August 31, 2015REQUEST FORPROPOSALManaged Information SecurityPartnership and ServicesRFP CML #15-018Columbus MetropolitanLibraryIssued by:Procurement Division96 S. Grant Ave.Columbus, OH 43215Deadline for Submittal:September 30, 2015No later than 12:00 NOON1 Page

Wanda Dixon, Procurement AnalystProcurement DepartmentTelephone: (614) 849-1034; FAX: (614) [email protected] Columbus Metropolitan Library (“CML” or “Library”) is issuing this Request for Proposal(“RFP”) Managed Information Security Partnership and Services. The Proposal IdentificationNumber is CML 15-018.Proposals must be received at the Columbus Metropolitan Library, 96 South Grant Avenue,Columbus, Ohio 43215 no later than 12:00 Noon on Friday, September 30, 2015. AnyProposal (“Proposal”) arriving after 12:00 Noon will be marked late and will receive noconsideration for selection to provide the specified services.All questions or requests for clarifications should be submitted no later than 5:00 p.m. onMonday, September 21, 2015 to [email protected] Offeror (“Offeror”) declares to have read and understood and affirms, by its signaturebelow, to be bound by all the instructions, terms, conditions and specifications of this RFP andagrees to fulfill the requirements of any contract (“Contract”) for which it is selected to providethe specified services at the prices proposed.The Offeror certifies, by signature affixed to this Request for Proposal Cover Sheet, that theinformation provided by in response to the RFP, including certified statements, is accurate andcomplete.Federal Taxpayer Identification Number (TIN)Name of person signing Proposal(Please print or type)TitleOfferor NameMailing addressCityStateZIPTelephoneToll Free TelephoneContact PersonFax NumberE-Mail addressAuthorized Signature (Original signature only) Please use Blue Ink.THIS FORM MUST BE SIGNED AND SUBMITTED WITH THE PROPOSAL2 Page

BackgroundThe Columbus Metropolitan Library consists of 25 locations throughout Franklin County, Ohio.The Library has approximately 800 employees. The Library also provides Outreach Services,serving a diverse population with varying needs, ranging from preschoolers to senior citizens.The Library adheres to a long-term strategic plan, first developed in 2003 and updated in 2012,with guidance from members of the community, library staff, Friends of the Library and theLibrary’s Board of Trustees. This strategic plan provides measurable objectives, clear initiativesand includes the following five sectors for concentrated focus:1. Young Minds: encouraging learning and growth for a foundation for a successful life2. My Library: building the next generation library that results in a library that works for me3. Life Skills: embracing challenges and providing opportunities for a community thatreaches its potential4. The Library’s Partners: leverage our community maximize the library’s reach and impact5. The Library’s Staff: grow our team to provide a world class experienceGoal of EngagementThe goal of the Library is to cost effectively develop and deliver Information Security Services.The provider should have experience in working with hybrid environments includingphysical/virtual infrastructures, storage, networking, and cloud solutions such as MS O365. Thegoal is to ensure a highly secure infrastructure. The Library is seeking an outside partner(s) tohelp manage this project from beginning to end. This partner would provide implementationresources that would work closely with the Library infrastructure resources.The Library understands that some of the partners potentially offer or can facilitate all of theservices being requested. The Library is open to receiving proposals from Offerors who canprovide all or some services.The Library currently maintains a datacenter at its Operations Center located in Gahanna, Ohio.All branch locations (22) are connected through point-to-point circuits to the Operations Centerat a speed of 50Mb/s or better.The Library maintains a virtualized environment using VMware technology and utilizes NetAppstorage connected via iSCSI and NFS. The current virtual and physical environment consists ofapproximately 200 servers. The Library is approximately 90% virtualized.The network and wireless environment currently consists primarily of Cisco equipment.Upon contract award, the Library’s team will engage with the successful Offeror’s engineers toplan, schedule, and execute the development of Managed Information Security Services.3 Page

PurposeThe Library is requesting Proposals from all interested and qualified Offerors to provideManaged Information Security Partnership and Services. CML is seeking Proposals to include,but not limited to:1. Information Security Consultingo General Advisingo Policy and Procedure developmento Threat Intelligenceo Incident Management and Response2. Service Managemento Firewall Managemento Managed Network IDS/IPS3. Service Monitoringo Security Monitoringo Log Managemento Managed Security Services Reporting4. Scanningo Penetration Testingo Vulnerability Scanning5. Desktop and Server Protectiono Endpoint Protectiono Malware Protectiono Database Securityo Web Security6. Other managed servicesNote: A qualified Offeror is not required to provide all services listed above in order to submit aProposal to this RFP.Single or multiple Offerors may be awarded Contract(s) for services.Scope of WorkThe successful Offeror will furnish all of the labor, services, and training for the timely andproper completion of implementing Managed Information Security Services.The successful Offeror will, at all times, furnish sufficient skilled workers, materials andequipment to perform all work. All materials and equipment provided will be new, free from alldefects, fit for the purpose for which they are intended, and merchantable.The successful Offeror, or contractor (“Contractor”), is expected to provide implementationservices including providing a comprehensive project plan. As part of the overall project plan,the Contractor must develop a project communication plan that ensures timely and appropriategeneration, collection and dissemination of project information. In addition, the Contractor mustprovide periodic reporting and attend status meetings. At key points throughout the project, theContractor may be required to make presentations to various stakeholders including, but notlimited to, the project team, the Library’s Strategy Planning Team and/or the Library’s Board ofTrustees.4 Page

As part of the overall project plan, the Contractor must develop a project implementation planidentifying the most efficient and effective approach to implementation based on theContractor’s experience.The Contractor shall complete a discovery phase to capture the Current State of theinfrastructure.The Contractor shall be responsible to perform an assessment to validate what InformationSecurity Services can be utilized immediately and what changes the Library must make to takefull advantage of managed services.The Contractor will provide training to ensure a transfer of knowledge sufficient enough toprepare IT staff for the proposed Managed Information Security Services. The Contractor shallprovide documentation supporting the system’s functionality and processes.The Contractor will provide ongoing support including, but not limited to, periodic upgrades andenhancements.Requirements and SpecificationsRefer to Appendix A.Projected TimelineActivityTarget Completion DateIssuance of RFP &Inquiry Period BeginsAugust 28, 2015Inquiry Period EndsSeptember 21, 2015 at 5:00 p.m.Final Response to Offeror QuestionsSeptember 23, 2015Proposal Due DateBy Noon on September 30, 2015DIVERSITYBecause Columbus Metropolitan Library serves a diverse central Ohio population, CML has astrong preference for professional service providers to propose teams made up ofMBE/DBE/WBE and/or EDGE certified staff to provide CML with a diverse professional staffrepresentative of the central Ohio region in which they will be working and of the customers thatCML serves every day. Minority Business Enterprises are encouraged to respond to thisProposal.5 Page

Proposal Submission RequirementsAll Proposals must be in a sealed envelope or appropriate packaging, with the ProposalIdentification Number (CML #15-018) and title of the Managed Information Security Partnershipand Services clearly marked on the outside, addressed and mailed to:Columbus Metropolitan LibraryAttn: Wanda Dixon, Procurement Analyst96 South Grant AvenueColumbus, OH 43215Proposals may also be delivered, in person, to the Loading Dock Area (south side of thebuilding), Columbus Metropolitan Library, 96 South Grant Avenue, Columbus, Ohio 43215.Proposals submitted via e-mail will not be considered.Any Proposal arriving after 12:00 NOON on the due date will be marked late and will receive noconsideration for selection to provide the specified services. The Library will return, unopened,any Proposal that is received after the deadline.Proposal InstructionsOfferors are cautioned to carefully review all parts of the RFP. No allowance will be made forany error or negligence of the Offeror.Proposals are to be prepared in such a way as to provide a straightforward, concise descriptionof the Offeror’s capabilities to satisfy the requirements of this RFP and provide sufficientinformation to fully establish the Offeror’s ability to perform all of the actions, activities andfunctions described in this RFP.Emphasis should be on conformance to the RFP instructions, responsiveness to the RFPrequirements, completeness and clarity of content and should minimize extraneous marketingmaterials.Each Offeror must submit its Proposal marked CML #15-018, Managed Information SecurityPartnership and Services. One (1) original, completed and signed in blue ink, and four (4)copies are required. An electronic file of the proposal must also be submitted in .pdf format oneither CD-ROM or flash drive.Costs for developing the Proposal are entirely the responsibility of the Offeror and shall not bechargeable to the Library.Proposal QuestionsAll questions or clarifications regarding this RFP should be sent [email protected] and reference the Proposal Identification Number (CML #15018. ) and title of the RFP (Managed Information Security Partnership and Services). Allquestions must be submitted no later than 5:00 p.m. on September 21, 2015.Offerors are encouraged to submit questions at any time during the inquiry period.6 Page

Answers to all questions will be documented and posted on the “Doing Business with theLibrary” page of the Library’s website at rs will be posted no later than 5:00 p.m. on September 23, 2015.Proposal FormatTo facilitate comparison of Proposals, Offerors must submit Proposals in a format thatcorresponds to the outline below. Proposals must include a table of contents listing all sections.1. Executive level summary of the proposed solution(s).2. Statement as to the Offeror’s particular abilities and qualifications3. If applicable, include a list of proposed Subcontractors for this project. For eachSubcontractor listed, identify whether or not the Subcontractor is a certified womanor minority-owned business. The Library reserves the right to reject anySubcontractor not identified within the Offeror’s response.4. Provide references for a minimum of three (3) projects completed during the last two(2) years. Include a description of scope and client references, including contactnames and telephone numbers.5. Include any other information documentation believed to be pertinent, but notspecifically mentioned in this RFP, that may be useful and applicable to this project.6. Offeror response to the statements and questions from the Requirements andSystem Specifications detailed in Appendix A.7. Offeror response to Appendix B, Cost ProposalSelection ProcessThe Library’s evaluation team, will review all Proposals and evaluate responses to the RFP.Evaluation CriteriaThe final decision will be based on the overall RFP response that is deemed mostadvantageous to the Library.Specific criteria that will be considered, during the evaluation, include:1. Quality and comprehensiveness of the Proposal:a. Demonstrated understanding, by the Offeror, of the Library and the Library’srequirements.b. Qualifications and ability to perform.c. Responsiveness and adherence to RFP instructions.2. Quality of the proposed solution.3. Stability and viability of the product and Offeror.4. Offeror’s experience on projects of similar scope.5. Input from reference contacts.Contract AwardThe Library is not, by virtue of issuing this RFP, obligated to enter into a Contract and reservesthe right to not issue a Contract as a result of this solicitation.7 Page

Columbus Metropolitan LibraryProcurement DepartmentStandard Contract Terms and ConditionsContract Components, Entirety, Changes InterpretationContract Components: This contract consists of this document, the Standard Contract Termsand Conditions, the Special Contract Terms and Conditions (if any), the specifications or scopeof work (SOW), and any written amendments to this document, valid Columbus MetropolitanLibrary (CML) purchase orders or other ordering documents (together referred to as the“Contract”).Entire Agreement; Parties to the Contract: This contract is the entire agreement between theindividual or entity selected to provide equipment, supplies and/or services on the basis of aSOW submitted to CML in response to a request (referred to as the Contractor in these Termsand Conditions) and Columbus Metropolitan Library (CML).Contract Changes: Waivers, Changes or Modifications to this Contract must be made inwriting and signed by both parties. If a party to this Contract does not demand strictperformance of any item of this Contract, the party has not waived or relinquished any of itsrights; the party may at any later time demand strict and complete performance of the term.Contract Orders: CML will order supplies or services under this Contract from the Contractordirectly. The Contractor may receive purchase orders by telephone, facsimile, electronically orin person by authorized employees of CML. The Contractor is not required to fill an order datemore than 30 days beyond the date of Contract expiration, termination or cancellation, unlessthe Contract provides for a quarterly delivery or quarterly service. Under a Contract thatprovides for quarterly delivery, the Contractor is not required to fill an order with a delivery dateof more than 90 days beyond the date of Contract expiration, termination or cancellation.Standard Invoice and PaymentInvoice: The Contractor shall submit two copies of invoices to Accounts Payable, FinanceDepartment, Columbus Metropolitan Library, 96 South Grant Avenue, Columbus, Ohio 43215.The invoice must be a proper invoice to receive consideration for payment. A “proper Invoice” isdefined as being free of defects, discrepancies, errors or other improprieties. Improper invoiceswill be returned to the Contractor noting the areas of discrepancy.Payment: In consideration for the Contractor’s performance, CML will pay the Contractor at therate specified in the contract. Payments will be made by electronic funds transfer (EFT). For alltransactions, the Contractor must have a valid W9 form on file with the Finance Department.The completed form should be mailed to: Finance Department, Columbus Metropolitan Library,96 South Grant Avenue, Columbus, Ohio 43215.Payment Due Date: CML will pay invoices 30 days after it has received an invoice for suppliesand services it has received and accepted, unless otherwise indicated herein.8 Page

Taxes: Columbus Metropolitan Library is exempt for all federal, state and local taxes as CML ispart of Franklin County Government and has a 501 nonprofit status.Term of Contract: This contract is effective upon the projected beginning date of the ContractCover Page or upon signature of CML by the Fiscal Officer, whichever comes later in time. ThisContract will remain in effect until the Contract is fully performed by both parties or cancelled inaccordance with the Terms found herein.Contract Renewal: This contract may be renewed solely at the discretion of CML for a periodof one month. Any further renewals will be by agreement of both parties, any number of timesfor any period of time. The cumulative time of all renewals may not exceed two years.DeliveryF.O. B. The Place of Destination: The Contractor must provide the supplies or services underthis Contract F.O.B., the place of delivery/destination, unless otherwise stated. The address ofdelivery will be specified by the purchase order or other ordering document. Freight will beprepaid unless otherwise stated.Time of Delivery: If the Contractor is not able to deliver the supplies or services on the dateand time specified by CML ordering department on the ordering document, the Contractor mustcoordinate an acceptable date and time for delivery. If the Contractor is not able to, or does not,provide the supplies or services to an ordering department by the time and date agreed upon,CML may obtain any remedy provided below or any other remedy at law.Minimum Orders-Transportation Charges: For purchase orders placed that are less than thestated minimum order, the transportation will be prepaid and added to the invoice by theContractor to the delivery location designated in the ordering documents. Shipment is to bemade by private or commercial freight service, airmail, water, parcel post, express orcommercial package delivery, whichever is the most economical and expeditious method forproper delivery of the item. Failure of the Contractor to utilize the most economical mode oftransportation shall result in the Contractor reimbursing CML the difference between the mosteconomical mode of transportation and the mode of transportation used by the contractor.Failure to reimburse CML shall be considered a default.Contract Cancellation; Termination; RemediesContract Cancellation: If a Contractor fails to perform any one of its obligations under thisContract, it will be in default, and CML may cancel this Contract in accordance with this section.The cancellation will be effective on the date delineated by CML.A. Contract Performance is Substantially Endangered: If the Contractor’s default issubstantial and cannot be cured within a reasonable time, or if CML determines thatthe performance of the contract is substantially endangered through no fault of CML,CML may cancel this Contract by written notice to the Contractor.B. Cancellation by Unremedied Default: If a Contractor’s default may be cured with areasonable time, CML will provide written notice to the Contractor specifying thedefault and the time within which the Contractor must correct the default. IfContractor fails to cure its default in the time required, CML may cancel this Contractby providing written notice to the Contractor. If CML does not give timely notice of9 Page

default to Contractor, CML has not waived any of its rights or remedies concerningthe default.C. Cancellation by Persistent Default: CML may cancel this Contract by written noticeto Contractor for defaults that are cured but persistent. “Persistent” means three ormore defaults. After CML has notified Contractor of its third default, CML may cancelthis Contract without providing Contractor with an opportunity to cure, if theContractor defaults a fourth time. CML shall provide written notice of the terminationto the Contractor.D. Cancellation for Financial Instability: CML may cancel this Contract by written noticeif Contractor does not pay its subcontractors and material suppliers within 10 days ofpayment to the Contractor by CML. To the extent permitted by law, CML may cancelthis Contract by written notice to Contractor if a petition in bankruptcy or similarproceedings has been filed by or against the Contractor.Contract Termination: CML may terminate this Contract for convenience after issuing 30 dayswritten notice to the Contractor.Remedies for Default:A. Actual Damages. The Contractor is liable to CML for all actual and direct damagescaused by the Contractor’s default. CML may buy substitute supplies or services,from a third party, for those that were to be provided by the Contractor, and CMLmay recover the costs associated with acquiring substitute supplies or service, lessany expenses or costs saved by the Contractor’s default, from the Contractor.B. Deduction of Damages for Contract Price. CML may deduct all or any part of thedamages resulting from Contractor’s default from any part of the price still due on theContract, after CML has provided prior written notice to Contractor of such defaultand intent to deduct damages from the Contract Price.Force Majeure: If CML or Contractor is unable to perform any part of its obligation under thisContract by reason of force majeure, the party is excused from its obligations, to the extent thatits performance is prevented by force majeure, for the duration of the event. The party mustremedy with all reasonable dispatch the cause preventing it from carrying out its obligationsunder this Contract. The term “force majeure” means without limitation: Acts of God, such asepidemics, lightning, earthquakes, fires, storms, hurricanes, tornadoes, floods, washouts,droughts, and any other severe weather; explosions; arrests; restraint of government andpeople; strikes; and any other like events or any other cause that could not be reasonableforeseen in the exercise of ordinary care, and that is beyond the reasonable control of the party.CML Consent to Assign or Delegate: The Contractor may not assign any of its rights underthis contract unless CML consents to the assignment or delegation in writing. Any purportedassignment or delegation made without CML’s written consent is void.Indemnification: Contractor will indemnify CML, its employees, members of the Board ofTrustees, and its Officers and administrators for any and all claims, damages, lawsuits, costs,judgments, expenses, liabilities that may arise out of, or are related to, the Contractor’sperformance under this Contract, including the performance by Contractor’s employees andagents and any individual or entity for which the Contractor is responsible.10 P a g e

Confidentiality: Contractor may learn of information, documents, data, records and othermaterial that is confidential in the performance of this Contract. Contractor may not discloseany information obtained by it as a result of the Contract without written permission from CML.Contractor must assume that all CML information, documents, data, records or other material isconfidential.Publicity: Contractor and any of its subcontractors may not use or refer to this Contract topromote of solicit Contractor’s or subcontractor’s supplies or services. Contractor and itssubcontractors may not disseminate information regarding this Contract, unless agreed to inwriting by CML.Governing Laws; Severability: The Laws of the State of Ohio govern this Contract, andvenue for any dispute will be exclusively with the appropriate court of competent jurisdiction inFranklin County, Ohio. If any provision of the Contract or the application of any provision is heldby a court of competent jurisdiction to be contrary to law, the remaining provisions of theContract will remain in full force and effect to the extent that the remaining provisions continueto make sense.Workers Compensation: The Contractor shall carry Workers’ Compensation LiabilityInsurance as required by Ohio law for any work to be performed within the State of Ohio.Failure to maintain Workers Compensation Liability Insurance for the duration of the contractand any renewal hereto will be considered a default.Automobile and General Liability Requirements: During the term of the Contract and anyrenewal hereto, the Contractor, and any agent of the Contractor, at its sole cost and expense,shall maintain a policy of automobile liability and commercial general liability insurance asdescribed in this clause. Copies of the respective insurance certificates shall be filed with theProcurement Department within seven (7) calendar days after notification by the CML of itsselection of the Contractor to provide the specified supplies and/or services. Failure to submitthe insurance certificates within the time period may result in the Contractor being considered indefault. Said certificates are subject to the approval of the CML Procurement Manager andshall contain a clause or endorsement providing thirty (30) days prior written notice ofcancellation, non-renewal or decrease in coverage will be given to the Procurement Manager.Failure of the Contractor to maintain this coverage for the duration of the Contract, and anyrenewals, thereto may be considered a default.Automobile Liability: Automobile Insurance is required for anyone coming onto CMLbranches and/or property to deliver goods or perform services using a vehicle, which is owned,leased, hired, or rented by the Contractor. Any Contractor, broker, or subcontractor who will beon CML property, but not delivering goods or performing services, is required to carryAutomobile Liability Insurance that complies with the state and federal laws regarding financialresponsibility. Automobile liability insurance, including hired, owned, and non-owned vehiclesused in connection with the Work, shall have a combined single limit coverage coveringpersonal injury, bodily injury (including death) and property damage of not less than 2,000,000per accident.Commercial General Liability: Insurance coverage with a 2,000,000 annual aggregate and a 1,000,000 per occurrence limit for bodily injury, personal injury, wrongful death and propertydamage. The defense cost shall be outside of the policy limits. Such policy shall designateCML as an Additional Insured, as its interest may appear. The policy shall also be endorsed to11 P a g e

include a blanket waiver of subrogation. The certificate shall be endorsed to reflect a perproject/per location General Aggregate limit of 2,000,000. If the Contractor uses anumbrella/excess policy to meet the required limits, it is understood that the policy shall followfrom per project/per location basis. It is agreed upon that the Contractor’s commercial generalliability insurance shall be primary over any other coverage. The Procurement Departmentreserves the right to approve all policy deductibles and levels of self-insurance retention.Contract Compliance: The participating CML branches and departments will be responsiblefor the administration of the Contract and will monitor the Contractor’s performance andcompliance with the terms, conditions and specifications of the Contract. If a branch ordepartment observes any infraction such shall be documented and conveyed to the Contractorfor immediate correction. If the Contractor fails to rectify the infraction, the department/branchwill notify the Procurement Department in order to resolve the issues. These terms andconditions will be used by the Procurement Department to resolve the issues.Warranties: Unless otherwise stated, all supplies shall be new and unused. All products shallcarry manufacturer’s warranties in addition to implied warranties. The Contractor warrants allsupplies to be free from defects in labor, material, and workmanship (manufacturing) and be incompliance with the contract specifications.ADDITIONAL TERMS:1. This Contract represents the entire agreement of the parties hereto, and may not beamended except in writing signed by both parties.2. All times referenced herein are Columbus, Ohio local times.3. The CML is not responsible for any work or services provided by Contractor prior to theissuance of a P.O. by CML.4. Contractor will supply its own tools and materials.5. Contractor will make arrangements for EFT (electronic funds transfer).6. A completed W9 form is required on file with CML prior to CML issuing payment forservices provided by Contractor. The W9 form can be found at Please fill out the form and return with the signedcontract to the Procurement Department of the Columbus Metropolitan Library at 96 S.Grant Avenue, Columbus, OH 43215 or email [email protected] P a g e

Appendix A: Requirements and SpecificationsThe Offeror is expected to provide clarification on each service below of which it is proposing.The Offeror is also expected to clarify its technical capabilities and proposes solutions for anyand all categories to which it responds in a detailed narrative.1. Security Consulting / Practice Development (if proposing)A. The Offeror shall describe how it will perform a deep-level assessment of theColumbus Metropolitan Library’s current information security practices and deliver acomprehensive plan for improvement of security practices.B. Once a plan is delivered, the Offeror shall describe how it will assist with engagingoutside security partners (if necessary) for security practice implementation.C. The Offeror shall provide detail on its experience with developing security policiesand procedures, documentation and any standards.D. The Offeror shall describe how it will work with the Columbus Metropolitan Librarytoward reassessing requirements and making ongoing recommendations as securityneeds change.E. The Offeror shall describe its organization’s consulting practice that is available forsecurity and technology support (e.g., deployment, incident response and forensics,etc.). What are the hours for client support? Does support change hands at anypoint? What locations is this support provided from? Indicate “N/A” if consultingservice or support is not available.F. Offerors may include any other relevant information.2. Managed Services (if proposing)A. Managed Service Viabilityi.The Offeror

REQUEST FOR PROPOSAL Managed Information Security Partnership and Services RFP CML #15-018 Columbus Metropolitan Library Issued by: Procurement Division 96 S. Grant Ave. Columbus, OH 43215 Deadline for Submi ttal: Sep