security will apply the following approach:Our team places emphasis on commitment to being an agile vendor partner to help reduce the cost of implementing healthcare by delivering nimble, innovative solutions. Our proactive approach is based on continuous communication, thereby we can rapidly integrate your feedback to meet your current and future needs. Our nationwide network of professionals along with our expertise allows us to evaluate anddeploy experts on your project. Our team will use a tried and tested phased methodology...

17 10/20/2017 1:35 PM




Systems Optiv SecuritySee PDF Pgs. 53 ‐ 54.We pride ourselves on our years of continuous business and these two cornerstone tenants of our business:In‐Depth Understanding of State and Local Government—MGT has worked almost exclusively with the public sector. As a result, we understand the challenges and unique issues inherent inthe operations of state and local government programs and service delivery. Because many of our staff have worked in government, we have a clear understanding of the state and localgovernment structure, control agencies, budgetary processes, and political environment. Our Focus is on Business Understanding and Analysis—MGT consistently focuses on identifying and implementing the most effective and efficient methods for achieving operational objectives in all of our engagements. No matter what the task, we “cut to the chase,” and work to provide the most viable business solutions in the shortest amount of time, at the lowest cost. We understand the importance of streamlining business processes and we know how to pinpointthe most efficient and effective methodologies for specific situations. Based on our more than 40 years of experience in providing consulting services to federal, state, and local government clients, MGT knows the success of any project is based upon the project management. Our project manager will work in tandem with the County’s designated project lead to drive the MGT project management principals and guidelines for the development of your customized solutions.

See PDF Pgs. 16 ‐ 18.The methodology proposed by Nettitude is based on information provided by Broward County keypersonnel to date and draws upon the expertise of Nettitude working with similar organizations. Havingread Broward County’s requirements, the following proposal has been defined:A. Define HIPAA ScopeB. Gap Analysis & Risk Assessment ‐ Allow Broward County to gain a firm understanding of howsecurity processes within designated environment are appliedo Develop a way to measure those processes against the HIPAA CSFo Obtain a firm understanding of security operations throughout organizationC. Remediation Phaseo Complete all tasks identified in Gap analysis reportsD. HIPAA PRE Audit‐ Ensure all remediation advice prescribed by Nettitude has been carried outto the fullest extent.o Task List Completion Check Up.o Designed to ensure Broward County is fully prepared for HIPAA AuditE. HIPAA AuditoAudit against HIPAA CSFo HIPAA certification

See PDF Pgs. 255 ‐ 256.Online has developed a unique, risk‐based approach to help organizations implement the controls, technologies, policies, and procedures that align with their business, theirthreats, and their risk tolerance. Online’s security professionals work from virtual offices ‐ we average more than fifteen years of informationsecurity experience. With our extensive business experience, at the C‐level in many cases, we understand that security strategy must align with business objectives. Online’s Risk, Security & Privacy team consists of approximately 25 seasoned professionals. Online’s Risk, Security, and Privacy Practice focuses on services, solutions, and subject matter expertise to provide strategic information security guidance to our clients.

Not Provided

18 10/20/2017 1:35 PM



Plante & Moran, PLLC dba Plante Moran Presidio RSM US LLP Securance LLCSee PDF Pgs. 20 ‐ 24.Plante Moran uses a phased approach for assisting organizations in successfully completing a report on compliance with the HIPAA Security and HITECH Act. This approach provides for a structured and focused effort throughout the project. The major tasks are organized into five phases. At the conclusion of each phase, there is a scheduled management meeting to confirm progress and to gain synergy for the next phase. Upon conclusion of the assessment, we provide continued support to your organization. As operating environments, industry trends, or the demands of your user organizations change ‐‐ we will be available and quick to respond to your needs. The major phases of the work plan are as follows....

See PDF Pgs. 24 ‐26.Presidio follows the NIST 800‐66 Security Rule to evaluate the overall security posture. Project approach to performing HIPAA services includes:� Compliance Assessment – HIPAA Security Rule� Initial Discovery and In‐Scope Environmental Definition� Current‐State Assessment� Gap Analysis� Deliverables

See Pdf Pgs 21‐24The following section describes RSM’s approach in conducting similar work in this category.Our HIPAA privacy and security audit methodologyA HIPAA risk assessment is a security rule‐required standard. Management, as part of their complianceevaluation, must evaluate the accuracy and thoroughness of the assessment during their review ofestablished administrative safeguards. Our risk‐based review program is based on the threats andvulnerabilities associated with the current technology and operational environment in place relative to theHIPAA requirements. We will conduct a high‐level evaluation of the patient‐protected health information(PHI) security program, assessment of activities to manage and control risk, review of physical security,and review of system support and security administration duties, network administration and associatedcontrols to adequately address HIPAA security compliance requirements.The objective of the HIPAA privacy and security compliance assessment is to identify potential gaps thatmay exist in their ongoing compliance efforts. With respect to HIPAA, this objective is to provide adequatesafeguards to the confidentiality, integrity and availability of ePHI.

See Audit Approach See PDF Pgs. 137‐138Each project we undertake will follow this standard methodology. While we are flexible in modifying our approach and methodology, we do so only in the best interest of our clients and their internal control initiatives.

19 10/20/2017 1:35 PM




Verizon Business ServicesInitially a kick off call will be scheduled to review the scope, tasks, contacts, communications plan andlogistics required to complete the project. Requested documentation (Policies, Process and Procedures,network diagrams) are reviewed and an External Security Vulnerability Scan is completed prior to onsite activities. Onsite activities will consist of staff interviews, internal network scans, live network datacapture analysis, device security configuration review and physical site visits. All information gathered isreviewed for analysis and alignment with HIPAA guidelines and security best practices with resultsprovided in a detailed report with findings and remediation recommendations.

See page 27.Verizon provides Healthcare‐Specific Security and Privacy Assessments to help Customer ensure that their operational processes and procedures, align and meet mandated HIPAA Security Rule and Privacy Rules requirements, and provide a solid foundation for the use of technical controls, and work together to prevent or reduce the potential for incidents and breaches. Verizon provides Healthcare Security Assessments to determine where Customer have gaps and weak spots,through which PHI could be lost, and provides effective recommendations to protect and secure Patient Information. Verizon primary product in the HC area of a HC security assessment which validates the effectiveness of Customer’s security controls to meet the customer’s HIPAA/HITECH requirements. Each of these assessment includes data gathering with review of customer documentation and interviews to uncover AD HOC policies, processes, and standards in the workplace; analysis of customer’s overlapping primary and compensating controls to determine the rate of compliance with HIPAA/HITECH requirements; and reporting with written reports of compliance, presentations to identify compliance and any associated risks of noncompliance, and other mapping to help customers understand and overcome areas of noncompliance at specific locations, or in specific technical or operational areas.

20 10/20/2017 1:35 PM



Solution Provider: Trustwave Crowe Horwath LLP Enterprise Risk Management, Inc.b. Number of employees, coordination efforts,servers and workers located within USA.

See PDF Pgs. 491

"CONFIDENTIAL"


See PDF Pg. 19.All employees and servers would be within the United States. Trustwave has over 900 employees in the US.


See PDF Pg. 52ERM has approximately 30 full time employees. Of these employees, 25 are located in the USA. Onlyfull time employees and subcontractors located in the USA will work in these engagements.Regarding coordination efforts, Esteban Farao will be the Project Manager. He will lead a project kickoffmeeting, send the information requirements, manage the project, communicate with the clientproject team, lead project update calls and meeting as well as delivery the final reports andpresentations.All of ERM’s severs are located at the ERM’s headquarters in Coral Gables, Florida.

21 10/20/2017 1:35 PM


Licensing Matrixb. Number of employees, coordination efforts,servers and workers located within USA.




See PDF Pg. 39Global Information Intelligence will apply its expert and proven methodology to provide BROWARD COUNTY with INFORMATION TECHNOLOGY (IT) SECURITY AND COMPLIANCE SERVICES using Intelligent, Proactive and Robust and Resilient methods that include proactive recommendations and remediation sample for design and implementation operational effectiveness for INFORMATION TECHNOLOGY (IT) SECURITY AND COMPLIANCE SERVICES: Network assessment of BROWARD COUNTY Corporate Network and its Operations Technology Network. INFORMATION TECHNOLOGY (IT) SECURITY AND COMPLIANCE SERVICESQualified Proponents are to provide services for the Broward County....

See PDF Pg. 22 Marcum: As a national firm with 29 offices and approximately 1,550 professionals, we serve as astrategic alternative to the much larger firms. The partners and managers with whom you will developrelationships, drive all major decisions; possessing both the appropriate resources and decision makingauthority. Our local firm approach provides hands‐on service and timely communication, resulting in theCounty receiving the best of both worlds. Marcum has more than 20 professionals dedicated toproviding IT Audit and Technology Services.24by7: With a staff of 15 full‐time and part‐time employees and contractors, and with a strong reputationof performance, we have the experience and the HIPAA Compliance and Cybersecurity knowledge to helpthe County in this project. Our technical staff members are well certified in information security and in IT,and fully qualified and experienced to perform this project. We intend to assign our senior staff membersto this project if we were to be awarded the contract.

22 10/20/2017 1:35 PM




Systems Optiv SecuritySee PDF Pg. 54.Our firm of over 60 professionals have successfully managed more than 8,500client engagements nationally with a significant portion of MGT’s engagements being repeat business, reflecting the firm’s commitment to achieving a high level of customer satisfaction and ability to exceed the expectations of clients. Prior to working with public‐sector entities as consultants, many of our staff worked in government agencies as executives and managers. This insider's knowledge of government structureand process gives MGT a competitive advantage and an ability to hit the ground running from the very start of a project. Our organization leverages leading project management solutions and highly qualified trained professionals throughout all aspects of our engagements in order to ensure the best customerexperience at every stage. Not Provided

Online’s Risk, Security, and Privacy practice has approximately 18 consultants based in the USA. Online’s US Headquarters is located in Minneapolis, MN.

Not Provided

23 10/20/2017 1:35 PM



Plante & Moran, PLLC dba Plante Moran Presidio RSM US LLP Securance LLCPlante Moran has over 2,200 employees and 500 servers in the USA.

Presidio has twenty‐three (23) people on our Cyber Security Consulting team, all whom are

Our team members are comprised of subject matter specialists that have extensive experience conducting information security and risk assessment engagements. Our IT Risk Advisory professionals comprise nearly 1,000 professionals who contain a deep understanding of widely adopted frameworks, best practices and standards such as Committee of Sponsoring Organizations of the TreadwayCommission (COSO), Control Objectives for Information and related Technology (COBIT), Information Technology Infrastructure Library (ITIL) and International Organization for Standardization and the National Institute of Standards and Technology (NIST). Our IT Risk Advisory professionals hold various professional certifications such as Certified Public Accountant (CPA), Certified Information Systems Auditor (CISA), Certified Information Security Manager(CISM), Certified Information Systems Security Professionals (CISSP), Certified Information PrivacyProfessional (CIPP), Certified Business Continuity Professional (CBCP) and various SANS GIAC (GlobalInformation Assurance Certification) security certifications. In addition, many of our professionals havetechnical certifications such as Microsoft Certified System Engineer (MCSE), Cisco Certified NetworkAssociate (CCNA), Cisco Certified Design Associate (CCDA) and Certified Novell Engineer (CNE).Also see the Servers and Workers Located in the USA Attestation Form included in the Appendix sectionf h l

See Audit Approach See PDF Pg. 137‐138Each project we undertake will follow this standard methodology. While we are flexible in modifying our approach and methodology, we do so only in the best interest of our clients and their internal control initiatives.

24 10/20/2017 1:35 PM




Verizon Business ServicesThe SHI Security Services team has 6 active members with 2 openings. Additionally each assessment isassigned a Project Manager from a team of 8 PM’s. All SHI services teams are US based.

Verizon can provide up to twelve fully qualified (US‐based) Health Care SMEs for consulting engagements.

25 10/20/2017 1:35 PM



Solution Provider: Trustwave Crowe Horwath LLP Enterprise Risk Management, Inc.c. Describe vendor’s plan to meet key milestones and deadline dates including communication plan.


"CONFIDENTIAL"


See PDF Pg. 19 ‐ 20Project Phases and MethodologyThe HIPAA Services typically consist of a planning phase and three assessment phases to ensurecomplete and efficient service. Client must fulfill their obligationswithin each phase before progressing to subsequent phases. Failure to do so may require an addendum to this contract that will include additional charges for any time or materials above and beyond those agreed to in this contract.Phase 0: Project InitiationInitiation Meeting� Kickoff meeting between all designated stakeholders� Define roles and responsibilities of Client overall program steering committee� Agree on formal scope, including validation of segmentation and sampling methodology� Define and agree to high‐level project plan key steps, estimates for duration, deliverables, resourcerequirements and escalation procedures...


See PDF Pg. 52ERM Project Manager will develop a Project Plan which details all key milestones and deadline dates.ERM Project Manager will work with the client to adjust based on client needs. The CommunicationPlan will be discussed and agreed to during the kick‐off call. ERM’s communication plans typicallyinclude weekly status updates as well as updates based on key milestones and deadlines.

26 10/20/2017 1:35 PM


Licensing Matrixc. Describe vendor’s plan to meet key milestones and deadline dates including communication plan.





See PDF Pg. 23 ‐ 24Marcum: Effective Project Management is a key focus at Marcum. As a large audit, tax and consultingfirm, the ability to provide services to clients on schedule and within a set budget is priority. Ourtechniques include best practices from the Project Management Body of Knowledge (PMBOK) and gofrom the Planning to the Reporting phase to going through quality assurance checks. The Marcum LLPteam has an in‐house project manager who coordinates all projects for the IT Audit and TechnologyServices division, ensuring all project deliverables and timelines are met.24by7: 24By7Security follows a proactive approach that is based on continuous communication; therebywe are able to rapidly integrate your feedback to meet your current and future needs. We have foundthat this approach of open communication with our clients has yielded positive results not only with theprojects but also in terms of client relations....

27 10/20/2017 1:35 PM




Systems Optiv SecuritySee PDF Pgs. 54‐ 55.As we have already done with other projects for Broward County, MGT will ensure accountability, compliance, and implementation of the services provided. We will adhere to all applicable federal and state policies, procedures, and regulations. MGT's Project Manager will have primary responsibility for the supervision of all project operations and project administration and will ensure all deliverables meet the standards of quality set forth by theCounty. Our Project Manager is responsible for the day‐to‐day activities of all design and technical key staff. In concert with the County’s Project Lead, MGT’s Project Manager will facilitate implementation of the main components of the project, including the installation, configuration, initiation, pilot, acceptancesystem, and the training of end users as well as generating progress reports on all project activities.Other major responsibilities will include:� Scheduling of project activities.� Financial management.� General tasks related to contract administration.� Serving as the primary point of contact for County inquiries or requests for project updates.....

Not Provided

See PDF Pg. 256 ‐ 257.Online understands that a project – whether it’s a multi‐year, multi‐million dollar initiative, or an eight‐week projectfor a single user – will represent an investment of time, resources and money for the County. We also understand that each project investment must meet the defined objectives. By carefully listening to theCounty’s needs, ensuring regular communication, and then applying industry best practices, our team will create a project environment that delivers success.Online recognizes the value of communication and ongoing collaboration with our customers to help ensurethat engagements are well managed and deadlines are met. As such, Online will coordinate a project initiationmeeting (kick‐off meeting) with the County that will:� Introduce key people at the County and Online.� Exchange contact information (for regular reporting and emergencies)� Review scope of services� Review communication, notification, and issue escalation procedures and escalation points of contact� Discuss the involvement of the County technical staff to facilitate knowledge transfer......

Not Provided

28 10/20/2017 1:35 PM



Plante & Moran, PLLC dba Plante Moran Presidio RSM US LLP Securance LLCFrequent communication, guided by a “no surprises” philosophy is the key to a successful project. In this way, expectations can be effectively managed and problems can either be avoided entirely, or addressed early on to minimize wasted effort and keep the project on schedule. Prior to formally kicking off the project, we will work with the County to develop a communications plan for the project.We will identify project stakeholders, and for each:� What they will need to know throughout the project (e.g., status updates, risk and issues)� When and how frequently they will want communication (e.g., weekly, monthly)� How communications will be delivered (e.g., status updates reports, meetings, phone calls)� Who will be responsible for the communicationWe will maintain this communication plan on a shared collaboration site throughout the project to ensure regular communication and ongoing collaboration.

Presidio employees located within the USA. The Presidio Cyber Security Project Managers coordinate all the resources on the Presidio team.

RSM’s management approach can be expressed in one simple phrase: “no surprises.” First, we will work with the County to establish a communication protocol and approach that you prefer, and we will use these channels and tools to share information on the engagement. Once the communications plan has been created, RSM will create a timeline and milestones project schedule and track those milestones to completion on a weekly basis. We will work with you and management to keep you informed of our progress throughout the engagement with periodic formal and informal status reports and meetings as appropriate. Continuous communication helps ensure that the County and the RSM team are in agreement on, and informed about, every aspect of an engagement. Our team will work closely with County management to establish clear, open lines of communication via face‐to‐face meetings, phone calls, and/or regular electronic or hard‐copy communications to keep you informed of progress and issues. In the event that RSM identifies that a particular engagement is behind schedule, it will be formally communicated to the client to discuss the issues and possible solutions to get back on track. Similarly, if observations or risk areas are identified during an engagement, we will be on hand to provide recommendations for remediation and provide support to management in the enhancement of current processes.

See Project Management Approach See PDF Pg. 139Each project we undertake will follow this standard accountability model.1) Engagement Manager….2) Senior IT Security Consultants….3) Independent Reviewer…..4) Broward County's Project Manager…..5) Status Reports.....

29 10/20/2017 1:35 PM




Verizon Business ServicesOnce an assessment is assigned to a Sr. Solutions Architect, they are dedicated to the project ensuringtheir availability to complete all project related task and milestones as agreed in the SOW and/or projectkickoff meeting. Schedules are managed closely to ensure overlap in projects is minimal and allow allmilestones to be met and assessments to be completed on time. All SHI assessments have an assigned PM who document and track all milestones and significant events for a particular project. The PM will work with all key stakeholders involved to ensure all communications are managed effectively to meet all customer expectations. Email is used for daily communication with secure solutionsbeing utilized for all confidential documentation.

See Pages 28‐30.Throughout Verizon’s HIPAA projects, our engagement management and delivery process is generally the same. Verizon assigns a Project Manager to each engagement, who is Verizon’s representative in the Engagement. Verizon’s Project Manager will work with a Customer’s Point of Contact (POC) to establish project timings, identify all participants, defined the work steps on more detail, and otherwise manage, coordinate, and communicate the Engagement.

30 10/20/2017 1:35 PM



Solution Provider: Trustwave Crowe Horwath LLP Enterprise Risk Management, Inc.3. Past Performance:a. Describe prime Vendor’s experience onprojects of similar nature and scope, along withevidence of satisfactory completion, both ontime and within budget, for the past five years.Provide a minimum of three projects withreferences, preferably government agencies (i.e.state, local) of similar size and structure andproven experience and skillset in evaluation amixed credit card environment of webapplications, point of sale (POS), and IVRsystems.Vendor should provide references for similarwork performed to show evidence ofqualifications and previous experience. Refer toVendor Reference Verification Form and submitas instructed. Only provide references for non‐Broward County Board of County Commissioners’contracts. For Broward County contracts, theCounty will review performance evaluations in itsdatabase for vendors with previous or currentcontracts with the County. The County considersreferences and performance evaluations in theevaluation of Vendor’s past performance.

CONFIDENTIAL

Pgs 35: Non‐Disclosure Statement "The information in this document is AT&T Corp. Confidential, and cannot be reproduced or redistributed in any way,shape, or form without prior written consent from AT&T Corp. © Copyright 2017 AT&T Corp. AT&T Corp., the AT&T Corp. logo, and all other trademarks, service marks, and designs are registered or unregistered trademarks of AT&T Corp. Intellectual Property and/or AT&T Corp. affiliatedcompanies."



See PDF Pg. 20Please see Addendum for Client References and Sample Reports.

(3) Reference Verification Forms included for this Category ‐ See PDF Pgs. 167 ‐ 169.We have completed and submitted the Vendor Reference VerificationForm as requested.

(3) Reference Verification Forms included for this Category. See PDF Pgs. 53‐55ERM has completed approximately 30 HIPAA projects. All of our projects have been completed on timeand within budget.As requested, below are three references for projects of similar size and structure.1. Barry University2. Hematology Oncology Associates of the Treasure Coast3. CSID

b. Provide evidence of similar work related toservices identified in this Category, includingsample executive summaries and reports.

See Attachment:ATT Sample Healthcare Risk and Compliance Assessment (PDFPgs. 32 ‐ 92)

See PDF Pg. 20Please see Addendum for Client References and Sample Reports.

See PDF Pgs. 167 ‐ 169.We have completed and submitted the Vendor Reference VerificationForm as requested.

See PDF Pgs. 56 ‐ 57Sample outline of client report.

31 10/20/2017 1:35 PM


Licensing Matrix3. Past Performance:a. Describe prime Vendor’s experience onprojects of similar nature and scope, along withevidence of satisfactory completion, both ontime and within budget, for the past five years.Provide a minimum of three projects withreferences, preferably government agencies (i.e.state, local) of similar size and structure andproven experience and skillset in evaluation amixed credit card environment of webapplications, point of sale (POS), and IVRsystems.Vendor should provide references for similarwork performed to show evidence ofqualifications and previous experience. Refer toVendor Reference Verification Form and submitas instructed. Only provide references for non‐Broward County Board of County Commissioners’contracts. For Broward County contracts, theCounty will review performance evaluations in itsdatabase for vendors with previous or currentcontracts with the County. The County considersreferences and performance evaluations in theevaluation of Vendor’s past performance.



See PDF Pg. 71 ‐ 75Focal Point has established robust methodologies that have been successfully applied andconsistently tested over time at large Fortune 500, mid‐size, and small start‐up organizations.Focal Point has assessed and designed programs to enhance compliance with the HIPAAPrivacy Rule, Security Rule and Breach Notification Rule Standards as well as the HIPAAOmnibus Final Rule requirements. Focal Point typically performs around 30 HIPAA‐relatedassessments annually.


See References. See PDF Pg. 25See attached Vendor Reference Forms for:� Heart & Health System� Femwell Health Group� MCCI GroupAdditional references are available upon request.

Similar to that of pci, HIPAA specific requirements are address on a custimized bases, actual phased approach can be seen in the Broward Security Services 2017 under PCI DSS managed services

See PDF Pgs. 290 ‐ 310See Sample Reports

See PDF Pg. 25See attached executive summary for ACME Sanitized.

32 10/20/2017 1:35 PM






See Reference Verification Forms (3) ‐ See PDF Pgs. 57 ‐ 59.FASTTRACK URGENT CARE: FULL HIPAA AUDITA leading urgent care group in Florida, we coordinated all HIPAA compliance efforts for this organization including: complete risk assessment (full audit, including physical, internal and external infrastructure, application pen testing), development of all policies and procedures, and training and awareness program.We not only completed the work and took FastTrack Urgent Care into full HIPAA compliance (and beyond, as HIPAA compliance doesn’t necessarily equal an adequate security posture), we were able to deliver under the projected budget. With a focus on knowledge transfer, and building a risk management program that truly gave this organization an optimal security posture, the end result was an organization where cyber security was a core competency.IDEAL IMAGE: FULL HIPAA AUDITSimilar to Fast Track Urgent Care, Ideal Image chose us to take a deep dive into their security posture and create a risk management program that not only hardened their information security environment,but also met, and surpassed, HIPAA compliance requirements. We completed a full risk assessment, revised and developed all of their policies and procedures, and set them up with the required trainingand awareness efforts. Once again, we delivered under the quoted budget on a time and materials basis and were able toprovide them with all the knowledge transfer to continue to mature their risk management program.

See Reference Verification Forms. Reference Verification Forms ‐ See PDF Pgs. 317 ‐321.Your Health Idaho (YHI) ‐ ATC MARS‐E NIST 800‐53 (a) Authority to Connect Project: Onlineled this project on behalf of GetInsured (YHI’s vendor for Exchange and Security/Privacy). Onlinesuccessfully completed a passing Security Assessment Report within YHI’s challenging 4‐monthtimeframe.� Public Knowledge, LLC ‐ Wyoming Department of Health Independent Risk Assessment and Security Testing Support: Online supported the State of Wyoming’s MARS‐Ev2 requirements byconducting third party security testing and risk assessment. � Wayne Memorial Hospital – HIPAA Security Risk Assessment and Penetration Test: Onlineconducted a HIPAA security risk assessment and penetration testing via on‐site and remote interviewsand technical tools.

Not Provided

See "Fast Track Urgent Care Sample Report" in Appendix ‐ PDF Pgs. 68 ‐95.

Not Provided

Online is pleased to include a Sample Report for a HIPAA engagement as evidence of our HIPAA consultingcapabilities. It is enclosed under Appendix B.

Not Provided

33 10/20/2017 1:35 PM





Reference Verification Forms included. ‐ See PDF Pg. 69Examples ‐ See PDF Pg. 25

See PDF Pg 27 ‐ 28.Presidio would develop a project plan with all defined project milestones which includes weekly status meetings to track the project overall progress. Escalation methodology follows.

See Pdf Pg 25‐27District of Columbia Water & Sewer AuthorityOctober 2016 ‐ April 2017Evaluate DC Water's information privacy practices and how they aligh to NIST

Cubic Corporation and Transportation SystemsMay 2014 ‐ OngoingRSM monitors compliance with respect to HIPAA's security regulations

Prince William County, VirginiaMay 2014 ‐ August 2014Internal audit services provided to PWC include audit of policies, procedures and compliance as they relate to HIPAA

Vendor Reference Verification Forms included in Appendix

CONFIDENTIAL

References remain confidential.

See PDF Pg. 25Upon conclusion of the engagement described above, we will provide the County with a written HIPAA gap assessment report1 outlining each HIPAA Security and Privacy requirement and whether or not the County has implemented appropriate controls to address compliance requirements. For areaswhere control improvements should be made we will provide specific suggestions for enhancing the control structure.Plante Moran will also provide a written Network Security report detailing the results of the technical assessments performed.

Reference Verification Forms included.See PDF Pg. 29.Presidio provides the following references for which we have provided similar solutions toCategory 2 ‐ HIPAA:� e+CancerCare� Broward Healthcare� Dayton’s Children HospitalPresidio uploads these customer references on the required Vendor Verification Form, in aseparate file.

Due to the sensitivity of the results of the work completed for our clients, results of our engagements or final reports will not be provided as evidence for proof of completion. If the County desires, we are prepared to provide example templates used as part of our reporting process to help ensure you are comfortable with the final work products we are accustomed to delivering.

CONFIDENTIAL


34 10/20/2017 1:35 PM






SHI Security Services is very flexible in scoping a Security Assessment with requirements focused on HIPAA, PCI, CJIS or other Security frameworks such as SANS CIS Controls. It is our experience most local government agencies have requirements for all these areas with systems and data overlapping within departments. By scoping an assessment to include two or more of these regulatory requirements we are able to minimize time and cost and greatly increase the value of the assessment. (Our PCI Assessments are for Self‐Assessment or Gap analysis only as we do not staff a QSA). SHI understands the importance of quality references; however for services such as those being requested by the County, most customers feel the information associated with these services is confidential. SHI has included a list of a few customers that we have provided similar services as requested in this RFP. If needed, we agree to help coordinate a call between our customers and Broward County to discuss their experience with SHI. Please note that customers may not wish to discuss specifics of their project due to the sensitive nature.Gold’s Gym, Anthony (Tony) Wilkins, Director of IT Infrastructure and TelecomTampa General Hospital, Jason Powell, Chief Information Security OfficerCity of San Marcos, Lenora Newson, IT Infrastructure Manager

See Pages 30‐31.Verizon’s Health Care team has specific experience in assessing the Health Care compliance and associated risk due to the use of specific system, products, and communications architectures. Verizon’s team has conducted detailed assessment to validate Verizon internal products and services, and has worked with other product and Health Care service providers to assess and report in the security of their offerings. Verizon is specifically familiar with nontraditional Health Care compliance situations outside and above those typical to covered entities, and has wide ranging experience in assessment and improving call center,communications center, and other networked services. Verizon has highly relevant customers who can provide information on the workwe have done and the quality of our relationship with their organizations. Due to the number of requests Verizon receives for recommendations from these customers, it is our policy to provide contact information only when we are under serious consideration for a contract award. In addition, Verizon’s corporate nondisclosure policies – combined with the sensitive nature of our customers’ business – require that certain agreements be in place before we can release sensitive customer data. In order to protect the interests and confidentiality of our customers, and at the request of our customers, we prefer to facilitate references calls and/or visits at a mutually convenient time for all. It is standard policy of Verizon to not publish reference lists due, in large part, to Non‐Disclosure Agreements between Verizon and its customers.

SHI has attached sample reports with our submission. Sample pdfs embedded in response. Unable to open.

35 10/20/2017 1:35 PM



Solution Provider: Trustwave Crowe Horwath LLP Enterprise Risk Management, Inc.4. Workload of the Firm:List all completed and active projects that Vendorhas managed within the past five years. Inaddition, list all projected projects that Vendorwill be working on in the near future. Projectedprojects will be defined as a project(s) thatVendor is awarded a contract but the Notice toProceed has not been issued. Identify anyprojects that Vendor worked on concurrently.Describe Vendor’s approach in managing theseprojects. Were there or will there be anychallenges for any of the listed projects? If so,describe how Vendor dealt or will deal with theprojects’ challenges.

See PDF Pgs. 497

Pgs 35: Non‐Disclosure Statement "The information in this document is AT&T Corp. Confidential, and cannot be reproduced or redistributed in any way,shape, or form without prior written consent from AT&T Corp. © Copyright 2017 AT&T Corp. AT&T Corp., the AT&T Corp. logo, and all other trademarks, service marks, and designs are registered or unregistered trademarks of AT&T Corp. Intellectual Property and/or AT&T Corp. affiliatedcompanies."




See PDF Pg. 171Over the past 5 years, Crowe has had over 16,000 clients, of which over 1,200 were government clients. Crowe currently has 871 government clients, with 32 in the Florida area.Crowe is well positioned to provide quality service to Broward County in a timely fashion. Crowe has a sophisticated Centralized Resource Management function that is responsible for ensuring that Broward County’s needs are met with the experienced and trained staff from our local offices, and if needed,from across our firm. We realize that resource management is a crucial element to consistently providing top quality service to Broward County, and all of our clients.

See PDF Pgs. 58ERM has completed 10 HIPAA projects during the past 5 years and estimates it will be working on 1 permonth for the remainder of 2017.ERM is able to manage several projects simultaneously based on our efficient project managementapproach. We have not experienced any challenges to complete these projects, nor do we expect toexperience challenges completed projects for the client.a. Past Five Years1. Education (2)2. Hospital (4)3. Physician Group (1)4. Local, City, State Government (2)5. Other (1).....

Verify that these questions are the same as in the advertised solicitation:1. Legal business name. AT&T Corp Carahsoft Technology Corporation Crowe Horwath LLP Enterprise Risk Management, Inc.


Not applicable

3. Federal Employer I.D. Number. 13‐4924710 522189693 35‐0921680 65‐0827427

4. Dun & Bradstreet Number. (If applicable). 00‐698‐0080 08‐8365767 787324008 6101442015. Website address (if applicable). www.att.com www.carahsoft.com www.crowehorwath.com www.emrisk.com6. Principal place of business. One AT&T Way, Bedminster, NJ 07921 1860 Michael Faraday Drive, Suite 100

Reston, VA 20190225 West Wacker Drive, Suite 2600Chicago, Illinois 60606‐1224

800 S. Douglas Road, Suite 940 North Tower, Coral Gables, FL 33134

7. Office Location for this project. 2002 NW 64th St., Ft. Lauderdale, FL 33309 1860 Michael Faraday Drive, Suite 100Reston, VA 20190



8. Telephone/Fax Number: Telephone no.:305‐913‐3887 Fax no.: Telephone no.:703.871.8500 Fax no.:703.871.8505 Telephone no.:954.202.8600 Fax no.:954.202.8639 Telephone no.:305‐447‐6750 Fax no.:305‐447‐67529. Type of Business Corporation; New York Corporation; Maryland Limited Liability Partnership Corporation; Florida10. List Florida Registration Number. 845822 GP0800003826

VENDOR QUESTIONNAIRE FORM

36 10/20/2017 1:35 PM


Licensing Matrix4. Workload of the Firm:List all completed and active projects that Vendorhas managed within the past five years. Inaddition, list all projected projects that Vendorwill be working on in the near future. Projectedprojects will be defined as a project(s) thatVendor is awarded a contract but the Notice toProceed has not been issued. Identify anyprojects that Vendor worked on concurrently.Describe Vendor’s approach in managing theseprojects. Were there or will there be anychallenges for any of the listed projects? If so,describe how Vendor dealt or will deal with theprojects’ challenges.

Verify that these questions are the same as in the advertised solicitation:1. Legal business name.

2. Doing Business As/ Fictitious Name (if applicable):3. Federal Employer I.D. Number.

4. Dun & Bradstreet Number. (If applicable).5. Website address (if applicable).6. Principal place of business.


8. Telephone/Fax Number:9. Type of Business10. List Florida Registration Number.



See PDF Pg. 76Since the company’s inception, Focal Point has provided HIPAA compliance, privacy, andinformation security services to clients in both the private and public sectors. Our team’sexperience in providing HIPAA compliance services is unparalleled in the marketplace. Inparticular, the team has extensive experience within the technology, healthcare, insurance, andgovernment industries. Focal Point typically performs over 30 HIPAA assessments on an annualbasis, and regularly perform multiple assessments concurrently with each other.



See PDF Pg. 26 ‐ 27Marcum:1. Independent Living Systems2. Nordis Technologies, Inc.3. Envolve Health Benefits4. International Union of Operating Engineers24by7Security:1. MCCI Group Health2. SantaFe Senior Living3. Integra Health4. Arkansas Heart Health5. Banyan Health Systems6. Barry University7. Clinical Information Systems8. Doctor’s Medical Center9. Primary Care Physician Group10. ED Care Management, Inc.11. Femwell Group Health12. Henderson Behavioral Health13. Insight Software14. Miami Dade College15. Mount Sinai Hospital16. Network Health Plans17. Northern Physician Organization18. Nova University19. Oncology Analytics20. Orange Care Group

Focal Point Data Risk, LLC Foresite MSP LLC Global Information Intelligence LLCMarcum LLP

61‐1805201 38‐3916369 273548900 111986323

08‐0541660 07‐8744163 968051180www.focal‐point.com www.foresite.com www.globalinfointel.com www.marcumllp.com201 E Kennedy Blvd, Suite 1750Tampa, FL 33602

E Windsor Ct 6860 North Dallas Parkway, Suite 200,Plano, TX 75024

451 East Las Olas Boulevard, Ninth FloorFort Lauderdale, FL 33301


New York 6861 North Dallas Parkway, Suite 200,Plano, TX 75024


Telephone no.:(813) 402‐1208 Fax no.:813‐436‐5283 800‐940‐4699 Telephone no.:4082509045 Fax no.:N/A 954‐320‐8000 Fax no.:954‐320‐8001LLC LLC Corp; DE ‐ LLC Limited PartnershipM16000008367

LLP090003311

37 10/20/2017 1:35 PM











See PDF Pgs. 61 ‐ 67.MGT has completed projects for the County, including:� Disparity Study of County Government (2000).� Cost Allocation Plans (2009, 2010, 2011, 2014, 2015, 2016).� Comprehensive Review of the Sheriff’s Office Department of Detention (2009).� Comprehensive Analysis of the Libraries Division (2010).Being a national company, MGT has completed many projects within the past five years. Therefore,instead of providing a list of the over 2,200 projects the firm has completed or is currently conducting, we are providing a list of clients served (presented in alphabetical order by state).

Not Provided

See PDF Pg. 258Online’s Risk, Security, and Privacy consulting practice has over 100 clients and delivers well over 200 engagements annually. To protect the privacy of our clients, we cannot divulge client names, but we can guarantee that our team can meet any project deadlines that Broward County establishes. Our 98% customer retention rate speaks volumes of our ability to meet our clients’ needs while delivering high quality services. Our dedication to the customer experience combined with our strong team bond (there are rare all‐hands‐on‐deck moments) help us ensure that we deliver engagements on time. The Risk, Security, and Privacy practice has never missed an engagement deadline. Online spends a great deal of time reviewing our workloads and our forecast pipeline so that we work the fine balance of not having too many consultants on the bench but also not overloading our consultants. We ensure that we always have a handful of qualified recruits in our hiring queue for when we hit growth spurts.

Not Provided

MGT of America Consulting, LLC Netitude, Inc. Online Enterprises Inc. Optiv Security

Netitude Online Business Systems Optiv, Optiv Security

81‐0890071 36‐4694227 41‐180 5060 43‐1806449

02‐096‐7659 968240825 08‐6535676 01‐946‐6684www.mgtconsulting.com www.Nettitude.com www.obsglobal.com optiv.com3800 Esplanade Way, Suite 210Tallahassee, FL 32311

85 Broad Street, New York NY 10004 US Headquarters: 7760 France Ave. S., Minneapolis, MN 55435 USACanadian Headquarters: 200‐115 Bannatyne Avenue, Winnipeg, MB Canada R3B 0R3

1125 17th St., Suite 1700Denver, CO 80202‐2032

Tallahassee, FL 85 Broad Street, New York NY 10004 000 Kruse Way Place, Bldg 1 Suite 360Lake Oswego, OR 97035

N/A

Telephone no.:850.386.3191 Fax no.:850.385.4501 Telephone no.:646‐795‐1881 Fax no.: Telephone no.:866.884.0304 Fax no.:503.224.5962 Telephone no.:(303) 298‐0600 Fax no.:(303) 298‐0868LLC Corporation; S Corporation; Minneapolis Corporation; DelawareL15000199435 In Progress

38 10/20/2017 1:35 PM










Our team of 40+ cybersecurity consultants has completed projects for hundreds of organizations over the past five years. In addition, our team uses multiple firm wide project management tools to assist with working with dozens of clients each week. Should an unexpected conflict occur while workingwith the County, the County will be given priority as necessary.

See PDF Pg. 29.The Presidio Cyber team averages 70 concurrent projects at any one time. Our project managersensure that we have resources allocated for the projects. Our project sizes range from $8,000 to$1.6M. We monitor and manage the workload monthly and make decisions on whether we needto add additional security consultants to the team. Presidio would assign a project manager and key members upon award of the contract. Wewould require two‐weeks to get the team in place.Presidio’s project manager would create a project plan that clearly outlines the project timelinesand responsibilities for Presidio and Broward County. Presidio would schedule weekly meetingswith Broward County to track the overall progress of the project. We will provide BrowardCounty weekly updates so project status is communicated. Presidio requests Broward County to identify a project sponsor that our project manager would work directly with.

RSM maintains confidentiality agreements with many of our clients. For this reason, we cannot name them in proposals or marketing collateral without express permission. However, in the Past Performance section on the prior page, we provide references from clients who can discuss our work with them on issues relevant to your operations.If we are engaged by the County, you will be a priority for our firm and to each member of your engagement team. Our workload fluctuates based on a number of factors, including timing and currently pending engagements. Regardless, our firm has excelled at managing its human resources so that ourworkload never surpasses the ability of our assigned teams to devote the time and attention necessary to add value to our clients’ organizations. Our ability to manage our workload is evidenced by relatively low turnover rates and is supported by clients’ opinions of our service.The engagement team along with County management will design a plan that will ensure expectations are met along with responsive and timely delivery of services as required by the County. The engagement in‐charge and staff will be solely dedicated to the County from start to finish for the audit. We believe this to be a team effort so that all team members understand their roles, expectations, deliverables andtimelines.We do not anticipate any scenario under which we will have difficulty completing the requested work.

See PDF Pg. 96.We are currently engaged on a number of client projects. We attempt to keep our workload commensurate with our staff. However, we believe the best way to measure our ability to complete task orders on time is through discussion with our current clients (see client references on previous page).We guarantee that we will:� Properly staff each project with employees that are qualified and technical experts;� Begin all task orders on time;� Complete them within budget, within the required time frame; and� Deliver a draft report within one (1) week of fieldwork completion.Due to confidential nature of our work, we are not permitted to provide a complete list of similar projects. However, we guarantee that Securance is experienced with networks of your size and complexity. We have provided a sampling of our related experience of governmental agencies on page 19.

Plante & Moran, PLLC Presidio RSM US LLP Securance LLC

Plante Moran

381357951 58‐1667655 FEIN‐42‐0714325 03‐0392503

004913299 15‐405‐0959 73482424 04‐1637542plantmoran.com www.presidio.com www.rsmus.com http://www.securanceconsulting.com27400 Northwestern HwySouthield, MI 48037

12120 Sunset HIlls Rd, Sutie 202Reston, Va 20190

100 NE Third Ave, Suite, Fort Lauderdale, FL 33301 6922 West Linebaugh Avenue, Suite 101, Tampa, FL 33625

Southfield, MI 3250 W. Commercial BlvdFort Lauderdale, Fl 33309

Fort Lauderdale 6923 West Linebaugh Avenue, Suite 101, Tampa, FL 33625

Tel:248‐223‐3428 Fax no.:248‐603‐5997 305‐606‐2835 954‐462‐6351 Telephone no.:877‐578‐0215 Fax no.:813‐960‐4946Limited Partnership LLC Limited Partnership LLCM11000002358 L15000111335 ADP004384 L02000005108

39 10/20/2017 1:35 PM











Due to the sensitivity and type of services, SHI cannot provide this information as it relates to otherprojects and customers either completed or in the future. SHI would be happy to meet with BrowardCounty discuss our approach and any challenges we may have experienced on similar projects. SHIbelieves in transparency and any time we come upon a challenge with a project we work with thecustomer to let them know the issues and possible solutions. SHI has a clearly defined escalation path soif a challenge arises the proper people can be engaged to assist. In addition as one of the top provider of IT solutions, SHI has built solid relationships with IT manufacturers and has a network of partners to work with should any challenges encountered required additional products or resources.

Workload at any one time varies across our Health Care consulting team and they are in demand for their services. Verizon always works on more than one project at a time, and would work with you to schedule you projects into this larger plan. Verizon cannot enumerate our current project as they are Customer confidential. Verizon is continuously working multiple projects concurrently and has the people, process andtechnology to ensure all active projects are meeting the milestones defined on the project scope. We do not anticipate any challenges; however, should issues arise we have a welldefined process for identifying the root cause and developing a remediation plan.

SHI International Corp Verizon Business Network Services Inc. on behalf of MCI Communications Services Inc.d/b/a/ Verizon Business Services (VerizonBusiness or Verizon)

22‐3009648 13‐2745892

61‐142‐9481 556565836www.shi.com www.verizonenterprise.com290 Davidson Ave Somerset, New Jersey 08873 OneVerizon Way, Basking Ridge NJ 07920

290 Davidson Ave Somerset, New Jersey 08873 Tampa, FL

800‐477‐6479 no.:(813) 520‐9786 Fax no.:813‐978‐6751Corporation; New Jersey Corporation; DelawareF‐01000004066 829591

40 10/20/2017 1:35 PM



Solution Provider: Trustwave Crowe Horwath LLP Enterprise Risk Management, Inc.11. List name and title of each principal, owner, officer and major shareholder.

a. Thadeus Arroyo, President and CEO AT&T, 208 S. Akard St., Dallas, TX 75202b. Anne Chow, President‐Integrator Solutions, AT&T, 208 S. Akard St., Suite 3514, Dallas, TX 75202c. Frank Jules, President ‐ Global Business AT&T, 208 S. Akard St., Suite 3509, Dallas, TX 75202d. Cathy Martine‐Dolecki, President ‐ Natl Bus AT&T, 1 AT&T Way, Bedminster, NJ 07921e. Delores McCarty, Assistant Secretary AT&T, 675 W Peachtree St, NW, Atlanta, GA 30308f. George B. Goeke, CFO and Treasurer AT&T, 208 S. Akard St., Suite 1824,Dallas, TX 75202AT&T is a publicly held corporation. No single person owns more than 10% of the company. It is an independent, publicly traded telecommunications services provider.The names and titles of the AT&T Inc. officers are• Randall Stephenson—Chairman and Chief Executive Officer (CEO)Willi Bl S i E ti Vi P id t H R


a) James Powers, CEOb) Joseph Santucci, COOc) Todd Welu, CFOd) Crowe Horwath LLP is a limited liability partnership with more than 275 partners/principals. If required, we will provide a complete listing of the partner/principals. The names and titles of the firm's leadership is available at www.crowehorwath.com/leadership.


12. Authorized contacts for your firm. Name: Dwayne StaffordTitle: Strategic Account LeadE‐mail: [email protected] No.: 786‐479‐4113Name: Esther MartinTitle: Strategic Account LeadE‐mail: [email protected] No.: 305‐582‐9541


Name: Craig SullivanTitle: PartnerE‐mail: [email protected] No.: 574.236.7618



No No No No

14. Has your firm, its principals, officers or predecessor organization(s) ever beendebarred or suspended by any government entity? If yes, specify details in an attachedwritten response, including the reinstatement date, if granted.

No No No No

41 10/20/2017 1:35 PM


Licensing Matrix11. List name and title of each principal, owner, officer and major shareholder.

12. Authorized contacts for your firm.





Robin Mano ‐ CEOGeorge Farris ‐ Board MemberDavid Cohen ‐ Board MemberGary Fish ‐ Board Member

a) DR. EMMANUEL HOOPER, PHD, PHD, PHD, Harvard Yale Alumni, Presidentb) Theresa Marie Hooper, BA (Harvard),Senior Executive

a) Michael Balter, Regional Managing Partnerb) Mark Agulnik, Partnerc) David Appel, Partnerd) Shaun Blogg, Partnere) Ilyssa Blum, Partner f) Marc Breslow, Partnerg) Michael Curto, Partner h) Adam Firestein, Partneri) Michael Futterman, Partner j) John Gabriel, Partner k) Cecelia Garber, Partner l) Kim Lamplough, Partner m) Michele Lipson, Partnern) Michael Novak, PartnerMarcum LLP is managed by more than 140 partners around the country. Below is a list of partners from our local Florida offices. A complete list of partners around the country is available at www.marcumllp.com/people‐

hName: Andrew CannataTitle: Principal, Cyber SecurityE‐mail: acannata@focal‐point.comTelephone No.: (813) 731‐9074Name: Eric DieterichTitle: Principal, Data PrivacyE‐mail: edieterich@focal‐point.comTelephone No.: (786) 390‐1490


John [email protected] 940 4699 ext 227

Name: DR. EMMANUEL HOOPER, PHD, PHD, PHDTitle: PresidentE‐mail: [email protected] No.: 408‐250‐9045Name: Theresa M. HooperTitle: Senior ExecutiveE‐mail: [email protected] No.: 714‐331‐1173


No No No No

No No No No

42 10/20/2017 1:35 PM







Systems Optiv Securitya) A. Trey Traviesa, Chairman & CEOb) Fred Seamon, Executive Vice Presidentc) Brad Burgess, Executive Vice President

a) Rowland Johnsonb) Ben Denshamc) Martin Wattsd) Mitchell Titley

a) Chuck Loewen (Founder, Owner & CEO)b) Tim Siemens (CTO)c) Lynne Black (CFO)


Name: A. Trey TraviesaTitle: Chairman & CEOE‐mail: [email protected] No.: 850.386.3191Name: Fred SeamonTitle: Executive Vice PresidentE‐mail: [email protected] No.: 850.386.3191

Name: Miles CornTitle: Head of Bid ManagementE‐mail: [email protected] No.: 646‐795‐1881Name: Karen BoltonTitle: EVP & Leader North AmericaE‐mail: [email protected] No.: 646‐795‐1898

Name: Steve LevinsonTitle: Vice President, Risk, Security & PrivacyE‐mail: [email protected] No.: 619.701.8614


No No No No

No No No No

43 10/20/2017 1:35 PM






Plante & Moran, PLLC dba Plante Moran Presidio RSM US LLP Securance LLCa) James Proppe, Managing Partnerb) Dnnis Graham, Group Managing Partnerc) Frank Audia, CIOd) Beth Bialy, Government Industry Group Leader

Regarding principals, owners, etc., not applicable. Presidio is a publicly owned company.

Paul Ashe




Name: Paul AsheTitle: PresidentE‐mail: [email protected] No.: 877‐578‐0215Name: Gillian TedeschiTitle: Director of MarketingE‐mail: [email protected] No.: 877‐578‐0215

No No No No

No No No No

44 10/20/2017 1:35 PM







Verizon Business ServicesThai LeeKoguan Leo


Name: Meghan FlisakowskiTitle: Public Program ManagerE‐mail: [email protected] No.: 5125174088Name: Natalie CastagnoTitle: Director Response TeamE‐mail: [email protected] No.: 732‐868‐5902


No No

No No

45 10/20/2017 1:35 PM



Solution Provider: Trustwave Crowe Horwath LLP Enterprise Risk Management, Inc.15. Has your firm ever failed to complete any services and/or delivery of products duringthe last three (3) years? If yes, specify details in an attached written response.

We are unaware of any work completion issues that would impair our ability to meet our obligations under any contract. AT&T is a large company with an international presence and significant contractual relations. Given the size and scope of our business, we from time to time over our history have been involved in occasional alleged contract performance claims and legal actions. However, AT&T is a well‐capitalized company with assets in excess of any outstanding claims or lawsuits. As such, we are unaware of any contact performance claim or legal action that would preclude or impair our ability to meet our obligations or perform our duties under any contract. We serve millions of customers around the globe, and we'll work hard to honor our promises.

No Yes, Like all large professional service firms, Crowe is, from time to time, subject to contract disputes or issues where contracts may be terminated for a variety of reasons, including without limitation lack of client funding, disputes over the scope of the work, or payment disputes. Through active management and communication with our clients, Crowe is usually successful in anticipating such areas and working with the client to mitigate these issues.

No

16. Is your firm or any of its principals or officers currently principals or officers of another organization? If yes, specify details in an attached written response.

Yes No No No


No No No No

46 10/20/2017 1:35 PM


Licensing Matrix15. Has your firm ever failed to complete any services and/or delivery of products duringthe last three (3) years? If yes, specify details in an attached written response.




No No No No

No Principal invests in multiple businesses Nop // p / / g p

Marcum Group is an organization providing a comprehensive range of professional services spanning accounting and advisory, technology solutions,wealth management and executive and professional recruiting. MARCUM LLPMarcum LLP is one of the largest independent public accounting and advisory services firms in the nation, with offices in major business markets throughout the U.S., Grand Cayman and China. MARCUM FINANCIAL SERVICESMarcum Financial Services was founded in late 2009 by combining the expertise of several professionals and firms with extensive investment, financial and business experiences. MARCUM SEARCHMarcum Search LLC offers professional recruiting services. Our recruiters recognize the importance of working closely with companies and prospective candidates to ensure the perfect match. MARCUM TECHNOLOGYMarcum Technology LLC is a full‐service integrated solutions vendor (ISV) specializing in data storage, disaster recovery, network infrastructure, IT staffing and managed services. MARCUM BERNSTEIN & PINCHUKMarcum Bernstein & Pinchuk is an independent public accounting firm. We provide a full range of audit and assurance, tax and transaction advisory services for clients in a variety of industries.MARCUM RBK (IRELAND) LIMITEDMarcum RBK is a service center for current and future hedge fund and privateequity fund clients of the Marcum Alternative Investment Group.

No No No No

47 10/20/2017 1:35 PM






Systems Optiv SecurityNo No No

Yes. Principal is CEO of MGT of America Consulting, LLC and Strategos Public Affairs, LLC, both wholly owned subsidiaries of MGT of America, LLC.

No No No

No No No No

48 10/20/2017 1:35 PM





Plante & Moran, PLLC dba Plante Moran Presidio RSM US LLP Securance LLCNo No

No No No No

No No No No

49 10/20/2017 1:35 PM






Verizon Business ServicesNo No

No No

No No

50 10/20/2017 1:35 PM



Solution Provider: Trustwave Crowe Horwath LLP Enterprise Risk Management, Inc.18. Has your firm’s surety ever intervened to assist in the completion of a contract or havePerformance and/or Payment Bond claims been made to your firm or its predecessor’s sureties during the last three years? If yes, specify details in an attached written response, including contact information for owner and surety.

No No No No


We are unaware of any work completion issues that would impair our ability to meet our obligations under any contract. AT&T is a large company with an international presence and significant contractual relations. Given the size and scope of our business,we from time to time over our history have been involved in occasional alleged contract performance claims and legal actions. However, AT&T is a well‐capitalized company with assets in excess of any outstanding claims or lawsuits. As such, we are unaware of any contact performance claim or legal action that would preclude or impair our ability to meet our obligations or perform our duties under any contract. We serve millions of customers around the globe, and we'll work hard to honor our promises.


No

20. Has your firm ever been terminated from a contract within the last three years? If yes,specify details in an attached written response.

Except for material matters that AT&T discloses in filings with the Securities and Exchange Commission or otherwise discloses in response to subpoenas or other valid court orders, AT&T is legally and contractually prohibited from disclosing information to third parties about contractual matters. Also, due to the size and scale of AT&T’s operations, as a practical matter, AT&T cannot state with absolute certainty whether AT&T has defaulted under a contract. Notwithstanding the legal and practical restrictions that limit AT&T’s ability to disclose specific contract performance issues, AT&T can assure Customer that AT&T is capable of performing the services requested under this RFP and that AT&T has no history or pattern of performance issues with other customers that would affect AT&T’s ability to perform the services requested by Customer. AT&T reiterates that AT&T is not aware of any circumstances involving performance under another contract which would materially and adversely impact AT&T’s ability to perform services for Customer. Moreover, AT&T is not aware of any circumstance when AT&T was not awarded a bid due to non‐performance concerns about AT&T by the entity sponsoring a particular procurement. AT&T is forced to qualify such assurances to the best of its knowledge due to the scale and scope of AT&T’soperations. AT&T will not be able to provide such assurances with absolute certainty with respect to every contract or bid opportunity in which AT&T has participated.


No

21. Living Wage solicitations only: No N/A N/A

51 10/20/2017 1:35 PM


Licensing Matrix18. Has your firm’s surety ever intervened to assist in the completion of a contract or havePerformance and/or Payment Bond claims been made to your firm or its predecessor’s sureties during the last three years? If yes, specify details in an attached written response, including contact information for owner and surety.





No No No No

No No No Our firm enters in to Engagement letters with clients that allow for cessation of work and/or termination by either party in certain circumstances.

No No No Our firm enters in to Engagement letters with clients that allow for cessation of work and/or termination by either party in certain circumstances.

N/A N/A N/A N/A

52 10/20/2017 1:35 PM







Systems Optiv SecurityNo No No No

No No No No

No No No No

N/A N/A N/A N/A

53 10/20/2017 1:35 PM






Plante & Moran, PLLC dba Plante Moran Presidio RSM US LLP Securance LLCNo No No No

No No No No

No – Plante Moran is not aware of any client terminating a contract involving the provision of information technology security and compliance services. As one of the country’s largest accounting and consulting firms with thousands of annual engagements, there likely have been instances during the last three years where clients receiving tax or accounting‐related services have elected to use other service providers for their particular needs. Plante Moran’s record of client service and satisfaction is best in class, with 99% of clients indicating they would recommend Plante Moran to others.

No No No

N/A N/A N/A N/A

54 10/20/2017 1:35 PM







Verizon Business ServicesNo No

No No

No No

N/A N/A

55 10/20/2017 1:35 PM

RFQ A2114499R1 ‐ Broward County IT Security and Compliance ServicesCategory 3 ‐ IT Audit Services

Licensing Matrix

Prime: 3K Technologies LLCSubs: Managni Systems, Inc. ; Aujas Information Risk

Services ATTPrime: Carahsoft Technology Corp

Solution Provider: Trustwave Crowe Horwath LLP

Servers and Workers Located in the USA Attestation Form Provided Provided ‐ PDF Pg. 569 Provided ‐ See Page 47 Provided ‐ See PDF Pg. 9AND

1. Certified Information Systems Security Professional (CISSP) on staff and proposed key team member





ORCertified Information Systems Auditor (CISA) on staff and proposed key team member Not Provided

Requirement MetNot Provided


Requirement MetProvided

Requirement Met

Vendor Questionnaire Form Provided Provided Provided Provided

Vendor Security Questionnaire Form Provided Provided ProvidedProvided


FORMS

1 10/20/2017 1:35 PM

RFQ A2114499R1 ‐ Broward County IT Security and Compliance ServCategory 3 ‐ IT Audit Services

Licensing Matrix

Servers and Workers Located in the USA Attestation FormAND






FORMS

Enterprise Risk Management, Inc. Focal Point Data Risk LLC Foresite MSP LLC Global Information Intelligence LLC












2 10/20/2017 1:35 PM


Licensing Matrix







FORMS

Prime: Marcum LLPSub: 24by7 Security MGT of America Consulting, LLC Plante & Moran, PLLC dba Plante Moran Presidio

Provided Provided ‐ See PDF Pg. 23 Provided Provided











3 10/20/2017 1:35 PM


Licensing Matrix







FORMS

RSM US LLP Securance LLC SeNet International Corporation SHI International Corp












4 10/20/2017 1:35 PM


Licensing Matrix







FORMS

Verizon Business Network Services Inc. d/b/aVerizon Business Services

Provided



Provided

Provided

5 10/20/2017 1:35 PM


Licensing Matrix




1. Ability of Professional Personnel:

a. Describe the qualifications and relevant experience of the Project Manager and allkey staff that are intended to be assigned to services performed within this category.Include resumes for the Project Manager and all key staff described.

See file "Evaluation ‐ Cat 3" Aman has extensive experience in IT audit services. He is experienced in doing audits from security standpoint for different companies. He has well proven industry standard procedures and techniques help perform these audits and generate recommendations for the clients.


CONFIDENTIAL




See PDF PG. 22 Trustwave knows the ins and outs of risk. And we want you to understand risk, too. Our Global Compliance and Risk Services team serves as trusted advisors who operate alongside your internal team. Our Global Compliance and Risk Services staff is made up of Qualified Security Assessors (QSAs) and our consultants hold various other industry certifications including CISSP, CISM, and CISA certifications, among others. The team averages more than eight years of experience in IT security, information security as well as extensive compliance, audit and consulting expertise. The Global Compliance and Risk Services team (GCRS) is backed by our SpiderLabs team to keep you ahead of the latest threats and is also sponsored by a Senior Compliance Support Analyst to ensure your project runs smoothly. We will customize your engagement, assess what is unique about your business challenges and scale with your business needs.

See PDF Pgs. 55‐56. Appendix A ‐ Resumes (PDF Pgs. 67 ‐ 70). Appendix B ‐ Relevant Certifications (PDF Pgs. 76 ‐ 84).Craig D. Sullivan, CPA, CISA, QSA, Partner, 32+ years experienceJeffrey A. Palgon, CPA, CISSP, CISM, CISA, Senior ManagerKiel Murray, Senior Manager, 7+ years experienceBert Valle, CISA, Security+, CobiT, Itil, Manager, 13+ years experience

b. List any other relevant Security and Compliance Industry certifications that theProject Manager and key staff described may have. Include copies of certificates, ifapplicable.

See file "Evaluation ‐ Cat 3" Aman has CISSP certification. In addition to that, he has additional certifications like AWS Certified Solutions Architect, Infoexpress Certified CyberGatekeeper Administrator, Certified SonicWall Security Administrator, Cyberoam Certified Network & Security Professional (CCNSP), McAfee Certified System Security Technical Professional (MCSSTP), Securing Network with Pix and ASA (SNPA), CCNA, Check Point Certified Security Administrator, ISO 27001:2013 Lead Auditor.


CONFIDENTIAL




See PDF PG. 22 Please see the representative biographies embedded below, including the typical certifications held by the resources who may be assigned to your project.

See PDF Pgs. 55‐56. Appendix A ‐ Resumes (PDF Pgs. 67 ‐ 70). Appendix B ‐ Relevant Certifications (PDF Pgs. 76 ‐ 84).Craig D. Sullivan, CPA, CISA, QSA, Partner, 32+ years experienceJeffrey A. Palgon, CPA, CISSP, CISM, CISA, Senior ManagerKiel Murray, Senior Manager, 7+ years experienceBert Valle, CISA, Security+, CobiT, Itil, Manager, 13+ years experience

EVALUATION CRITERIA

6 10/20/2017 1:35 PM


Licensing Matrix




EVALUATION CRITERIA


See PDF Pgs. 68 ‐ 78Esteban Orlando Farao, CISSP, CISA, CISO, CRISC, CEH, QSA, and PCIP.PCI QSA, 20+ years experienceKaren Livingstone, CPA, CIA, CISA, CRMARay Vazquez, CISA, CRISC, Senior Executive, Extensive experience in enterprise risk management, technology risk management, Information Security, etcChristopher Sanchez, Information Security ConsultantMaria Rogers, CEH, CCFE, Extensive experience in software testing and Digital ForensicsAnimesh Srivastava, Information Security Consultant, Extensive experience competing regulatory compliance assessmentsSrivathsav Gandrathi, CEH, Information Security Consultant, Extensive experience in Implementation of Secure Network Protocols

See PDF Pg. 113 ‐ 115Larry Burke, Principal, CPA, CITP, CGMA, HITRUST CCSFP.Franchesca Sanabria – Principal, CIPP/US, CISA, HITRUST CCSFP. Franchesca is aPrincipal at Focal Point in the National Data Privacy Practice. She has over 12 years ofexperience in governance, risk and compliance.Derek Parks – Director, CISSP, CBCP, CISA, QSA.Donel Martinez – Senior Manager, CISA, CAMS. Donel Martinez is a Senior Manager in theSouth Florida office of Focal Point.Ivan Reyes – Senior Manager, CISA, HITRUST CCSFP.Lascelles Gonsalves – Manager, CISA.Corey Gant – Manager, CISSP, CISM, PMP, CISA, CGEIT, ITIL V3F, 12+ years experienceAdriel Camejo – Senior Consultant, CISA, CAPM.


See PDF Pg. 78Principal and Senior INFORMATION TECHNOLOGY (IT) SECURITY AND COMPLIANCE SERVICES Expert: Dr. Emmanuel Hooper, PhD, PhD, PhD Information Security and Computing Sciences (Over 30 years of Professional Experience and 25 years of Research, Harvard and Yale Alumnus, Summa Cum Laude, and Oxford Research, etc.)Global Information Intelligence LLC (100% Small Business, Minority, and Women Owned)By President, Dr. Emmanuel Hooper, PhD, PhD, PhD Computing Sciences and Information Security Founder, Consortium for Emerging Technologies‐Harvard, Exemplary Models forFederal, State, Local, Counties, Cities, Private/Public Sectors, Academia & Industry and GlobalCategory 3 – IT Audit Services:� Provided intelligent and effective services within this category including IT Audit and Review Services.� Examples of specific activities includes but not be limited to evaluation of IT General and Application controls, IT Governance, Security Strategy and Systems, General Network Topology, Connections to External Parties, Inbound and Outbound Remote Access, IT Security Policies and Procedures, Network Device Security (i.e. switches, routers, firewalls, wireless access points) – Firmware and Patching Standards, Endpoint Devices (Servers, workstations) – Patching and Antivirus checks, Physical Security, Data/Configuration Backup and Disaster Recovery, Network Management, Vendor/Contractor Access Management, System Administration/Privileged Access Management, and Network Documentation Creation and Maintenance.

See PDF Pg. 79• Esteban Farao: CISSP, CISA, CISO, CRISC, CEH, PCI QSA, and PCIP• Maria Rogers: CEH• Animesh Srivastava: CCFE• Srivathsav Gandrathi: CEH

See PDF Pg. 113 ‐ 115Larry Burke, Principal, CPA, CITP, CGMA, HITRUST CCSFP.Franchesca Sanabria – Principal, CIPP/US, CISA, HITRUST CCSFP. Franchesca is aPrincipal at Focal Point in the National Data Privacy Practice. She has over 12 years ofexperience in governance, risk and compliance.Derek Parks – Director, CISSP, CBCP, CISA, QSA.Donel Martinez – Senior Manager, CISA, CAMS. Donel Martinez is a Senior Manager in theSouth Florida office of Focal Point.Ivan Reyes – Senior Manager, CISA, HITRUST CCSFP.Lascelles Gonsalves – Manager, CISA.Corey Gant – Manager, CISSP, CISM, PMP, CISA, CGEIT, ITIL V3F, 12+ years experienceAdriel Camejo – Senior Consultant, CISA, CAPM.


See PDF Pg. 78Principal and Senior INFORMATION TECHNOLOGY (IT) SECURITY AND COMPLIANCE SERVICES Expert: Dr. Emmanuel Hooper, PhD, PhD, PhD Information Security and Computing Sciences (Over 30 years of Professional Experience and 25 years of Research, Harvard and Yale Alumnus, Summa Cum Laude, and Oxford Research, etc.)Global Information Intelligence LLC (100% Small Business, Minority, and Women Owned)By President, Dr. Emmanuel Hooper, PhD, PhD, PhD Computing Sciences and Information Security Founder, Consortium for Emerging Technologies‐Harvard, Exemplary Models forFederal, State, Local, Counties, Cities, Private/Public Sectors, Academia & Industry and GlobalCategory 3 – IT Audit Services:� Provided intelligent and effective services within this category including IT Audit and Review Services.� Examples of specific activities includes but not be limited to evaluation of IT General and Application controls, IT Governance, Security Strategy and Systems, General Network Topology, Connections to External Parties, Inbound and Outbound Remote Access, IT Security Policies and Procedures, Network Device Security (i.e. switches, routers, firewalls, wireless access points) – Firmware and Patching Standards, Endpoint Devices (Servers, workstations) – Patching and Antivirus checks, Physical Security, Data/Configuration Backup and Disaster Recovery, Network Management, Vendor/Contractor Access Management, System Administration/Privileged Access Management, and Network Documentation Creation and Maintenance.

7 10/20/2017 1:35 PM


Licensing Matrix




EVALUATION CRITERIA


See PDF PG. 84For Marcum LLP’s proposed key staff, refer to profiles and certificates available in Appendix A.� Client Service and Engagement Partner:Mark Agulnik, Partner, CPA, CISA, PCI‐QSA� Principal:Heather Bearfield, Principal, CISA, CISM, CRISC, PCI‐QSA� Senior Manager (Project Lead):Jose Antigua, Senior Manager, CISA, ACDA, COBIT� Senior Manager:Robert Coro, Senior Manager, CISA, CISM, PCI‐QSA

See PDF Pgs. 99 ‐ 102.Tony Martinez, Project Manager, Project Management, Vulnerability Assessment, Physical Penetration Testing, Network Penetration Testing, Web Application Penetration Testing, Security Auditing, Secure Code Reviews, Disaster Reovery/ Business Continuity Planning, Security Policy DesignSteve Porter, CISSP, GPEN, GWAPT, QSA, CEH, GICSP, GMOB, GCIH, Vulnerability Assessment, Network Penetration Testing, PCI‐DSS Preparation & Remediation, Security Auditing, Database Security, Secure Code Reviews, Firewall Administration, System Hardening and Patching, Disaster Recovery/Business Continuity Planning & Design, Security Policy Design, Log Management Planning, Design, AdministrationHenri St. Louis, CISSP, QSA, GCFE, OPST, Vulnerability Assessment, Network Penetration Testing, PCI‐DSS Preparation & Remediation, Security Auditing, Database Security, Secure Code Reviews, System Hardening and Patching, Disaster Recovery/Business Continuity Planning & Design, Security Policy DesignJJ Maria Giner, GPEN, Vulnerability Assessment, Network Penetration Testing, Web Application Penetration Testing

See PDF Pgs. 28 ‐ 29.F. Alex Brown, CPA, Senior Manager, 18+ years experienceCollin Taggart, CPA, CISA, Senior Manager, 18+ years experienceBob Funke, MBA, CISA, Manager, 25+ years experienceTony Chan, CISA, CRISC, Manager, 10+ years experienceGrant Phillips, Consultant, Experience in information security, internal control and IT audit

Resumes See PDF Pgs 75 ‐ 89.See PDF Pgs. 32The Presidio Project Managers are responsible for managing all cyber security projects that include: Payment Card Industry Data Security Standard (PCI DSS), Health Insurance Portability and Accountability Act (HIPAA), IT Audit Services, Security Penetration testing, and architecture consulting. Presidio’s project managers and key staff have an extensive list of industry certifications that include: CISSP, CISA, CISM, CRISC, OSCP, GPEN, GWAPT, G2700, CEH, ITIL Practitioner and ITIL (v3). In addition, Presidio has 1,600 engineers on the backend that provide architecture design and implementation services. Presidio has been providing IT Audit services since September 2006.

See PDF PG. 84For Marcum LLP’s proposed key staff, refer to profiles and certificates available in Appendix A.� Client Service and Engagement Partner:Mark Agulnik, Partner, CPA, CISA, PCI‐QSA� Principal:Heather Bearfield, Principal, CISA, CISM, CRISC, PCI‐QSA� Senior Manager (Project Lead):Jose Antigua, Senior Manager, CISA, ACDA, COBIT� Senior Manager:Robert Coro, Senior Manager, CISA, CISM, PCI‐QSA


See PDF Pgs. 28 ‐ 29.F. Alex Brown, CPA, Senior Manager, 18+ years experienceCollin Taggart, CPA, CISA, Senior Manager, 18+ years experienceBob Funke, MBA, CISA, Manager, 25+ years experienceTony Chan, CISA, CRISC, Manager, 10+ years experienceGrant Phillips, Consultant, Experience in information security, internal control and IT auditAs noted above, related key staff have certifications for CPA, CISA, CRISC, with additional teammatespotentially involved in related projects also holding QSA, CCSFP, CEH, and CCNA certifications.

See PDF Pgs 23 ‐24.Presidio brings Broward County our broad skill set and depth of experience. Our security engineering team is composed of Certified Information System Security Professionals (CISSPs), Certification and Accreditation Professionals (CAPs), InfoSec Assessment Methodology (IAM) professionals, Certified Ethical Hackers (CEHs), and Certified Information Security Managers (CISMs). This highly trained and experienced group has completed many Vulnerability Risk Assessment (VRA) and Security Certification and Accreditation (C&A) projects, tests, evaluations, and related services. Exhibit 4 illustrates Presidio’s Security Certifications. Our security professionals keep current with changes in the information security space and are considered thought‐leaders in the market. Each security team member has extensive experience performing VRA and C&A services for commercial, enterprise, and government clients and is well acquainted with applicable compliance regulations.

8 10/20/2017 1:35 PM


Licensing Matrix




EVALUATION CRITERIA


The most critical element in the successful completion of any engagement of this nature is the personnel assigned to carry out the responsibilities and the depth of resources available to support the County. Our team has a strong blend of information technology auditing, information security experience, project management capabilities and extensive experience auditing various applications, supporting systems and databases. The following table describes the qualifications of the proposed team, their roles and the value they will bring to the County. Detailed biographies containing each team member’s formal education and professional affiliations are included in the Team resumes section located in the Appendix of this proposal.Jason Alexander, Principal, Risk Advisory Services, Engagement Leader, 15+ years experienceAlexandra Lorie, Director, Risk Advisory Services, Engagement Director, 16+ years experienceRyan Moore, Manager, Risk Advisory Services, Manager, and IT general and application controls specialistRyan Hay, Manager, Risk Advisory Services,

Paul Ashe, President and Engagement Manager, CPA, CISA, CISSP, 15+ years experienceChris Bunn, Practice Director and Senior IT Security Consultant, CISA, CHP, 30+ years experienceChris Cook, Senior IT Security Consultant, CISSP, CISA, 20+ years experienceChris Thomas, Senior IT Security Consultant, CompTIA Security+, CompTIA Network+, 10+ years experience

See PDf Page 12‐24 for Qualifications and pages 70‐82 for Resumes.Qualifications and Experience

The SHI Security Services team are all senior level Security Professionals with each having 20+ years’ experience. Specific skill sets may vary but overall each has experience working with various industry security frameworks such as NIST or SANs CIS Controls. The team holds many different Security related certifications however all have a CISSP certification.

Jason Alexander, Certified Internal Auditor (CIA), Certified Information Systems Auditor, Certified Fraud Examiner (CFE)Ryan Moore, Certified Internal Auditor (CIA), Certified Information Systems Auditor (CISA), Certified Information Technology Infrastructure Library (ITIL)Ryan Hay, Certified Information Systems Auditor (CISA), Certified Information Systems Security ProfessionalTrixie de Leon, Certified Information Systems AuditorAlyssa Mrdjenovich, Certified Cloud Security Knowledge (CCSK), Certified Information Systems Auditor (CISA), ISO/IEC 27001 Lead Auditor

Paul Ashe, President and Engagement Manager, CPA, CISA, CISSPChris Bunn, Practice Director and Senior IT Security Consultant, CISA, CHPChris Cook, Senior IT Security Consultant, CISSP, CISAChris Thomas, Senior IT Security Consultant, CompTIA Security+, CompTIA Network+

See Pages 5 ‐ 10Qualifications and Experience


9 10/20/2017 1:35 PM


Licensing Matrix




EVALUATION CRITERIA


See Pages 39 ‐ 41.Verizon’s Project Management organization comprises over 60 PMs with significant experience in managing large programs and projects. In order to ensure the successful delivery of all projects and meet the standards required by our Clients, Verizon’s PMs hold the highest levels of certification recognized globally across the Project/Program Management field. Furthermore, Verizon’s Project Management organization haschosen the Project Management Institute’s (PMI’s) Project Management Body of Knowledge (PMBOK®) Guide and Standards as the baseline of its Project Management Delivery Method.

As well as a leading global Qualified Security Assessor (QSA), Payment Application Qualified Security Assessor (PA‐QSA), and Qualified Security Assessor Point‐to‐Point Encryption (P2PE) company, we are one of few qualified PCI Forensic Investigators (PFI) for Visa and MasterCard.Our assessors are highly experienced, often industry thought‐leaders and maintain an array of security industry certifications including the Certified Information Systems Security Professional (CISSP), Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM), and Certified Ethical Hacker (CEH).

10 10/20/2017 1:35 PM


Licensing Matrix



Solution Provider: Trustwave Crowe Horwath LLP2. Project Approach:a. Describe the prime Vendor’s approach to performing similar work in this Category. We are going to take holistic approach to the project. First

is to understand the complete environment at Broward county, including the servers, Linux machines, web servers, Linux servers, application running and the complete infrastructure. We are going to lay down a comprehensive effort to get this started. Then identify the best practices to start using it for implementing Audits. The goal is to lay down a phased approach to penetration testing, including the pre work as well as any precautions that needs to be taken so that the results are accurate


CONFIDENTIAL




See PDF Pg. 22 ‐ 25Trustwave has a number of IT Audit and Risk assessment‐related services available to Broward County. A Trustwave risk assessment engagement gives your organization a roadmap for a risk‐based approach to decision‐making. This helps establish security standards and informs purchasing decisions, but more importantly ‐ it helps your organization set the framework for following numerous compliance and industry best practices. We combine elements of best practices from National Institute of Standards and Technology (NIST) special publications, the Operationally Critical Threat, Asset and Vulnerability Evaluation (OCTAVE) security framework, International Organization for Standardization (ISO) 27000 series family of standards, as well as our own proprietary methods. Engagements are scaled as needed for business needs, or for an entire enterprise, and can be specific to an infrastructure, application, device or data type. A brief description of each of the offerings are listed below, as well as a sample project plan approach.

See PDF Pg. 57 ‐ 61Information Technology (IT) Risk AssessmentThe Information Technology Risk Assessment is designed to help an institution get a holistic view of the risks associated with their IT Environment. During this assessment, Crowe will work closely with County personnel to prioritize information systems based on risk. This risk will be determined considering the applications and functions managed by the system, and considering the sensitivity and vulnerability levels associated with the systems. As a result of this assessment of IT Risk, Crowe will work with the County to develop an IT Audit schedule. This plan will help the County to determine how they will monitor and control systems with considerable risks. Special attention will be paid to the direction of risk, and the increasing or decreasing dependence on certain customer information systems, regulatory scrutiny and pressures, current IT Industry Risks and the County’s strategic IT planning.� The acknowledgment and assessment of risks that threaten customer information systems� The development of controls and procedures that minimize these types of risks� The management of service providers including review and monitoring of third party activity as itrelates to customer information....

b. Number of employees, coordination efforts, servers and workers located withinUSA.

See file "Evaluation ‐ Cat 3" Number of employees will be determined based on the infrastructure we have to maintain and cover for IT audits. It will also depend on the timeframe required to complete the project

CONFIDENTIAL




See PDF Pg. 25All employees and servers would be within the United States. Trustwave has over 900 employees in the US.


11 10/20/2017 1:35 PM


Licensing Matrix2. Project Approach:a. Describe the prime Vendor’s approach to performing similar work in this Category.



See PDF Pg. 84 a. ApproachA review of the project’s objectives, scope, scheduled activities, assumptions and or possible constraintswill be reviewed with client key personnel and staff during a project kickoff meeting.Client shall cooperate with ERM in the performance of ERM’s services. To comply with budgeted project estimates, ERM requires the timely, complete and accurate cooperation from the client.IT AuditERM will perform a comprehensive Information Technology Audit of the client organization’s processes,procedures, and IT infrastructure. The IT Audit will cover all critical general and application controls. The various phases and components of the audit will depend on the specific project scope at hand, but will include, at a high‐level, the following areas: (1) General Audit Planning; (2) Review of General Controls; Review of Infrastructure Controls; and (4) Review of Application Controls. The Information Systems audit work performed on a periodic basis will be based on the results of the overall audit risk assessment andthe proposed audit plan, after management and the Audit Committee approve such plan. Our review ofthe areas mentioned above assumes we will receive assistance from the internal personnel of theorganization....

See PDF Pg. 116 ‐ 120When providing co‐sourced services, our approach is to follow the client’s methodology whileleveraging the foundational elements of the Focal Point methodology to provide the highestlevel of customer service. Focal Point uses a collaborative but disciplined approach to executingaudit projects. We will ensure that there is proper planning, timely communication to the InternalAudit team prior to the start of audit fieldwork, complete and accurate workpapers, validatedfindings, and relevant and practical recommendations to correct deficiencies.We will take a risk‐based approach to performing a review of the information technology risks,related general controls, technical and network safeguards, information technology processes,and oversight activities in connection with these areas in accordance with applicable regulatoryguidance and internal audit standards. As appropriate, we will also reference or utilize relevantguidance such as COBIT, the National Institute of Standards and Technology (NIST), ISO27000, and ITIL.....

See "Broward Security Services 2017" See PDF Pg. 40Global Information Intelligence will apply its expert and proven methodology to provide BROWARD COUNTY with INFORMATION TECHNOLOGY (IT) SECURITY AND COMPLIANCE SERVICES using Intelligent, Proactive and Robust and Resilient methods that include proactive recommendations and remediation sample for design and implementation operational effectiveness for INFORMATION TECHNOLOGY (IT) SECURITY AND COMPLIANCE SERVICES: Network assessment of BROWARD COUNTY Corporate Network and its Operations Technology Network. INFORMATION TECHNOLOGY (IT) SECURITY AND COMPLIANCE SERVICES

See PDF Pg. 85ERM has approximately 30 full time employees. Of these employees, 25 are located in the USA. Onlyfull time employees located in the USA will work in these engagements.Regarding coordination efforts, Esteban Farao will be the Project Manager. He will lead a project kickoffmeeting, send the information requirements, manage the project, communicate with the clientproject team, lead project update calls and meeting as well as delivery the final reports andpresentations.All of ERM’s severs are located at the ERM’s headquarters in Coral Gables, Florida.



See PDF Pg. 40Global Information Intelligence will apply its expert and proven methodology to provide BROWARD COUNTY with INFORMATION TECHNOLOGY (IT) SECURITY AND COMPLIANCE SERVICES using Intelligent, Proactive and Robust and Resilient methods that include proactive recommendations and remediation sample for design and implementation operational effectiveness for INFORMATION TECHNOLOGY (IT) SECURITY AND COMPLIANCE SERVICES: Network assessment of BROWARD COUNTY Corporate Network and its Operations Technology Network. INFORMATION TECHNOLOGY (IT) SECURITY AND COMPLIANCE SERVICES

12 10/20/2017 1:35 PM





See PDF Pgs. 85‐86Firm’s historyMarcum LLP is one of the largest independent public accounting and advisory services firms in thenation, with offices in major business markets throughout the U.S., Grand Cayman and China.Headquartered in New York City, Marcum provides a full spectrum of traditional tax, accounting and assurance services; advisory, valuation and litigation support; and an extensive range of specialty and niche industry practices. The Firm serves both privately held and publicly traded companies, as well as high net worth individuals, private equity and hedge funds, with a focus on middle‐market companies and closely held family businesses. Marcum is a member of the Marcum Group, an organizationproviding a comprehensive array of professional services.Established in 1951, Marcum is a leader with an outstanding reputation at the national and regional levels. Marcum is ranked as one of the largest firms in the New York metropolitan area (Crain’s New York Business), the New England region (Boston Business Journal) and the Southeast (South Florida Business Journal).....

See PDF Pg. 103 ‐ 104.We pride ourselves on our years of continuous business and these two cornerstone tenants of ourbusiness: In‐Depth Understanding of State and Local Government—MGT has worked almost exclusively with the public sector. As a result, we understand the challenges and unique issues inherent in the operations of state and local government programs and service delivery. Because many of our staff have worked in government, we have a clear understanding of the state and local government structure, control agencies, budgetary processes, and political environment. Our Focus is on Business Understanding and Analysis—MGT consistently focuses on identifying and implementing the most effective and efficient methods for achieving operational objectives in all of our engagements. No matter what the task, we “cut to the chase,” and work to provide the most viable business solutions in the shortest amount of time, at the lowest cost. We understand the importance of streamlining business processes and we know how to pinpoint the most efficient and effective methodologies for specific situations. Based on our more than 40 years of experience in providing consulting services to federal, state, and local government clients, MGT knows the success of any project is based upon the project management. Our project manager will work in tandem with the County’s designated project lead to drive the MGT project management principals and guidelines for the development of your customized solutions.

See PDF Pgs. 24‐33For nearly 30 years, Plante Moran has been recognized leader in providing information technology services to public sector clients. We are a full service consulting firm with significant and recentexperience in conducting Information Technology Audit Services. Our approach to each consultingengagement is structured to provide the services and level of professional support required to meetthe individual needs of the client. We will work jointly with Broward County management to design aprocess that will meet the overall needs of the County. Plante Moran uses a phased approach tocreate a high probability of success for our clients. This approach provides for a structured andfocused effort throughout the project. The major tasks are organized into five phases. At theconclusion of each phase, there is a scheduled management meeting to confirm progress and to gain synergy for the next phase. Below is a summary of our approach and project phases.

See PDF Pg. 33 ‐ 34Presidio’s approach methodology for IT Audit Services includes the following components:� Kickoff Meeting� Governance Assessment� External Vulnerability Assessment� Internal Vulnerability Assessment� Wireless Vulnerability Assessment� Web Application Assessment� Penetration Testing� Physical Security Assessment� Social Engineering Assessment� Secure Network Architecture Assessment� Active Directory Architecture Assessment� Firewall Analysis� Device Hardening Assessment� Remote Access Assessment� Deliverableso Executive Summaryo Vulnerability Assessment Reporto Detailed Architecture Reporto Firewall Rule Analysis

See PDF Pg. 86As a national firm with 29 offices and approximately 1,550 professionals, we serve as a strategic alternative to the much larger firms. The partners and managers with whom you will develop relationships, drive all major decisions; possessing both the appropriate resources and decision making authority. Our local firm approach provides hands‐on service and timely communication, resulting in the County receiving the best of both worlds. Marcum has more than 20 professionals dedicated to providing IT Audit and Technology Services....

See PDF Pg. 104.Our firm of over 60 professionals has successfully managed more than 8,500 client engagements nationally with a significant portion of MGT’s engagements being repeat business, reflecting the firm’s commitment to achieving a high level of customer satisfaction and ability to exceed the expectations of clients. Prior to working with public sector entities as consultants, many of our staff worked ingovernment agencies as executives and managers. This insider's knowledge of government structure and process gives MGT a competitive advantage and an ability to hit the ground running from the very start of a project. Our organization leverages leading project management solutions, and highly qualified trained professionals throughout all aspects of our engagements in order to ensure the best customerexperience at every stage.

See Pg. 32Plante Moran has over 2,200 employees and 500 servers in the USA.

See PDF Pg. 34Presidio has twenty‐three (23) people on our Cyber Security Consulting team all whom arePresidio employees located within the USA. The Presidio Cyber Security Project Managerscoordinate all the resources on the Presidio team.

13 10/20/2017 1:35 PM





See PDF pages 33 ‐ 37.It is our understanding that the County is looking for a professional services firm that can provide IT auditservices over a variety of technological areas. A key component of our audit methodology is an integratedapproach across our IT risk advisory professionals, which include both risk and technology team members. Based on our understanding of your needs, we are confident that RSM has the right capabilities, qualifications, and client‐service culture that align specifically to the IT audit services being requested. Our IT risk advisory professionals will work closely with the County to determine the scope of IT control assessment areas. The assessment of IT controls performed by RSM would follow the guidelines of Committee of Sponsoring Organizations (COSO), Control Objectives for Information and Related Technologies (COBIT), and other industry standards, such as IT Infrastructure Library (ITIL), and International Organization for Standardization (ISO). While the County’s audit plan may include individually scoped audits that are specifically technology related, we recognize that most audits will have some relation to your technology platforms and may require expertise beyond standard IT general controls. Our IT risk advisory team will work with your technology team to best determine how to obtain the information we need. We will work with our technology team to best understand how to evaluate your critical applications, supporting systems and databases efficiently and effectively.

Our audit approach is unlike that of any other professional services or accounting firm. We focus on technology risk as it translates into business risk. Our approach will focus on continuous assessment of Broward County IT controls. As we begin the audit process, we will work closely with Internal Audit Management to better understand key technology issues and changes in the organization’s IT environment. We will leverage available resources in your IT and Internal Audit Departments — teaming to eliminate unnecessary duplication of effort, to enhance quality and to maximize cost effectiveness. Securance Consulting’s continuous assessment of these factors will result in discussions with Management to determine what procedures should be performed during the audit, who should perform them and when they should be performed. As a result, we will strategically focus our efforts on areas of high technology risk. Ultimately, our process will deliver assurance. Our audit results are objective. Through continuous communication throughout the process, we deliver a real‐time view of technology risk, providing early warnings and no surprises.

See Pages 21 ‐ 37. Initially a kick off call will be scheduled to review the scope, tasks, contacts, communications plan and logistics required to complete the project. Requested documentation (Policies, Process and Procedures, network diagrams) are reviewed and an External Security Vulnerability Scan is completed prior to onsite activities. Onsite activities will consist of staff interviews, internal network scans, live network data capture analysis, device security configurations and physical site visits. All information gathered is reviewed for analysis and alignment with IT Security best practices and other industry guidelines with results presented in a report detailing the overall security posture with findings and recommendationsfor remediation.

See PDF Pg 38.Our IT risk advisory professionals comprise nearly 1,000 professionals who contain a deep understanding of widely adopted frameworks, best practices and standards such as Committee of Sponsoring Organizations of the Treadway Commission (COSO), Control Objectives for Information and related Technology (COBIT), Information Technology Infrastructure Library (ITIL), International Organization forStandardization (ISO), and the National Institute of Standards and Technology (NIST). Our IT risk advisory professionals hold various professional certifications such as Certified Public Accountant (CPA), Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM), Certified Information Systems Security Professionals (CISSP), Certified Information PrivacyProfessional (CIPP), Certified Business Continuity Professional (CBCP) and various SANS GIAC (GlobalInformation Assurance Certification) security certifications. In addition, many of our professionals have technical certifications such as Microsoft Certified System Engineer (MCSE), Cisco Certified Network Associate (CCNA), Cisco Certified Design Associate (CCDA), and Certified Novell Engineer (CNE).

See Audit Approach Pages 25 ‐ 27.Each project we undertake will follow this standard methodology. While we are flexible in modifying our approach and methodology, we do so only in the best interest of our clients and their internal control initiatives.

See Pages 5 ‐ 10. The SHI Security Services team has 6 active members with 2 openings. Additionally each assessment is assigned a Project Manager from a team of 8 PM’s. All SHI services teams are US based.

14 10/20/2017 1:35 PM





We will deliver projects using an efficient, phased methodology, which is proven through hundreds of IT Audit projects delivered by Verizon for organizations around the world. The experience gained from these engagements provides us with valuable insight into the criticalsteps required to initiate and complete an IT Audit project in the most efficient and cost‐effectivemanner.

Verizon operates a global QSA practice with over 70 assessors providing consistent delivery of high quality PCI services around the world. 16 QSA are located in the USA.

15 10/20/2017 1:35 PM


Licensing Matrix



Solution Provider: Trustwave Crowe Horwath LLPc. Describe vendor’s plan to meet key milestones and deadline dates including communication plan.

We will have a project manager to help engage in the discussions and monitor the project and coordinate all the activities and players during the project.


CONFIDENTIAL




See PDF Pg. 25Please see attached project management plan as a representative sample of the type of project plan we typically follow.Project ManagementTrustwave has a formal procedure for the project organization and governance as well as adherence to the timelines. Project timelines will be established between Trustwave and Client upon project kick‐off. Project progress, needs and deadlines will be provided to Client through the CVS manager portal that is described further below in this section.Project ResourcesTrustwave’s Managing ConsultantTrustwave will assign a Managing Consultant to oversee all assessment activities and serve as the primary contact for the length of the Agreement. The Managing Consultant will coordinate and schedule activities and resources with Client and ensure the quality of all Trustwave deliverables.......


16 10/20/2017 1:35 PM



Enterprise Risk Management, Inc. Focal Point Data Risk LLC Foresite MSP LLC Global Information Intelligence LLCSee PDF Pg. 85ERM Project Manager will develop a Project Plan which details all key milestones and deadline dates.ERM Project Manager will work with the client to adjust based on client needs. The CommunicationPlan will be discussed and agreed to during the kick‐off call. ERM’s communication plans typicallyinclude weekly status updates as well as updates based on key milestones and deadlines.




17 10/20/2017 1:35 PM




See PDF Pg. 87Effective Project Management is a key focus at Marcum. As a large audit, tax and consulting firm, the ability to provide services to clients on schedule and within a set budget is priority. Our techniques include best practices from the Project Management Body of Knowledge (PMBOK) and go from the Planning to the Reporting phase, going through quality assurance checks. Below is an overview of the milestones we will use throughout this engagement. We plan to communicate each of our findings uponthe completion of each milestone. As we meet with your key personnel, we will work with management to lay out specific deadline dates for each milestone that take into consideration the needs of your professionals whose time will be required....

See PDF Pg. 104 ‐ 105.As we have already done with other projects for Broward County, MGT will ensure accountability, compliance, and implementation of the services provided. We will adhere to all applicable federal and state policies, procedures, and regulations. MGT's Project Manager will have primary responsibility for the supervision of all project operations and project administration and will ensure all deliverables meet the standards of quality set forth by theCounty. Our Project Manager is responsible for the day‐to‐day activities of all design and technical keystaff. In concert with the County’s Project Lead, MGT’s Project Manager will facilitate implementation of themain components of the project, including the installation, configuration, initiation, pilot, acceptancesystem, and the training of end users as well as generating progress reports on all project activities.Other major responsibilities will include:� Scheduling of project activities.� Financial management.� General tasks related to contract administration.� Serving as the primary point of contact for County inquiries or requests for project updates.

See PDF Pgs. 32 ‐ 33.Frequent communication, guided by a “no surprises” philosophy is the key to a successful project. Inthis way, expectations can be effectively managed and problems can either be avoided entirely, oraddressed early on to minimize wasted effort and keep the project on schedule. Prior to formallykicking off the project, we will work with the County to develop a communications plan for the project.We will identify project stakeholders, and for each:� What they will need to know throughout the project (e.g., status updates, risk and issues)� When and how frequently they will want communication (e.g., weekly, monthly)� How communications will be delivered (e.g., status updates reports, meetings, phone calls)� Who will be responsible for the communicationWe will maintain this communication plan on a shared collaboration site throughout the project toensure regular communication and ongoing collaboration.

See PDF Pg. 34 ‐ 36.Presidio would develop a project plan with all defined project milestones which includes weekly status meetings to track the project overall progress. Escalation methodology follows.

18 10/20/2017 1:35 PM



RSM US LLP Securance LLC SeNet International Corporation SHI International CorpSee PDF Pg 38.RSM’s management approach can be expressed in one simple phrase: “no surprises.” First, we will work with the County to establish a communication protocol and approach that you prefer, and we will use these channels and tools to share information on the engagement. Once the communications plan has been created, RSM will create a timeline and milestones project schedule and track those milestones to completion on a weekly basis. We will work with you and management to keep you informed of our progress throughout the engagement with periodic formal and informal status reports and meetings as appropriate. Continuous communication helps ensure that the County and the RSM team are in agreement on, and informed about, every aspect of an engagement. Our team will work closely with County management to establish clear, open lines ofcommunication via face‐to‐face meetings, phone calls, and/or regular electronic or hard‐copy communications to keep you informed of progress and issues. In the event that RSM identifies that a particular engagement is behind schedule, it will be formally communicated to the client to discuss the issues and possible solutions to get back on track. Similarly, if observations or risk areas are identifiedduring an engagement, we will be on hand to provide recommendations for remediation and providesupport to management in the enhancement of current processes.

See Project Management Approach See PDF Pg. 93.Each project we undertake will follow this standard accountability model.1) Engagement Manager….2) Senior IT Security Consultants….3) Independent Reviewer…..4) Broward County's Project Manager…..5) Status Reports.....

See Pages 59 ‐ 62. Once an assessment is assigned to a Sr. Solutions Architect, they are dedicated to the project ensuring their availability to complete all project related task and milestones as agreed in the SOW and/or project kickoff meeting. Schedules are managed closely to ensure overlap in projects is minimal and allow all milestones to be met and assessments to be completed on time. All SHI assessments have an assigned PM who document and track all milestones and significant events for a particular project. The PM will work with all key stakeholders involved to ensure all communications are managed effectively to meet all customer expectations. Email is used for dailycommunication with secure solutions being utilized for all confidential documentation.

19 10/20/2017 1:35 PM




Verizon will designate a “Project Manager” who will act as the single point of contact throughout the Project. The Project Manager will oversee and coordinate the Project. The Project Manager will manage Verizon resources to complete Project activities, such as milestone tracking, coordinating tasks and dependencies, as well as providing weekly status reports (the “Weekly Report”). Customer will appoint a single point of contact or program management team tocoordinate the Project activities with Verizon and ensure timely data flow and exchange ofinformation required for execution of the Project within the agreed time frame. Verizon will work with Customer to schedule a kick‐off meeting to initiate the Project. Verizon and Customer will collaborate to determine required stakeholders and other attendees, agenda, and meeting location (i.e. on site or virtual).

20 10/20/2017 1:35 PM


Licensing Matrix




3. Past Performance:a. Describe prime Vendor’s experience on projects of similar nature and scope, alongwith evidence of satisfactory completion, both on time and within budget, for the pastfive years. Provide a minimum of three projects with references, preferablygovernment agencies (i.e. state, local) of similar size and structure and provenexperience and skillset.Vendor should provide references for similar work performed to show evidence ofqualifications and previous experience. Refer to Vendor Reference Verification Formand submit as instructed. Only provide references for non‐Broward County Board ofCounty Commissioners’ contracts. For Broward County contracts, the County willreview performance evaluations in its database for vendors with previous or currentcontracts with the County. The County considers references and performanceevaluations in the evaluation of Vendor’s past performance.

See file "Evaluation ‐ Cat 3" We have extensive experience in doing projects of similar nature and scope. We have consistently performed these tasks with high quality and within the time limits proposed at the beginning of the project.

See PDF Pg. 519

CONFIDENTIAL




See PDF PG. 27Please see addendum for Client References.

(3) Reference Verification Forms included for this Category ‐ PDF Pgs. 63 ‐ 65ReferencesWe have completed and submitted the Vendor Reference Verification Form as requested.Client Experience 1Crowe worked with the City Auditor of a city in Florida to determine an Information Technology Auditplan. Crowe performed a Network Security Assessment and Internal Penetration Assessment on behalfof the City. Crowe worked within the City’s budgetary constraints to provide value to City. Ultimately,Crowe identified gaps in the City’s security to provide the Mayor insight into the City’s security posture.

b. Provide evidence of similar work related to services identified in this Category,including sample executive summaries and reports.

See file "Evaluation ‐ Cat 3" We performed IT Audits for different clients. We generated IT Audit reports that helped companies to take remediation steps.

See Attachments:ATT_Sanitized Security Assessment_Report_Sample Excerpts

See PDF PG. 27 Please see addendum for Sample Reports.

(3) Reference Verification Forms included for this Category ‐ PDF Pgs. 63 ‐ 65ReferencesWe have completed and submitted the Vendor Reference Verification Form as requested.Client Experience 1Crowe worked with the City Auditor of a city in Florida to determine an Information Technology Auditplan. Crowe performed a Network Security Assessment and Internal Penetration Assessment on behalfof the City. Crowe worked within the City’s budgetary constraints to provide value to City. Ultimately,Crowe identified gaps in the City’s security to provide the Mayor insight into the City’s security posture.

21 10/20/2017 1:35 PM


Licensing Matrix




(3) Reference Verification Forms provided for this Category. ‐ See PDF pgs. 85‐88a. ERM’s ExperienceERM has completed over 300 IT Audit projects. All of our projects have been completed on time andwithin budget.As requested, below are three references for projects of similar size and structure.1. Helm Bank USA2. We Family3. Greenville Utilities Commission

Aurora Diagnostics 2011 – CurrentITGC TestingSOX AuditSOX ITGC

Bayview Lending 2007 – CurrentBusiness ContinuityFraud AuditsIncident Response AuditInternal Audit Co‐SourcingIT General Controls TestingIT Risk AssessmentSDLC Process AuditSOX Readiness

Burger King Corporation 2006 – CurrentApplication ControlsDisaster Recovery PlanningInternal Audit Co‐SourceITGC TestingPenetration TestingSOX TestingVulnerability Assessment........


See References

See PDF Pgs. 89 ‐ 90Sample outline of client report.

Aurora Diagnostics 2011 – CurrentITGC TestingSOX AuditSOX ITGC

Bayview Lending 2007 – CurrentBusiness ContinuityFraud AuditsIncident Response AuditInternal Audit Co‐SourcingIT General Controls TestingIT Risk AssessmentSDLC Process AuditSOX Readiness

Burger King Corporation 2006 – CurrentApplication ControlsDisaster Recovery PlanningInternal Audit Co‐SourceITGC TestingPenetration TestingSOX TestingVulnerability Assessment........

similar to that of pci, auditing specific requirements are address on a custimized bases, actual phased approach can be seen in the Broward Security Services 2017 under PCI DSS managed services

See PDF Pgs. 311 ‐ 317See Sample Reports.

22 10/20/2017 1:35 PM


Licensing Matrix




See PDF Pg. 88See attached Vendor Reference Forms for:� City of Coconut Creek� City of Hollywood� City of Pompano Beach� Florida Keys Aqueduct AuthorityIn addition to testing for cities and other government entities, we have conducted similar work for manyprivate businesses. Additional references related to that work are available upon request.

See Reference Verification Forms PDF Pgs. 107 ‐ 109.See PDF Pg. 106.With a focus on organizational goals first, MGT provides business‐driven information security services keeping our clients’ interests at the forefront of our engagements ensuring we deliver the most efficient solution. MGT’s core cyber security capabilities include: security risk assessments, full range of penetration testing services, physical penetration testing, secure application development, compliance engagements, training and awareness, policy and procedure development, among others. Having completed vulnerability assessments, full security risk assessments (including NIST, ISO, HIPAA, etc.), and physical penetration tests for both private and public organizations, along with a team with 18+ years of experience in the field, we believe to have the optimal mix to help the County enhance their overall security posture. Provided below are projects similar to those requested for Category 3 of the County’s RFP, conductedwithin the past five years.SEIBERT INSURANCE AGENCY: INFORMATION SECURITY RISK ASSESSMENTA leading insurance agency in Florida, Seibert Insurance Agency selected us to perform a complete security risk assessment of the organization, create an information security program, and develop all the relevant security policies and procedures to reach an optimal security posture........HIGH RISK HOPE: INFORMATION SECURITY RISK ASSESSMENTA non‐profit organization, High Risk Hope (HRH) selected us to perform a comprehensive look at their information systems to create a risk management program. This effort included a full risk assessment and a complete revamp of their policies and procedures as well as their general security controls......


Reference Verification Forms included.See PDF Pg. 36.Presidio provides the following three references for which we have provided similar solutions to Category 3 ‐ IT Audit Services:� Brady Corporation� Broward Health� Dayton’s Children HospitalPresidio uploads these customer references on the required Vendor Verification Form, in aseparate file.

See PDF Pg. 88See attached for sample report for IT Audit Services.

See Sample Written Information Security Program in Appendix ‐ PDF Pgs. 119 ‐ 349. Reference Verification Forms included. ‐ See PDF Pgs. 70 ‐ 72Examples ‐ See PDF Pg. 34

Reference Verification Forms included.See PDF Pg. 36.Presidio provides the following three references for which we have provided similar solutions to Category 3 ‐ IT Audit Services:� Brady Corporation� Broward Health� Dayton’s Children HospitalPresidio uploads these customer references on the required Vendor Verification Form, in aseparate file.

23 10/20/2017 1:35 PM


Licensing Matrix




Reference Verification Forms included in Appendix (PDF Pg 182 ‐ 186)Brevard County GovernmentJanuary 2015 ‐ April 2015Engaged by Brevard County to understand the current state assessment of the IT environment….Lee County Electric CooperativeSeptember 2016 ‐ December 2016To determine if changes applied to LCEC's flagship systems were documented, tested and approved prior to implmentation to production...City of West Palm BeachAugust 2014 ‐ September 2014RSM was engaged by the City of West Palm Beach to perform a risk assessment of the City's current IT environment....District of Columbia Water & Sewer AuthorityMarch 2016 ‐ June 2016RSM was engaged by DC Water to evaluate the current state IT governance structure and provide recommendations...Prince William County, VirginiaMay 2014 ‐ August 2014RSM was engaged to perform an evaluation of the information technology general controls

CONFIDENTIAL


See Pages 10 ‐20References ‐ pdf pgs 100 ‐ 108


Due to the sensitivity of the results of the work completed for our clients, results of our engagements, orfinal reports will not be provided as evidence for proof of completion. If the County desires, we areprepared to provide example templates used as part of our reporting process to help ensure you arecomfortable with the final work products we are accustomed to delivering.

See Relevant Client Projects ‐ Page 30.

CONFIDENTIAL


See Pages 10 ‐ 20. SHI has attached sample reports with our submission.

24 10/20/2017 1:35 PM


Licensing Matrix




Verizon has highly relevant customers who can provide information on the work we have done and the quality of our relationship with their organizations. Due to the number of requests Verizon receives for recommendations from these customers, it is our policy to provide contact information only when we are under serious consideration for a contract award. In addition, Verizon’s corporate nondisclosure policies – combined with the sensitive nature of our customers’ business – require that certain agreements be in place before we can release sensitive customer data. In order to protect the interests and confidentiality of our customers, and at the request of our customers, we prefer to facilitate references calls and/or visits at a mutually convenient time for all. It is standard policy of Verizon to not publish reference lists due, in large part, to Non‐Disclosure Agreements between Verizon and its customers.

As a highly respected authority on Security and Compliance and one of the most trusted voices in the security community, we truly appreciate your challenges, put payment security in the context of your industry‐specific regulations and standards, and make recommendations not justin terms of IT change, but business process transformation, too. These principles are embodied in our annual Data Breach Investigations Report, now in its tenth edition, report, which uses data and insights drawn directly from assessments we have conducted for global enterprisesacross a variety of industries. View the report at http://www.verizonenterprise.com/verizoninsights‐lab/dbir/2017/#report.

25 10/20/2017 1:35 PM


Licensing Matrix



Solution Provider: Trustwave Crowe Horwath LLP4. Workload of the Firm:List all completed and active projects that Vendor has managed within the past fiveyears. In addition, list all projected projects that Vendor will be working on in the nearfuture. Projected projects will be defined as a project(s) that Vendor is awarded acontract but the Notice to Proceed has not been issued. Identify any projects thatVendor worked on concurrently. Describe Vendor’s approach in managing theseprojects. Were there or will there be any challenges for any of the listed projects? Ifso, describe how Vendor dealt or will deal with the projects’ challenges.

See file "Evaluation ‐ Cat 3" We have recently completed projects with Counsyl, Creditshop. We have sufficient capacity to take on new projects and we are very confident that you will be pleased with our services.

AT&T has conducted hundreds, if not thousands of assessments in the past five years.AT&T applies a structured project management methodology throughout eachengagement to manage risks, communication, expectation, and escalations. AT&T is anindustry leader, providing a wide variety of security consultation services across ourglobal customer base, including; US Federal and State Governments, major financialinstitutions, a large corporate entities. AT&T will leverage its world‐class knowledge,tools, and experience into the execution of our security consultation services forBroward County. Due to the sensitive nature and adherence to mandated informationsecurity practices AT&T cannot provide the specific company and agency namesassociated with past, present, and future security services.

See PDF Pg. 28As a private firm, we do not go into specific details, but we can say we do about 4000 pen tests a year andabout 850 RoCs ‐ but also have the most QSAs and Pen Testers than any other competitor – over 100 ineach case. We are busy, but have sufficient resources to cover all of our engagements.

See PDF Pg. 66Over the past 5 years, Crowe has had over 16,000 clients, of which over 1,200 were government clients. Crowe currently has 871 government clients, with 32 in the Florida area.Crowe is well positioned to provide quality service to Broward County in a timely fashion. Crowe has a sophisticated Centralized Resource Management function that is responsible for ensuring that BrowardCounty’s needs are met with the experienced and trained staff from our local offices, and if needed, from across our firm. We realize that resource management is a crucial element to consistentlyproviding top quality service to Broward County, and all of our clients.

Verify that these questions are the same as in the advertised solicitation:1. Legal business name. 3K Technologies LLC AT&T Corp Carahsoft Technology Corporation Crowe Horwath LLP

2. Doing Business As/ Fictitious Name (if applicable): Not applicable

3. Federal Employer I.D. Number. 02‐0604148 13‐4924710 522189693 35‐09216804. Dun & Bradstreet Number. (If applicable). 113018282 00‐698‐0080 08‐8365767 7873240085. Website address (if applicable). www.3ktechnologies.com www.att.com www.carahsoft.com www.crowehorwath.com6. Principal place of business. 1114 Cadillac Ct, Milpitas, CA 95035 One AT&T Way, Bedminster, NJ 07921 1860 Michael Faraday Drive, Suite 100


7. Office Location for this project. 1114 Cadillac Ct, Milpitas, CA 95035 2002 NW 64th St., Ft. Lauderdale, FL 33309 1860 Michael Faraday Drive, Suite 100Reston, VA 20190


8. Telephone/Fax Number: Telephone no.:4087165901 Fax no.:4088842420

Telephone no.:305‐913‐3887 Fax no.: Telephone no.:703.871.8500 Fax no.:703.871.8505 Telephone no.:954.202.8600 Fax no.:954.202.8639

9. Type of Business LLC Corporation; New York Corporation; Maryland Limited Liability Partnership10. List Florida Registration Number. M09000002854 845822 GP0800003826


26 10/20/2017 1:35 PM


Licensing Matrix4. Workload of the Firm:List all completed and active projects that Vendor has managed within the past fiveyears. In addition, list all projected projects that Vendor will be working on in the nearfuture. Projected projects will be defined as a project(s) that Vendor is awarded acontract but the Notice to Proceed has not been issued. Identify any projects thatVendor worked on concurrently. Describe Vendor’s approach in managing theseprojects. Were there or will there be any challenges for any of the listed projects? Ifso, describe how Vendor dealt or will deal with the projects’ challenges.





8. Telephone/Fax Number:

9. Type of Business10. List Florida Registration Number.



See PDF Pg. 91ERM has completed approximately 100 IT Audit projects during the past 5 years and estimates it will beworking on approximately 3 per month during the remainder of 2017.ERM is able to manage several projects simultaneously based on our efficient project managementapproach. We have not experienced any challenges to complete these projects, nor do we expect toexperience challenges completed projects for the client.a. Past Five Years• Banking & Financial Services (30)• Credit Card Processing (5)• Education (5)• Local, City, State Government (5)• Federal Government (3)• Hospitality (5)• Insurance (5)• Legal (5)• Manufacturing (5)• Retail (5)• Technology (10)• Telecommunications (5)• Other (12)

See PDF Pg. 126Focal Point has completed over 3,000 audit projects over its 12 years of providing IT audit andcyber security services. Over the last five years, our audit teams have completed hundreds of ITand financial audits. Our South Florida office, who will be the audit team responsible forBroward, typically completes around 70 projects annually. We complete all of our projectsconcurrently with other projects, so the added workload that this project presents is not an issuefor our firm.As of now, our South Florida audit team has projects slated to begin later this summer and intothe fall and currently has 25 ongoing projects ranging from internal audit to SOX and ITGCtesting. We do not anticipate these other projects limiting us from providing the County with thehighest level of service.



Enterprise Risk Management, Inc. Focal Point Data Risk, LLC Foresite MSP LLC Global Information Intelligence LLC

65‐0827427 61‐1805201 38‐3916369 273548900610144201 08‐0541660 07‐8744163www.emrisk.com www.focal‐point.com www.foresite.com www.globalinfointel.com800 S. Douglas Road, Suite 940 North Tower, Coral Gables, FL 33134

201 E Kennedy Blvd, Suite 1750Tampa, FL 33602





Telephone no.:305‐447‐6750 Fax no.:305‐447‐6752 Telephone no.:(813) 402‐1208 Fax no.:813‐436‐5283 800‐940‐4699 Telephone no.:4082509045 Fax no.:N/A

Corporation; Florida LLC LLC Corp; DE ‐ LLCM16000008367

27 10/20/2017 1:35 PM











See PDF Pg. 89Marcum LLP provides these services to many clients in the private business arena. Given the confidential nature of our services we will provide a specific list of private company clients upon request.Identify any projects that Vendor worked on concurrently.1. City of Hollywood2. Miami‐Dade Water and Sewer Department3. Consolidated Water

See PDF Pgs. 111 ‐ 117.MGT has completed projects for the County, including:� Disparity Study of County Government (2000).� Cost Allocation Plans (2009, 2010, 2011, 2014, 2015, 2016).� Comprehensive Review of the Sheriff’s Office Department of Detention (2009).� Comprehensive Analysis of the Libraries Division (2010).Being a national company, MGT has completed many projects within the past five years. Therefore, instead of providing a list of the over 2,200 projects the firm has completed or is currently conducting, we are providing a list of clients served (presented in alphabetical order by state).....

See PDF Pg. 35Our team of 40+ cybersecurity consultants has completed projects for hundreds of organizations over the past five years. In addition, our team uses multiple firm wide project management tools to assist with working with dozens of clients each week. Should an unexpected conflict occur while working with the County, the County will be given priority as necessary.

See PDF Pg. 37The Presidio Cyber team averages 70 concurrent projects at any one time. Our project managers ensure that we have resources allocated for the projects. Our project sizes range from $8,000 to $1.6M. We monitor and manage the workload monthly and make decisions on whether we need to add additional security consultants to the team.

Marcum LLPMGT of America Consulting, LLC Plante & Moran, PLLC Presidio

Plante Moran

111986323 81‐0890071 381357951 58‐1667655968051180 02‐096‐7659 004913299 15‐405‐0959www.marcumllp.com www.mgtconsulting.com plantmoran.com www.presidio.com451 East Las Olas Boulevard, Ninth FloorFort Lauderdale, FL 33301

3800 Esplanade Way, Suite 210Tallahassee, FL 32311




Tallahassee, FL Southfield, MI 3250 W. Commercial BlvdFort Lauderdale, Fl 33309

954‐320‐8000 Fax no.:954‐320‐8001Telephone no.:850.386.3191 Fax no.:850.385.4501 Tel:248‐223‐3428 Fax no.:248‐603‐5997 305‐606‐2835

Limited Partnership LLC Limited Partnership LLCLLP090003311 L15000199435 M11000002358 L15000111335

28 10/20/2017 1:35 PM











RSM maintains confidentiality agreements with many of our clients. For this reason, we cannot namethem in proposals or marketing collateral without express permission. However, in the Past Performancesection on the prior page, we provide references from clients who can discuss our work with them on issues relevant to your operations. If we are engaged by the County, you will be a priority for our firm and to each member of your engagement team. Our workload fluctuates based on a number of factors, including timing and currently pending engagements. Regardless, our firm has excelled at managing its human resources so that our workload never surpasses the ability of our assigned teams to devote the time and attention necessary to add value to our clients’ organizations. Our ability to manage our workload is evidenced by relatively low turnover rates and is supported by clients’ opinions of our service. The engagement team along with County management will design a plan that will ensure expectations are met along with responsive and timely delivery of services as required by the County. The engagement in‐charge and staff will be solely dedicated to the County from start to finish for the audit. We believe thisto be a team effort so that all team members understand their roles, expectations, deliverables, andtimelines.

We are currently engaged on a number of client projects. We attempt to keep our workload commensuratewith our staff. However, we believe the best way to measure our ability to complete task orders on time isthrough discussion with our current clients (see client references on previous page). We guarantee that we will:� Properly staff each project with employees that are qualified and technical experts;� Begin all task orders on time;� Complete them within budget, within the required time frame; and� Deliver a draft report within one (1) week of fieldwork completion.Due to confidential nature of our work, we are not permitted to provide a complete list of similar projects.However, we guarantee that Securance is experienced with networks of your size and complexity. We haveprovided a sampling of our related experience of governmental agencies on page 30.

See Pages 21 ‐ 37. Due to the sensitivity and type of services, SHI cannot provide this information as it relates to other projects and customers either completed or in the future. SHI would be happy to meet with Broward County discuss our approach and any challenges we may have experienced on similar projects. SHI believes in transparency and any time we come upon a challenge with a project we work with the customer to let them know the issues and possible solutions. SHI has a clearly defined escalation path so if a challenge arises the proper people can be engaged to assist. In addition as one of the top provider of IT solutions, SHI has built solid relationships with IT manufacturers and has a network of partners to work with should any challenges encountered required additional products or resources.

RSM US LLP Securance LLCSeNet International Corporation

SHI International Corp

FEIN‐42‐0714325 03‐0392503 54‐1902349 22‐300964873482424 04‐1637542 07‐9941139 61‐142‐9481www.rsmus.com http://www.securanceconsulting.com www.senet‐int.com www.shi.com100 NE Third Ave, Suite, Fort Lauderdale, FL 33301 6922 West Linebaugh Avenue, Suite 101, Tampa, FL 33625

3040 Williams Drive, Suite 510, Fairfax, VA 22031290 Davidson Ave Somerset, New Jersey 08873

Fort Lauderdale 6923 West Linebaugh Avenue, Suite 101, Tampa, FL 33625

3040 Williams Drive, Suite 510, Fairfax, VA 22031

290 Davidson Ave Somerset, New Jersey 08873

954‐462‐6351 Telephone no.:877‐578‐0215 Fax no.:813‐960‐4946Telephone no.:(703) 206‐9383 Fax no.:(703) 206‐9

800‐477‐6479

Limited Partnership LLC Corporation; Virginia Corporation; New JerseyADP004384 L02000005108 F‐01000004066

29 10/20/2017 1:35 PM











Verizon is continuously working multiple projects concurrently and has the people, process and technology to ensure all active projects are meeting the milestones defined on the project scope. We do not anticipate any challenges; however, should issues arise we have a welldefined process for identifying the root cause and developing a remediation plan.

Verizon Business Network Services Inc. on behalf of MCI Communications Services Inc.d/b/a/ Verizon Business Services (VerizonBusiness or Verizon)13‐2745892556565836www.verizonenterprise.com

OneVerizon Way, Basking Ridge NJ 07920

Tampa, FL

no.:(813) 520‐9786 Fax no.:813‐978‐6751Corporation; Delaware829591

30 10/20/2017 1:35 PM


Licensing Matrix



Solution Provider: Trustwave Crowe Horwath LLP11. List name and title of each principal, owner, officer and major shareholder. a) Krishna K Chittabathini

b) Sireesha Chittabathinia. Thadeus Arroyo, President and CEO AT&T, 208 S. Akard St., Dallas, TX 75202b. Anne Chow, President‐Integrator Solutions, AT&T, 208 S. Akard St., Suite 3514, Dallas, TX 75202c. Frank Jules, President ‐ Global Business AT&T, 208 S. Akard St., Suite 3509, Dallas, TX 75202d. Cathy Martine‐Dolecki, President ‐ Natl Bus AT&T, 1 AT&T Way, Bedminster, NJ 07921e. Delores McCarty, Assistant Secretary AT&T, 675 W Peachtree St, NW, Atlanta, GA 30308f. George B. Goeke, CFO and Treasurer AT&T, 208 S. Akard St., Suite 1824, Dallas, TX 75202AT&T is a publicly held corporation. No single person owns more than 10% of the company. It is an independent, publicly traded telecommunications services provider.The names and titles of the AT&T Inc. officers are• Randall Stephenson—Chairman and Chief Executive Officer (CEO)• William Blase—Senior Executive Vice President, Human Resources• James Cicconi—Senior Executive Vice President, External and Legislative Affairs• Ralph de la Vega—President and Chief Executive Officer (CEO), AT&T Mobile andBusiness Solutions• John Donovan—Senior Executive Vice President, AT&T Technology and Operations and Corporate Strategy• Jose Gutierrez—Senior Vice President, Executive Operations• David Huntley—Chief Compliance Officer• Lori Lee—Senior Executive Vice President and Global Marketing Officer• John Stankey—CEO, AT&T Entertainment and Internet Services• John Stephens—Sr. Executive Vice President and Chief Financial Officer (CFO);Corporate Development• Wayne Watts—Senior Executive Vice President and General Counsel



12. Authorized contacts for your firm. Name: Krishna K ChittaathiniTitle: CEOE‐mail: [email protected] No.: 4087165901Name: Murali GomatamTitle: PresidentE‐mail: [email protected] No.: 4087165907




31 10/20/2017 1:35 PM




Enterprise Risk Management, Inc. Focal Point Data Risk LLC Foresite MSP LLC Global Information Intelligence LLCa) Silka Gonzalez ‐ Presidentb) Michelle Miller ‐ COOc) Esteban Farao ‐ Director of Consulting Services









32 10/20/2017 1:35 PM





a) Michael Balter, Regional Managing Partnerb) Mark Agulnik, Partnerc) David Appel, Partnerd) Shaun Blogg, Partnere) Ilyssa Blum, Partner f) Marc Breslow, Partnerg) Michael Curto, Partner h) Adam Firestein, Partneri) Michael Futterman, Partner j) John Gabriel, Partner k) Cecelia Garber, Partner l) Kim Lamplough, Partner m) Michele Lipson, Partnern) Michael Novak, PartnerMarcum LLP is managed by more than 140 partners around the country. Below is a list of partners from our local Florida offices. A complete list of partners around the country is available at www.marcumllp.com/people‐search.

a) A. Trey Traviesa, Chairman & CEOb) Fred Seamon, Executive Vice Presidentc) Brad Burgess, Executive Vice President







33 10/20/2017 1:35 PM




RSM US LLP Securance LLC SeNet International Corporation SHI International CorpPaul Ashe a) Anatoly Kozushin, President

b) Ilan Katz, CEOc) Gus Fritschie, Chief Technology Officerd) Steve Davis, COO

Thai LeeKoguan Leo



Name: Anatoly KozushinTitle: PresidentE‐mail: toly.kozushin@senet‐int.comTelephone No.: (703) 206‐9383Name: Ilan KatzTitle: CEOE‐mail: Ilan.Katz@senet‐int.comTelephone No.: (703) 206‐9383


34 10/20/2017 1:35 PM







35 10/20/2017 1:35 PM


Licensing Matrix



Solution Provider: Trustwave Crowe Horwath LLP13. Has your firm, its principals, officers or predecessor organization(s) been debarred orsuspended by any government entity within the last three years? If yes, specify detailsin an attached written response.

No No No No


No No No No


No We are unaware of any work completion issues that would impair our ability to meet our obligations under any contract. AT&T is a large company with an international presence and significant contractual relations. Given the size and scope of our business, we from time to time over our history have been involved in occasional alleged contract performance claims and legal actions. However, AT&T is a well‐capitalized company with assets in excess of any outstanding claims or lawsuits. As such, we are unaware of any contact performance claim or legal action that would preclude or impair our abilityto meet our obligations or perform our duties under any contract. We serve millions of customers around the globe, and we'll work hard to honor our promises.



No Yes No No


No No No No

36 10/20/2017 1:35 PM


Licensing Matrix13. Has your firm, its principals, officers or predecessor organization(s) been debarred orsuspended by any government entity within the last three years? If yes, specify detailsin an attached written response.





Enterprise Risk Management, Inc. Focal Point Data Risk LLC Foresite MSP LLC Global Information Intelligence LLCNo No No No

No No No No

No No No No

No No Principal invests in multiple businesses No

No No No No

37 10/20/2017 1:35 PM








No No No No

No No No No

No No

p // p / / g pMarcum Group is an organization providing a comprehensive range of professional services spanning accounting and advisory, technology solutions, wealth management and executive and professional recruiting. MARCUM LLPMarcum LLP is one of the largest independent public accounting and advisory services firms in the nation, with offices in major business markets throughout the U.S., Grand Cayman and China. MARCUM FINANCIAL SERVICESMarcum Financial Services was founded in late 2009 by combining the expertise of several professionals and firms with extensive investment, financial and business experiences. MARCUM SEARCHMarcum Search LLC offers professional recruiting services. Our recruiters recognize the importance of working closely with companies and prospective candidates to ensure the perfect match. MARCUM TECHNOLOGYMarcum Technology LLC is a full‐service integrated solutions vendor (ISV) specializing in data storage, disaster recovery, network infrastructure, IT staffing and managed services. MARCUM BERNSTEIN & PINCHUKMarcum Bernstein & Pinchuk is an independent public accounting firm. We provide a full range of audit and assurance, tax and transaction advisory services for clients in a variety of industries.MARCUM RBK (IRELAND) LIMITEDMarcum RBK is a service center for current and future hedge fund and private equity fund clients of the Marcum Alternative Investment Group.

Yes. Principal is CEO of MGT of America Consulting, LLC and Strategos Public Affairs, LLC, both wholly owned subsidiaries of MGT of America, LLC.

No No

No No

38 10/20/2017 1:35 PM







RSM US LLP Securance LLC SeNet International Corporation SHI International CorpNo No No No

No No No No

No No No No

No No No No

No No No

39 10/20/2017 1:35 PM








No

No

No

No

No

40 10/20/2017 1:35 PM


Licensing Matrix



Solution Provider: Trustwave Crowe Horwath LLP18. Has your firm’s surety ever intervened to assist in the completion of a contract or havePerformance and/or Payment Bond claims been made to your firm or its predecessor’s sureties during the last three years? If yes, specify details in an attached written response, including contact information for owner and surety.

No No No No


No We are unaware of any work completion issues that would impair our ability to meet our obligations under any contract. AT&T is a large company with an international presence and significant contractual relations. Given the size and scope of our business,we from time to time over our history have been involved in occasional alleged contract performance claims and legal actions. However, AT&T is a well‐capitalized company with assets in excess of any outstanding claims or lawsuits. As such, we are unaware of any contact performance claim or legal action that would preclude or impair our ability to meet our obligations or perform our duties under any contract. We serve millions of customers around the globe, and we'll work hard to honor our promises.



No Except for material matters that AT&T discloses in filings with the Securities and Exchange Commission or otherwise discloses in response to subpoenas or other valid court orders, AT&T is legally and contractually prohibited from disclosing information to third parties about contractual matters. Also, due to the size and scale of AT&T’s operations, as a practical matter, AT&T cannot state with absolute certainty whether AT&T has defaulted under a contract. Notwithstanding the legal and practical restrictions that limit AT&T’s ability to disclose specific contract performance issues, AT&T can assure Customer that AT&T is capable of performing the services requested under this RFP and that AT&T has no history or pattern of performance issues with other customers that would affect AT&T’s ability to perform the services requested by Customer. AT&T reiterates that AT&T is not aware of any circumstances involving performance under another contract which would materially and adversely impact AT&T’s ability to perform services for Customer. Moreover, AT&T is not aware of any circumstance when AT&T was not awarded a bid due to non‐performance concerns about AT&T by the entity sponsoring a particular procurement. AT&T is forced to qualify such assurances to the best of its knowledge due to the scale and scope of AT&T’s operations. AT&T will not be able to provide such assurances with absolute certainty with respect to every contract or bid opportunity in which AT&T has participated.


21. Living Wage solicitations only: N/A No N/A N/A

41 10/20/2017 1:35 PM






Enterprise Risk Management, Inc. Focal Point Data Risk LLC Foresite MSP LLC Global Information Intelligence LLCNo No No No

No No No No

No No No No

N/A N/A N/A

42 10/20/2017 1:35 PM







No No No No

Our firm enters in to Engagement letters with clients that allow for cessation of work and/or termination by either party in certain circumstances.

No No No


No No – Plante Moran is not aware of any client terminating a contract involving the provision of information technology security and compliance services. As one of the country’s largest accounting and consulting firms with thousands of annual engagements, there likely have been instances during the last three years where clients receiving tax or accounting‐related services have elected to use other service providers for their particular needs. Plante Moran’s record of client service and satisfaction is best in class, with 99% of clients indicating they would recommend Plante Moran to others.

No

N/AN/A

43 10/20/2017 1:35 PM






RSM US LLP Securance LLC SeNet International Corporation SHI International CorpNo No No No

No No No No

No No No No

No No No

44 10/20/2017 1:35 PM







No

No

No

No

45 10/20/2017 1:35 PM

RFQ A2114499R1 ‐ Broward County IT Security and Compliance ServicesCategory 4 ‐ Security Penetration Testing

Licensing Matrix 1st Secure IT LLC


Services ATT

Servers and Workers Located in the USA Attestation Form Provided ‐ PDF Pg. 120 Provided Provided / See PDF Pg. 569AND

Offensive Security Certified Professional Certification (OSCP) on staff and proposed key team member




ORGIAC Penetration Tester (GPEN) on staff and proposed key team member




ORCertified Ethical Hacker (CEH) on staff and proposed key team member





Vendor Security Questionnaire FormProvided

Provided Provided


FORMS

1 10/20/2017 1:35 PM

RFQ A2114499R1 ‐ Broward County IT Security and ComCategory 4 ‐ Security Penetration Testing

Licensing Matrix








FORMS

BreakPoint LabsPrime: Carahsoft Technology Corp


Provided Provided ‐ See Page 47 Provided ‐ See PDF Pg. 9 Provided














Provided ProvidedProvided Provided

2 10/20/2017 1:35 PM


Licensing Matrix








FORMS

Focal Point Data Risk LLC Foresite MSP LLC Global Information Intelligence LLCPrime: JohnsTek Inc.

Sub: IOMAXIS
















Provided

3 10/20/2017 1:35 PM


Licensing Matrix








FORMS


Merchant Preservation Services, LLC d/b/a CampusGuard MGT of America Consulting, LLC Nettitude, Inc. d/b/a Nettitude

Provided Provided Provided ‐ See PDF Pg. 23 Provided ‐ See PDF Pg. 42















4 10/20/2017 1:35 PM


Licensing Matrix








FORMS

Optiv Security Plante & Moran, PLLC dba Plante Moran Presidio RSM US LLP
















5 10/20/2017 1:35 PM


Licensing Matrix








FORMS

SeNet International Corporation SHI International CorpVerizon Business Network Services Inc. d/b/a Verizon Business Services













6 10/20/2017 1:35 PM




Services ATT

1. Ability of Professional Personnel:a. Describe the qualifications and relevant experience of the ProjectManager and all key staff that are intended to be assigned to servicesperformed within this category. Include resumes for the ProjectManager and all key staff described.

See PDF Pg. 155 ‐ 156. Resumes ‐ See PDF Pgs. 162 ‐ 171.Mark Akins, PCI QSA, CISSP, CISA, 24+ years experienceAlberto Espana, CISM, PCI‐QSA, 30+ years experienceOrencio Cardenas, MCSA, MCSE, CISSP, 20+ years experiencesAlan Kakareka, CISSP, GSEC, CEH, LPT, 20+ years in IT; 13+ years in IT SecurityAbelardo Rodrigues, PCI QSA, CISSP, CISA, 24+ years experience

See file "Evaluation ‐ Cat 4" Rajiv has extensive experience in Vulnerability and Penetration testing. He is experienced in industry standard tools like Qualys, Webking, Nessus, NMAP, ISIC‐TCPSIC, Codenomicon. he has done penetration testing and helped proactively remove the threats at different clients.

See PDF Pg. 521 ‐ 524

CONFIDENTIAL




b. List any other relevant Security and Compliance Industry certifications that the Project Manager and key staff described may have. Include copies of certificates, if applicable.

See PDF Pg. 155 ‐ 156. See PDF Pgs. 162 ‐ 171.Mark Akins, PCI QSA, CISSP, CISA, 24+ years experienceAlberto Espana, CISM, PCI‐QSA, 30+ years experienceOrencio Cardenas, MCSA, MCSE, CISSP, 20+ years experiencesAlan Kakareka, CISSP, GSEC, CEH, LPT, 20+ years in IT; 13+ years in IT SecurityAbelardo Rodrigues, PCI QSA, CISSP, CISA, 24+ years experience

1st Secure IT is an Active QSA Company and status can be looked up on the PCI council's website.https://www.pcisecuritystandards.org/assessors_and_solutions/qualified_security_assessorsPCI QSA, CISSP, CISA, CEH

See file "Evaluation ‐ Cat 4" He has CEH certification. He has CCIE ‐ Routing and Switching (Written).

See PDF Pg. 521 ‐ 524

CONFIDENTIAL




EVALUATION CRITERIA

7 10/20/2017 1:35 PM


Licensing Matrix



EVALUATION CRITERIABreakPoint Labs

Prime: Carahsoft Technology CorpSolution Provider: Trustwave Crowe Horwath LLP Enterprise Risk Management, Inc.

See PDF Pgs. 22 ‐ 23, 25 ‐ 29.Andrew McNicol, CTO, OSCE, OSCP, OSWP, GICSP,GCFA, GCIA, GCIH, GPEN, GREM, GSEC, GWAPT, GWEB, CISSP, CEH, Penetration Testing and Incident ResponseLucas Hudson, Senior Offensive Security Engineer, Vulnerability Enumeration and Exploitation; OSCE, OSCP, OSWP, GISCP, GCFA, GPEN, GWAPT, GWEB, CISSP, CEHZachary Meyers, Senior Offensive Security Engineer, OSCP, CISSP, GPEN, GWAPT, GCIH, GICSP, CEH

See PDF Pg. 29 Trustwave's penetration testing services are delivered by SpiderLabs® — an advanced security team within Trustwave focused on forensics, ethical hacking, application and network security testing. The team has performed hundreds of forensic investigations, ethical hacking exercises and application security tests globally. Made up of some of the top information security professionals in the world, the team has career experienceranging from Corporate Information Security to Security Research to Federal and Local Law Enforcement. Members of SpiderLabs frequently speak at security conferences around the world.

See PDF Pgs. 89 ‐ 91Mike Del Giudice, Project Manager, CISSP, 16 years experienceRyan Reynolds, Technical Lead, OSCP, 9 years experiencePiotr Marszalik, Technical Lead, OSCP, OSCE, 6 years experienceEric DePree, Project Team, OSCP, 3 years experienceMitch Hennigan, Project Team, OSCP, Experience in Network Security Assessments and External/Internal Penetration assessmentsMichael Raibick, Project Team, OSCP, Specializes in Information Assurance and Computer Networking

See Resumes PDF Pg. 99‐110; Certifications PDF Pgs. 111‐113Esteban Orlando Farao, CISSP, CISA, CISO, CRISC, CEH, QSA, and PCIP.PCI QSA, 20+ years experienceChristopher Sanchez, Information Security ConsultantAnimesh Srivastava, Information Security Consultant, Extensive experience competing regulatory compliance assessmentsSrivathsav Gandrathi, CEH, Information Security Consultant, Extensive experience in Implementation of Secure Network Protocols Haslyn Martin, Information Security Consultant, Extensive experience in implementation of Secure Network ProtocolsNoah Stahl, Infomration Security Consultant, Extensive experience in software testing and Digital Forensics

See PDF Pgs. 22 ‐ 23, 25 ‐ 29.Andrew McNicol, CTO, OSCE, OSCP, OSWP, GICSP,GCFA, GCIA, GCIH, GPEN, GREM, GSEC, GWAPT, GWEB, CISSP, CEH, Penetration Testing and Incident ResponseLucas Hudson, Senior Offensive Security Engineer, Vulnerability Enumeration and Exploitation; OSCE, OSCP, OSWP, GISCP, GCFA, GPEN, GWAPT, GWEB, CISSP, CEHZachary Meyers, Senior Offensive Security Engineer, OSCP, CISSP, GPEN, GWAPT, GCIH, GICSP, CEH

See PDF Pg. 29 Please see the representative biographies embedded below, including the typical certifications held by theresources who may be assigned to your project.

See PDF Pgs. 89 ‐ 91Mike Del Giudice, Project Manager, CISSP, 16 years experienceRyan Reynolds, Technical Lead, OSCP, 9 years experiencePiotr Marszalik, Technical Lead, OSCP, OSCE, 6 years experienceEric DePree, Project Team, OSCP, 3 years experienceMitch Hennigan, Project Team, OSCP, Experience in Network Security Assessments and External/Internal Penetration assessmentsMichael Raibick, Project Team, OSCP, Specializes in Information Assurance and Computer Networking

See PDF Pg. 111 ‐ 113• Esteban Farao: CISSP, CISA, CISO, CRISC, CEH, PCI QSA, and PCIP• Animesh Srivastava: CCFE• Srivathsav Gandrathi: CEHCopies of the Certification follow:Esteban Farao: CISSP

8 10/20/2017 1:35 PM


Licensing Matrix



EVALUATION CRITERIAFocal Point Data Risk LLC Foresite MSP LLC Global Information Intelligence LLC

Prime: JohnsTek Inc.Sub: IOMAXIS

See PDF Pgs. 157 ‐ 158Project Advisor – Andrew Cannata, Principal, CISSP, QSA, CISM, 25+ years experienceChris Sullo – Practice Lead, CISSP, RHCE, RHCT, 20+ yearsPeter Hefley – Senior Manager, GPEN, CISSP, GREM, CISA. Peter has a broad base ofexperience in systems administration, network security, information warfare, and cryptography.Steve Tornio – Senior Manager, OSCP, CISSP. Steve has been active within the securitycommunity for the past 20 yearsAnthony Miller‐Rhodes – Senior Consultant. Anthony has several years of securityexperience involving penetration testing and software development of offensive and defensivecapabilities.Eric Turner – Senior Consultant, OSCP. Eric is a Senior Consultant with over four years ofpenetration testing experience and as a general network....Jeremy Archer – Senior Consultant, GCED, OSCP, CCNA, CISSP. Jeremy has over 20years of information technology and security experience,....Rob Ditmer – Consultant, GPEN, CISSP. Rob has over six years of experience in informationtechnology and security......


See PDF Pg. 78Principal and Senior INFORMATION TECHNOLOGY (IT) SECURITY AND COMPLIANCE SERVICES Expert: Dr. Emmanuel Hooper, PhD, PhD, PhD Information Security and Computing Sciences (Over 30 years of Professional Experience and 25 years of Research, Harvard and Yale Alumnus, Summa Cum Laude, and Oxford Research, etc.)Global Information Intelligence LLC (100% Small Business, Minority, and Women Owned)By President, Dr. Emmanuel Hooper, PhD, PhD, PhD Computing Sciences and Information Security Founder, Consortium for Emerging Technologies‐Harvard, Exemplary Models forFederal, State, Local, Counties, Cities, Private/Public Sectors, Academia & Industry and GlobalCategory 4 – Security Penetration Testing:� Provided intelligent and effective services within this category including Security Penetration Testing Services.� Examples of specific activities includes activities but not be limited to Internal Network Penetration Testing, External Network Penetration Testing, Web Application Testing, Wireless Network Penetration Testing, and Social Engineering Test Cases.

See PDF Pgs. 47 ‐ 48Darnell Macapinlac, JohnsTek Program Manager and Prime Contract Representative, 20 years experience, PMP, CompTIA Security +, ITIL V3, CISSP, and CEHOsvaldo Perez, Project Manager and Senior Cybersecurity Consultant, 12 years experience, CISSP, CISA, C|EH, CPT, and Security+‐certified retired Army Officer with 9 years of experience serving as Program Manager, Team Chief, Senior Trainer, and Quality Assurance Officer of the Army’s NSA‐certified and USSTRATCOM‐accredited Cyber Red TeamPete Harris, Lead Offensive Security Engineer and Senior Penetration Tester, 12 years experience, OSWP, OSCP, CISSP, CISA, GPEN, GWAPT, CEH and MCSA‐certified professional with 12 years of experience in support of Army computer and network security, defense, management and procurementMatthew "Rudy" Benton, Senior Offensive Security Engineer and Senior Penetration Tester, 12 years experience, OSCE, OSCP, CISSP, CISA, GCIH, CEH and Security+‐certified professional with 12 years of experience as an Army officer leading Cyber Red TeamsBrian Dillansnyder, Senior Offensive Security Developer and Senior Penetration Tester, OSCE, OSWP, OSCP, CISSP, CISA, and CEH certified professional with 8 years of experience as a Software engineer/developer using .NET and 5 years of Java, 8 years ofweb development experience

See PDF Pgs. 157 ‐ 158Project Advisor – Andrew Cannata, Principal, CISSP, QSA, CISM, 25+ years experienceChris Sullo – Practice Lead, CISSP, RHCE, RHCT, 20+ yearsPeter Hefley – Senior Manager, GPEN, CISSP, GREM, CISA. Peter has a broad base ofexperience in systems administration, network security, information warfare, and cryptography.Steve Tornio – Senior Manager, OSCP, CISSP. Steve has been active within the securitycommunity for the past 20 yearsAnthony Miller‐Rhodes – Senior Consultant. Anthony has several years of securityexperience involving penetration testing and software development of offensive and defensivecapabilities.Eric Turner – Senior Consultant, OSCP. Eric is a Senior Consultant with over four years ofpenetration testing experience and as a general network....Jeremy Archer – Senior Consultant, GCED, OSCP, CCNA, CISSP. Jeremy has over 20years of information technology and security experience,....R b Dit C lt t GPEN CISSP R b h i f


See PDF Pg. 78Principal and Senior INFORMATION TECHNOLOGY (IT) SECURITY AND COMPLIANCE SERVICES Expert: Dr. Emmanuel Hooper, PhD, PhD, PhD Information Security and Computing Sciences (Over 30 years of Professional Experience and 25 years of Research, Harvard and Yale Alumnus, Summa Cum Laude, and Oxford Research, etc.)Global Information Intelligence LLC (100% Small Business, Minority, and Women Owned)By President, Dr. Emmanuel Hooper, PhD, PhD, PhD Computing Sciences and Information Security Founder, Consortium for Emerging Technologies‐Harvard, Exemplary Models forFederal, State, Local, Counties, Cities, Private/Public Sectors, Academia & Industry and GlobalCategory 4 – Security Penetration Testing:� Provided intelligent and effective services within this category including Security Penetration Testing Services.� Examples of specific activities includes activities but not be limited to Internal Network Penetration Testing, External Network Penetration Testing, Web Application Testing, Wireless Network Penetration Testing, and Social Engineering Test Cases.

See PDF Pgs. 47 ‐ 48Darnell Macapinlac, JohnsTek Program Manager and Prime Contract Representative, 20 years experience, PMP, CompTIA Security +, ITIL V3, CISSP, and CEHOsvaldo Perez, Project Manager and Senior Cybersecurity Consultant, 12 years experience, CISSP, CISA, C|EH, CPT, and Security+‐certified retired Army Officer with 9 years of experience serving as Program Manager, Team Chief, Senior Trainer, and Quality Assurance Officer of the Army’s NSA‐certified and USSTRATCOM‐accredited Cyber Red TeamPete Harris, Lead Offensive Security Engineer and Senior Penetration Tester, 12 years experience, OSWP, OSCP, CISSP, CISA, GPEN, GWAPT, CEH and MCSA‐certified professional with 12 years of experience in support of Army computer and network security, defense, management and procurementMatthew "Rudy" Benton, Senior Offensive Security Engineer and Senior Penetration Tester, 12 years experience, OSCE, OSCP, CISSP, CISA, GCIH, CEH and Security+‐certified professional with 12 years of experience as an Army officer leading Cyber Red TeamsBrian Dillansnyder, Senior Offensive Security Developer and Senior Penetration Tester, OSCE, OSWP, OSCP, CISSP, CISA, and CEH certified professional with 8 years of experience as a Software engineer/developer using .NET and 5 years of Java, 8 years ofweb development experience

9 10/20/2017 1:35 PM


Licensing Matrix



EVALUATION CRITERIA



See PDF Pg. 40For Marcum LLP’s proposed key staff, refer to profiles and certificates available in Appendix A.� Client Service and Engagement Partner:Mark Agulnik, Partner, CPA, CISA, PCI‐QSA� Principal:Heather Bearfield, Principal, CISA, CISM, CRISC, PCI‐QSA� Senior Manager (Project Lead):Jose Antigua, Senior Manager, CISA, ACDA, COBIT� Senior Manager:Robert Coro, Senior Manager, CISA, CISM, PCI‐QSA


Edward (Ed) Ko, Pen Test Manager, Multi Campus PCI Experience, Information Privacy, Network Analysis, Telecommunications, 12 years in security field; 16 years in experience and responsibilitiesChad Wheeler, ASV, Penetration Testing, Vulnerability Scanning, Ethical Hacking, 8 years experience in security related fieldsChristopher Wallace, Penetration Testing, Vulnerability Scanning, 5 years experience in security related fieldJudi Seguy, CRM Manager, Project Manager, E‐commerce, PCI DSS compliance, General Information Technology, 8 years experience in security related field in higher education and information technology security


See PDF Pg. 22.Patrick Matthews, Security Consultant � IACRB – Certified Expert Penetration Tester� IACRB – Certified SCADA Security Architect� IACRB – Certified Computer Forensics Examiner� Offensive Security Wireless Professional (OSWP)� Offensive Security Certified Professional (OSCP) Menachem Rothbart, Senior Security Consultant, 5+ years experience� Offensive Security Wireless Professional (OSWP)� Offensive Security Certified Professional (OSCP)� Offensive Security Certified Expert (OSCE)Milos Celic, Senior Consultant, 9 years experience� Offensive Security Certified Professional (OSCP)� Cisco Certified Network Associate (CCNA)

See PDF Pg. 40For Marcum LLP’s proposed key staff, refer to profiles and certificates available in Appendix A.� Client Service and Engagement Partner:Mark Agulnik, Partner, CPA, CISA, PCI‐QSA� Principal:Heather Bearfield, Principal, CISA, CISM, CRISC, PCI‐QSA� Senior Manager (Project Lead):Jose Antigua, Senior Manager, CISA, ACDA, COBIT� Senior Manager:Robert Coro, Senior Manager, CISA, CISM, PCI‐QSA

Ed Ko, QSA, ASV, CISSP, CPISM/AChad Wheeler, QSA, ASV, CISSP, CPISM/A, OSCP, SSCP, CEH, CVEChris Wallace, OSCP


See PDF Pg. 22.Patrick Matthews, Security Consultant � IACRB – Certified Expert Penetration Tester� IACRB – Certified SCADA Security Architect� IACRB – Certified Computer Forensics Examiner� Offensive Security Wireless Professional (OSWP)� Offensive Security Certified Professional (OSCP) Menachem Rothbart, Senior Security Consultant, 5+ years experience� Offensive Security Wireless Professional (OSWP)� Offensive Security Certified Professional (OSCP)� Offensive Security Certified Expert (OSCE)Milos Celic, Senior Consultant, 9 years experience� Offensive Security Certified Professional (OSCP)� Cisco Certified Network Associate (CCNA)

10 10/20/2017 1:35 PM


Licensing Matrix



EVALUATION CRITERIAOptiv Security Plante & Moran, PLLC dba Plante Moran Presidio RSM US LLP

See PDF Pg. 235been trained in the processes and procedures for conducting these assessments.The consultant resumes below are examples of the highly qualified Optiv consultants that Broward can expect to work on this engagement. Actual consultants will be determined based on availability at the time of proposal signature. Additional consultant biographies are available upon request.Practice Manager – Dan KottmannDan Kottmann has a decade of professional experience in information security focusing on vulnerability assessments, penetration testing and consulting. Dan has conducted security assessments that include components such as internal/external network and application penetration testing, social engineering, wireless assessment and intrusion, and vulnerability assessments. In addition, Dan has executed quarterly external scans for various clients based on the Payment Card Industry (PCI) Data Security Standard. Dan also has performed webapplication development using a number of common frameworks, technologies and languages. Lastly, Dan has acted as a primary resource for developing, executing and delivering advanced offerings and engagements including breach simulations and endpoint security assessments.........

See PDF Pgs. 37 ‐ 39Joseph Olekask, CISSP, CRISC, Partner, 17+ years experienceScott Petree, CPA, CISA, CFE, QSA, Principal, 17+ years experienceSaumil Shah, CISA, CEH, CCNA, Senior Manager, 8+ years experienceAndrea Selke, CISSP, Security+, Manager, 9+ years experiencePatrick Flanigan, CEH, Manager, 3+ years experienceShelby Mathers, Senior Consultant, Focus Area in attack & penetration, vulnerability assessments, social engineering, wireless security, IT security audits and other network security assessmentsAdam Cohen, Senior Consultant, 2+ years experienceShabaz Khan, CEH, Consultant, experience in information security, control and IT auditZachary Johnson, Consultant, Area of focus in penetration testing , vulnerability assessments, social engineering, web application security testing, wireless security testing, and IT security audits

Resumes See PDF Pgs 75 ‐ 89.PDF Pg. 40The Presidio Project Managers are responsible for managing all cyber security projects that include: Payment Card Industry Data Security Standard (PCI DSS), Health Insurance Portability and Accountability Act (HIPAA), IT Audit Services, Security Penetration testing, and architecture consulting. Presidio’s project managers and key staff have an extensive list of industry certifications that include: CISSP, CISA, CISM, CRISC, OSCP, GPEN, GWAPT, G2700, CEH, ITIL Practitioner and ITIL (v3). In addition, Presidio has 1,600 engineers on the backend that provide architecture design and implementation services.

Andrew Weidenhamer, Director, National Secutiy Testing Lead, 15+ years experienceMartin Rubio, Manager, Security, Privacy and Risk Services, 18+ years experienceBen Johnson, Senior, Security, Privacy, and Risk Services, 5 years experienceWilliam Martin, Senior, Security, Privacy and Risk Services, 6 years experienceTyler Price, Associate, Security, Privacy and Risk Services, 3 years experience

See Pg. 236� Certified Information Systems Security Professional (CISSP)� Certified Information Security Manager (CISM)� Offensive Security Certified Professional (OSCP)� Offensive Security Certified Engineer (OSCE)� Microsoft Certified Systems Engineer (MCSE)� Cisco Certified Security Administrator (CCNA)� Cisco Certified Security Professional (CCSP)� GIAC Web Application Penetration Tester (GWAPT)� GIAC Certified Forensic Analyst (GCFA)� GIAC Certified UNIX Security Administrator (GCUX)� GIAC Security Essentials Certification (GSEC)

See PDF Pgs. 37 ‐ 39Joseph Olekask, CISSP, CRISC, Partner, 17+ years experienceScott Petree, CPA, CISA, CFE, QSA, Principal, 17+ years experienceSaumil Shah, CISA, CEH, CCNA, Senior Manager, 8+ years experienceAndrea Selke, CISSP, Security+, Manager, 9+ years experiencePatrick Flanigan, CEH, Manager, 3+ years experienceShelby Mathers, Senior Consultant, Focus Area in attack & penetration, vulnerability assessments, social engineering, wireless security, IT security audits and other network security assessmentsAdam Cohen, Senior Consultant, 2+ years experienceShabaz Khan, CEH, Consultant, experience in information security, control and IT auditZachary Johnson, Consultant, Area of focus in penetration testing , vulnerability assessments, social engineering, web application security testing, wireless security testing, and IT security audits

PDF Pg. 40Presidio brings Broward County our broad skill set and depth of experience. Our security engineering team is composed of Certified Information System Security Professionals (CISSPs), Certification and Accreditation Professionals (CAPs), InfoSec Assessment Methodology (IAM) professionals, Certified Ethical Hackers (CEHs), and Certified Information Security Managers (CISMs). This highly trained and experienced group has completed many Vulnerability Risk Assessment (VRA) and Security Certification and Accreditation (C&A) projects, tests, evaluations, and related services. Exhibit 4 illustrates Presidio’s Security Certifications. Our security professionals keep current with changes in the information security space and are considered thought‐leaders in the market. Each security team member has extensive experience performing VRA and C&A services for commercial, enterprise, and government clients and is well acquainted with applicable compliance regulations.Presidio other relevant Security and Compliance Industry certifications not required in theRFQ include CRISC, QWAPT, G2700, ITIL Practitioner and ITIL ( 3)

Andrew Weidenhamer, Offensive Security Certified Professional (OSCP), Certified information Systems Security Professional (CISSP), Certified Information Systems Auditor (CISA), Certified Information Privacy Professional (CIPP), Payment Application Qualified Security Assessor (PA‐QSA), Payment Card Industry Qualified Security Assessor (PCI QSA), Information Organization for Standardization 27001 Provisional Auditor (ISO 27001) Martin Rubio, National Security Agency ‐ InfoSec Assessment Methodology (NSA IAM), Institute for Security Open Methodologies Open Source Security Testing Methodology Manual Professional Security Analyst (ISECOM OPSA), eSecurity Certified Professional Penetration Tester (eCPPT)Ben Johnson, Certified information Systems Security Professional (CISSP), Global Information Assurance Certification Mobile Device Security Analyst (GIAC GMOB), Global Information Assurance Certification Web Application Penetration Tester (GIAC GWAPT)William Martin, Offensive Security Certified Professional (OSCP)Tyler Price, Certified Ethical Hacker (CEH), Certified Penetration Tester (CPT)

11 10/20/2017 1:35 PM


Licensing Matrix



EVALUATION CRITERIASeNet International Corporation SHI International Corp



The SHI Security Services team are all senior level Security Professionals with each having 20+ years’ experience. Specific skill sets may vary but overall each has experience working with various industry security frameworks and providing Security Assessments and Penetration Testing. The team holds many different Security related certifications however all have CISSP certifications.

j gPenetration Testing engagements is performedby three roles:• Engagement Manager – The Engagement Manager is responsible for the overallquality and timeliness of the deliverables. The Engagement Manager will ensure that theoverall project schedule is met; that appropriate, skilled and knowledgeable resourcesare provided for each phase and task of the initiative. He will ensure that you aresatisfied with the collaborative support provided by Verizon.• Project Manager – The Project Manager will be responsible for running theproject, scheduling and conducting status meetings, facilitating data exchange, andserving as the primary point of contact for the engagement.• Expert Security Engineering Staff ‐ The Engagement Manager will be supportedby Verizon’s staff of trained consultants and engineers. The staff assigned to the projectwill be based upon the actual project schedule and the knowledge required foraccomplishing the scope of this engagement.Actual resumes will be provided upon contract award or down selection.



Security relevant certifications of Verizon’s US‐based Penetration Testing consulting staff include:• Certified Information Systems Security Professional [CISSP]• EC‐Council: Certified Ethical Hacker [CEH]• Mile2: Certified Pen Testing Specialist [CPTS]• Certified Wireless Network Administrator [CWNA]• Cisco CCNA Certified• Cisco CCSP (SECURE, CIDS) [CCSP]• SANS GREMAll Penetration Testing Project Managers have Project Management Professional (PMP) certifications.

12 10/20/2017 1:35 PM




Services ATT2. Project Approach:a. Describe the prime Vendor’s approach to performing similar work in this Category.

See PDF Pgs. 157 ‐ 159.IMPLEMENTATION ROADMAP AND TIMINGThe Payment Card Industry Data Security Standards (PCI DSS) includes 12 Requirement sections in which several sub‐requirements are within each main requirement. Overall, there are approximately 300+ individual requirements that must be met to be considered “PCI Certified”. The PCI DSS address all areas of operations to ensure the protection of cardholder data. Therefore, a significant effort is required by all departments within an organization to establish and maintain a PCI DSS certified environment. Here’s a high level overview of the standard: 1st Secure IT has a repeatable and proven methodology for helping our clients achieve PCI DSSCompliance. On Page 10 of the PCI Data Security Standard it states “The first step of a PCI DSS assessment is to accurately determine the scope of the review. At least annually and prior to the annual assessment, the assessed entity should confirm the accuracy of their PCI DSS scope by identifying all locations and flows of cardholder data, and identify all systems that are connected to or, if compromised, could impact the Cardholder Data Environment (CDE) to ensure they are included in the PCI DSS scope.” To this end, our PCI Compliance Implementation Roadmap will start with a comprehensive PCI DSS scope review. After the CDE has been accurately defined, the next step is to work with our client to implement scope reductionmethods as necessary.....

See file "Evaluation ‐ Cat 4" We are going to take a holistic approach to the project. First is to understand the complete environment at Broward county, including the network infrastructure, Linux machines, web servers, Linux servers, application running and the complete infrastructure. We are going to lay down a comprehensive effort to get this started. Then, we will identify the right tools to start using it upon vendor acceptance. The goal is to lay down a phased approach to penetration testing, including the pre‐work as well as any precautions that needs to be taken so that the results are accurate.

See PDF Pg. 525 ‐ 541

CONFIDENTIAL

Pgs 35: Non‐Disclosure Statement "The information in this document is AT&T Corp. Confidential, and cannot be reproduced or redistributed in any way, shape, or form without prior written consent from AT&T Corp. © Copyright 2017 AT&T Corp. AT&T Corp., the AT&T Corp. logo, and all othertrademarks, service marks, and designs are registered or unregistered trademarks of AT&T Corp. Intellectual Property and/or AT&T Corp. affiliatedcompanies."



b. Number of employees, coordination efforts, servers and workers located within USA

1st Secure IT LLC has 7 employees located at their headquarters in Ft. Lauderdale, FL. They maintain 10 servers in a FTL Hosting facility.

See file "Evaluation ‐ Cat 4" Number of employees will be determined based on the infrastructure we have to maintain and cover for penetration testing. It will also depend on the timeframe required to complete the project.

CONFIDENTIAL




13 10/20/2017 1:35 PM






See PDF Pgs. 11 ‐ 20.Full External Perimeter Evaluation ‐ Our ApproachDuring an External Penetration Test, BreakPoint Labs will emulate the presence of an adversary trying to attack the organization externally. BPL will evaluate all externalsystems and services for the target organization utilizing the following methodology:1. Scoping2. Reconnaissance: Discovery3. Automated Testing: Enumeration4. Manual Testing5. Reporting6. Remediation SupportKey ObjectivesEnumerate to the Broward County Board of County Commissioners’ external technology footprint and evaluate the Internet facing services and current controlsto identify exploitable vulnerabilities. Attempt to leverage the vulnerabilities enumerated to gain elevated privilege (root/administrative level access) to the Broward County Board of County Commissioners’ systems. Enumerate any security concerns related to configuration of to the Broward County Board of County Commissioners’ DMZ, Internet facing services, Wireless, Email, Telecommunications, and DR environment....

See PDF Pg. 30Managed Security Testing (MST) service is a subscription based managed vulnerability scanning and penetration testing service. MST helps identify vulnerabilities and findings that can lead to data compromise in Networks, Applications, and Databases, which helps organizations measure and manage risk.The MST service consists of:� Reconnaissance, which is the information gathering and discovery process to understand the Client’s Target System(s) and the scope of the required scanning and/or testing of those systems.� Scanning & testing, this helps identify potential vulnerabilities or weak configurations of the Clients Target System(s), the confirmation and evaluation of those vulnerabilities and the attempted exploitation of, and extraction of data from, the Clients Target System(s).� Reporting, is the provision of results of the Client Target System(s) scans and where relevant tests, as a completed report available through the TrustKeeper Client Portal.

See PDF Pgs. 92 ‐ 102Security Penetration TestingIt is our understanding that it is the goal of the County is to engage a firm for Security Penetration Testing Services, including Internal Network Penetration Testing, External Network Penetration Testing,Web Application Testing, Wireless Network Penetration Testing, and Social Engineering Test Cases. To help the County achieve its goals, we have outlined the following approach.Crowe’s Penetration Assessments can provide a unique perspective into the security of an organization on multiple levels. Crowe’s approach is customized for each client and engagement providing value targeted toward your specific requirements. Flexibility is derived from clearly understanding your goals for the engagement and tailoring our service to complement the business requirements.Testing involves specialized Crowe Security and Privacy professionals who are adept at using the same tools and techniques as those leveraged by the hacking community. Thoroughly testing an organization for vulnerabilities includes testing both the technical aspects of information security as well as thehuman element...

See PDF Pg. 114 ‐ 115a. ApproachA review of the project’s objectives, scope, scheduled activities, assumptions and or possible constraints will be reviewed with client key personnel and staff during a project kickoff meeting.Client shall cooperate with ERM in the performance of ERM’s services. To comply with budgeted project estimates, ERM requires the timely, complete and accurate cooperation from the client.External/Internal Network Penetration TestThe main objective of this assessment is to perform an external/internal network penetration test of the organization’s technical infrastructure. We will assess the overall network security including the network perimeter devices residing on network segments (DMZ and internal) and the Internet for potential vulnerabilities that could expose critical organizational systems and applications; customer information; organization information, and financial assets. This assessment will be conducted combining the tools and techniques used by malicious "hackers" with disciplined scientific procedures to provide unique insight into the state of security in the information systems environment of theorganization. The security assessment will provide the organization with a diagnosis of network vulnerabilities from an external and internal perspective....

See PDF Pgs. 11 ‐ 20.Full External Perimeter Evaluation ‐ Our ApproachDuring an External Penetration Test, BreakPoint Labs will emulate the presence of an adversary trying to attack the organization externally. BPL will evaluate all externalsystems and services for the target organization utilizing the following methodology:1. Scoping2. Reconnaissance: Discovery3. Automated Testing: Enumeration4. Manual Testing5. Reporting6. Remediation SupportKey ObjectivesEnumerate to the Broward County Board of County Commissioners’ external technology footprint and evaluate the Internet facing services and current controlsto identify exploitable vulnerabilities. Attempt to leverage the vulnerabilities enumerated to gain elevated privilege (root/administrative level access) to the Broward County Board of County Commissioners’ systems. Enumerate any security concerns related to configuration of to the Broward County Board of County Commissioners’ DMZ, Internet facing services, Wireless, Email, Telecommunications, and DR environment....

See PDF Pg. 31Trustwave has a team of 100+ dedicated Penetration Testers. This is one of the largest teams in the industry. Unlike most of our competitors, our penetration testers are not general consultants. They only work in their area– which means they only perform penetration testing within their specialization. With suchlaser focus, they stay on top of the latest threats and attack vectors in a way that general consultants never could. All employees and servers would be within the United States. Trustwave has over 900 total employees in the US.

See PDF Pgs. 92 ‐ 102Security Penetration TestingIt is our understanding that it is the goal of the County is to engage a firm for Security Penetration Testing Services, including Internal Network Penetration Testing, External Network Penetration Testing, Web Application Testing, Wireless Network Penetration Testing, and Social Engineering Test Cases. To help the County achieve its goals, we have outlined the following approach.Crowe’s Penetration Assessments can provide a unique perspective into the security of an organization on multiple levels. Crowe’s approach is customized for each client and engagement providing value targeted toward your specific requirements. Flexibility is derived from clearly understanding your goals for the engagement and tailoring our service to complement the business requirements.Testing involves specialized Crowe Security and Privacy professionals who are adept at using the same tools and techniques as those leveraged by the hacking community. Thoroughly testing an organization for vulnerabilities includes testing both the technical aspects of information security as well as the human element...

See PDF Pg. 115ERM has approximately 30 full time employees. Of these employees, 25 are located in the USA. Onlyfull time employees located in the USA will work in these engagements.Regarding coordination efforts, Esteban Farao will be the Project Manager. He will lead a project kickoffmeeting, send the information requirements, manage the project, communicate with the clientproject team, lead project update calls and meeting as well as delivery the final reports andpresentations.All of ERM’s severs are located at the ERM’s headquarters in Coral Gables, Florida.

14 10/20/2017 1:35 PM





Sub: IOMAXIS

See PDF Pgs. 159 ‐ 164APPROACHFocal Point’s Approach to Project ManagementProject Lead – Focal Point’s project lead will be responsible for the communication of progress updates as well as the management and coordination of all staff activities.Quality Assurance (QA) – Focal Point’s objective is to exceed Broward’s expectations. As such, Focal Point will employ a team‐based approach to this engagement. Our team managerswill coordinate fieldwork and develop project deliverables, while our senior consultants and consultants perform project activities and gather data for our reports. Focal Point’s professionalsare trained to continuously review the quality of service and production provided at each level.As a result, prior to release to Broward, all reports and deliverables will undergo a stringent QA process. Once Focal Point has approved the draft report internally, the draft report will bereleased to Broward for review.The following phases offer a high‐level illustration of the approach we will take on this engagement....

See "Broward Security Services 2017" See PDF Pg.41Global Information Intelligence will apply its expert and proven methodology to provide BROWARD COUNTY with INFORMATION TECHNOLOGY (IT) SECURITY AND COMPLIANCE SERVICES using Intelligent, Proactive and Robust and Resilient methods that include proactive recommendations and remediation sample for design and implementation operational effectiveness for INFORMATION TECHNOLOGY (IT) SECURITY AND COMPLIANCE SERVICES: Network assessment of BROWARD COUNTY Corporate Network and its Operations Technology Network....

See PDF Pgs. 49 ‐ 56JohnsTek Team’ approach to meeting the requirements outlined in the solicitation begins with the unique ability to tailor our level of support and align it to the client’s request. Depending on the size andcomplexity of the applications and specific work to be performed, we identify the appropriate staff with the specific skillsets best suited for the technology being tested, and use that to determine the actual stafflevels required to meet the scope and period of performance requirements of Broward County for each task.Figure 1 below illustrates JohnsTek Team’s approach to meeting Broward County’s requirements. The approach is incorporated into a Technical Assessment Plan (TAP) specifically designed to satisfy the penetration testing objectives required by Broward County. The TAP will be broken down into three (3) stages: Pre‐Engagement (Preparation), Engagement (Penetration Testing Activities), Post‐Engagement (Deliverables). The TAP also includes a detailed timeline that denotes milestones mapped to the outputs for each stage. The ROE is then generated and integrated as the final portion of the TAP, codifying JohnsTek Team’s boundaries, the scope and nature of the engagement, and the specific activitiesauthorized and/or prohibited by Broward County.

See PDF Pgs. 159 ‐ 164APPROACHFocal Point’s Approach to Project ManagementProject Lead – Focal Point’s project lead will be responsible for the communication of progress updates as well as the management and coordination of all staff activities.Quality Assurance (QA) – Focal Point’s objective is to exceed Broward’s expectations. As such, Focal Point will employ a team‐based approach to this engagement. Our team managerswill coordinate fieldwork and develop project deliverables, while our senior consultants and consultants perform project activities and gather data for our reports. Focal Point’s professionalsare trained to continuously review the quality of service and production provided at each level.As a result, prior to release to Broward, all reports and deliverables will undergo a stringent QA process. Once Focal Point has approved the draft report internally, the draft report will bereleased to Broward for review.The following phases offer a high‐level illustration of the approach we will take on this engagement....


See PDF Pg.41Global Information Intelligence will apply its expert and proven methodology to provide BROWARD COUNTY with INFORMATION TECHNOLOGY (IT) SECURITY AND COMPLIANCE SERVICES using Intelligent, Proactive and Robust and Resilient methods that include proactive recommendations and remediation sample for design and implementation operational effectiveness for INFORMATION TECHNOLOGY (IT) SECURITY AND COMPLIANCE SERVICES: Network assessment of BROWARD COUNTY Corporate Network and its Operations Technology Network....

See PDF Pgs. 49 ‐ 56.JohnsTek Team’ approach to meeting the requirements outlined in the solicitation begins with the unique ability to tailor our level of support and align it to the client’s request. Depending on the size andcomplexity of the applications and specific work to be performed, we identify the appropriate staff with the specific skillsets best suited for the technology being tested, and use that to determine the actual stafflevels required to meet the scope and period of performance requirements of Broward County for each task. Figure 1 below illustrates JohnsTek Team’s approach to meeting Broward County’s requirements. The approach is incorporated into a Technical Assessment Plan (TAP) specifically designed to satisfy the penetration testing objectives required by Broward County. The TAP will be broken down into three (3) stages: Pre‐Engagement (Preparation), Engagement (Penetration Testing Activities), Post‐Engagement (Deliverables). The TAP also includes a detailed timeline that denotes milestones mapped to the outputs for each stage. The ROE is then generated and integrated as the final portion of the TAP, codifying JohnsTek Team’s boundaries, the scope and nature of the engagement, and the specific activities authorized and/or prohibited by Broward County....

15 10/20/2017 1:35 PM






See PDF Pg. 41Firm’s historyMarcum LLP is one of the largest independent public accounting and advisory services firms in the nation, with offices in major business markets throughout the U.S., Grand Cayman and China.Headquartered in New York City, Marcum provides a full spectrum of traditional tax, accounting and assurance services; advisory, valuation and litigation support; and an extensive range of specialty and niche industry practices. The Firm serves both privately held and publicly traded companies, as well as high net worth individuals, private equity and hedge funds, with a focus on middle‐market companies and closely held family businesses. Marcum is a member of the Marcum Group, an organization providing a comprehensive array of professional services.

See PDF Pg 515 ‐ 520.Penetration testing involves simulating an actual attack on the customer’s network to test the effectiveness of an organization’s investment in security defenses. This type of testing helps to determine what a malicious person may actually accomplish in a real world hacking effort. The goal of the penetration test is to ensure the best security posture for Broward County through the discovery of vulnerabilities that may affect the confidentiality, integrity, and availability of the institution’s data. Below, we address commonly asked questionsabout PCI penetration tests.

See PDF Pgs. 356 ‐ 358.We pride ourselves on our years of continuous business and these two cornerstone tenants of our business: In‐Depth Understanding of State and Local Government—MGT has worked almost exclusivelywith the public sector. As a result, we understand the challenges and unique issues inherent in the operations of state and local government programs and service delivery. Because many of our staff have worked in government, we have a clear understanding of the state and localgovernment structure, control agencies, budgetary processes, and political environment. Our Focus is on Business Understanding and Analysis—MGT consistently focuses on identifying and implementing the most effective and efficient methods for achieving operational objectives in all of our engagements. No matter what the task, we “cut to the chase,” and work to provide the most viable business solutions in the shortest amount of time, at the lowest cost. We understand the importance of streamlining business processes and we know how to pinpoint the most efficient and effective methodologies for specific situations. Based on our previous work with the County and more than 40 years of experience in providing consulting services to federal, state, and local government clients, MGT knows that the success of anyproject is based upon the project management. Our project manager will work in tandem with the County’s designated project lead to drive the MGT project management principals and guidelines for thedevelopment of your customized solutions.

See PDF Pgs. 23 ‐ 28.NETWORK PENTRATION TESTING METHODOLOGYOne of the primary objectives of a penetration test is to identify risk presented by a given system, in a safe and effective manner. A penetration test is an attack on a computer system or infrastructure that looks for security weaknesses, potentially gaining access to the environment and data. A penetration test can help determine whether a system is vulnerable to attack, if the defenses were sufficient, andwhich defenses (if any) the test defeated. It is therefore of high importance to ensure that the engagement is designed and planned effectively.....

See PDF Pg. 45Being a National firm with 29 offices and approximately 1,550 professionals, we serve as a strategic alternative to the much larger firms. The partners and managers with whom you will develop relationships, drive all major decisions; possessing both the appropriate resources and decision making authority. Our local firm approach provides hands‐on service and timely communication, resulting in the County receiving the best of both worlds. Marcum has more than 20 professionals dedicated to providing IT Audit and Technology Services....

See PDF Pg 520.Merchant Preservation Services LLC, d/b/a CampusGuard, was established for the sole purpose of providing information security services for multi campus environments. We deliver professional services in the areasof PCI DSS, Red Flags, FERPA, HIPAA, GLBA, and other areas regarding protecting personally identifiable information. CampusGuard was founded in 2009 as an alternative for public sector and education based sectors seeking a partner that has not only deep experience with information security, but understands the complexities of applying the standards into the culture that separates multi campus environments from all other areas of enterprise.

Our firm of over 60 professionals has successfully managed more than 8,500 client engagements nationally with a significant portion of MGT’s engagements being repeat business, reflecting the firm’s commitment to achieving a high level of customer satisfaction and ability to exceed the expectations of clients. Prior to working with public sector entities as consultants, many of our staff worked in government agencies as executives and managers. This insider's knowledge of government structure and process gives MGT a competitive advantage and an ability to hit the ground running from the very start of a project. Our organization leverages leading project management solutions, and highly qualified trained professionals throughout all aspects of our engagements in order to ensure the best customer experience at every stage.


16 10/20/2017 1:35 PM





See PDF Pg. 236Comprehensive Perimeter and Internal Penetration TestOptiv’s Comprehensive Penetration Test leverages an in‐depth methodology that uses commercial and customizedtools designed to ensure thorough analysis of the targets and attack surface. Optiv begins with a discovery phase,using proprietary methods and open source tools to establish a comprehensive view of Broward County’s network,systems, and applications. Multiple automated scans, paralleled with manual examination, are used to exposepotential weaknesses that may exist within the network. Optiv will perform penetration testing on unauthenticatedweb applications (and using authenticated application roles if defined in the scoping assumptions), looking forweaknesses such as those defined in the OWASP Top 10 Application vulnerability categories that could lead tosystem compromise or sensitive information disclosure....

See PDF Pgs. 39 ‐ 44.The Pen Test will focus on simulating various threat scenarios. These threats range from external nonknowledgeable “drive‐by” attacks, to targeted authorized knowledgeable insiders. Using current threat intelligence, our cybersecurity specialists will work with the County to identify specific targets andgoals and launch controlled attacks from common footholds including: network perimeter, remoteaccess, unauthenticated and authenticated internal network access, enterprise applications, and physical access....

Pdf Pg. 40The Presidio Cyber Security Penetration Testing is comprised of a group of subject matter experts with various disciplines and backgrounds that span all domains related to the cyber arena. Our expert knowledge provides us with the ability to act as the adversary’s advocate by implementing dynamic, multi‐faceted, and multi‐vectored attacks and knowledgeably role‐play the adversary, using a controlled, realistic, interactive process for defensive purposes.The sole purpose of Presidio’s Cyber Security Penetration Testing is to provide staged intrusions that will exercise Broward County’s incident response capabilities, measure organizational resilience (socially, physically, technically, and procedurally), and provide realistic attack scenarios through the use of threat modeling techniques. If utilized correctly, Penetration Testing will provide realistic training for incident response teams, improve decision making skills, increase efficiency and response times to real word incidents, increase security awareness among the organization, demonstrate true business risk, and assess Broward County’s defense‐in‐depth strategy.

See Pdf Pgs 48 ‐ 63The following section describes RSM’s approach in conducting similar work in this Category.External Penetration TestingPenetration testing attempts to actively identify and exploit vulnerabilities on the County’s networksystems and devices. Externally, the penetration test attempts to identify and exploit vulnerabilities on theCounty’s publically facing systems and devices. These types of devices include but are not limited to:• Web servers• File Transfer Protocol (FTP) servers• VPN concentrators• Mail serversAny critical finding discovered during the penetration testing phase will be immediately reported informallyto the County’s technical staff and point‐of‐contact. At the end of the assessment, all results of our testingactivities will be reported to you in a formal report that documents our activities, findings andrecommendations.

See PDF Pg. 247Optiv has approximately 55 employees dedicated to Security Penetration Testing consulting practice withplans to increase the size of the staff in the next few years. All coordination efforts, servers, and workers arelocated in the USA.

Plante Moran has over 2,000 employees and 500 serversin the USA.

PDF Pg. 42Presidio has twenty‐three (23) people on our Cyber Security Consulting team, all whom are Presidio employees located within the USA. The Presidio Cyber Security Project Managers coordinate all the resources on the Presidio team.

Our security testing service line is staffed by approximately 50 qualified penetration testers spread across the United States. All such testers have baseline skillsets that include vulnerability scanning, manual validation of findings, network and operating system penetration testing, and wireless penetration testing.The group is then further divided into specialties such as web application assessments, database assessments, ERP assessments, mobile app/device assessments, and social engineering. All coordination efforts provided to the County will be led by the penetration testing services projectmanager and tracked formally within RSM’s project management/tracking system. RSM conducts all external testing through their testing lab based out of Chicago. This lab has ~5 servers that have a myriad of both commercial and proprietary tools installed on them. For internal testing, RSMconsultants have firm provided laptops using full disk encryption. RSM never stores any client sensitivedata after the testing is complete other than the final deliverable which is stored on a single internal serverhosted at RSM.

17 10/20/2017 1:35 PM





See Pages 21 ‐ 37. See Pages 12 ‐ 13.SHI follows a tested and repeatable penetration testing methodology designed to provide consistent technical results and ensure full coverage of the defined scope. Although our penetration testers are guided by the following methodologies, results or findings from a particular phase may guide a testerdown a specific path that their experience indicates may be more productive; this is critical in many engagements which have limited levels of effort and permits SHI to provide the most value for resourcesapplied.

A Penetration testing service description is embeded in document but unable to open.

See Pages 5 ‐ 10.

The SHI Security Services team has 6 active members with 2 openings. Additionally each assessment is assigned a Project Manager from a team of 8 PM’s. All SHI services teams are US based.

10 Senior Level Penetration Testing Consultants5 Penetration Testing Project Managers3 Penetration Testing Principal ConsultantsAll servers needed to conduct the penetration test are physically located in the United States.

18 10/20/2017 1:35 PM




Services ATTc. Describe vendor’s plan to meet key milestones and deadline datesincluding communication plan.

See PDF Pgs. 158 ‐ 159.METHODOLOGYOur approach is to inform, assist and advise the assessed company each step of the way. We employ a proven project framework that will rapidly assess and document specific PCI‐DSS challenges. Recognizing that maximizing the time allocated for this engagement is critical, the assessment framework is conducted through scheduled work and project management sessions. The nine phases of our compliance methodology are:� Phase 1 ‐ Preliminary meeting/documentation request. This phase will review service requirements and deliverables and it helps us to identify significant system information that the1st Secure IT Auditor will need to collect and analyze.� Phase 2 – Review and Assess documentation. Determine primary audit focus and general CDE scope.� Phase 3 ‐ Discovery (interview, data discovery, Service Provider Identification) during this phase we will collect data and examine all existing business processes that involve cardholder data,interview key personnel, review and analyze cardholder dataflow and network topology and gather an inventory of all components that process, transmit or store cardholder data. Thefollowing chart defines the characteristics of cardholder data (CHD) and Sensitive Authentication Data (SAD): Since the CDE consists of all systems and functions that store, process and/or transmit cardholder data, it’s important to understand the elements of data that is permitted to be stored. The PCI DSS permits the storage of the PAN, Cardholder Name, Service Code, and Expiration Date. However, the PAN must be stored in an unreadable format.

See file "Evaluation ‐ Cat 4" We will have a project manager to help engage in the discussions and monitor the project and coordinate all the activities and players during the project.

CONFIDENTIAL




19 10/20/2017 1:35 PM


Licensing Matrixc. Describe vendor’s plan to meet key milestones and deadline datesincluding communication plan.


Solution Provider: Trustwave Crowe Horwath LLP Enterprise Risk Management, Inc.See PDF Pgs. 11 ‐ 20.Full External Perimeter Evaluation ‐ Our ApproachDuring an External Penetration Test, BreakPoint Labs will emulate the presence of an adversary trying to attack the organization externally. BPL will evaluate all externalsystems and services for the target organization utilizing the following methodology:1. Scoping2. Reconnaissance: Discovery3. Automated Testing: Enumeration4. Manual Testing5. Reporting6. Remediation SupportKey ObjectivesEnumerate to the Broward County Board of County Commissioners’ external technology footprint and evaluate the Internet facing services and current controlsto identify exploitable vulnerabilities. Attempt to leverage the vulnerabilities enumerated to gain elevated privilege (root/administrative level access) to the Broward County Board of County Commissioners’ systems. Enumerate any security concerns related to configuration of to the Broward County Board of County Commissioners’ DMZ, Internet facing services, Wireless, Email, Telecommunications, and DR environment....

See PDF Pg. 31For Security Testing Services, all tests/scans are scheduled by you, the customer, who has ultimate control as to when tests get done. Penetration tests under our Managed Security Testing (MST) solution has a two(2) week lead time.

See PDF Pg. 131 ‐ 132Security Penetration TestingIt is our understanding that it is the goal of the County is to engage a firm for Security Penetration Testing Services, including Internal Network Penetration Testing, External Network Penetration Testing, Web Application Testing, Wireless Network Penetration Testing, and Social Engineering Test Cases. To help the County achieve its goals, we have outlined the following approach.Crowe’s Penetration Assessments can provide a unique perspective into the security of an organization on multiple levels. Crowe’s approach is customized for each client and engagement providing value targeted toward your specific requirements. Flexibility is derived from clearly understanding your goals for the engagement and tailoring our service to complement the business requirements.Testing involves specialized Crowe Security and Privacy professionals who are adept at using the same tools and techniques as those leveraged by the hacking community. Thoroughly testing an organization for vulnerabilities includes testing both the technical aspects of information security as well as the human element...

See PDF Pg. 115ERM Project Manager will develop a Project Plan which details all key milestones and deadline dates.ERM Project Manager will work with the client to adjust based on client needs. The CommunicationPlan will be discussed and agreed to during the kick‐off call. ERM’s communication plans typicallyinclude weekly status updates as well as updates based on key milestones and deadlines.

20 10/20/2017 1:35 PM




Sub: IOMAXISSee PDF Pgs. 159 ‐ 164APPROACHFocal Point’s Approach to Project ManagementProject Lead – Focal Point’s project lead will be responsible for the communication of progress updates as well as the management and coordination of all staff activities.Quality Assurance (QA) – Focal Point’s objective is to exceed Broward’s expectations. As such, Focal Point will employ a team‐based approach to this engagement. Our team managerswill coordinate fieldwork and develop project deliverables, while our senior consultants and consultants perform project activities and gather data for our reports. Focal Point’s professionalsare trained to continuously review the quality of service and production provided at each level.As a result, prior to release to Broward, all reports and deliverables will undergo a stringent QA process. Once Focal Point has approved the draft report internally, the draft report will bereleased to Broward for review.The following phases offer a high‐level illustration of the approach we will take on this engagement....



See PDF Pgs. 57 ‐ 59JohnsTek Team is a privately‐owned (no outside investors), zero‐debt, U.S cybersecurity and engineering company that maintains a TS Facility Clearance; additionally, 100% of our 135 employees are US citizens with approximately 80% cleared to the TS level, with many of those briefed for access to Sensitive Compartmented Information (SCI). Our cadre of cleared professionals are currently doing the same work described in the Broward County solicitation for multiple clients in the Department of Defense (DoD), Department of Homeland Security (DHS), Intelligence Community (IC), Law Enforcement Agencies (LEA), U.S. Federal Government and Commercial clients. All of our infrastructure, to includeour servers, are located within the United States. We have the necessary experience, accounting, organizational and operational controls to be an effective partner for Broward County. JohnsTek Team was founded in 2006 as a technology engineering company focused on the Research andDevelopment (R&D) of secure solutions. We are an International Organization for Standardization (ISO) 9001:2015 certified and Capability Maturity Model Integration for Development (CMMI‐DEV) Level 2 assessed Veteran‐Owned Small Business (VOSB) providing critical defensive and offensive cybersecurity support to our clients.

21 10/20/2017 1:35 PM





See PDF Pg. 45Effective Project Management is a key focus at Marcum. As a large audit, tax and consulting firm, the ability to provide services to clients on schedule and within a set budget is priority. Our techniques include best practices from the Project Management Body of Knowledge (PMBOK) and go from the Planning to the Reporting phase, going through quality assurance checks. Below is an overview of the milestones we will use throughout this engagement. We plan to communicate each of our findings upon the completion of each milestone. As we meet with your key personnel, we will work with management to lay out specific deadline dates for each milestone that take into consideration the needs of your professionals whose time will be required....

See PDF Pg 520 ‐ 521.Many of our milestones and communication coordination will come from a dedicated resource to Broward County. Our Penetration Testers are paired up with one of CampusGuard’s Customer RelationshipManagers who will work with the Penetration Tester and County directly to establish goals and milestones. Thiscommunication is continuous until the project is deemed completed by the County. Plans will be set by the CampusGuard team and those deemed appropriate from the County in a project “kickoff” call and key milestones will be set at that time. From there, continuous communication will be had by the CampusGuard and BrowardCounty teams on a time basis the County is most comfortable with. This can include weekly conference calls, summary emails or other methods the County may prefer.

See PDF Pgs. 358 ‐ 360As we have already done with other projects for Broward County, MGT will ensure accountability, compliance, and implementation of the services provided. We will adhere to all applicable federal andstate policies, procedures, and regulations. MGT will ensure accountability, compliance, and implementation of the services provided to the County. We will adhere to all applicable federal and state policies, procedures, and regulations. MGT's Project Manager will have primary responsibility for the supervision of all project operations and project administration and will ensure all deliverables meet the standards of quality set forth by the County. Our Project Manager is responsible for the day‐to‐day activities of all design and technical keystaff.


22 10/20/2017 1:35 PM



Optiv Security Plante & Moran, PLLC dba Plante Moran Presidio RSM US LLPSee PDF Pg. 247 ‐ 248Optiv uses standard Project Management practices to manage key milestones and deadline dates.Project ManagementOverviewOptiv will conduct status meetings, which may include updates on project status and issues identified andaddressed (such as schedule, deliverables, project quality, and team interaction). In addition, Optiv will provideimmediate notification of any issues requiring Broward County Office of IT’s attention. Optiv expects that any issuesidentified will be resolved promptly to avoid impact to the project timelines.Optiv Project Coordination ActivitiesThe following list details Optiv's Project Coordination activities for this project:� Facilitation of the project kick‐off meeting� Project budget reporting and Change Order management (if needed)� Coordination of Optiv personnel logistics

Frequent communication, guided by a “no surprises” philosophy is the key to a successful project. Inthis way, expectations can be effectively managed and problems can either be avoided entirely, oraddressed early on to minimize wasted effort and keep the project on schedule. Prior to formallykicking off the project, we will work with the County to develop a communications plan for the project.We will identify project stakeholders, and for each:� What they will need to know throughout the project (e.g., status updates, risk and issues)� When and how frequently they will want communication (e.g., weekly, monthly)� How communications will be delivered (e.g., status updates reports, meetings, phone calls)� Who will be responsible for the communicationWe will maintain this communication plan on a shared collaboration site throughout the project toensure regular communication and ongoing collaboration.

PDF Pg. 42 ‐ 44Presidio would develop a project plan with all defined project milestones which includes weeklystatus meetings to track the project overall progress. Escalation methodology follows.

RSM’s management approach can be expressed in one simple phrase: “no surprises.” First, we will work with the County to establish a communication protocol and approach that you prefer, and we will use these channels and tools to share information on the engagement. Once the communications plan has been created, RSM will create a timeline and milestones project schedule and track those milestones to completion on a weekly basis. We will work with you and management to keep you informed of our progress throughout the engagement with periodic formal and informal status reports and meetings as appropriate. Continuous communication helps ensure that the County and the RSM team are in agreement on, and informed about every aspect of an engagement. Our team will work closely with County management to establish clear, open lines ofcommunication via face‐to‐face meetings, phone calls, and/or regular electronic or hard‐copy communications to keep you informed of progress andissues. In the event that RSM identifies that a particular engagement is behind schedule, this issue will be formally communicated to the client to discuss the issues and possible solutions to get back on track. Similarly, if observations or risk areas are identified during an engagement, we will be on hand to provide recommendations for remediation andprovide support to management in the enhancement of current processes.

23 10/20/2017 1:35 PM




See Pages 59 ‐ 62. Once an assessment is assigned to a Sr. Solutions Architect, they are dedicated to the project ensuring their availability to complete all project related task and milestones as agreed in the SOW and/or project kickoff meeting. Schedules are managed closely to ensure overlap in projects is minimal and allow all milestones to be met and assessments to be completed on time. All SHI assessments have an assigned PM who document and track all milestones and significant events for a particular project. The PM will work with all key stakeholders involved to ensure all communications are managed effectively to meet all customer expectations. Email is used for daily communication with secure solutions being utilized for all confidential documentation.

See Pages 53 ‐ 55.The overall Verizon engagement management and delivery approach consists of the following steps.

24 10/20/2017 1:35 PM




Services ATT3. Past Performance:a. Describe prime Vendor’s experience on projects of similar nature and scope, along with evidence of satisfactory completion, both on time and within budget, for the past five years. Provide a minimum of three projects with references, preferably government agencies (i.e. state, local) of similar size and structure and proven experience and skillset in evaluation a mixed credit card environment of web applications, point of sale (POS), and IVR systems.Vendor should provide references for similar work performed to show evidence of qualifications and previous experience. Refer to Vendor Reference Verification Form and submit as instructed. Only provide references for non‐Broward County Board of County Commissioners’ contracts. For Broward County contracts, the County will review performance evaluations in its database for vendors with previous or current contracts with the County. The County considers references and performance evaluations in the evaluation of Vendor’s past performance.

See Reference Verification Form PDF Pg. 126, 130, 131.See PDF Pg. 1591st Secure IT has been a Qualified Security Assessor Company since 2010 and has performed has performed hundreds of PCI DSS audit. 1st Secure IT, LLC is a Payment Card Industry Qualified SecurityAssessor Company (PCI‐QSA) certified and authorized to perform PCI DSS and PCI PIN audits it the United States and Latin America. We are headquartered in Coral Springs, FL and focus on compliance servicesand solutions related to regulations such as PCI, HIPAA, EI3PA, and SOC2. We specialize in and are focused on delivering industry standards compliance and fraud prevention services.SAMPLE LIST OF CLIENTS1st Secure IT, LLC has done well over 100 Reports of Compliance (ROC) in the last 12 months. The followingis a sample set of clients for whom 1st Secure IT, LLC has performed compliance/security engagements:Sample clients in USA1. Luihn Foods ‐ (Refer to Vendor Reference Verification Form)2. FPN ‐ (Refer to Vendor Reference Verification Form)3. Sedano’s Supermarket ‐ (Refer to Vendor Reference Verification Form)4. Great Health Works5. Softheon,Inc Amwest Venture Corp6. Apartment Owners Association of California, Inc.7. Bagshaw Enterprises8. BKK Management Co (Yakima)9. Burger Florida Group10. Century Fast Foods, Inc.

See file "Evaluation ‐ Cat 4" We have extensive experience in doing projects of similar nature and scope. We have consistently performed these tasks with high quality and within the time limits proposed at the beginning of the project.

CONFIDENTIAL




b. Provide evidence of similar work related to services identified similar work related to services identified in this Category, including sample executive summaries and reports

See Reference Verification Form PDF Pg. 126, 130, 131.See PDF Pg. 1591st Secure IT has been a Qualified Security Assessor Company since 2010 and has performed has performed hundreds of PCI DSS audit. 1st Secure IT, LLC is a Payment Card Industry Qualified SecurityAssessor Company (PCI‐QSA) certified and authorized to perform PCI DSS and PCI PIN audits it the United States and Latin America. We are headquartered in Coral Springs, FL and focus on compliance servicesand solutions related to regulations such as PCI, HIPAA, EI3PA, and SOC2. We specialize in and are focused on delivering industry standards compliance and fraud prevention services.SAMPLE LIST OF CLIENTS1st Secure IT, LLC has done well over 100 Reports of Compliance (ROC) in the last 12 months. The followingis a sample set of clients for whom 1st Secure IT, LLC has performed compliance/security engagements:Sample clients in USA1. Luihn Foods ‐ (Refer to Vendor Reference Verification Form)2. FPN ‐ (Refer to Vendor Reference Verification Form)3. Sedano’s Supermarket ‐ (Refer to Vendor Reference Verification Form)4. Great Health Works5. Softheon,Inc Amwest Venture Corp6. Apartment Owners Association of California, Inc.7. Bagshaw Enterprises8. BKK Management Co (Yakima)9. Burger Florida Group10. Century Fast Foods, Inc.

See file "Evaluation ‐ Cat 4" We performed Penetration testing for different clients. We generated Penetration testing reports that helped companies to take remediation steps.

CONFIDENTIAL




25 10/20/2017 1:35 PM


Licensing Matrix3. Past Performance:a. Describe prime Vendor’s experience on projects of similar nature and scope, along with evidence of satisfactory completion, both on time and within budget, for the past five years. Provide a minimum of three projects with references, preferably government agencies (i.e. state, local) of similar size and structure and proven experience and skillset in evaluation a mixed credit card environment of web applications, point of sale (POS), and IVR systems.Vendor should provide references for similar work performed to show evidence of qualifications and previous experience. Refer to Vendor Reference Verification Form and submit as instructed. Only provide references for non‐Broward County Board of County Commissioners’ contracts. For Broward County contracts, the County will review performance evaluations in its database for vendors with previous or current contracts with the County. The County considers references and performance evaluations in the evaluation of Vendor’s past performance.




See Reference Verification Forms (3) PDF Pgs. 31 ‐ 35.See PDF Pg. 7Over the past years BPL security engineers have performed hundreds of security assessments. BPLs security engineers have helped organizations identify exploitable vulnerabilities that would have had a large business impact if compromised. Below are highlights of some of the ways BPL security engineers have improved the security postureof its customers:● Iden fied a cri cal SQL Injec on (SQLi) vulnerability in an Internet‐facing applica on that when exploited allowed an adversary to access all the clear‐text usernames and passwords for the entire commercial company.● Discovered custom vulnerabili es in DoD research and educa onal organiza ons that would have allowed for a complete compromise of the organization.● Enumerated several unknown vulnerabili es in commercial applica ons in use by DoD organiza ons and followed a responsible disclosure process to communicate findings with the vendors.● Helped DoD research and educa onal organiza ons iden fy emerging high‐impact vulnerabili es (Shellshock, Heartbleed, etc.) by developing custom tools for use intheir environment prior to release of checks in commercial scanning tools.● Discovered a cri cal SMTP injec on vulnerability for a DoD organiza on that would have allowed for an a acker to send E‐mails as anyone in the organization.......

See PDF PG. 31 Trustwave completed approximately 4000 penetration tests in 2016. That means that our average penetration tester performs 40 or more tests each year – compared to the 3‐10 yearly tests consultants performat most firms.

See PDF Pgs. 103 ‐ 106Past PerformanceCrowe’s cybersecurity team conducts over 200 penetration assessments annually, including both internal and external penetration testing. Quality work, based upon strong competency and directed towards our client’s needs, is the core element of creating value for our clients. Quality service involves prompt andefficient service delivery and effective communications with clients. Business relationships involve gaining trust and respect by listening to our client’s needs and developing a comprehensive understanding of their business and vision for the future before providing advice. We have delivered high value to our clients for decades and we feel that we are well‐suited to help Broward County....

(3) Reference Verification Forms included. ‐ See PDF Pgs. 115 ‐ 118 a. ERM’s ExperienceERM has completed over 5,000 Penetration Test projects. All of our projects have been completed on time and within budget.As requested, below are three references for projects of similar size and structure.1. CSID2. State of New Hampshire3. Tecnicard

See Reference Verification Forms (3) PDF Pgs. 31 ‐ 35.See PDF Pg. 7Over the past years BPL security engineers have performed hundreds of security assessments. BPLs security engineers have helped organizations identify exploitable vulnerabilities that would have had a large business impact if compromised. Below are highlights of some of the ways BPL security engineers have improved the security postureof its customers:● Iden fied a cri cal SQL Injec on (SQLi) vulnerability in an Internet‐facing applica on that when exploited allowed an adversary to access all the clear‐text usernames and passwords for the entire commercial company.● Discovered custom vulnerabili es in DoD research and educa onal organiza ons that would have allowed for a complete compromise of the organization.● Enumerated several unknown vulnerabili es in commercial applica ons in use by DoD organiza ons and followed a responsible disclosure process to communicate findings with the vendors.● Helped DoD research and educa onal organiza ons iden fy emerging high‐impact vulnerabili es (Shellshock, Heartbleed, etc.) by developing custom tools for use intheir environment prior to release of checks in commercial scanning tools.● Discovered a cri cal SMTP injec on vulnerability for a DoD organiza on that would have allowed for an a acker to send E‐mails as anyone in the organization.......

See PDF PG. 31Please see addendum for Client References.

Past PerformanceCrowe’s cybersecurity team conducts over 200 penetration assessments annually, including both internal and external penetration testing. Quality work, based upon strong competency and directed towards our client’s needs, is the core element of creating value for our clients. Quality service involves prompt and efficient service delivery and effective communications with clients. Business relationships involve gaining trust and respect by listening to our client’s needs and developing a comprehensive understanding of their business and vision for the future before providing advice. We have delivered high value to our clients for decades and we feel that we are well‐suited to help Broward County....

See PDF Pg. 119 ‐ 121Sample outline of client report.

26 10/20/2017 1:35 PM





Sub: IOMAXIS

See PDF Pgs. 165 ‐ 167Focal Point has been providing information security advisory services, including vulnerabilityassessments, penetration testing, infrastructure analyses, and technical security assessments,for over 12 years. We have developed and evaluated the information technology departments ofmany leading organizations.Over the past five years, we’ve delivered hundreds of successful penetration testing projects forboth private organizations and government entities. On average, we complete around 100penetration testing projects annually, and can provide these services to several clientsconcurrently.Our excellence in penetration testing is evidenced by the long‐lasting relationships we maintainwith our clients, who continue to rely on us year after year to find and remediate thevulnerabilities in their networks....


See References. Reference Verification Forms included. See PDF Pgs. 67 ‐68, 94See PDF Pgs. 59 ‐ Director, Operational Test & Evaluation (DOT&E)Point of Contact: John BurnsPhone Number and Email Address: 571‐372‐3887; [email protected] Period of Performance: 12/17/2015 – 12/16/2017Description of Similar Work:IOMAXIS SMEs apply their collective knowledge, skills, and experience to support DOT&E’s Congressionallymandated Cybersecurity Assessment Program (CAP), providing operational Red Team subject matter expertise,operator augmentation, data collection & analysis, and other expert‐level consulting services to multiple facets of their mission......Alliance Technology GroupPoint of Contact: Jason SherbertPhone Number and Email Address: 443‐561‐0525; jason.sherbert@alliance‐it.comContract Period of Performance: 11/04/2016 – 11/05/2017IOMAXIS conducted a penetration test to evaluate the overall security posture of the clients’ externally‐facing system(s), application(s), and service(s), including their networking and security architecture. The objective was to gain unauthorized access to any of the internal architecture.

See PDF Pgs. 165 ‐ 167Focal Point has been providing information security advisory services, including vulnerabilityassessments, penetration testing, infrastructure analyses, and technical security assessments,for over 12 years. We have developed and evaluated the information technology departments ofmany leading organizations.Over the past five years, we’ve delivered hundreds of successful penetration testing projects forboth private organizations and government entities. On average, we complete around 100penetration testing projects annually, and can provide these services to several clientsconcurrently.Our excellence in penetration testing is evidenced by the long‐lasting relationships we maintainwith our clients, who continue to rely on us year after year to find and remediate thevulnerabilities in their networks....

similar to that of pci, security testing specific requirements are address on a custimized bases, actual phased approach can be seen in the Broward Security Services 2017 under PCI DSS managed services


Reference Verification Forms included. See PDF Pgs. 67 ‐68, 94See PDF Pgs. 59 ‐ Director, Operational Test & Evaluation (DOT&E)Point of Contact: John BurnsPhone Number and Email Address: 571‐372‐3887; [email protected] Period of Performance: 12/17/2015 – 12/16/2017Description of Similar Work:IOMAXIS SMEs apply their collective knowledge, skills, and experience to support DOT&E’s Congressionallymandated Cybersecurity Assessment Program (CAP), providing operational Red Team subject matter expertise,operator augmentation, data collection & analysis, and other expert‐level consulting services to multiple facets of their mission......Alliance Technology GroupPoint of Contact: Jason SherbertPhone Number and Email Address: 443‐561‐0525; jason.sherbert@alliance‐it.comContract Period of Performance: 11/04/2016 – 11/05/2017IOMAXIS conducted a penetration test to evaluate the overall security posture of the clients’ externally‐facing system(s), application(s), and service(s), including their networking and security architecture. The objective was to gain unauthorized access to any of the internal architecture.

27 10/20/2017 1:35 PM






See PDF Pg. 46See attached Vendor Reference Forms for:� City of Coconut Creek� City of Boca Raton� City of Hollywood

Reference Verification Forms included Pg. 524 ‐ 529. See PDF Pg 522.CampusGuard’s Pen Testing Team has worked in the most dynamic environments throughout their careers and have brought that experience to CampusGuard with them. All of CampusGuard’s clients operate in multi campus environments, this includes Higher Education, Local and County Government and the resort industry. Due to the nature of these networks, their environment is far more complicated to protect and has greater exposure for unethical hackers. As you will find through our references, CampusGuard is native to these environments and operates in them every day. Our Penetration Testing team works to provide results based off of a predetermined scope of work and deliver those results to our clients on time and within budget. Our CRM assists our Pen Testing Team with our goals and keep within the timelines for completion.

See Reference Verification Forms PDF Pgs. 363 ‐ 365See PDF Pg. 362.With a focus on organizational goals first, MGT provides business‐driven information security services keeping our clients’ interests at the forefront of our engagements ensuring we deliver the most efficient solution. MGT’s core cyber security capabilities include: security risk assessments.......(ISC)2: ON‐DEMAND PENETRATION TESTING SERVICES(ISC)2, the largest information security association in the world, selected us as their key penetration testing partner to test multi‐year rollout of enterprise applications as well as infrastructure upgrades. This engagement is ongoing and thus far, we have successfully tested several of their website back end applications, their learning management system, and will soon be completing an infrastructure test.....CITY OF ROSEVILLE: EXTERNAL AND INTERNAL PENETRATION TEST AND WIFI ACCESSPOINT TESTThe City of Roseville selected us to perform a full test on their external and internal IPs as well as their wireless access points. This was part of their yearly PCI effort. We were able to successfully deliver on all aspects of the engagement while focusing on transfer of knowledge in order to help the security team with on‐going operations as much as possible.VITAL RECORDS CONTROL COMPANIES: WEB APPLICATION PENETRATION TESTINGVital Records Control Companies (VRCC) selected us to do a full penetration test of their custom electronic medical records application. We successfully executed the engagement and provided all the necessary insight into addressing any and all vulnerabilities that came about.....


See PDF Pg. 46See attached sample report for Security Penetration Testing.

See PDF Pgs. 374 ‐ 432.Included in Appendix are four sample executive summaries and reports for:� Mobile App Pen Test� Network Layer� Web Application� Wireless Security

See PDF Pg. 28 ‐ 31.Nettitude has provided Broward County with a case study of a previous penetration test.Case Study 1: SharePoint TestingClient RequirementA long term client, a high profile FTSE 100 company, requested a penetration test of one of their critical applications which was built on Sharepoint. The data assets held by the Sharepoint application were of critical importance to the company; the testing was primarily requested to ensure that no authorisedaccess could be gained to the data, the backend database, and to ensure that there were no weakconfigurations that could lead to data compromise.Nettitude Engagement & DeliveryThe average engagement size for Sharepoint applications has been five days of testing and a day of report writing. The average SharePoint application tests conducted have followed our Web Application testing methodology covering all aspects of the OWASP Top 10....

28 10/20/2017 1:35 PM





See PDF Pg. 248The security, privacy and business concerns of our clients‐both current and past‐are of the highest priority.As such, we must respectfully decline to provide specific contact names and details for potentialreferences at this stage. However, a number of our clients from recent engagements would be willing toentertain an informal conversation with their peers to discuss their use of the products and services theywere provided which we can help facilitate at the appropriate time.


Reference Verification Forms included. PDF Pg. 44Presidio provides the following three references for which we have provided similar solutions toCategory 4 – Security Penetration Testing:� Virginia Credit Union� Inteva Products Manager� Dayton’s Children HospitalPresidio uploads these customer references on the required Vendor Verification Form, in aseparate file.

See PDF Pgs 187 ‐ 191

Brevard County, FloridaOctober 2014 ‐ OngoingRSM has performed enterprise internal, external and wireless penetration tests as well as web application security testing….Prince William County, VirginiaMarch 2014 ‐ August 2014RSM conducted internal and database testing along with web application penetration testing for PWC.City of SacramentoApril 2013 ‐ OngoingRSM has performed enterprise internal external and application penetration tests for the City of Sacramento...Cubic Corporatoin and Transportation SystemsMay 2014 ‐ OngoingRSM has performed enterprise internal and external penetration tests as well as web application security testing....District of Columbia Water & Sewer AuthorityOctober 2015 ‐ January 2016RSM conducted a myriad of security testing engagements for DC Water including internal, external and wireless penetration testing....

See PDF Pg. 248Please see the provided sample deliverables (attached separately).

Reference Verification Forms included. ‐ See PDF Pgs. 73 ‐ 77Examples ‐ See PDF Pgs. 45

Reference Verification Forms included. PDF Pg. 44Presidio provides the following three references for which we have provided similar solutions toCategory 4 – Security Penetration Testing:� Virginia Credit Union� Inteva Products Manager� Dayton’s Children HospitalPresidio uploads these customer references on the required Vendor Verification Form, in aseparate file.

Due to the sensitivity of the results of the work completed for our clients, results of our engagements, or final reports will not be provided as evidence for proof of completion. If the County desires, we are prepared to provide example templates used as part of our reporting process to help ensure you are comfortable with the final work products we are accustomed to delivering.

29 10/20/2017 1:35 PM






Penetration testing results vary greatly however it is typical to find, but not limited to, exposed websites providing detailed information, remote access points only requiring a password for access, outdated protocols and operating systems, easily identifiable staff with privileged access, lack of current patches or updates, improperly configured devices and lack of employee training in response to malicious activities. SHI understands the importance of quality references; however for services such as those being requested by the County, most customers feel the information associated with these services is confidential. SHI has included a list of a few customers that we have providedsimilar services as requested in this RFP. If needed, we agree to help coordinate a call between our customers and Broward County to discuss their experience with SHI. Please note that customers may not wish to discuss specifics of their project due to the sensitive nature.Gold’s Gym, Anthony (Tony) Wilkins, Director of IT Infrastructure and TelecomTampa General Hospital, Jason Powell, Chief Information Security OfficerCity of San Marcos, Lenora Newson, IT Infrastructure Manager

Verizon’s US testing team has conducted over 1000 penetration testing projects in the past five years. Verizon has highly relevant customers who can provide information on the work we have done and the quality of our relationship with their organizations. Due to the number of requestsVerizon receives for recommendations from these customers, it is our policy to provide contact information only when we are under serious consideration for a contract award.In addition, Verizon’s corporate nondisclosure policies – combined with the sensitive nature of our customers’ business – require that certain agreements be in place before we can release sensitive customer data. In order to protect the interests and confidentiality of our customers, and at the request of our customers, we prefer to facilitate references calls and/or visits at amutually convenient time for all.

See Pages 10 ‐20. SHI has attached sample reports with our submission. As a highly respected authority on Security and Compliance and one of the most trusted voicesin the security community, we truly appreciate your challenges, put payment security in the context of your industry‐specific regulations and standards, and make recommendations not just in terms of IT change, but business process transformation, too. These principles are embodied in our annual Data Breach Investigations Report, now in its tenth edition, report, which uses data and insights drawn directly from assessments we have conducted for global enterprisesacross a variety of industries. View the report at http://www.verizonenterprise.com/verizoninsights‐lab/dbir/2017/#report.

30 10/20/2017 1:35 PM




Services ATT4. Workload of the Firm:List all completed and active projects that Vendor has managed within the past five years. In addition, list all projected projects that Vendor will be working on in the near future. Projected projects will be defined as a project(s) that Vendor is awarded a contract but the Notice to Proceed has not been issued. Identify any projects that Vendor worked on concurrently. Describe Vendor’s approach in managing these projects. Were there or will there be any challenges for any of the listed projects? If so, describe how Vendor dealt or will deal with the projects’ challenges.

See PDF Pgs. 160 ‐ 161.1st Secure IT, LLC is a QSA company for the PCI SSC. Our core competencies are within the PCI andPenetration Testing arena. Over 90% of our revenue derives from direct PCI related work. PCI relatedwork includes:� PCI DSS Scoping Reviews� PCI DSS Reports on Compliance� PCI Self‐Assessment Questionnaire assistance� Penetration Testing – for PCI Compliance� IT Security Consultation Projects for PCI ComplianceApproximately, 10% of our revenue is generated from projects outside of PCI, but are synergistic to ITSecurity. These projects include:� Fraud Prevention Consultation� Visa Global Risk Assessments� PIN Security� Non‐PCI related Penetration Testing� General IT Security Consulting.....

See file "Evaluation ‐ Cat 4" We have recently completed projects with Counsyl, Creditshop. We have sufficient capacity to take on new projects and we are very confident that you will be pleased with our services.


CONFIDENTIAL




Verify that these questions are the same as in the advertised solicitation:1. Legal business name. 1ST SECURE IT LLC 3K Technologies LLC AT&T Corp

2. Doing Business As/ Fictitious Name (if applicable): N/A

3. Federal Employer I.D. Number. 27‐1776302 02‐0604148 13‐49247104. Dun & Bradstreet Number. (If applicable). N/A 113018282 00‐698‐00805. Website address (if applicable). https://www.1stsecureit.com/en/ www.3ktechnologies.com www.att.com6. Principal place of business. 6810 Lyons Technology Circle, Suite 190

Coconut Creek, FL 330731114 Cadillac Ct, Milpitas, CA 95035 One AT&T Way, Bedminster, NJ 07921

7. Office Location for this project. 6810 Lyons Technology Circle, Suite 190, Coconut Creek, FL 33073 1114 Cadillac Ct, Milpitas, CA 95035 2002 NW 64th St., Ft. Lauderdale, FL 33309

8. Telephone/Fax Number: Telephone no.:(954) 613‐0515 Fax no.:(866) 735‐3369 Telephone no.:4087165901 Fax no.:4088842420

Telephone no.:305‐913‐3887 Fax no.:

9. Type of Business LLC LLC Corporation; New York10. List Florida Registration Number. L10000009297 M09000002854 845822


31 10/20/2017 1:35 PM


Licensing Matrix4. Workload of the Firm:List all completed and active projects that Vendor has managed within the past five years. In addition, list all projected projects that Vendor will be working on in the near future. Projected projects will be defined as a project(s) that Vendor is awarded a contract but the Notice to Proceed has not been issued. Identify any projects that Vendor worked on concurrently. Describe Vendor’s approach in managing these projects. Were there or will there be any challenges for any of the listed projects? If so, describe how Vendor dealt or will deal with the projects’ challenges.










BreakPoint Labs (BPL) manages multiple security assessments at any given time in support of several customers. BPL assessment teams are broken into three (3) main categories: Application Security, Network Security, and Compliance. BPL’s assessment teams work to manage these assessments based on individual skillsets. The BPL Application Security Assessment team manages day to day application security assessments for a large scale DoD organization and several commercial organizations. This team provides support to other BPL assessment teams to ensure that applicable expertise is leveraged during other engagements. The BPL Network Security Assessment Team focuses on performing full scope penetration tests for a large scale DoD organization (Red Team Engagements) and supports numerous other commercial companies by conducting annual and recurring penetration tests. The Compliance Assessment team provides risk and vulnerability assessments focused on various compliance standards and requirements (PCI, HIPAA, RMF, etc.) for DoD and commercial customers. All of BPL’s assessment teams work together to ensure the right service is provided at the highest quality. Many customers know they need an assessment, but are unsure of how to plan and execute, define goals, or even what is possible. BPL’s assessment teams have extensive experience working with clients who are somewhat new to security assessments and provide extra guidance and information throughout the process to ensure our customersare informed and getting the most return on investment.BreakPoint Labs manages concurrent projects with an established approach by defining each project’s goals, deadlines and measurables that must be met. Clearly documenting and defining the project dates and deliverablesamongst the team for each customer has led to a successful outcome for BreakPoint Labs efforts prior and to date.BPL’s penetration testing team services have the flexibility to work multiple projects with a remote access approach to testing and/or an onsite presence when necessary for the accomplish mission. One of the challenges with these projects is a lack of communication and/or clearly defined scope before any testing has begun. BreakPoint Labs has established an internal document and process to better aid this challenge to clearly define theproject’s scope, rules of engagement and overall expected outcome. In addition, BPL adapts best practices from industry standards such as the Project Management Body of Knowledge (PMBOK) and the ISO Standard on Project Management.


See PDF Pg. 107Over the past 5 years, Crowe has had over 16,000 clients, of which over 1,200 were government clients. Crowe currently has 871 government clients, with 32 in the Florida area.Crowe is well positioned to provide quality service to Broward County in a timely fashion. Crowe has a sophisticated Centralized Resource Management function that is responsible for ensuring that Broward County’s needs are met with the experienced and trained staff from our local offices, and if needed, from across our firm. We realize that resource management is a crucial element to consistently providing top quality service to Broward County, and all of our clients.

See PDF Pg. 122ERM has completed over 600 Penetration Testing projects during the past 5 years and estimates it will be working on approximately 50 per month during the remainder of 2017.ERM is able to manage several projects simultaneously based on our efficient project management approach. We have not experienced any challenges to complete these projects, nor do we expect to experience challenges completed projects for the client.a. Past Five Years• Banking & Financial Services (100)• Credit Card Processing (100)• Education (25)• Local, City, State Government (50)• Federal Government (25)• Hospitality (25)• Insurance (100)• Retail (25)• Technology (50)• Other (100)....

Break Point Labs Carahsoft Technology Corporation Crowe Horwath LLP Enterprise Risk Management, Inc.

Break Point Labs Not applicable

47‐4581296 522189693 35‐0921680 65‐082742707‐79914189 08‐8365767 787324008 610144201https://breakpoint‐labs.com/ www.carahsoft.com www.crowehorwath.com www.emrisk.com8116 Arlington Blvd #255Falls Church, VA 22042

1860 Michael Faraday Drive, Suite 100Reston, VA 20190

225 West Wacker Drive, Suite 2600Chicago, Illinois 60606‐1224

800 S. Douglas Road, Suite 940 North Tower, Coral Gables, FL 33134

1860 Michael Faraday Drive, Suite 100Reston, VA 20190



1‐844‐442‐5632 Telephone no.:703.871.8500 Fax no.:703.871.8505 Telephone no.:954.202.8600 Fax no.:954.202.8639 Telephone no.:305‐447‐6750 Fax no.:305‐447‐6752

LLC Corporation; Maryland Limited Liability Partnership Corporation; FloridaGP0800003826

32 10/20/2017 1:35 PM











Sub: IOMAXIS

See PDF Pg. 168As mentioned previously, Focal Point completes around 100 penetration testing engagements annually, and has the resources to serve several clients concurrently. Over the last five years,our penetration testing team has completed more than 500 security testing projects for hundreds of different clients. We complete all of our projects concurrently with other projects, sothe added workload that this project presents is not an issue for our firm.As of now, we currently have several penetration testing projects slated to begin later this summer and into the fall, but we do not anticipate any challenges for these projects, and we donot anticipate these other projects limiting us from providing the County with the highest level of service.....



See PDF Pg. 64 ‐ 66The Quality Management approach utilized by JohnsTek Team provides quality control measures across the entire company, managing our workload holistically and ensuring out ability to develop, restructure,rebalance, transform, and sustain the requirements of our various client’s and contracts.We apply the “Plan‐Do‐Check‐Act” (PDCA) methodology tool as the basis for our Quality Control process, to define, implement and control actions and improvements as depicted in the Figure below...

Focal Point Data Risk, LLC Foresite MSP LLC Global Information Intelligence LLC JohnsTek, Inc

61‐1805201 38‐3916369 273548900 20‐035258908‐0541660 07‐8744163 142428510www.focal‐point.com www.foresite.com www.globalinfointel.com www.johnstek.com201 E Kennedy Blvd, Suite 1750Tampa, FL 33602

E Windsor Ct 6860 North Dallas Parkway, Suite 200,Plano, TX 75024 45 Almeria Ave, Coral Gables, FL 33134


New York 6861 North Dallas Parkway, Suite 200,Plano, TX 75024 45 Almeria Ave, Coral Gables, FL 33134

Telephone no.:(813) 402‐1208 Fax no.:813‐436‐5283 800‐940‐4699 Telephone no.:4082509045 Fax no.:N/A Telephone no.:786.375.9020 Fax no.:305.675.8373

LLC LLC Corp; DE ‐ LLC Corporation, S CorpM16000008367 P03000120232

33 10/20/2017 1:35 PM












See PDF Pg. 471. City of Coconut Creek2. City of Boca Raton3. City of HollywoodIdentify any projects that Vendor worked on concurrently.No projects were worked on concurrently.Describe Vendor’s approach in managing these projects.Effective Project Management is a key focus at Marcum. As a large audit, tax and consulting firm, the ability to provide services to clients on schedule and within a set budget is priority. Our techniques include best practices from the Project Management Body of Knowledge (PMBOK) and go from the Planning to the Reporting phase, going through quality assurance checks. Below is an overview of the milestones we will use throughout this engagement. We plan to communicate each of our findings upon the completion of each milestone. As we meet with your key personnel, we will work with management to lay out specific deadline dates for each milestone that take into consideration the needs of yourprofessionals whose time will be required.....

See PDF Pg 523.With over 90 penetration testing engagements completed between 2012 and today, CampusGuard is well versed in managing penetration testing projects for multi campus environments. Listed in section 3 is a sample of engagements CampusGuard has performed since 2012, if more projects are needed to help identify the capabilities that CampusGuard can provide, they will be made available. Actively CampusGuard is working on projects with Iowa State (Internal), Bowling Green State University (External and Internal), and Resolvity (External and Internal). At this time, Boar’s Head Resort, North Carolina State University and Virginia Alcohol Beverage Control are scheduled projects for the months of August and September.

See PDF Pgs. 367 ‐ 373.MGT has completed projects for the County, including:� Disparity Study of County Government (2000).� Cost Allocation Plans (2009, 2010, 2011, 2014, 2015, 2016).� Comprehensive Review of the Sheriff’s Office Department of Detention (2009).� Comprehensive Analysis of the Libraries Division (2010).Being a national company, MGT has completed many projects within the past five years. Therefore,instead of providing a list of the over 2,200 projects the firm has completed or is currently conducting,we are providing a list of clients served (presented in alphabetical order by state).

See PDF Pg. 28 ‐ 31.Nettitude has provided Broward County with a case study of a previous penetration test.Case Study 1: SharePoint TestingClient RequirementA long term client, a high profile FTSE 100 company, requested a penetration test of one of their critical applications which was built on Sharepoint. The data assets held by the Sharepoint application were of critical importance to the company; the testing was primarily requested to ensure that no authorisedaccess could be gained to the data, the backend database, and to ensure that there were no weakconfigurations that could lead to data compromise.Nettitude Engagement & DeliveryThe average engagement size for Sharepoint applications has been five days of testing and a day of report writing. The average SharePoint application tests conducted have followed our Web Application testing methodology covering all aspects of the OWASP Top 10....

Marcum LLP5820 Solutions, LLC MGT of America Consulting, LLC Netitude, Inc.

CampusGuard Netitude

111986323 203756873 81‐0890071 36‐4694227968051180 134960447 02‐096‐7659 968240825www.marcumllp.com www.campusguard.com www.mgtconsulting.com www.Nettitude.com451 East Las Olas Boulevard, Ninth FloorFort Lauderdale, FL 33301


3800 Esplanade Way, Suite 210Tallahassee, FL 32311

85 Broad Street, New York NY 10004



Tallahassee, FL 85 Broad Street, New York NY 10004

954‐320‐8000 Fax no.:954‐320‐8001419‐873‐7016 Fax no.:972‐867‐4861 Telephone no.:850.386.3191 Fax no.:850.385.4501 Telephone no.:646‐795‐1881 Fax no.:

Limited Partnership Limited Liability Company ‐ LLC LLC Corporation; SLLP090003311 L15000199435

34 10/20/2017 1:35 PM











See PDF Pg. 248 ‐ 249Optiv has the largest dedicated commercial attack and penetration team in the world. We performed more than600 engagements per year that total 73,000 hours of penetration testing. Optiv’s team of over 50 dedicated pentesters, average 600+ hours per consultant for training, mentoring and research annually. Our Attack and Penteam is 100% dedicated to penetration testing and is backed by more than 2000 Optiv engineers that can provideassistance and context across the full spectrum of security concerns. In addition to performing tests with opensource tools, Optiv leverages more than 50 custom developed and proprietary tools...

See PDF Pgs. 47 ‐ 50Our team of 40+ cybersecurity consultants has completed projects for hundreds of organizations over the past five years. In addition, our team uses multiple firm wide project management tools to assist with working with dozens of clients each week. Should an unexpected conflict occur while workingwith the County, the County will be given priority as necessary. The following is an example list of governmental clients that Plante Moran has conducted Information Technology Security and Audit engagements within the last five years:....

PDF Pg. 45The Presidio Cyber team averages 70 concurrent projects at any one time. Our project managers ensure that we have resources allocated for the projects. Our project sizes range from $8,000 to $1.6M. We monitor and manage the workload monthly and make decisions on whether we need to add additional security consultants to the team. Presidio would assign a project manager and key members upon award of the contract. We would require two‐weeks to get the team in place. Presidio’s project manager would create a project plan that clearly outlines the project timelinesand responsibilities for Presidio and Broward County. Presidio would schedule weekly meetings with Broward County to track the overall progress of the project. We will provide Broward County weekly updates so project status is communicated. Presidio requests Broward County to identify a project sponsor that our project manager would work directly with.

RSM maintains confidentiality agreements with many of our clients. For this reason, we cannot name them in proposals or marketing collateral without express permission. However, in the Past Performance section on the prior page, we provide references from clients who can discuss our work with them on issues relevant to your operations. If we are engaged by the County, you will be a priority for our firm and to each member of your engagement team. Our workload fluctuates based on a number of factors, including timing and currently pending engagements. Regardless, our firm has excelled at managing its human resources so that our workload never surpasses the ability of our assigned teams to devote the time and attention necessary to add value to our clients’ organizations. Our ability to manage our workload is evidenced by relatively low turnover rates and is supported by clients’ opinions of our service. The engagement team along with County management will design a plan that will ensure expectations are met along with responsive and timely delivery of services as required by the County. The engagement in‐charge and staff will be solely dedicated to the County from start to finish for the audit. We believe this to be a team effort so that all team members understand their roles, expectations, deliverables, and timelines. RSM has the bench strength of our eight Florida offices and our national publicsector practice that we can draw upon to ensure that the County is served to the best of our ability. Our public sector team works diligently to ensure our client engagements are scheduled such that our client’s timelines are considered and target dates are met. We do not anticipate any scenario under which we will have difficulty completing the requested work.

Optiv Security Plante & Moran, PLLC Presidio RSM US LLP

Optiv, Optiv Security Plante Moran

43‐1806449 381357951 58‐1667655 FEIN‐42‐071432501‐946‐6684 004913299 15‐405‐0959 73482424optiv.com plantmoran.com www.presidio.com www.rsmus.com1125 17th St., Suite 1700Denver, CO 80202‐2032



100 NE Third Ave, Suite, Fort Lauderdale, FL 33301

N/A Southfield, MI 3250 W. Commercial BlvdFort Lauderdale, Fl 33309

Fort Lauderdale

Telephone no.:(303) 298‐0600 Fax no.:(303) 298‐0868 Tel:248‐223‐3428 Fax no.:248‐603‐5997 305‐606‐2835 954‐462‐6351

Corporation; Delaware Limited Partnership LLC Limited PartnershipM11000002358 L15000111335 ADP004384

35 10/20/2017 1:35 PM











See Pages 10 ‐20. Due to the sensitivity and type of services, SHI cannot provide this information as it relates to other projects and customers either completed or in the future. SHI would be happy to meet with Broward County discuss our approach and any challenges we may have experienced on similar projects. SHI believes in transparency and any time we come upon a challenge with a project we work with the customer to let them know the issues and possible solutions. SHI has a clearly defined escalation path so if a challenge arises the proper people can be engaged to assist. In addition as one of the top provider of IT solutions, SHI has built solid relationships with IT manufacturers and has a network of partners to work with should any challenges encountered required additional products or resources.

Verizon is continuously working multiple projects concurrently and has the people, process and technology to ensure all active projects are meeting the milestones defined on the project scope. We do not anticipate any challenges; however, should issues arise we have a welldefined process for identifying the root cause and developing a remediation plan.

SeNet International CorporationSHI International Corp Verizon Business Network Services Inc. on behalf

of MCI Communications Services Inc.d/b/a/ Verizon Business Services (VerizonBusiness or Verizon)

54‐1902349 22‐3009648 13‐274589207‐9941139 61‐142‐9481 556565836www.senet‐int.com www.shi.com www.verizonenterprise.com

3040 Williams Drive, Suite 510, Fairfax, VA 22031290 Davidson Ave Somerset, New Jersey 08873 OneVerizon Way, Basking Ridge NJ 07920

3040 Williams Drive, Suite 510, Fairfax, VA 22031

290 Davidson Ave Somerset, New Jersey 08873 Tampa, FL

Telephone no.:(703) 206‐9383 Fax no.:(703) 206‐9666800‐477‐6479 no.:(813) 520‐9786 Fax no.:813‐978‐6751

Corporation; Virginia Corporation; New Jersey Corporation; DelawareF‐01000004066 829591

36 10/20/2017 1:35 PM




Services ATT11. List name and title of each principal, owner, officer and major shareholder.

a) Dewsnap, Stephenb) Espana, Albertoc) Akins, Markd) Rodrigues, Abelardoe) Finizio, Stephenf) Dewsnap, Edward

a) Krishna K Chittabathinib) Sireesha Chittabathini

a. Thadeus Arroyo, President and CEO AT&T, 208 S. Akard St., Dallas, TX 75202b. Anne Chow, President‐Integrator Solutions, AT&T, 208 S. Akard St., Suite 3514, Dallas, TX 75202c. Frank Jules, President ‐ Global Business AT&T, 208 S. Akard St., Suite 3509, Dallas, TX 75202d. Cathy Martine‐Dolecki, President ‐ Natl Bus AT&T, 1 AT&T Way, Bedminster, NJ 07921e. Delores McCarty, Assistant Secretary AT&T, 675 W Peachtree St, NW, Atlanta, GA 30308f. George B. Goeke, CFO and Treasurer AT&T, 208 S. Akard St., Suite 1824, Dallas, TX 75202AT&T is a publicly held corporation. No single person owns more than 10% of the company. It is an independent, publicly traded telecommunications services provider.The names and titles of the AT&T Inc. officers are• Randall Stephenson—Chairman and Chief Executive Officer (CEO)• William Blase—Senior Executive Vice President, Human Resources• James Cicconi—Senior Executive Vice President, External and Legislative Affairs• Ralph de la Vega—President and Chief Executive Officer (CEO), AT&T Mobile andBusiness Solutions• John Donovan—Senior Executive Vice President, AT&T Technology andOperations and Corporate Strategy• Jose Gutierrez—Senior Vice President, Executive Operations• David Huntley—Chief Compliance Officer

d d l b l k ff12. Authorized contacts for your firm. Name: STEPHEN M DEWSNAPTitle: Managing PartnerE‐mail: [email protected] No.: 866‐735‐3369 x110Name: MARK AKINSTitle: Managing PartnerE‐mail: [email protected] No.: 866‐735‐3369 x120

Name: Krishna K ChittaathiniTitle: CEOE‐mail: [email protected] No.: 4087165901Name: Murali GomatamTitle: PresidentE‐mail: [email protected] No.: 4087165907



No No No


No No No

37 10/20/2017 1:35 PM




13. Has your firm, its principals, officers or predecessor organization(s) been debarred orsuspended by any government entity within the last three years? If yes, specify detailsin an attached written response.14. Has your firm, its principals, officers or predecessor organization(s) ever beendebarred or suspended by any government entity? If yes, specify details in an attachedwritten response, including the reinstatement date, if granted.


Solution Provider: Trustwave Crowe Horwath LLP Enterprise Risk Management, Inc.a) Thomas George, CEOb) William Glodek, Presidentc) Andrew McNicol, CTO




Name: Zachary MeyersTitle: Security EngineerE‐mail: Zmeyers@breakpoint‐labs.comTelephone No.:Name: Shane GarhartTitle: Business DevelopmentE‐mail: sgarhart@breakpoint‐labsTelephone No.: 301‐3516713




No No No No

No No No No

38 10/20/2017 1:35 PM






Sub: IOMAXISa) Andrew Cannata ‐ Principal, Cyber Securityb) Christie Verscharen ‐ Principal, PCI and Risk Servicesc) Eric Dieterich ‐ Principal, Data Privacy



Scott A Johnston





Name: Scott A JohnstonTitle: PresidentE‐mail: [email protected] No.: 786.375.9020

No No No No

No No No No

39 10/20/2017 1:35 PM







a) Michael Balter, Regional Managing Partnerb) Mark Agulnik, Partnerc) David Appel, Partnerd) Shaun Blogg, Partnere) Ilyssa Blum, Partner f) Marc Breslow, Partnerg) Michael Curto, Partner h) Adam Firestein, Partneri) Michael Futterman, Partner j) John Gabriel, Partner k) Cecelia Garber, Partner l) Kim Lamplough, Partner m) Michele Lipson, Partnern) Michael Novak, PartnerMarcum LLP is managed by more than 140 partners around the country. Below is a list of partners from our local Florida offices. A complete list of partners around the country is available at www.marcumllp.com/people‐search.

a) Harvey Gannon ‐ CEOb) Ronald E. King ‐ President

a) A. Trey Traviesa, Chairman & CEOb) Fred Seamon, Executive Vice Presidentc) Brad Burgess, Executive Vice President



Name: Andy GrantTitle: Director, National Business DevelopmentE‐mail: [email protected] No.: 419‐873‐7016Name: Ron KingTitle: PresidentE‐mail: [email protected] No.: 972‐964‐8884



No No No No

No No No No

40 10/20/2017 1:35 PM





Optiv Security Plante & Moran, PLLC dba Plante Moran Presidio RSM US LLPa) Dan Burns ‐ CEOb) David Roshak ‐ CFOc) Nate Brady ‐ CAOd) Veena Bricker ‐ CHRO







No No No No

No No No No

41 10/20/2017 1:35 PM






a) Anatoly Kozushin, Presidentb) Ilan Katz, CEOc) Gus Fritschie, Chief Technology Officerd) Steve Davis, COO

Thai LeeKoguan Leo





No No No

No No No

42 10/20/2017 1:35 PM




Services ATT15. Has your firm ever failed to complete any services and/or delivery of products duringthe last three (3) years? If yes, specify details in an attached written response.

No No We are unaware of any work completion issues that would impair our ability to meet our obligations under any contract. AT&T is a large company with an international presence and significant contractual relations. Given the size and scope of our business, we from time to time over our history have been involved in occasional alleged contract performance claims and legal actions. However, AT&T is a well‐capitalized company with assets in excess of any outstanding claims or lawsuits. As such, we are unaware of any contact performance claim or legal action that would preclude or impair our abilityto meet our obligations or perform our duties under any contract. We serve millions of customers around the globe, and we'll work hard to honor our promises.


Yes.Dewsnap, Stephen• Microliance, LLC – Partner• Interlink Commerce, LLC – PartnerEspana, Alberto• Payment Power, Inc.Finizio, Stephen• Advantage Networking ‐ Owner• Advantage Web Consulting ‐ Owner• Tend Skin Store ‐ PartnerDewsnap, Edward• Microliance, LLC – Partner• Interlink Commerce, LLC ‐ Partner

No Yes


No No No


No No No

43 10/20/2017 1:35 PM




17. Have any voluntary or involuntary bankruptcy petitions been filed by or against your firm, its parent or subsidiaries or predecessor organizations during the last three years? If yes, specify details in an attached written response.18. Has your firm’s surety ever intervened to assist in the completion of a contract or havePerformance and/or Payment Bond claims been made to your firm or its predecessor’s sureties during the last three years? If yes, specify details in an attached written response, including contact information for owner and surety.


Solution Provider: Trustwave Crowe Horwath LLP Enterprise Risk Management, Inc.No Yes, Like all large professional service firms, Crowe is, from time to

time, subject to contract disputes or issues where contracts may be terminated for a variety of reasons, including without limitation lack of client funding, disputes over the scope of the work, or payment disputes. Through active management and communication with our clients, Crowe is usually successful in anticipating such areas and working with the client to mitigate these issues.

No

No No No No

No No No

No No No No

44 10/20/2017 1:35 PM






Sub: IOMAXISNo No No No

No Principal invests in multiple businesses No No

No No No No

No No No No

45 10/20/2017 1:35 PM







No No No No

p // p / / g pMarcum Group is an organization providing a comprehensive range of professional services spanning accounting and advisory, technology solutions, wealth management and executive and professional recruiting. MARCUM LLPMarcum LLP is one of the largest independent public accounting and advisory services firms in the nation, with offices in major business markets throughout the U.S., Grand Cayman and China. MARCUM FINANCIAL SERVICESMarcum Financial Services was founded in late 2009 by combining the expertise of several professionals and firms with extensive investment, financial and business experiences. MARCUM SEARCHMarcum Search LLC offers professional recruiting services. Our recruiters recognize the importance of working closely with companies and prospective candidates to ensure the perfect match. MARCUM TECHNOLOGYMarcum Technology LLC is a full‐service integrated solutions vendor (ISV) specializing in data storage, disaster recovery, network infrastructure, IT staffing and managed services. MARCUM BERNSTEIN & PINCHUKMarcum Bernstein & Pinchuk is an independent public accounting firm. We provide a full range of audit and assurance, tax and transaction advisory services for clients in a variety of industries.MARCUM RBK (IRELAND) LIMITEDMarcum RBK is a service center for current and future hedge fund and private equity fund clients of the Marcum Alternative Investment Group.

No Yes. Principal is CEO of MGT of America Consulting, LLC and Strategos Public Affairs, LLC, both wholly owned subsidiaries of MGT of America, LLC.

No

No No No No

No No No No

46 10/20/2017 1:35 PM





Optiv Security Plante & Moran, PLLC dba Plante Moran Presidio RSM US LLPNo

No No No No

No No No No

47 10/20/2017 1:35 PM






No No No

No No No

No No No

No No No

48 10/20/2017 1:35 PM




Services ATT19. Has your firm ever failed to complete any work awarded to you, services and/ordelivery of products during the last three (3) years? If yes, specify details in anattached written response.

No No We are unaware of any work completion issues that would impair our ability to meet our obligations under any contract. AT&T is a large company with an international presence and significant contractual relations. Given the size and scope of our business,we from time to time over our history have been involved in occasional alleged contract performance claims and legal actions. However, AT&T is a well‐capitalized company with assets in excess of any outstanding claims or lawsuits. As such, we are unaware of any contact performance claim or legal action that would preclude or impair our ability to meet our obligations or perform our duties under any contract. We serve millions of customers around the globe, and we'll work hard to honor our promises.

20. Has your firm ever been terminated from a contract within the last three years? If yes, specify details in an attached written response.

No Except for material matters that AT&T discloses in filings with the Securities and Exchange Commission or otherwise discloses in response to subpoenas or other valid court orders, AT&T is legally and contractually prohibited from disclosing information to third parties about contractual matters. Also, due to the size and scale of AT&T’s operations, as a practical matter, AT&T cannot state with absolute certainty whether AT&Thas defaulted under a contract. Notwithstanding the legal and practical restrictions that limit AT&T’s ability to disclose specific contract performance issues, AT&T can assure Customer that AT&T is capable of performing the services requested under this RFP and that AT&T has no history or pattern of performance issues with other customers that would affect AT&T’s ability to perform the services requested by Customer. AT&T reiterates that AT&T is not aware of any circumstances involving performance under another contract which would materially and adversely impact AT&T’s ability to perform services for Customer. Moreover, AT&T is not aware of any circumstance when AT&T was not awarded a bid due to non‐performance concerns about AT&T by the entity sponsoring a particular procurement. AT&T is forced to qualify such assurances to the best of its knowledge due to the scale and scope of AT&T’soperations. AT&T will not be able to provide such assurances with absolute certainty with respect to every contract or bid opportunity in which AT&T has participated.

21. Living Wage solicitations only: N/A N/A No

49 10/20/2017 1:35 PM


Licensing Matrix19. Has your firm ever failed to complete any work awarded to you, services and/ordelivery of products during the last three (3) years? If yes, specify details in anattached written response.




Solution Provider: Trustwave Crowe Horwath LLP Enterprise Risk Management, Inc.No No Yes, Like all large professional service firms, Crowe is, from time to

time, subject to contract disputes or issues where contracts may be terminated for a variety of reasons, including without limitation lack of client funding, disputes over the scope of the work, or payment disputes. Through active management and communication with our clients, Crowe is usually successful in anticipating such areas and working with the client to mitigate these issues.

No

No No Yes, Like all large professional service firms, Crowe is, from time to time, subject to contract disputes or issues where contracts may be terminated for a variety of reasons, including without limitation lack of client funding, disputes over the scope of the work, or payment disputes. Through active management and communication with our clients, Crowe is usually successful in anticipating such areas and working with the client to mitigate these issues.

No

N/A N/A

50 10/20/2017 1:35 PM






Sub: IOMAXISNo No No No

No No No No

N/A N/A N/A N/A

51 10/20/2017 1:35 PM








No No No


No No No

N/A N/A N/A N/A

52 10/20/2017 1:35 PM





Optiv Security Plante & Moran, PLLC dba Plante Moran Presidio RSM US LLPNo No No No

No No – Plante Moran is not aware of any client terminating a contract involving the provision of information technology security and compliance services. As one of the country’s largest accounting and consulting firms with thousands of annual engagements, there likely have been instances during the last three years where clients receiving tax or accounting‐related services have elected to use other service providers for their particular needs. Plante Moran’s record of client service and satisfaction is best in class, with 99% of clients indicating they would recommend Plante Moran to others.

No No

53 10/20/2017 1:35 PM






No No No

No No No

No No No

54 10/20/2017 1:35 PM

RFQ A2114499R1 ‐ Broward County IT Security and Compliance ServicesCategory 5 ‐ Security Incident Response



Servers and Workers Located in the USA Attestation Form Provided / See PDF Pg. 569 Provided ‐ See Page 47 Provided ‐ See PDF Pg. 9AND

1. GIAC Certified Incident Handler (GCIH) on staff and proposed key team memberNot Provided



Requirement Met

OREnCase Certified Examiner (EnCe) on staff and proposed key team member Provided



Requirement MetOR

Forensic Toolkit (FTK) on staff and proposed key team memberNot Provided



Requirement Met


Vendor Security Questionnaire Form Provided ProvidedProvided


FORMS

1 10/20/2017 1:36 PM


Licensing Matrix


1. GIAC Certified Incident Handler (GCIH) on staff and proposed key team member

OREnCase Certified Examiner (EnCe) on staff and proposed key team member

OR

Forensic Toolkit (FTK) on staff and proposed key team member




FORMS

Enterprise Risk Management, Inc. Foresite MSP LLC Global Information Intelligence LLC













2 10/20/2017 1:36 PM


Licensing Matrix




OR





FORMS

MGT of America Consulting, LLC Nettitude, Inc. d/b/a Nettitude Optiv Security

Provided ‐ See PDF Pg. 23 Provided ‐ See PDF Pg. 42 Provided












3 10/20/2017 1:36 PM


Licensing Matrix




OR





FORMS

Plante & Moran, PLLC dba Plante Moran RSM US LLP SeNet International Corporation


Not ProvidedRequirement Not Met

Not Provided Not Provided

Requirement Not Met





Not Provided Not Provided

Requirement Not Met



4 10/20/2017 1:36 PM


Licensing Matrix




OR





FORMS


Provided




Provided

Provided

5 10/20/2017 1:36 PM

Category 5 ‐ Security Incident Response



1. Ability of Professional Personnel:a. Describe the qualifications and relevant experience of the Project Manager and all key staffthat are intended to be assigned to services performed within this category. Include resumes forthe Project Manager and all key staff described.

See PDF Pgs. 546 ‐ 547.

CONFIDENTIAL




See PDF Pg. 33Having responded to more than 2,000 data security incidents, performed thousands of network penetration tests and carried‐out hundreds of application security tests, Trustwave SpiderLabs, and by extension its clients, stays apprised of the latest threats and methods of data compromise.We've worked cases involving the theft of Payment Card Industry (PCI) data, electronic protected health information (ePHI), personally identifiable information (PII), industry trade secrets, sensitive corporate information, classified data and other types of protected assets. Organizations large and small select Trustwave SpiderLabs to augment their team through our incident response and readiness expertise. This includes:� Free consultation to assess your business environment, risk and needs� Integrated security technologies through a single source� 24x7x365 support and dedicated security and compliance analysts� Access to our cloud‐based management portal� "Follow the Threat" global Security Operations Centers� $100,000 Breach Protection Program

See Resumes ‐ PDF Pgs. 138 ‐ 144Tim Bryan, CPA, CFF, CITP, CISA, EnCE, Partner, 15+ years experienceAaron Reyes, EnCE, CSx, MCTS, MCP, Senior Manager, 10+ years experienceDavid McKnight, CISSP, Senior Manager, 19+ years experienceKiel Murray, Senior Manager, 7+ years experience

b. List any other relevant Security and Compliance Industry certifications that the ProjectManager and key staff described may have. Include copies of certificates, if applicable.

See PDF Pgs. 546 ‐ 547.

CONFIDENTIAL




See PDF Pg. 33 Please see the representative biographies embedded below, including the typical certifications held by the resources who may be assigned to your project.

See Resumes ‐ PDF Pgs. 138 ‐ 144Tim Bryan, CPA, CFF, CITP, CISA, EnCE, Partner, 15+ years experienceAaron Reyes, EnCE, CSx, MCTS, MCP, Senior Manager, 10+ years experienceDavid McKnight, CISSP, Senior Manager, 19+ years experienceKiel Murray, Senior Manager, 7+ years experience

EVALUATION CRITERIA

6 10/20/2017 1:36 PM


Licensing Matrix



EVALUATION CRITERIAEnterprise Risk Management, Inc. Foresite MSP LLC Global Information Intelligence LLC

See Resumes PDF Pg. 129‐135; Certifications PDF Pgs. 136‐139Esteban Orlando Farao, CISSP, CISA, CISO, CRISC, CEH, QSA, and PCIP.PCI QSA, 20+ years experienceMaria Rogers, CEH, CFE, Information Security Consultant, Extensive experience in software testing and Digital ForensicsHaslyn Martin, Information Security Consultant, Extensive experience in implementation of Secure Network Protocols

See Bios ‐ Jason L, Specialities: Compliance and Network Security, 20+ years experience, QSA PCI, PA QSA, PCIP PCI, SANS GIAC GSNA, GCIH, GPENThomas A, Specialities, Compliance and Network Security, 15+ years experience, QSA PCI, CISSP, HCISSPJohn W, Compliance, Network Security, and Incident Response/Digital Forensics, QSA PCI, PA QSA, CISSPKeith K, GRC, Security Architecture and Audit, 20+ years experience, CISSPBradley A, Penetration Testing, 15+ years of experience, CISSP,OSCE, OSCP, CEH, SANS GIAC

See PDF Pg. 78 ‐ 79Principal and Senior INFORMATION TECHNOLOGY (IT) SECURITY AND COMPLIANCE SERVICES Expert: Dr. Emmanuel Hooper, PhD, PhD, PhD Information Security and Computing Sciences (Over 30 years of Professional Experience and 25 years of Research, Harvard and Yale Alumnus, Summa Cum Laude, and Oxford Research, etc.)Global Information Intelligence LLC (100% Small Business, Minority, and Women Owned)By President, Dr. Emmanuel Hooper, PhD, PhD, PhD Computing Sciences and Information Security Founder, Consortium for Emerging Technologies‐Harvard, Exemplary Models for Federal, State, Local, Counties, Cities, Private/Public Sectors, Academia & Industry and GlobalCategory 5 – Security Incident ResponseApplied proven expertise and experience to apply intelligent, proactive and robust methodology to provide the following services category:� Provided intelligent and effective services within this category including Security Architecture Design, Security Incident Response, Policy Review and Digital Forensics.

See PDF Pgs. 136‐139• Esteban Farao: CISSP, CISA, CISO, CRISC, CEH, PCI QSA, and PCIP• Maria Rogers: CEHCopies of the Certification follow:Esteban Farao: CISSP

See Bios ‐ Jason L, Specialities: Compliance and Network Security, 20+ years experience, QSA PCI, PA QSA, PCIP PCI, SANS GIAC GSNA, GCIH, GPENThomas A, Specialities, Compliance and Network Security, 15+ years experience, QSA PCI, CISSP, HCISSPJohn W, Compliance, Network Security, and Incident Response/Digital Forensics, QSA PCI, PA QSA, CISSPKeith K, GRC, Security Architecture and Audit, 20+ years experience, CISSPBradley A, Penetration Testing, 15+ years of experience, CISSP,OSCE, OSCP, CEH, SANS GIAC

See PDF Pg. 78 ‐ 79Principal and Senior INFORMATION TECHNOLOGY (IT) SECURITY AND COMPLIANCE SERVICES Expert: Dr. Emmanuel Hooper, PhD, PhD, PhD Information Security and Computing Sciences (Over 30 years of Professional Experience and 25 years of Research, Harvard and Yale Alumnus, Summa Cum Laude, and Oxford Research, etc.)Global Information Intelligence LLC (100% Small Business, Minority, and Women Owned)By President, Dr. Emmanuel Hooper, PhD, PhD, PhD Computing Sciences and Information Security Founder, Consortium for Emerging Technologies‐Harvard, Exemplary Models for Federal, State, Local, Counties, Cities, Private/Public Sectors, Academia & Industry and GlobalCategory 5 – Security Incident ResponseApplied proven expertise and experience to apply intelligent, proactive and robust methodology to provide the following services category:� Provided intelligent and effective services within this category including Security Architecture Design, Security Incident Response, Policy Review and Digital Forensics.

7 10/20/2017 1:36 PM


Licensing Matrix



EVALUATION CRITERIAMGT of America Consulting, LLC Nettitude, Inc. d/b/a Nettitude Optiv Security


See PDF Pg. 35.Adrian Shaw, Senior Incident Response Consultant, Certified Incident Response (CRIA), CISSP, CEH, CHFI, andLPI.Jules Pagna Disso, Head of Research and Development, 15+ years experience, PhD in Intrusion Detection Systems

See PDF Pg. 249Project Manager – Erik SchmidtErik Schmidt has over twenty years of experience with information assurance, forensics, and incident management. Mr. Schmidt’s exposure to cyber security traverses across multiple industries including federal law enforcement, government, healthcare, financial, manufacturing, retail, and entertainment. He is experienced in performing strategic consulting including: incident response, information risk management, security strategy, network defense methodology, policy development, controls assessment, gap analysis, business impact analysis,SME testimonies, and best practices assessment. As an expert in computer security, Erik assists clients in efficiently responding to incidents, achieving better security awareness, and managing threats effectively and in a timely manner.Staff Member – Robert ReedRobert Reed is a seasoned investigator with 20 years of law enforcement experience. He has investigated incidents ranging from simple traffic investigations to criminal homicides. In the pursuance of these investigations, he has conducted or participated in surveillance and/or undercover operations. He leveraged this knowledge of the computer forensics field to develop and operate the first ASCLD (American Society of Crime Lab Directors) accredited computer forensic program in the State of Arizona.In the course of his career, Mr. Reed has investigated numerous crimes involving computers, computer systems, or digital evidence. He has been the affiant on countless search warrant applications, and participated in the service and execution of many warrants including those involving digital evidence. He has testified in hundreds of criminal, civil, and administrative hearings.Staff Member – Michael DoranMichael Doran is a certified computer examiner with over four years of digital forensics experience coupled with nine and half years............


See PDF Pg. 35.Adrian Shaw, Senior Incident Response Consultant, Certified Incident Response (CRIA), CISSP, CEH, CHFI, andLPI.Jules Pagna Disso, Head of Research and Development, 15+ years experience, PhD in Intrusion Detection Systems

See PDF Pg. 249 ‐ 250Certifications for Robert Reed• GCFA• CEH• CHFI• U.S. Treasury BCERT and ACERT• Certified EC Council Instructor (CEI)Certification for Michael Doran• CFCE• ACE• CCE• EC‐Council C|HFI• EC‐Council C|EH

8 10/20/2017 1:36 PM


Licensing Matrix



EVALUATION CRITERIAPlante & Moran, PLLC dba Plante Moran RSM US LLP SeNet International Corporation

See PDF Pgs. 51 ‐ 52.Michelle D. McHale‐Adams, CPA/CFF, CFE, Partner, 20+ years experienceEric Conforti, CPA, CFE, Senior Manager, Specializes in performing forensic investigations, data analytics, and internal control analysesAmanda Fletcher, CPA, CFE, Manager, Experience in expense reviews, asset misappropriation investigations, internal control assessments and insurance claimsKyle Sutton, CPA, CFE, Senior Consultant, Emphasis in not‐for‐profit and healthcare industries

Sean Renshaw, Director, National Lead, Digital Forensics and Incident Response, 28+ years experienceTom Luka, Manager, Security, Privacy and Risk ServicesLuke Emrich, Manager, Security, Privacy and Risk Services, 5+ years experience


See PDF Pgs. 51 ‐ 52.Michelle D. McHale‐Adams, CPA/CFF, CFE, Partner, 20+ years experienceEric Conforti, CPA, CFE, Senior Manager, Specializes in performing forensic investigations, data analytics, and internal control analysesAmanda Fletcher, CPA, CFE, Manager, Experience in expense reviews, asset misappropriation investigations, internal control assessments and insurance claimsKyle Sutton, CPA, CFE, Senior Consultant, Emphasis in not‐for‐profit and healthcare industries

Sean Renshaw, Certified Fraud Examiner (CFE), EnCase Certified Examiner (EnCE), Certified Computer Examiner (CCE), Certified Blacklight Examiner (CBE), Digital Forensics Certified Practitioner (DFCP‐Founders), Seized Computer Evidence Recovery Specialist (SCERS)Tom Luka, EnCase Certified Examiner (EnCE)Luke Emrich, EnCase Certified Examiner (EnCE), Certified Ethical Hacker (CEH), Global Information Assurance Certification (GIAC) Certified Forensic Analyst (GFCA)


9 10/20/2017 1:36 PM


Licensing Matrix



EVALUATION CRITERIA


See Pages 64 ‐ 66.Verizon sets the benchmark in the digital forensics, computer incident response, electronic discovery, and IT investigative arenas, providing both public and private sector organizations with leading services and support. Over the past ten years, Verizon has been retained to investigate many of the world's largest, most publicly visible and damaging data breaches on record, affording the team a rare perspective into global cyber crime related trends. This critical investigator's perspective is a core component of the team's service offerings: enabling fast identification of data breach sources, and helping Customer Short move more quickly toward incident containment, while limiting the extent of informational losses. Team personnel hail from a combination of military, law enforcement, and IT technical backgrounds, affording Customer Short direct access to a wealth of highly specialized investigative experience and expertise. Our technical experts are well versed in criminal and civil investigative requirements and have extensive experience providing in‐court testimony in both expert and fact witness capacities. These experts are located throughout the Americas, Europe/Middle East, and Asia‐Pacific,providing Customer Short leading evidentiary direction,digital forensics expertise, and general IT investigative know‐how when and where it is needed most.

As well as a leading global Qualified Security Assessor (QSA), Payment ApplicationQualified Security Assessor (PA‐QSA), and Qualified Security Assessor Point‐to‐Point Encryption (P2PE) company, we are one of few qualified PCI Forensic Investigators (PFI) for Visa and MasterCard. Our assessors are highly experienced, often industry thought‐leaders and maintain an array of security industry certifications including the Certified Information Systems Security Professional (CISSP), Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM), and Certified Ethical Hacker (CEH).

10 10/20/2017 1:36 PM



Solution Provider: Trustwave Crowe Horwath LLP2. Project Approach:a. Describe the prime Vendor’s approach to performing similar work in this Category. See PDF Pgs. 547 ‐ 550.

CONFIDENTIAL




See PDF Pg. 33 ‐ 35Trustwave's Forensics practice provides clients with a highly technical investigation into a system or network compromise...Payment card compromise investigations must be carried out by a qualified PCI Forensic Investigator (PFI) company. Trustwave is certified to conduct PFI engagements in all regions around the globe.We offer a number of forensics and incident response services, including the following:� Incident Response Planning� Incident Response Investigation� PCI Forensic Investigation (PFI)� Pre‐paid IR (Retainer)� Pre‐paid PFI (Retainer)Forensic Data AcquisitionWe identify accessible, recoverable and relevant data to locate and index all computer‐ and user‐generated evidence up to and including the recovery of content from non‐functioning storage devices. Forensic data can be gathered from physical devices, logical volumes, memory, volatile data and network traffic.Trustwave SpiderLabs handles all data in accordance with proper digital evidence handling procedures to ensure evidence admissibility in court....

See PDF Pg. 131 ‐ 132Security Architecture Design and Security Incident Response Policy ReviewThese following steps represent the actions Crowe will execute in order to deliver the Security Architecture Design and Security Incident Response Policy Reviewservices....

b. Number of employees, coordination efforts, servers and workers located within USA See PDF Pgs. 551.

CONFIDENTIAL



Pgs 418‐568 AT&T Proprietary: The information contained

See PDF Pg. 35All employees and servers would be within the United States. Trustwave has over 900 totalemployees in the US.


11 10/20/2017 1:36 PM





See PDF Pgs. 140 a. ApproachSecurity Incident Response Review and TestingERM will review the client organization’s incident response program/plan utilizing NIST SP 800‐61guidelines, industry best practices, and ERM’s comprehensive experience in incident response planning and mitigation. When reviewing the incident response program/plan, ERM will draw upon its experience of working with a vast variety of industry verticals to ensure that an all‐inclusive approach is utilized when drafting the program/plan.ERM will perform a thorough review of the program/plan, associatedpolicies, checklists, calling trees, and procedures to ensure that they are robust and capable of protecting the organization in the event of an incident. ERM will also conduct incident response testing and war games to gauge the effectiveness of the organization’s incident response capabilities.

See "Broward Security Services 2017" See PDF PG. 79Category 6 – Public Safety Network and Systems Audit Services� Provided intelligent and effective services within this category including Public Safety Network /Systems Audit and Review Services.� Examples of specific activities includes but not be limited to evaluation of IT General and Application controls, IT Governance, Security Strategy and Systems, General Public Safety Network Topology, Connections to External Parties, Inbound and Outbound Remote Access, IT Security Policies and Procedures, External Network Penetration Testing, Network Device Security (i.e. switches, routers, firewalls, wireless access points) – Firmware and Patching Standards, Endpoint Devices (Servers, workstations) – Patching and Antivirus checks, Physical Security, Data/Configuration Backup and Disaster Recovery, Network Management, Vendor/Contractor Access Management, System Administration/Privileged Access Management, and Network Documentation Creation and Maintenance. All services were relevant to Network and Systems Audit Services within the Public Safety Industry.

See PDF Pg. 141ERM has approximately 30 full time employees. Of these employees, 25 are located in the USA. Onlyfull time employees located in the USA will work in these engagements.Regarding coordination efforts, Esteban Farao will be the Project Manager. He will lead a project kickoff meeting, send the information requirements, manage the project, communicate with the client project team, lead project update calls and meeting as well as delivery the final reports and presentations.All of ERM’s severs are located at the ERM’s headquarters in Coral Gables, Florida.


See PDF PG. 42Global Information Intelligence will apply its expert and proven methodology to provide BROWARD COUNTY with INFORMATION TECHNOLOGY (IT) SECURITY AND COMPLIANCE SERVICES using Intelligent, Proactive and Robust and Resilient methods that include proactive recommendations and remediation sample for design and implementation operational effectiveness for INFORMATION TECHNOLOGY (IT) SECURITY AND COMPLIANCE SERVICES: Network assessment of BROWARD COUNTY Corporate Network and its Operations Technology Network....

12 10/20/2017 1:36 PM





See PDF Pgs. 440 ‐ 442.We pride ourselves on our years of continuous business and these two cornerstone tenantsof ourbusiness:In‐Depth Understanding of State and Local Government—MGT has worked almost exclusively with the public sector. As a result, we understand the challenges and unique issues inherent in the operations of state and local government programs and service delivery. Because many of our staff have worked in government, we have a clear understanding of the state and local government structure, control agencies, budgetary processes, and political environment. Our Focus is on Business Understanding and Analysis—MGT consistently focuses on identifyingand implementing the most effective and efficient methods for achieving operational objectives in all of our engagements. No matter what the task, we “cut to the chase,” and work to providethe most viable business solutions in the shortest amount of time, at the lowest cost. We understand the importance of streamlining business processes and we know how to pinpointthe most efficient and effective methodologies for specific situations. Based on our previous work with the County and more than 40 years of experience in providing consulting services to federal, state, and local government clients, MGT knows that the success of any project is based upon the project management. Our project manager will work in tandem with theCounty’s designated project lead to drive the MGT project management principals and guidelines for thedevelopment of your customized solutions.

See PDF Pg. 35 ‐ 38.This is a high level overview of the system for responding to and managing Incident Response services with Nettitude. It is based around a number of fundamental concepts and industry standards including SANS, Critical Infrastructure guidelines and the CREST Incident Response Maturity model.Our services mirror the 3 phases of these models:1. Prepare (Strategic Plans and Risk Analysis)2. Respond (Management of Events and Incidents)3. Follow up (Adapt and Learn)....

See PDF Pg. 250Incident Response Readiness AssessmentThe assessment leverages an IMF designed by the Optiv Enterprise Incident Management Team. The framework aligns with multiple industry‐accepted standards and is ideally suited to provide structure and organization forincident response endeavors (see appendix for more information). The framework addresses various areas of the Incident Management process, including:� Review current policies, procedures, personnel, and training� Review network design, infrastructure, threat identification mechanisms, and security/investigative technologies and devices� Analyze results of recent vulnerability scans to determine what gaps exist on the devices and the network� Identify, through conversations with key stakeholders, where sensitive data is kept [e.g., Cardholder Data(CHD), Social Security Numbers (SSNs), Credit Card Numbers (CCNs), Personally Identifiable Information(PII), Intellectual Property (IP)], how it moves through the organization, and the risk of compromise� Create awareness of probable attack or loss vector(s) from internal and external breaches, whetherdeliberate or accidental� Review formal and repeatable procedures to handle probable types of breaches or compromises� Ensure proper communication channels are outlined and followed in the event of a breach includingreferences to internal operational hierarchy and legal counsel....

See PDF Pg. 440 ‐ 441.Our firm of over 60 professionals has successfully managed more than 8,500 client engagements nationally with a significant portion of MGT’s engagements being repeat business, reflecting the firm’s commitment to achieving a high level of customer satisfaction and ability to exceed the expectations of clients. Prior to working with public sector entities as consultants, many of our staff worked in government agencies as executives and managers. This insider's knowledge of government structure and process gives MGT a competitive advantage and an ability to hit the ground running from the very start of a project.See Our firm of over 60 professionals has successfully managed more than8,500 client engagements nationally with a significant portion of MGT’s engagements being repeat business, reflecting the firm’s commitment to achieving a high level of customer satisfaction and ability to exceed the expectations of clients. Prior to working with public sector entities as consultants, many of our staff worked in government agencies as executives and managers. This insider's knowledge of government structure and process gives MGT a competitive advantage and an ability to hit the ground running from the very start of a project.


See PDF Pg. 252Optiv has approximately fifteen employees dedicated to the Enterprise Incident Management consulting practice with plans to increase the size of the staff in the next few years. All coordination efforts, servers, and workers are located in the USA.

13 10/20/2017 1:36 PM





See PDF Pg. 52STEP 1 – PLANNING AND REVIEWWe will work with you and those designated by you to gather appropriate information prior to coming to your location and/or working remotely.STEP 2 –FIELDWORK, DATA TESTING AND DETAILED TESTINGWe will perform select data testing, as applicable, prior to arriving onsite. Our fieldwork involves detailed testing of the transactions identified from our data testing as well as those identified based upon our understanding of the alleged schemes. If necessary, we may interview key personnel whose duties correspond to the areas of focus. In these interviews, our approach is non‐confrontational andopen. Previous clients having remarked that the process was noninvasive and caused little‐to‐nodisruption.STEP 3 – PREPARATION OF DRAFT DELIVERABLESAt this phase, we will prepare draft deliverables, which will outline the results from Steps 1 and 2.Based upon our findings, our forensic report will be drafted to address specific needs . This mayinclude the report being submitted with the proof of loss and/or submitted as evidence of loss.STEP 4 – FINALIZATION OF REPORTUpon your review and approval, we will finalize our report.

See PDF Pgs 73 ‐ 78Phase 1: Incident response program assessment ‐ Policy Review, Security ArchitecturePhase 2: Incident response exercise ‐ Policy ReviewPhase 3: Incident response support ‐ Security Incident Response and Digital Forensics

See Pages 56 ‐ 59.

Plante Moran has over 2,000 employees and 500 servers in the USA. RSM’s core DFIR team is composed of ten practitioners located in strategic locations throughout the United States. In addition, the DFIR team can leverage over 100 additional RSM client facing technology personnel in other practice areas. Our primary DFIR lab is located in Chicago, with an additional lab in Iowa as a backup or supplemental facility.


14 10/20/2017 1:36 PM





See Pages 67 ‐ 69.Cyber attacks happen on a daily basis—and inevitably, security incidents occur. To successfully manage incidents, it’s critical for you to know where to look for indicators of compromise and how to handle them. Quickly identifying and reacting with an appropriate response strategy can help lessen the potential impact of an incident. Intelligence‐driven strategies speed up effective responses to compromises and breaches, strengthening your overall security plan. Our RISK (Research, Investigations, Solutions, Knowledge) Team has broad expertise creating effective security practices and is well known for authoring our annual Data Breach Investigations Report. The team actively gathers data from security incidents, correlates this information to provide alerts, analysis, and recommendations, and turns it into actionable risk management solutions that can help protect your entire organization.

Verizon operates a global QSA practice with over 70 assessors providing consistent delivery of high quality Security services around the world. 16 QSA are located in the USA.

15 10/20/2017 1:36 PM



Solution Provider: Trustwave Crowe Horwath LLPc. Describe vendor’s plan to meet key milestones and deadline dates including communication plan. CONFIDENTIAL




See PDF Pg. 35Please see the project management plan below as a representative sample of the type of project plan we typically follow.Project ManagementTrustwave has a formal procedure for the project organization and governance as well as adherence to the timelines. Project timelines will be established between Trustwave and Client upon project kick‐off. Project progress, needs and deadlines will be provided to Client through the CVS manager portal that is describedfurther below in this section.


3. Past Performance:a. Describe prime Vendor’s experience on projects of similar nature and scope, along withevidence of satisfactory completion, both on time and within budget, for the past five years.Provide a minimum of three projects with references, preferably government agencies (i.e. state,local) of similar size and structure and proven experience and skillset in evaluation a mixed creditcard environment of web applications, Point of Sale (POS), and Interactive Voice Response (IVR)Systems. Vendor should provide references for similar work performed to show evidence ofqualifications and previous experience. Refer to Vendor Reference Verification Form and submitas instructed. Only provide references for non‐Broward County Board of County Commissioners’contracts. For Broward County contracts, the County will review performance evaluations in itsdatabase for vendors with previous or current contracts with the County. The County considersreferences and performance evaluations in the evaluation of Vendor’s past pertted with

See PDF Pg. 552

CONFIDENTIAL




See PDF Pg. 37 Please see addendum for Client References.

See PDF Pgs. 134 ‐ 135We have completed and submitted the Vendor Reference Verification Form as requested.

16 10/20/2017 1:36 PM



3. Past Performance:a. Describe prime Vendor’s experience on projects of similar nature and scope, along withevidence of satisfactory completion, both on time and within budget, for the past five years.Provide a minimum of three projects with references, preferably government agencies (i.e. state,local) of similar size and structure and proven experience and skillset in evaluation a mixed creditcard environment of web applications, Point of Sale (POS), and Interactive Voice Response (IVR)Systems. Vendor should provide references for similar work performed to show evidence ofqualifications and previous experience. Refer to Vendor Reference Verification Form and submitas instructed. Only provide references for non‐Broward County Board of County Commissioners’contracts. For Broward County contracts, the County will review performance evaluations in itsdatabase for vendors with previous or current contracts with the County. The County considersreferences and performance evaluations in the evaluation of Vendor’s past perour staff

Enterprise Risk Management, Inc. Foresite MSP LLC Global Information Intelligence LLCSee PDF Pg. 141ERM Project Manager will develop a Project Plan which details all key milestones and deadline dates.ERM Project Manager will work with the client to adjust based on client needs. The CommunicationPlan will be discussed and agreed to during the kick‐off call. ERM’s communication plans typicallyinclude weekly status updates as well as updates based on key milestones and deadlines.



(3) Reference Verification Forms included for this Category ‐ See PDF Pgs. 141 ‐ 144a. ERM’s ExperienceERM has completed approximately 400 Incident Response projects. All of our projects have beencompleted on time and within budget.As requested, below are three references for projects of similar size and structure.1. Barry University2. Ryder System3. Banco Santander


See References.

17 10/20/2017 1:36 PM




MGT of America Consulting, LLC Nettitude, Inc. d/b/a Nettitude Optiv SecuritySee PDF Pgs. 441 ‐ 442.As we have already done with other projects for Broward County, MGT will ensure accountability, compliance, and implementation of the services provided. We will adhere toall applicable federal andstate policies, procedures, and regulations. MGT's Project Manager will have primary responsibility for the supervision of all project operations and project administration and will ensure all deliverables meet the standards of quality set forth by the County. Our Project Manager is responsible for the day‐to‐day activities of all design and technical key staff. In concert with the County’s Project Lead, MGT’s Project Manager will facilitate implementation of themain components of the project, including the installation, configuration, initiation, pilot, acceptancesystem, and the training of end users as well as generating progress reports on all project activities.Other major responsibilities will include:� Scheduling of project activities.� Financial management.� General tasks related to contract administration.� Serving as the primary point of contact for County inquiries or requests for project updates......


See PDF Pg. 252 ‐ 253Optiv uses standard Project Management practices to manage key milestones and deadline dates.Project ManagementOverviewOptiv will conduct status meetings, which may include updates on project status and issues identified andaddressed (such as schedule, deliverables, project quality, and team interaction). In addition, Optiv will provideimmediate notification of any issues requiring Broward County Office of IT’s attention. Optiv expects that any issuesidentified will be resolved promptly to avoid impact to the project timelines.Optiv Project Coordination ActivitiesThe following list details Optiv's Project Coordination activities for this project:� Facilitation of the project kick‐off meeting� Project budget reporting and Change Order management (if needed)� Coordination of Optiv personnel logistics� Optiv communications and project notifications, including weekly status reports outlining project status,issues noted, and issues addressed as they relate to schedule, Deliverables, project quality, and teaminteraction (as applicable)....

See PDF Pgs. 443.See Reference Verification Forms on PDF Pgs. 444‐446EXPERIENCE ON SIMILAR PROJECTSWith a focus on organizational goals first, MGT provides business‐driven information security services keeping our clients’ interests at the forefront of our engagements ensuring we deliver the most efficient solution.MGT’s core cyber security capabilities include: security risk assessments, full range of penetration testing services, physical penetration testing, secure application development, compliance engagements, training and awareness, policy and procedure development, among others.Having completed vulnerability assessments, full security risk assessments (including NIST, ISO, HIPAA, etc.), and physical penetration tests for both private and public organizations, along with a team with 18+ years of experience in the field, we believe to have the optimal mix to help the County enhance their overall security posture. Provided below are projects similar to those requested for Category 5 of the County’s RFP, conductedwithin the past five years.SEIBERT INSURANCE AGENCY: INFORMATION SECURITY PROGRAMAs part of their information security program, we developed a framework for their incident responseplan giving them the tools to not only be ready in case of an incident, but also evolve their plan as theirsecurity program continues to get optimized.HARRY LEVINE INSURANCE: INFORMATION SECURITY PROGRAMSimilar to Seibert Insurance agency, we developed a framework for their incident response plan as partof their information security program giving them the tools to not only be ready in case of an incident,

See References. See PDF Pg. 254The security, privacy and business concerns of our clients‐both current and past‐are of the highest priority.As such, we must respectfully decline to provide specific contact names and details for potential references at this stage. However, a number of our clients from recent engagements would be willing to entertain an informal conversation with their peers to discuss their use of the products and services theywere provided which we can help facilitate at the appropriate time.

18 10/20/2017 1:36 PM




Plante & Moran, PLLC dba Plante Moran RSM US LLP SeNet International CorporationSee PDF Pgs 52‐53Given the urgency usually surrounding a breach/fraud, our team is quick to respond, assessing thesituation and implementing an action plan with the approval of the client. Given the unknowns that canexist in these situations, we provide the client with weekly updates to include: We will provide weeklyupdates to include: a brief description of services performed, findings, fees incurredto date andestimated fees and work plan for the subsequent week. Upon receipt each week, management candecide if PM should proceed or halt analysis. Should circumstances become available that may impactour estimate of fees, we will immediately review these with you and agree on a mutually agreeablesolution.Frequent communication, guided by a “no surprises” philosophy is the key to a successful project. Inthis way, expectations can be effectively managed and problems can either be avoided entirely, oraddressed early on to minimize wasted effort and keep the project on schedule.

See Pdf pgs 78 ‐ 79RSM’s management approach can be expressed in one simple phrase: “no surprises.” First, we will workwith the County to establish a communication protocol and approach that you prefer, and we will use these channels and tools to share information on the engagement. Once the communications plan has been created, RSM will create a timeline and milestones project schedule and track those milestones to completion on a weekly basis. We will work with you and management to keep you informed of our progress throughout the engagement with periodic formal and informal status reports and meetings as appropriate. Continuous communication helps ensure that the County and the RSM team are in agreement on, and informed about every aspect of an engagement. Our team will work closely with County management to establish clear, open lines ofcommunication via face‐to‐face meetings, phone calls, and/or regular electronic or hard‐copy communications to keep you informed of progress and issues. In the event that RSM identifies that a particular engagement is behind schedule, it will be formally communicated to the client to discuss the issues and possible solutions to get back on track.

See Pages 59 ‐ 62.

Reference Verification Forms not included for Category 5 ‐ States "Confidential"See PDF Pg. 53We have forensic experience with multiple governmental entities in the last five years. Todemonstrate our vast capabilities, the following outlines several examples:Chicago Transit Authority, ILPerformed internal audits of their Point‐of‐Sale systemimplementation (Ventra), Supply Chain Management, PayrollForensic Audit and Transit Operator Performance System(TOPS) system implementationProject Timeline: May 2013 – December 2015Capital Area Transportation AuthorityWe were engaged to provide forensic investigative services due to IRS notifications of non‐payment of payroll taxes. Our team uncovered numerous issues, including emails that outlined the staff that knew of the issues, which led to the ultimate findings.Genesee Intermediate School DistrictWe were engaged to investigate an alleged embezzlement. The ISD’s Superintendent suspected the Assistant Superintendent of inappropriate activity. We performed analytical tests, conducted interviews, used data mining techniques, and searched emails using key words.

See References on PDF Pgs Lee County Electric CooperativeSeptember 2016 ‐ December 2016The objective of this review was to determine if changes applied to LCEC's flagship systemes were documented, tested and approved prior to implementation to production...District of Water & Sewer Authority (DC Water)October 2015 ‐ January 2016RSM conducted a myriad of security testing engagements for DC Water including internal, external,and wireless penetration testing.McDonald HopkinsMultiple projects over several years.RSM has worked with McDonald Hopkins on a number of incident response investigations over theyears.


19 10/20/2017 1:36 PM





Pages 69 ‐ 72.While breaches and security compromises can come in many forms, they all demand fast action. When there is a clear incident or even a threat thereof, you have a team of investigators and experts at your disposal, at the ready, and just a phone call away.

See Pages 72 ‐ 73.We have helped the following organizations—and we can help you too.� A large financial services company with headquarters in New York has leveraged our Professional Services on breach reduction and to investigate potential breaches that were fortunately stopped before they become serious incidents;� A global law firm took advantage of tabletop exercises, mock incident testing and policyand procedure review as they established a formal security program;� A large retailer with more than 600 stores around the world uses Rapid Response Retainer as an insurance policy to protect payment card data, Protected Health Information (PHI) and Personally Identifiable Information (PII) of its customers;� A large restaurant chain with thousands of locations around the globe needed security experts to supplement its staff to mitigate risks associated with handling and storing its customers’ credit card information.

20 10/20/2017 1:36 PM



Solution Provider: Trustwave Crowe Horwath LLPb. Provide evidence of similar work related to services identified in this Category, includingsample executive summaries and reports

See PDF Pg. 552

CONFIDENTIAL




See PDF Pg. 37 Please see addendum for Sample Reports.

See PDF Pgs. 134 ‐ 135We have completed and submitted the Vendor Reference Verification Form as requested.

21 10/20/2017 1:36 PM


Licensing Matrixb. Provide evidence of similar work related to services identified in this Category, includingsample executive summaries and reports

Enterprise Risk Management, Inc. Foresite MSP LLC Global Information Intelligence LLCSee PDF Pgs. 145 ‐ 147Sample outline of client report.

similar to that of pci, IR specific requirements are address on a custimized bases, actual phased approach can be seen in the Broward Security Services 2017 under PCI DSS managed services


22 10/20/2017 1:36 PM



MGT of America Consulting, LLC Nettitude, Inc. d/b/a Nettitude Optiv SecuritySee Sample Incident Response Framework in Appendix on PDF Pgs. 456 ‐ 468. See References. See PDF Pg. 254

Please see the provided sample deliverables.

23 10/20/2017 1:36 PM



Plante & Moran, PLLC dba Plante Moran RSM US LLP SeNet International CorporationSee PDF Pg 54Due to the confidential and legal nature of many of our projects, we are typically engaged by clients’ attorneys to maintain attorney work product protection and, therefore, we are not authorized to releasethe names of those clients, including governmental clients, to whom we provided forensic services. However, to provide additional on‐point examples, we offer the following:� We were engaged by a City to perform forensic investigative services. The City was made aware that the Michigan State Police was investigating several of its police officers for the misuse of drug forfeiture funds. We performed interviews and analyzed numerous financial records to assist the City in preparing an insurance claim while waiting for the criminal trials to occur. Our efforts resulted in the City recovering the full amount their insurance policy allowed, in addition to identifying supplemental evidence which assisted the Michigan State Police in strengthening their criminal investigation.� We were engaged by an organization to perform forensic investigative services. The organization’s internal investigation identified a forgery scheme, whereby the Controller altered the payee information on the physical check to differ from the payee listed in the accounting system. We were hired to assist the organization compile an independent proof of loss for insurance purposes, in addition to assisting them with restitution hearing, if needed. Our analysis included comparing check images to the accounting system to identify checkswith discrepancies and, further, researching the payees to determine if they were related to the Controller. We also reviewed the Controller’s email activity, which resulted in our discovery of additional schemes performed by the Controller. In total, we quantified $435,000 in lossesand the case is currently pending in the criminal court.

Due to the sensitivity of the results of the work completed for our clients, results of our engagements orfinal reports will not be provided as evidence for proof of completion. If the County desires, we areprepared to provide example templates used as part of our reporting process to help ensure you arecomfortable with the final work products we are accustomed to delivering.

See Pages 10 ‐20.

24 10/20/2017 1:36 PM




See Pages 73 ‐74.The Verizon RISK Team performs cyber investigations for hundreds of commercial enterprises and government agencies annually across the globe. In 2016, we were retained to investigate more than 550 cybersecurity incidents occurring in over 40 countries. In 2008, the results of our field investigations were the genesis of the first Data Breach Investigations Report (DBIR), an annual publication that dissects real‐world data breaches with the goal of enlightening the public about the nature of the threat actors behind the attacks, the methods they use, including the data they seek, and the victims they target.

25 10/20/2017 1:36 PM



Solution Provider: Trustwave Crowe Horwath LLP4. Workload of the Firm:List all completed and active projects that Vendor has managed within the past five years. Inaddition, list all projected projects that Vendor will be working on in the near future. Projectedprojects will be defined as a project(s) that Vendor is awarded a contract but the Notice toProceed has not been issued. Identify any projects that Vendor worked on concurrently. DescribeVendor’s approach in managing these projects. Were there or will there be any challenges for anyof the listed projects? If so, describe how Vendor dealt or will deal with the projects’ challenges.

See PDF Pg. 553 ‐ 554

CONFIDENTIAL





See PDF Pg. 136Over the past 5 years, Crowe has had over 16,000 clients, of which over 1,200 were government clients. Crowe currently has 871 government clients, with 32 in the Florida area. Crowe is well positioned to provide quality service to Broward County in a timely fashion. Crowe has asophisticated Centralized Resource Management function that is responsible for ensuring that Broward County’s needs are met with the experienced and trainedstaff from our local offices, and if needed,from across our firm. We realize that resource management is a crucial element to consistently providing top quality service to Broward County, and all of our clients.

Verify that these questions are the same as in the advertised solicitation:1. Legal business name. AT&T Corp Carahsoft Technology Corporation Crowe Horwath LLP

2. Doing Business As/ Fictitious Name (if applicable): Not applicable

3. Federal Employer I.D. Number. 13‐4924710 522189693 35‐09216804. Dun & Bradstreet Number. (If applicable). 00‐698‐0080 08‐8365767 7873240085. Website address (if applicable). www.att.com www.carahsoft.com www.crowehorwath.com6. Principal place of business. One AT&T Way, Bedminster, NJ 07921 1860 Michael Faraday Drive, Suite 100


7. Office Location for this project. 2002 NW 64th St., Ft. Lauderdale, FL 33309 1860 Michael Faraday Drive, Suite 100Reston, VA 20190


8. Telephone/Fax Number: Telephone no.:305‐913‐3887 Fax no.: Telephone no.:703.871.8500 Fax no.:703.871.8505 Telephone no.:954.202.8600 Fax no.:954.202.8639

9. Type of Business Corporation; New York Corporation; Maryland Limited Liability Partnership10. List Florida Registration Number. 845822 GP0800003826


26 10/20/2017 1:36 PM


Licensing Matrix4. Workload of the Firm:List all completed and active projects that Vendor has managed within the past five years. Inaddition, list all projected projects that Vendor will be working on in the near future. Projectedprojects will be defined as a project(s) that Vendor is awarded a contract but the Notice toProceed has not been issued. Identify any projects that Vendor worked on concurrently. DescribeVendor’s approach in managing these projects. Were there or will there be any challenges for anyof the listed projects? If so, describe how Vendor dealt or will deal with the projects’ challenges.









See PDF Pg. 147ERM has completed 25 Security Incident Response & Digital Forensic projects during the past 5 yearsand estimates it will be working on 1 per month for the remainder of 2017.ERM is able to manage several project simultaneously based on our efficient project management approach. We have not experienced any challenges to complete these projects, nor do we expect to experience challenges completed projects for the client.a. Past Five Years1. Education (5)2. Banking & Financial Services (10)3. Transportation (3)4. Hospitality (2)5. Other (5)b. Near FutureERM will complete Security Incident Response services for a wide range of clients.




65‐0827427 38‐3916369 273548900610144201 07‐8744163www.emrisk.com www.foresite.com www.globalinfointel.com800 S. Douglas Road, Suite 940 North Tower, Coral Gables, FL 33134




Telephone no.:305‐447‐6750 Fax no.:305‐447‐6752 800‐940‐4699 Telephone no.:4082509045 Fax no.:N/A

Corporation; Florida LLC Corp; DE ‐ LLC

27 10/20/2017 1:36 PM











See PDF Pgs. 448 ‐ 454.MGT has completed projects for the County, including:� Disparity Study of County Government (2000).� Cost Allocation Plans (2009, 2010, 2011, 2014, 2015, 2016).� Comprehensive Review of the Sheriff’s Office Department of Detention (2009).� Comprehensive Analysis of the Libraries Division (2010).Being a national company, MGT has completed many projects within the past five years. Therefore,instead of providing a list of the over 2,200 projects the firm has completed or is currently conducting,we are providing a list of clients served (presented in alphabetical order by state).

See References. See PDF Pg. 254The security, privacy and business concerns of our clients‐both current and past‐are of the highest priority.As such, we must respectfully decline to provide specific a list of all completed and active projects at thisstage.Optiv utilizes standard project management practices and dedicated resources to manage progress andcommunications on all Incident Response projects. We are able to identify potential issues early in theproject and address those quickly through communications with the client and adjusting resources asneeded.

MGT of America Consulting, LLC Netitude, Inc. Optiv Security

Netitude Optiv, Optiv Security

81‐0890071 36‐4694227 43‐180644902‐096‐7659 968240825 01‐946‐6684www.mgtconsulting.com www.Nettitude.com optiv.com3800 Esplanade Way, Suite 210Tallahassee, FL 32311

85 Broad Street, New York NY 10004 1125 17th St., Suite 1700Denver, CO 80202‐2032

Tallahassee, FL 85 Broad Street, New York NY 10004 N/A

Telephone no.:850.386.3191 Fax no.:850.385.4501 Telephone no.:646‐795‐1881 Fax no.: Telephone no.:(303) 298‐0600 Fax no.:(303) 298‐0868

LLC Corporation; S Corporation; DelawareL15000199435

28 10/20/2017 1:36 PM











Our forensic accounting team works on approximately 100 engagements per year. Due to the confidential and legal nature of many of our projects, we are typically engaged by clients’ attorneys to maintain attorney work product protection and, therefore, we are not authorized to release the namesof those clients, including governmental clients, to whom we provided forensic services.

See Pdf Pg 84As previously noted, RSM’s DFIR matters are extremely sensitive and we are not able to list the matters/clients. However, we have provided several references who can speak to our work performance. In addition, the following will summarize the number of DFIR cases performed in the past 5 years.• 2017: 101 matters* (year to date – estimated 184 based on monthly average)• 2016: 153 matters• 2015: 65 matters• 2014: 32 matters• 2013: 15 mattersAt any given time RSM is conducting 10‐15 DFIR investigations simultaneously. Given the nature of DFIR investigations, there tends to be a natural ebb and flow in the work plan, so we are able to balance the needs of multiple matters at once. If we are engaged by the County, you will be a priority for our firm and to each member of your engagement team. Our workload fluctuates based on a number of factors, including timing and currently pending engagements. Regardless, our firm has excelled at managing its human resources so that ourworkload never surpasses the ability of our assigned teams to devote the time and attention necessary to add value to our clients’ organizations. Our ability to manage our workload is evidenced by relatively low turnover rates and is supported by clients’ opinions of our service.

See Pages 10 ‐20.

Plante & Moran, PLLC RSM US LLP SeNet International Corporation

Plante Moran

381357951 FEIN‐42‐0714325 54‐1902349004913299 73482424 07‐9941139plantmoran.com www.rsmus.com www.senet‐int.com27400 Northwestern HwySouthield, MI 48037

100 NE Third Ave, Suite, Fort Lauderdale, FL 33301 3040 Williams Drive, Suite 510, Fairfax, VA 22031

Southfield, MI Fort Lauderdale 3040 Williams Drive, Suite 510, Fairfax, VA 22031

Tel:248‐223‐3428 Fax no.:248‐603‐5997 954‐462‐6351 Telephone no.:(703) 206‐9383 Fax no.:(703) 206‐9666

Limited Partnership Limited Partnership Corporation; VirginiaM11000002358 ADP004384

29 10/20/2017 1:36 PM











See Page 14.In any given year, Verizon handles approximately 400 – 500 cases involving the theft of consumer, personally identifiable information, and other forms of highly sensitive data. Verizon handles as many as one‐third of all publicly visible data breach investigations throughout the world, and to date, nine of the world’s eleven largest known data compromises. Verizon RISK team personnel are located in numerous countries in all regions of the globe. Additional Verizon personnel, including experienced incident responders, risk intelligence analysts, forensic lab support personnel, and other security professionals may beleveraged globally to assist in customer security emergencies under the Rapid Response Retainer. Verizon maintains several core forensic lab facilities with secure evidence storage capabilities around the world.

Verizon Business Network Services Inc. on behalf of MCI Communications Services Inc.d/b/a/ Verizon Business Services (VerizonBusiness or Verizon)13‐2745892556565836www.verizonenterprise.comOneVerizon Way, Basking Ridge NJ 07920

Tampa, FL

no.:(813) 520‐9786 Fax no.:813‐978‐6751

Corporation; Delaware829591

30 10/20/2017 1:36 PM



Solution Provider: Trustwave Crowe Horwath LLP11. List name and title of each principal, owner, officer and major shareholder. a. Thadeus Arroyo, President and CEO AT&T, 208 S. Akard

St., Dallas, TX 75202b. Anne Chow, President‐Integrator Solutions, AT&T, 208 S. Akard St., Suite 3514, Dallas, TX 75202c. Frank Jules, President ‐ Global Business AT&T, 208 S. AkardSt., Suite 3509, Dallas, TX 75202d. Cathy Martine‐Dolecki, President ‐ Natl Bus AT&T, 1 AT&T Way, Bedminster, NJ 07921e. Delores McCarty, Assistant Secretary AT&T, 675 W Peachtree St, NW, Atlanta, GA 30308f. George B. Goeke, CFO and Treasurer AT&T, 208 S. Akard St., Suite 1824, Dallas, TX 75202AT&T is a publicly held corporation. No single person owns more than 10% of the company. It is an independent, publicly traded telecommunications services provider.The names and titles of the AT&T Inc. officers are• Randall Stephenson—Chairman and Chief Executive Officer (CEO)• William Blase—Senior Executive Vice President, Human Resources• James Cicconi—Senior Executive Vice President, External and Legislative Affairs• Ralph de la Vega—President and Chief Executive Officer (CEO), AT&T Mobile andBusiness Solutions• John Donovan—Senior Executive Vice President, AT&T Technology and

d



12. Authorized contacts for your firm. Name: Dwayne StaffordTitle: Strategic Account LeadE‐mail: [email protected] No.: 786‐479‐4113Name: Esther MartinTitle: Strategic Account LeadE‐mail: [email protected] No.: 305‐582‐9541




No No No


No No No


We are unaware of any work completion issues that would impair our ability to meet our obligations under any contract. AT&T is a large company with an international presence and significant contractual relations. Given the size and scope of our business, we from time to time over our history have been involved in occasional alleged contract performance claims and legal actions. However, AT&T is a well‐capitalized company with assets in excess of any outstanding claims or lawsuits. As such, we are unaware of any contact performance claim or legal action that would preclude or impair our abilityto meet our obligations or perform our duties under any contract. We serve millions of customers around the globe, and we'll work hard to honor our promises.


31 10/20/2017 1:36 PM





14. Has your firm, its principals, officers or predecessor organization(s) ever beendebarred or suspended by any government entity? If yes, specify details in an attachedwritten response, including the reinstatement date, if granted.15. Has your firm ever failed to complete any services and/or delivery of products duringthe last three (3) years? If yes, specify details in an attached written response.

Enterprise Risk Management, Inc. Foresite MSP LLC Global Information Intelligence LLCa) Silka Gonzalez ‐ Presidentb) Michelle Miller ‐ COOc) Esteban Farao ‐ Director of Consulting Services







No No No

No No No

No No No

32 10/20/2017 1:36 PM






MGT of America Consulting, LLC Nettitude, Inc. d/b/a Nettitude Optiv Securitya) A. Trey Traviesa, Chairman & CEOb) Fred Seamon, Executive Vice Presidentc) Brad Burgess, Executive Vice President






No No No

No No No

No No

33 10/20/2017 1:36 PM






Plante & Moran, PLLC dba Plante Moran RSM US LLP SeNet International Corporationa) James Proppe, Managing Partnerb) Dnnis Graham, Group Managing Partnerc) Frank Audia, CIOd) Beth Bialy, Government Industry Group Leader

a) Anatoly Kozushin, Presidentb) Ilan Katz, CEOc) Gus Fritschie, Chief Technology Officerd) Steve Davis, COO




No No No

No No No

No No

34 10/20/2017 1:36 PM









No

No

No

35 10/20/2017 1:36 PM



Solution Provider: Trustwave Crowe Horwath LLP16. Is your firm or any of its principals or officers currently principals or officers of another organization? If yes, specify details in an attached written response.

Yes No No


No No No


No No No


We are unaware of any work completion issues that would impair our ability to meet our obligations under any contract. AT&T is a large company with an international presence and significant contractual relations. Given the size and scope of our business,we from time to time over our history have been involved in occasional alleged contract performance claims and legal actions. However, AT&T is a well‐capitalized company with assets in excess of any outstanding claims or lawsuits. As such, we are unaware of any contact performance claim or legal action that would preclude or impair our ability to meetour obligations or perform our duties under any contract. We serve millions of customers around the globe, and we'll work hard to honor our promises.



Except for material matters that AT&T discloses in filings with the Securities and Exchange Commission or otherwise discloses in response to subpoenas or other valid court orders, AT&T is legally and contractually prohibited from disclosing information to third parties about contractual matters. Also, due to the size and scale of AT&T’s operations, as a practical matter, AT&T cannot state with absolute certainty whether AT&T has defaulted under a contract. Notwithstanding the legal and practical restrictions that limit AT&T’s ability to disclose specific contract performance issues, AT&T can assure Customer that AT&T is capable of performing the services requested under this RFP and that AT&T has no history or pattern of performance issues with other customers that would affect AT&T’s ability to perform the services requested by Customer. AT&T reiterates that AT&T is not aware of any circumstances involving performance under another contract which would materially and adversely impact AT&T’s ability to perform services for Customer. Moreover, AT&T is not aware of any circumstance when AT&T was not awarded a bid due to non‐performance concerns about AT&T by the entity sponsoring a particular procurement. AT&T is forced to qualify such assurances to the best of its knowledge due to the scale and scope of AT&T’soperations. AT&T will not be able to provide such assurances with absolute certainty with respect to every contract or bid opportunity in which AT&T has participated.


21. Living Wage solicitations only: No N/A N/A

36 10/20/2017 1:36 PM


Licensing Matrix16. Is your firm or any of its principals or officers currently principals or officers of another organization? If yes, specify details in an attached written response.17. Have any voluntary or involuntary bankruptcy petitions been filed by or against your firm, its parent or subsidiaries or predecessor organizations during the last three years? If yes, specify details in an attached written response.18. Has your firm’s surety ever intervened to assist in the completion of a contract or havePerformance and/or Payment Bond claims been made to your firm or its predecessor’s sureties during the last three years? If yes, specify details in an attached written response, including contact information for owner and surety.




Enterprise Risk Management, Inc. Foresite MSP LLC Global Information Intelligence LLCNo Principal invests in multiple businesses No

No No No

No No No

No No No

No No No

N/A N/A

37 10/20/2017 1:36 PM






MGT of America Consulting, LLC Nettitude, Inc. d/b/a Nettitude Optiv SecurityYes. Principal is CEO of MGT of America Consulting, LLC and Strategos Public Affairs, LLC, both wholly owned subsidiaries of MGT of America, LLC.

No No

No No

No No No

No No No

No No No

N/A N/A

38 10/20/2017 1:36 PM






Plante & Moran, PLLC dba Plante Moran RSM US LLP SeNet International CorporationNo No No

No No

No No No

No No No

No – Plante Moran is not aware of any client terminating a contract involving the provision of information technology security and compliance services. As one of the country’s largest accounting and consulting firms with thousands of annual engagements, there likely have been instances during the last three years where clients receiving tax or accounting‐related services have elected to use other service providers for their particular needs. Plante Moran’s record of client service and satisfaction is best in class, with 99% of clients indicating they would recommend Plante Moran to others.

No No

No

39 10/20/2017 1:36 PM







No

No

No

No

No

No

40 10/20/2017 1:36 PM

RFQ A2114499R1 ‐ Broward County IT Security and Compliance ServicesCategory 6 ‐ Public Safety Network and Systems Audit Services

Licensing MatrixPrime: Carahsoft Technology Corp

Solution Provider: Trustwave Focal Point Data Risk LLC

Servers and Workers Located in the USA Attestation FormProvided ‐ See Page 47 Provided

AND1. Offensive Security Certified Professional Certification Not Provided


Requirement MetOR

Certified Information Systems Security Professional (CISSP)Provided


Requirement MetOR

Certified Information Systems Auditor (CISA)Not Provided


Requirement MetAND

2. Contractor must complete and submit the following attestation form affirming their understanding and acceptance of additional requirements pertaining to the Public Safety Network and Systems Audit Services:‐ Category 6 ‐ Public Safety Network and Systems Audit Services Attestation Form

Provided ‐ See Page 45 Provided ‐ See PDF Pg. 4

Vendor Questionnaire Form Provided Provided

Vendor Security Questionnaire FormProvided Provided


FORMS

1 10/20/2017 1:37 PM

RFQ A2114499R1 ‐ Broward County IT Security andCategory 6 ‐ Public Safety Network and Systems A

Licensing Matrix


AND1. Offensive Security Certified Professional Certification

OR

Certified Information Systems Security Professional (CISSP)OR

Certified Information Systems Auditor (CISA)AND





FORMS

Global Information Intelligence LLCPrime: JohnsTek Inc.

Sub: IOMAXIS

Provided Provided







Provided Provided ‐ PDF Pg. 23

Provided Provided

Provided Provided

2 10/20/2017 1:37 PM


Licensing Matrix


AND1. Offensive Security Certified Professional Certification

OR

Certified Information Systems Security Professional (CISSP)OR

Certified Information Systems Auditor (CISA)AND





FORMS

Securance LLC SHI International Corp

Provided Provided







Provided Provided

Provided Provided

Provided Provided

3 10/20/2017 1:37 PM



Solution Provider: Trustwave Focal Point Data Risk LLC

1. Ability of Professional Personnel:a. Describe the qualifications and relevant experience of theProject Manager and all key staff that are intended to beassigned to services performed within this category. Includeresumes for the Project Manager and all key staff described.

See PDF Pg. 38 Trustwave's testing services are delivered by SpiderLabs® — an advanced security team within Trustwavefocused on forensics, ethical hacking, application and network security testing. The team has performedhundreds of forensic investigations, ethical hacking exercises and application security tests globally.The broad experience of the team extends beyond regular corporate information technology enrvironementto various operational technology environments including:� Industrial Control Systems� Smart Grid� Building Management Systems� Telecommunications Infrastructure� Embedded Systems and Hardware

See PDF Pg. 199 ‐ 201Larry Burke, Principal, CPA, CITP, CGMA, HITRUST CCSFP....Franchesca Sanabria – Principal, CIPP/US, CISA, HITRUST CCSFP. Franchesca is a Principal at Focal Point in the National Data Privacy Practice. She has over 12 years of experience in governance, risk and compliance...Derek Parks – Director, CISSP, CBCP, CISA, QSA. Derek has a significant amount of experience delivering and managing IT risk assessments, PCI audit and gap assessments, disaster recovery and business continuity assessments, IT governance policy creation, and internal audit engagements with a focus on IT controls..........

EVALUATION CRITERIA

4 10/20/2017 1:37 PM


Licensing Matrix


EVALUATION CRITERIAGlobal Information Intelligence LLC

Prime: JohnsTek Inc.Sub: IOMAXIS

See PDF Pg. 79Principal and Senior INFORMATION TECHNOLOGY (IT) SECURITY AND COMPLIANCE SERVICES Expert: Dr. Emmanuel Hooper, PhD, PhD, PhD Information Security and Computing Sciences (Over 30 years of Professional Experience and 25 years of Research, Harvard and Yale Alumnus, Summa Cum Laude, and Oxford Research, etc.)Global Information Intelligence LLC (100% Small Business, Minority, and Women Owned)By President, Dr. Emmanuel Hooper, PhD, PhD, PhD Computing Sciences and Information Security Founder, Consortium for Emerging Technologies‐Harvard, Exemplary Models for Federal, State, Local, Counties, Cities, Private/Public Sectors, Academia & Industry and GlobalCategory 6 – Public Safety Network and Systems Audit Services� Provided intelligent and effective services within this category including Public Safety Network /Systems Audit and Review Services.� Examples of specific activities includes but not be limited to evaluation of IT General and Application controls, IT Governance, Security Strategy and Systems, General Public Safety Network Topology, Connections to External Parties, Inbound and Outbound Remote Access, IT Security Policies and Procedures, External Network Penetration Testing, Network Device Security (i.e. switches, routers, firewalls, wireless access points) – Firmware and Patching Standards, Endpoint Devices (Servers, workstations) – Patching and Antivirus checks, Physical Security, Data/Configuration Backup and Disaster Recovery, Network Management, Vendor/Contractor Access Management, System Administration/Privileged Access Management, and Network Documentation Creation and Maintenance. All services were relevant to Network and Systems Audit Services within the Public Safety Industry.

See PDF Pgs. 27 ‐ 31Scott Johnston, Program Manager and Contracts Manager, 30 years experienceDarnell Macapinlac, Project Manager and Key Rep, 20 years experience, PMP, CompTIA Security +, ITIL V3, CISSP, and CEHGilbert Garcia, Corporate Cybersecurity Program Manager, 25 years experienceEvin Colman, First Responder/Public Safety Functional Expert, 24 years experience

5 10/20/2017 1:37 PM


Licensing Matrix


EVALUATION CRITERIASecurance LLC SHI International Corp

Paul Ashe, President and Engagement Manager, CPA, CISA, CISSP, 15+ years experienceChris Bunn, Practice Director and Senior IT Security Consultant, CISA, CHP, 30+ years experienceChris Cook, Senior IT Security Consultant, CISSP, CISA, 20+ years experienceChris Thomas, Senior IT Security Consultant, CompTIA Security+, CompTIA Network+, 10+ years experience

The SHI Security Services team are all senior level Security Professionals with each having 20+ years’ experience working in public and private sector. Specific skill sets may vary but overall each has experience working with various industry security frameworks, including Criminal Justice Information Systems (CJIS) Policy. The team holds many different Security related certifications however all haveCISSP certifications.

6 10/20/2017 1:37 PM



Solution Provider: Trustwave Focal Point Data Risk LLCb. List any other relevant Security and Compliance Industrycertifications that the Project Manager and key staff describedmay have. Include copies of certificates, if applicable.

See PDF Pg. 38Please see the representative biographies embedded below, including the typical certifications held by the resources who may be assigned to your project.

See PDF Pg. 199 ‐ 201Larry Burke, Principal, CPA, CITP, CGMA, HITRUST CCSFP....Franchesca Sanabria – Principal, CIPP/US, CISA, HITRUST CCSFP. Franchesca is a Principal at Focal Point in the National Data Privacy Practice. She has over 12 years of experience in governance, risk and compliance...Derek Parks – Director, CISSP, CBCP, CISA, QSA. Derek has a significant amount of experience delivering and managing IT risk assessments, PCI audit and gap assessments, disaster recovery and business continuity assessments, IT governance policy creation, and internal audit engagements with a focus on IT controls..........

7 10/20/2017 1:37 PM


Licensing Matrixb. List any other relevant Security and Compliance Industrycertifications that the Project Manager and key staff describedmay have. Include copies of certificates, if applicable.


Sub: IOMAXISSee PDF Pg. 79Principal and Senior INFORMATION TECHNOLOGY (IT) SECURITY AND COMPLIANCE SERVICES Expert: Dr. Emmanuel Hooper, PhD, PhD, PhD Information Security and Computing Sciences (Over 30 years of Professional Experience and 25 years of Research, Harvard and Yale Alumnus, Summa Cum Laude, and Oxford Research, etc.)Global Information Intelligence LLC (100% Small Business, Minority, and Women Owned)By President, Dr. Emmanuel Hooper, PhD, PhD, PhD Computing Sciences and Information Security Founder, Consortium for Emerging Technologies‐Harvard, Exemplary Models for Federal, State, Local, Counties, Cities, Private/Public Sectors, Academia & Industry and GlobalCategory 6 – Public Safety Network and Systems Audit Services� Provided intelligent and effective services within this category including Public Safety Network /Systems Audit and Review Services.� Examples of specific activities includes but not be limited to evaluation of IT General and Application controls, IT Governance, Security Strategy and Systems, General Public Safety Network Topology, Connections to External Parties, Inbound and Outbound Remote Access, IT Security Policies and Procedures, External Network Penetration Testing, Network Device Security (i.e. switches, routers, firewalls, wireless access points) – Firmware and Patching Standards, Endpoint Devices (Servers, workstations) – Patching and Antivirus checks, Physical Security, Data/Configuration Backup and Disaster Recovery, Network Management, Vendor/Contractor Access Management, System Administration/Privileged Access Management, and Network Documentation Creation and Maintenance. All services were relevant to Network and Systems Audit Services within the Public Safety Industry.

See PDF Pgs. 31 ‐ 38JohnsTek takes an “intelligence‐based” approach when performing cybersecurity to Public Safety Industry customers. Our unique approach is a holistic view which considers all areas of influence on the client enterprise and accounts for all levels of needs and vulnerabilities when conducting trade studies, corporate strategy development, risk assessments, information systems development and systems integration. This approach is derived from the NIST Framework of Cybersecurity Framework, and expands beyond the NIST to include a risk based assessment of external threats, internal threats and ubiquitous influences on the enterprise or system vulnerabilities. Additionally, we bring in proven analytical techniques and data collection, analysis and monitoring processes and systems to secure our clients.

8 10/20/2017 1:37 PM


Licensing Matrixb. List any other relevant Security and Compliance Industrycertifications that the Project Manager and key staff describedmay have. Include copies of certificates, if applicable.

Securance LLC SHI International CorpPaul Ashe, President and Engagement Manager, CPA, CISA, CISSPChris Bunn, Practice Director and Senior IT Security Consultant, CISA, CHPChris Cook, Senior IT Security Consultant, CISSP, CISAChris Thomas, Senior IT Security Consultant, CompTIA Security+, CompTIA Network+


9 10/20/2017 1:37 PM



Solution Provider: Trustwave Focal Point Data Risk LLC2. Project Approach:a. Describe the prime Vendor’s approach to performing similarwork in this Category.

See PDF Pg. 39 ‐ 40ICS/Smart Grid Security AssessmentApproachAdvanced Metering Infrastructure and Smart Grids offer many benefits to energy providers and their customers however the interconnectedness of key systems required in Smart Grid environments presents expanded attack surface that increases the risk of security vulnerability in the system.SpiderLabs Smart Grid penetration tests are designed to effectively assess the security risks facing these systems while minimizing the risk of system disruption.MethodologyThe approach to testing Smart Grids builds on the standard ICS/SCADA penetration test methodology (see above) but is expanded to include elements unique to Smart Grid systems:� Remote metring systems� Remote billing systems� Demand/response energy systems� Remote connect/disconnect systems� Payment systems� Consumer face systems and applications (see Section A for our detailed application testingmethodology).� Physical smart grid devices (see below for our detailed hardware assessment methodology)....

See PDF Pg. 202 ‐ 206When providing co‐sourced services, our approach is to follow the client’s methodology while leveraging the foundational elements of the Focal Point methodology to provide the highest level of customer service. Focal Point uses a collaborative but disciplined approach to executing audit projects. We will ensure that there is proper planning, timely communication to the Internal Audit team prior to the start of audit fieldwork, complete and accurate workpapers, validated findings, and relevant and practical recommendations to correct deficiencies.We will take a risk‐based approach to performing a review of the information technology risks, related general controls, technical and network safeguards, information technology processes, and oversight activities in connection with these areas in accordance with applicable regulatory guidance and internal audit standards. As appropriate, we will also reference or utilize relevant guidance such as COBIT, the National Institute of Standards and Technology (NIST), ISO27000, and ITIL....

10 10/20/2017 1:37 PM


Licensing Matrix2. Project Approach:a. Describe the prime Vendor’s approach to performing similarwork in this Category.


Sub: IOMAXIS

See PDF PG. 43Global Information Intelligence will apply its expert and proven methodology to provide BROWARD COUNTY with INFORMATION TECHNOLOGY (IT) SECURITY AND COMPLIANCE SERVICES using Intelligent, Proactive and Robust and Resilient methods that include proactive recommendations and remediation sample for design and implementation operational effectiveness for INFORMATION TECHNOLOGY (IT) SECURITY AND COMPLIANCE SERVICES: Category 6 – Public Safety Network and Systems Audit ServicesServices within this category shall include Public Safety Network /Systems Audit and Review Services. Examples of specific activities may include but not be limited to evaluation of IT General and Application controls, IT Governance, Security Strategy and Systems, General Public Safety Network Topology, Connections to External Parties, Inbound and Outbound Remote Access, IT Security Policies and Procedures, External Network Penetration Testing, Network Device Security (i.e. switches, routers, firewalls, wireless access points)....

See PDF Pgs. 31 ‐ 38.JohnsTek takes an “intelligence‐based” approach when performing cybersecurity to Public Safety Industry customers. Our unique approach is a holistic view which considers all areas of influence on the client enterprise and accounts for all levels of needs and vulnerabilities when conducting trade studies, corporate strategy development, risk assessments, information systems development and systems integration. This approach is derived from the NIST Framework of Cybersecurity Framework, and expands beyond the NIST to include a risk based assessment of external threats, internal threats and ubiquitous influences on the enterprise or system vulnerabilities. Additionally, we bring in proven analytical techniques and data collection, analysis and monitoring processes and systems to secure our clients. The NIST Cybersecurity Framework seeks to assist public and private organizations to strive for maturity of their Risk Profile. The profiles are defined by four tiers:Tier 1 Partial Risk Management is adhoc, and awareness is limitedTier 2 Risk Informed There are Risk Management programs in place, but are not well known throughout the enterprise.Tier 3 Repeatable Formal policies exist and Risk Management programs aremore matureTier 4 Adaptive Risk Management processes and programs are based onlessons learned and embedded within the corporate culture. We provide value to our clients through partnering with the client corporate team to design, build and integrate the ‘best of breed’ practices and technology solutions that ensure our clients get the most appropriate tailored solution based on comprehensive analysis of business processes, procedures and data, ensuring the most economical investment in technology that result in the greatest impact....

11 10/20/2017 1:37 PM


Licensing Matrix2. Project Approach:a. Describe the prime Vendor’s approach to performing similarwork in this Category.


See Audit Approach Pages PDF 137 ‐ 138.Each project we undertake will follow this standard methodology. While we are flexible in modifying our approach and methodology, we do so only in the best interest of our clients and their internal control initiatives.

Initially a kick off call will be scheduled to review the scope, tasks, contacts, communications plan and logistics required to complete the project. Requested documentation (Policies, Process and Procedures, network diagrams) are reviewed and an External Security Vulnerability Scan is completed prior to onsite activities. Onsite activities will consist of staff interviews, internal network scans, live network data capture analysis, device security configurations and physical site visits. All information gathered is reviewed for analysis and alignment with CJIS policy and security best practices with results and finding provided in a detailed report with findings and remediation recommendations.

12 10/20/2017 1:37 PM



Solution Provider: Trustwave Focal Point Data Risk LLCb. Number of employees, coordination efforts, servers andworkers located within USA

See PDF Pg. 40Trustwave has a team of 100+ dedicated Penetration Testers. This is one of the largest teams in the industry. Unlike most of our competitors, our penetration testers are not general consultants. They onlywork in their area– which means they only perform penetration testing within their specialization. With such laser focus, they stay on top of the latest threats and attack vectors in a way that general consultants never could. Trustwave also has a team of more than 100 Qualified Security Assessors (QSAs) around the world, providing a variety of security risk assessments, often working in conjunction with our SpiderLabsteam.



See PDF Pg. 41 ‐ 43Please see the project management plan below as a representative sample of the type of project plan we typically follow.Project ManagementTrustwave has a formal procedure for the project organization and governance as well as adherence to the timelines. Project timelines will be established between Trustwave and Client upon project kick‐off. Projectprogress, needs and deadlines will be provided to Client through the CVS manager portal that is described further below in this section.Project ResourcesTrustwave’s Managing ConsultantTrustwave will assign a Managing Consultant to oversee all assessment activities and serve as the primary contact for the length of the Agreement. The Managing Consultant will coordinate and schedule activitiesand resources with Client and ensure the quality of all Trustwave deliverables.



13 10/20/2017 1:37 PM


Licensing Matrixb. Number of employees, coordination efforts, servers andworkers located within USA




Sub: IOMAXIS See PDF PG. 43Global Information Intelligence will apply its expert and proven methodology to provide BROWARD COUNTY with INFORMATION TECHNOLOGY (IT) SECURITY AND COMPLIANCE SERVICES using Intelligent, Proactive and Robust and Resilient methods that include proactive recommendations and remediation sample for design and implementation operational effectiveness for INFORMATION TECHNOLOGY (IT) SECURITY AND COMPLIANCE SERVICES: Category 6 – Public Safety Network and Systems Audit ServicesServices within this category shall include Public Safety Network /Systems Audit and Review Services. Examples of specific activities may include but not be limited to evaluation of IT General and Application controls, IT Governance, Security Strategy and Systems, General Public Safety Network Topology, Connections to External Parties, Inbound and Outbound Remote Access, IT Security Policies and Procedures, External Network Penetration Testing, Network Device Security (i.e. switches, routers, firewalls, wireless access points)....

See PDF Pgs. 34 ‐ 35The JohnsTek Team has put into place the organization, procedures and systems required to define and deploy the right level of expertise foreach Purchase Order or contingency presented to us during the life of this contract. Our Project Team will be well equipped for the task, and thecorporate staff, including the staffs of the contract team members, stand ready and available to provide quality services and superb coordination to deliver success to each and every Purchase Order! The JohnsTek Team Management Plan provides the organizational structure, leadership, and tools necessary to produce innovative, common sense order proposals coupled with responsive delivery that are on time and within budget...

See PDF PG. 43Global Information Intelligence will apply its expert and proven methodology to provide BROWARD COUNTY with INFORMATION TECHNOLOGY (IT) SECURITY AND COMPLIANCE SERVICES using Intelligent, Proactive and Robust and Resilient methods that include proactive recommendations and remediation sample for design and implementation operational effectiveness for INFORMATION TECHNOLOGY (IT) SECURITY AND COMPLIANCE SERVICES: Category 6 – Public Safety Network and Systems Audit ServicesServices within this category shall include Public Safety Network /Systems Audit and Review Services. Examples of specific activities may include but not be limited to evaluation of IT General and Application controls, IT Governance, Security Strategy and Systems, General Public Safety Network Topology, Connections to External Parties, Inbound and Outbound Remote Access, IT Security Policies and Procedures, External Network Penetration Testing, Network Device Security (i.e. switches, routers, firewalls, wireless access points)....

See PDF Pgs. 36 ‐ 37Having been identified during the RFP response, as Task Orders are awarded the Project Management Team will organize to implement the task. The Contract Management Team develops the initial contract Management Plan, to include milestones, travel and key meetings. This information is compiled into a Project Schedule and presented to the Government forapproval. Schedules are a key element of project management, status reporting and expectations. Scheduling items will be maintained within the SKIF, and made available to the Key Stakeholders of each Task Order. The Contract Management Team review schedules with the Project Management Teams daily, and discrepancies, risks, and issues that affect changes to the schedule will be resolved immediately.....

14 10/20/2017 1:37 PM


Licensing Matrixb. Number of employees, coordination efforts, servers andworkers located within USA



Securance LLC SHI International CorpSee Audit Approach Pages PDF 137 ‐ 138.Each project we undertake will follow this standard methodology. While we are flexible in modifying our approach and methodology, we do so only in the best interest of our clients and their internal control initiatives.

The SHI Security Services team has 6 active members with 2 openings. Additionally each assessment is assigned a Project Manager from a team of 8 PM’s. All SHI services teams are US based.

See Project Management Approach Page PDF 139 ‐ 141Each project we undertake will follow this standard accountability model.1) Engagement Manager….2) Senior IT Security Consultants….3) Independent Reviewer…..4) Broward County's Project Manager…..5) Status Reports.....

No response.

15 10/20/2017 1:37 PM



Solution Provider: Trustwave Focal Point Data Risk LLCa. Describe prime Vendor’s experience on projects of similarnature and scope, along with evidence of satisfactorycompletion, both on time and within budget, for the past fiveyears within the Public Safety Industry. Provide a minimum ofthree projects with references, preferably government agencies(i.e. state, local) of similar size and structure and provenexperience and skillset.Vendor should provide references for similar work performed toshow evidence of qualifications and previous experience withinthe Public Safety Industry. Refer to Vendor ReferenceVerification Form and submit as instructed. Only providereferences for non‐ Broward County Board of CountyCommissioners’ contracts. For Broward County contracts, theCounty will review performance evaluations in its database forvendors with previous or current contracts with the County. TheCounty considers references and performance evaluations in theevaluation of Vendor’s past performance.

See PDF Pg. 43 Please see Addendum for Client References.

See PDF Pg. 207 ‐ 211Since its inception in 2005, Focal Point has provided IT Audits for hundreds of clients over thousands of different engagements. In our continued success, we’ve expanded our team to meet new demands with the highest of standards, cultivating both a seasoned workforce and expertly refined methodologies to deliver cost‐effective, industry‐recognized risk managementsolutions.We’ve had the pleasure of evaluating, developing, and strengthening the information technology postures of leading organizations across every industry, including government organizations. As a result of this experience, our professionals have an expert‐level understanding of the IT challenges that these organizations face. Our excellence in IT audit engagements is evidencedby the long‐lasting relationship we’ve cultivated with our clients, who return to us year after year for ITGC and application controls testing.....

16 10/20/2017 1:37 PM


Licensing Matrixa. Describe prime Vendor’s experience on projects of similarnature and scope, along with evidence of satisfactorycompletion, both on time and within budget, for the past fiveyears within the Public Safety Industry. Provide a minimum ofthree projects with references, preferably government agencies(i.e. state, local) of similar size and structure and provenexperience and skillset.Vendor should provide references for similar work performed toshow evidence of qualifications and previous experience withinthe Public Safety Industry. Refer to Vendor ReferenceVerification Form and submit as instructed. Only providereferences for non‐ Broward County Board of CountyCommissioners’ contracts. For Broward County contracts, theCounty will review performance evaluations in its database forvendors with previous or current contracts with the County. TheCounty considers references and performance evaluations in theevaluation of Vendor’s past performance.


Sub: IOMAXISSee References Reference Verification Forms included. See PDF Pgs. 87 ‐93

See PDF Pgs. 38 ‐ 414.1 Contract: International Law Enforcement, Aviation IT , Panama,Peru (October 2015‐Present)Solutions provided:• Provide support services to aid the organization in providing Information Technology and Information Assurance efforts Research and identify protected vehicle to meet speciation’s for the Ministry of Anti‐ Drugs• Provide project management, project oversight and technical services for system problem resolution, system upgrades, system monitoring, operating system patches, system security management, system administration support, firewall maintenance, information assurance,desktop support and configuration management.Reference:Name: Mr. Anthony Pesquera,Title: Government Task Monitor(305) 517‐76444.2 Contract: Emergency Operations Center Implementation , Nejapa ,El Salvador (May 2015)Solutions provided:• Design and implement a Regional Emergency Operations Center (24/7;365) and DisasterRelief Warehouse for the Secretary for National Emergencies in the Government of El Salvador.• Design and install of command and control systems, data management, and information sharing and communication technologies....

17 10/20/2017 1:37 PM


Licensing Matrixa. Describe prime Vendor’s experience on projects of similarnature and scope, along with evidence of satisfactorycompletion, both on time and within budget, for the past fiveyears within the Public Safety Industry. Provide a minimum ofthree projects with references, preferably government agencies(i.e. state, local) of similar size and structure and provenexperience and skillset.Vendor should provide references for similar work performed toshow evidence of qualifications and previous experience withinthe Public Safety Industry. Refer to Vendor ReferenceVerification Form and submit as instructed. Only providereferences for non‐ Broward County Board of CountyCommissioners’ contracts. For Broward County contracts, theCounty will review performance evaluations in its database forvendors with previous or current contracts with the County. TheCounty considers references and performance evaluations in theevaluation of Vendor’s past performance.

Securance LLC SHI International CorpCONFIDENTIAL



18 10/20/2017 1:37 PM



Solution Provider: Trustwave Focal Point Data Risk LLCb. Provide evidence of similar work related to servicesidentified in this Category, including sample executivesummaries and reports.

See PDF Pg. 43Please see Addendum for Sample Reports.

See PDF Pg. 207 ‐ 211Since its inception in 2005, Focal Point has provided IT Audits for hundreds of clients over thousands of different engagements. In our continued success, we’ve expanded our team to meet new demands with the highest of standards, cultivating both a seasoned workforce and expertly refined methodologies to deliver cost‐effective, industry‐recognized risk managementsolutions.We’ve had the pleasure of evaluating, developing, and strengthening the information technology postures of leading organizations across every industry, including government organizations. As a result of this experience, our professionals have an expert‐level understanding of the IT challenges that these organizations face. Our excellence in IT audit engagements is evidencedby the long‐lasting relationship we’ve cultivated with our clients, who return to us year after year for ITGC and application controls testing.....

19 10/20/2017 1:37 PM


Licensing Matrixb. Provide evidence of similar work related to servicesidentified in this Category, including sample executivesummaries and reports.


Sub: IOMAXISSee PDF Pgs. 353 ‐ 407See Sample Reports.

See PDF Pgs. 87 ‐93See PDF Pgs. 38 ‐ 414.1 Contract: International Law Enforcement, Aviation IT , Panama,Peru (October 2015‐Present)Solutions provided:• Provide support services to aid the organization in providing Information Technology and Information Assurance efforts Research and identify protected vehicle to meet speciation’s for the Ministry of Anti‐ Drugs• Provide project management, project oversight and technical services for system problem resolution, system upgrades, system monitoring, operating system patches, system security management, system administration support, firewall maintenance, information assurance,desktop support and configuration management.Reference:Name: Mr. Anthony Pesquera,Title: Government Task Monitor(305) 517‐76444.2 Contract: Emergency Operations Center Implementation , Nejapa ,El Salvador (May 2015)Solutions provided:• Design and implement a Regional Emergency Operations Center (24/7;365) and DisasterRelief Warehouse for the Secretary for National Emergencies in the Government of El Salvador.• Design and install of command and control systems, data management, and information sharing and communication technologies....

20 10/20/2017 1:37 PM


Licensing Matrixb. Provide evidence of similar work related to servicesidentified in this Category, including sample executivesummaries and reports.

Securance LLC SHI International CorpCONFIDENTIAL


SHI has attached sample reports with our submission.

21 10/20/2017 1:37 PM



Solution Provider: Trustwave Focal Point Data Risk LLC4. Workload of the Firm:List all completed and active projects that Vendor has managedwithin the past five years within the Public Safety Industry. Inaddition, list all projected projects that Vendor will be workingon in the near future. Projected projects will be defined as aproject(s) that Vendor is awarded a contract but the Notice toProceed has not been issued. Identify any projects that Vendorworked on concurrently. Describe Vendor’s approach inmanaging these projects. Were there or will there be anychallenges for any of the listed projects? If so, describe howVendor dealt or will deal with the projects’ challenges.

See PDF Pg. 43As a private firm, we do not go into specific details, but we can say we do about 4000 pen tests a year and about 850 RoCs ‐ but also have the most QSAs and Pen Testers than any other competitor – over 100 ineach case. We are busy, but have sufficient resources to cover all of our engagements.

See PDF Pg. 212Focal Point has completed over 3,000 audit projects over its 12 years of providing IT audit and cyber security services. Over the last five years, our audit teams have completed hundreds of IT and financial audits. Our South Florida office, who will be the audit team responsible for Broward, typically completes around 70 projects annually. We complete all of our projects concurrently with other projects, so the added workload that this project presents is not an issuefor our firm.As of now, our South Florida audit team has projects slated to begin later this summer and into the fall and currently has 25 ongoing projects ranging from internal audit to SOX and ITGC testing. We do not anticipate these other projects limiting us from providing the County with the highest level of service.While we are always engaged in performing multiple projects at once, we believe in the importance of personalized attention for each of our clients. The County will have direct communication lines to Focal Point Principals and project managers, who will ensure that our talented team of resources meets your needs and exceeds your expectations.

Verify that these questions are the same as in the advertised solicitation:1. Legal business name. Carahsoft Technology Corporation Focal Point Data Risk, LLC2. Doing Business As/ Fictitious Name (if applicable):3. Federal Employer I.D. Number. 522189693 61‐18052014. Dun & Bradstreet Number. (If applicable). 08‐8365767 08‐05416605. Website address (if applicable). www.carahsoft.com www.focal‐point.com6. Principal place of business. 1860 Michael Faraday Drive, Suite 100

Reston, VA 20190201 E Kennedy Blvd, Suite 1750Tampa, FL 33602

7. Office Location for this project. 1860 Michael Faraday Drive, Suite 100Reston, VA 20190



22 10/20/2017 1:37 PM


Licensing Matrix4. Workload of the Firm:List all completed and active projects that Vendor has managedwithin the past five years within the Public Safety Industry. Inaddition, list all projected projects that Vendor will be workingon in the near future. Projected projects will be defined as aproject(s) that Vendor is awarded a contract but the Notice toProceed has not been issued. Identify any projects that Vendorworked on concurrently. Describe Vendor’s approach inmanaging these projects. Were there or will there be anychallenges for any of the listed projects? If so, describe howVendor dealt or will deal with the projects’ challenges.

Verify that these questions are the same as in the advertised solicitation:1. Legal business name.2. Doing Business As/ Fictitious Name (if applicable):3. Federal Employer I.D. Number.4. Dun & Bradstreet Number. (If applicable).5. Website address (if applicable).6. Principal place of business.




Sub: IOMAXISSee PDF Pg. 43Global Information Intelligence will apply its expert and proven methodology to provide BROWARD COUNTY with INFORMATION TECHNOLOGY (IT) SECURITY AND COMPLIANCE SERVICES using Intelligent, Proactive and Robust and Resilient methods that include proactive recommendations and remediation sample for design and implementation operational effectiveness for INFORMATION TECHNOLOGY (IT) SECURITY AND COMPLIANCE SERVICES: Category 6 – Public Safety Network and Systems Audit Services Services within this category shall include Public Safety Network /Systems Audit and Review Services. Examples of specific activities may include but not be limited to evaluation of IT General and Application controls, IT Governance, Security Strategy and Systems, General Public Safety Network Topology, Connections to External Parties, Inbound and Outbound Remote Access....

See PDF Pgs. 41 ‐ 42We have been providing services on Federal Contracts since 2011, and will continue to perform into the foreseeable future. We are currently a Prime Contractor on the Department of Defense Humanitarian Assistance Planning contract for US Southern Command since October 2013; weare currently a subcontractor on the Department of State International Narcotics and Law Enforcement (INL/A) contract; we are a subcontractor on the DHS Intelligence and Counterintelligence Analysis and Training and Tradecraft Support (ICATTS) contract since November 2012; we are a recipient of the General Services Administration Contract, Schedule70; and we recently won the South Carolina Information Security and Privacy Service contract...

Global Information Intelligence LLC JohnsTek, Inc

273548900 20‐035258907‐8744163 142428510www.globalinfointel.com www.johnstek.com6860 North Dallas Parkway, Suite 200,Plano, TX 75024 45 Almeria Ave, Coral Gables, FL 33134

6861 North Dallas Parkway, Suite 200,Plano, TX 75024 45 Almeria Ave, Coral Gables, FL 33134

23 10/20/2017 1:37 PM


Licensing Matrix4. Workload of the Firm:List all completed and active projects that Vendor has managedwithin the past five years within the Public Safety Industry. Inaddition, list all projected projects that Vendor will be workingon in the near future. Projected projects will be defined as aproject(s) that Vendor is awarded a contract but the Notice toProceed has not been issued. Identify any projects that Vendorworked on concurrently. Describe Vendor’s approach inmanaging these projects. Were there or will there be anychallenges for any of the listed projects? If so, describe howVendor dealt or will deal with the projects’ challenges.

Verify that these questions are the same as in the advertised solicitation:1. Legal business name.2. Doing Business As/ Fictitious Name (if applicable):3. Federal Employer I.D. Number.4. Dun & Bradstreet Number. (If applicable).5. Website address (if applicable).6. Principal place of business.



Securance LLC SHI International CorpWe are currently engaged on a number of client projects. We attempt to keep our workload commensurate with our staff. However, we believe the best way to measure our ability to complete task orders on time is through discussion with our current clients (see client references on previous page). We guarantee that we will:� Properly staff each project with employees that are qualified and technical experts;� Begin all task orders on time;� Complete them within budget, within the required time frame; and� Deliver a draft report within one (1) week of fieldwork completion.Due to confidential nature of our work, we are not permitted to provide a complete list of similar projects.However, we guarantee that Securance is experienced with networks of your size and complexity. We have provided a sampling of our related experience of governmental agencies on page 41.

Due to the sensitivity and type of services, SHI cannot provide this information as it relates to other projects and customers either completed or in the future. SHI would be happy to meet with Broward County discuss our approach and any challenges we may have experienced on similar projects. SHI believes in transparency and any time we come upon a challenge with a project we work with the customer to let them know the issues and possible solutions. SHI has a clearly defined escalation path so if a challenge arises the proper people can be engaged to assist. In addition as one of the top provider of IT solutions, SHI has built solid relationships with IT manufacturers and has a network of partners to work with should any challenges encountered required additional products or resources.


03‐0392503 22‐300964804‐1637542 61‐142‐9481http://www.securanceconsulting.com www.shi.com6922 West Linebaugh Avenue, Suite 101, Tampa, FL 33625 290 Davidson Ave Somerset, New Jersey 08873

6923 West Linebaugh Avenue, Suite 101, Tampa, FL 33625 290 Davidson Ave Somerset, New Jersey 08873

24 10/20/2017 1:37 PM



Solution Provider: Trustwave Focal Point Data Risk LLC8. Telephone/Fax Number: Telephone no.:703.871.8500 Fax no.:703.871.8505 Telephone no.:(813) 402‐1208 Fax no.:813‐436‐52839. Type of Business Corporation; Maryland LLC10. List Florida Registration Number. M1600000836711. List name and title of each principal, owner, officer and major shareholder.



12. Authorized contacts for your firm. Name: Aaron GianniniTitle: Account RepresentativeE‐mail: [email protected] No.: 703.889.9848Name: Jennifer TahaTitle: Proposals DirectorE‐mail: [email protected] No.: 703.871.8556



No No


No No


No No


No No


No No

25 10/20/2017 1:37 PM


Licensing Matrix8. Telephone/Fax Number:9. Type of Business10. List Florida Registration Number.11. List name and title of each principal, owner, officer and major shareholder.



15. Has your firm ever failed to complete any services and/or delivery of products duringthe last three (3) years? If yes, specify details in an attached written response.16. Is your firm or any of its principals or officers currently principals or officers of another organization? If yes, specify details in an attached written response.17. Have any voluntary or involuntary bankruptcy petitions been filed by or against your firm, its parent or subsidiaries or predecessor organizations during the last three years? If yes, specify details in an attached written response.


Sub: IOMAXISTelephone no.:4082509045 Fax no.:N/A Telephone no.:786.375.9020 Fax no.:305.675.8373Corp; DE ‐ LLC Corporation, S Corp

P03000120232a) DR. EMMANUEL HOOPER, PHD, PHD, PHD, Harvard Yale Alumni, Presidentb) Theresa Marie Hooper, BA (Harvard),Senior Executive

Scott A Johnston


Name: Scott A JohnstonTitle: PresidentE‐mail: [email protected] No.: 786.375.9020

No No

No No

No No

No No

No No

26 10/20/2017 1:37 PM


Licensing Matrix8. Telephone/Fax Number:9. Type of Business10. List Florida Registration Number.11. List name and title of each principal, owner, officer and major shareholder.



15. Has your firm ever failed to complete any services and/or delivery of products duringthe last three (3) years? If yes, specify details in an attached written response.16. Is your firm or any of its principals or officers currently principals or officers of another organization? If yes, specify details in an attached written response.17. Have any voluntary or involuntary bankruptcy petitions been filed by or against your firm, its parent or subsidiaries or predecessor organizations during the last three years? If yes, specify details in an attached written response.

Securance LLC SHI International CorpTelephone no.:877‐578‐0215 Fax no.:813‐960‐4946 800‐477‐6479LLC Corporation; New JerseyL02000005108 F‐01000004066Paul Ashe Thai Lee

Koguan Leo



No No

No No

No No

No No

No No

27 10/20/2017 1:37 PM



Solution Provider: Trustwave Focal Point Data Risk LLC18. Has your firm’s surety ever intervened to assist in the completion of a contract or havePerformance and/or Payment Bond claims been made to your firm or its predecessor’s sureties during the last three years? If yes, specify details in an attached written response, including contact information for owner and surety.

No No

19. Has your firm ever failed to complete any work awarded to you, services and/or

No No


No No

21. Living Wage solicitations only: N/A N/A

28 10/20/2017 1:37 PM



19. Has your firm ever failed to complete any work awarded to you, services and/or20. Has your firm ever been terminated from a contract within the last three years? If yes,specify details in an attached written response.



Sub: IOMAXISNo No

No No

No No

N/A N/A

29 10/20/2017 1:37 PM



19. Has your firm ever failed to complete any work awarded to you, services and/or20. Has your firm ever been terminated from a contract within the last three years? If yes,specify details in an attached written response.


Securance LLC SHI International CorpNo No

No No

No No

No No

30 10/20/2017 1:37 PM

information technology security and compliance services · rfq a2114499r1 ‐ broward county it...

Documents