lighthousecs-pci-rfr-response-updated-pricing


RESPONSE SUBMITTED FOR RFR NUMBER: CTRPCI2007
TITLE: PAYMENT CARD INDUSTRY (PCI) DATA SECURITY STANDARDS (DSS) COMPLIANCE

COMMONWEALTH OF MASSACHUSETTS
RESPONSE SUBMITTED FOR THE REQUEST FOR RESPONSES (RFR) FOR:
TITLE: PAYMENT CARD INDUSTRY (PCI) DATA SECURITY STANDARDS (DSS) COMPLIANCE
RFR # CTRPCI2007
BIDDER NAME: Lighthouse Computer Services, Inc.

Bidder Name: Lighthouse Computer Services, Inc. Page of 34

INSTRUCTIONS:

The Written RFR Response must be submitted using this "RFR Response Template" as posted on the "Forms & Terms" Tab of Comm-PASS. This Template is being used so that all Responses appear uniform and consistent for selection purposes and to enable posting on Comm-PASS once selection is completed. This WORD document must be used and may not be altered, reformatted or changed in any way, or the Response will be subject to rejection.

Bidders must enter, or copy and paste, information into the spaces provided for each question. The space will expand to accommodate the data entered. The Bidder may open the "footer" and add the Bidder's Name to print on each page of the Response.

Bidders may not refer to outside attachments for key information related to answering the questions unless the Attachment is one of the Required Attachments for the RFR Response or is an attachment that must be completed as specified under the "Forms and Terms" tab for this RFR on Comm-PASS. Each item must be addressed specifically by entering information in the required space. If an item is inapplicable, the Response must indicate "N/A" or "Not applicable" or other appropriate explanation.

Bidders are responsible for reviewing the "Forms & Terms" tab under this RFR in Comm-PASS for all the listed specifications and the required Forms that must be submitted with the RFR Response (in order to be considered for selection) or upon contract award and execution. Failure to submit the required Forms with the RFR Response, as specified, will be considered sufficient grounds for rejection of the Bidder's Response.

Submission of Responses

Number of Copies of Responses:
(1) One original hard copy of the Response. All Attachments with original signatures must be included with the Original.
(2) Two photocopies of the Response, including attachments.
(10) Twelve CDs, each with a copy of the entire Response (attachments do not have to be included).

Format of Hard Copy Responses:
Bidders must submit the RFR Response using the WORD document "RFR Response Template" posted on Comm-PASS, using a standard (10 point or higher) font. See INSTRUCTIONS above. Printed hard paper copy format: 8½ x 11 paper. All Responses and copies should minimize or eliminate use of non-recyclable or non-reusable materials such as plastic report covers, plastic dividers, vinyl sleeves and GBC binding. Responses should be bound in such a way that allows easy access for copying and recycling of paper materials, such as 3-ring binders, folders, clips or staples. All copies should be printed double sided. Submittals, if possible, should be printed on recycled paper with a minimum post-consumer content of 20% or on tree-free paper (i.e., paper made from raw materials other than trees, such as kenaf). Bids should note whether recycled paper or tree-free paper is being used. Marketing materials, samples, attachments or documents should not be submitted unless specifically requested in this RFR.

Deadline for Submission:
Submit Responses by mail or hand delivery, by the submission date listed in the RFR or as amended, to:
COMMONWEALTH OF MASSACHUSETTS
RFR # CTRPCI2007
Title: PAYMENT CARD INDUSTRY (PCI) DATA SECURITY STANDARDS (DSS) COMPLIANCE
c/o Eric Berman, Procurement Team Leader
Office of the Comptroller
One Ashburton Place –
9th Floor, Boston, MA 02108

FAX OR ELECTRONIC RESPONSES ARE NOT ACCEPTABLE

RFR RESPONSE PART A – BIDDER AUTHORIZED CONTACT, INTRODUCTION AND CERTIFICATIONS

A-1 Authorized Representative and RFR Contact
Please complete the information below for the Individual who is an Authorized Representative of the Bidder, who can legally bind the Bidder during the RFR Interview and subsequent negotiations, and who shall serve as the RFR Contact for any questions or communication necessary during the procurement.
Bidder Name: Lighthouse Computer Services, Inc.
Mailing Address: 6 Blackstone Valley Place, Suite 205, Lincoln, RI 02865
Authorized Representative/RFR Contact Name: Timothy Bernard
Telephone: (508) 254-2804
TTY/TTD: N/A
Email Address: tbernard@lighthousecs.com
Fax: (401) 334-0719

A-2 INTRODUCTION: Please provide, not to exceed pages in length, the Bidder's understanding of the request for response, the requirements of the work the firm is bidding on, the work to be performed and bid upon, and an overview summary of the Bidder's qualifications and experience to perform the work requested. Please reference whether the Bidder is, or intends to, subcontract with or use resources from small, minority or women business owned entities.

Answer: After reviewing the Commonwealth of Massachusetts RFR # CTRPCI2007 for Payment Card Industry (PCI) Data Security Standards (DSS) Compliance, Lighthouse Computer Services, Inc. is pleased to respond with the services outlined in this document. Lighthouse Computer Services, Inc., approved by PCI as a Qualified Security Assessor, believes that this proposal of services, presented in combination with Janus, a Qualified Security Assessor authorized to perform required onsite PCI Data Security Standard (DSS) Assessments and certified as a woman business enterprise by the Commonwealth of Massachusetts, State Office of Minority and Women Business Assistance (SOMWBA), and Qualys, a leader in vulnerability management and approved PCI scanning vendor, fully certified to help merchants and service providers assess and achieve continuous compliance with the PCI DSS, will offer the Commonwealth of Massachusetts and its entities a competitive bid, with the technical skills and expertise required to assist them in becoming compliant with PCI DSS. All personnel assigned to the consulting services have more than five years of experience with security evaluations. For the scanning service, we will use the product QualysGuard PCI, an on-demand Web application with no need for hardware or software installation and with a Six Sigma level of accuracy made possible by the industry's most complete vulnerability knowledgebase, an encyclopedic inventory of thousands of known vulnerabilities that covers all major operating systems, services and applications. This RFR was printed on recycled paper with a minimum post-consumer content of 30%.

A.3 Bidders are not authorized to condition execution of a contract with the Commonwealth upon the Commonwealth's execution of a Bidder contract form, or to require that other Bidder Terms and Conditions automatically apply to this contract. Any additional terms and conditions that the Bidder seeks to apply to this Contract must be specified below.
ANSWER: N/A

A.4 It is expected that any legal review of the required contract forms and attachments will be done prior to submission of the RFR Response and that objections to any language in the RFR, RFR Response or attachments will not be raised after selection and during contract negotiations. Therefore, if the Bidder has any questions related to the interpretation of any language in the required forms or Attachments, these questions must be identified as part of the on-line forum for this RFR and may not be raised at a later date. Any issues or concerns with the language in the Contract forms or Attachments, or proposed additions or clarifications, must be identified below; they will be evaluated as part of the selection process and may not be raised after selection.
ANSWER: N/A

A.5 Please list the following information if applicable. Failure to identify such contingencies as part of a Response will be considered sufficient cause for immediate termination from the Statewide Contract if such information is discovered during the life of the Contract:
a) Penalties and Bankruptcy: A list of all bankruptcy and other similar proceedings within the past five years relating to the Bidder, any officer, director, partner or member thereof, any affiliate or any related entity.
b) Litigation: List any outstanding contingencies, such as lawsuits or other claims or charges against the Bidder related to performance of the services sought under this RFR.
c) The Bidder shall submit a description of any and all investigations, indictments or pending litigation by any federal, state or local jurisdiction relating to the Bidder, any officer, director, partner or member thereof, any affiliate or any related company. A list of all criminal convictions within the last five years relating to the Bidder, any officer, director, partner or member thereof, any affiliate or any related entity.
d) A list of all civil penalties, judgments, consent decrees and other sanctions within the last five years, as a result of any violation of any law, rule, regulation or ordinance in connection with its business activities, relating to the Bidder, any officer, director, partner or member thereof, any affiliate or any related entity.
e) A list of all actions occurring within the last five years which have resulted in revocation or suspension of any permit or authority to do business in any jurisdiction relating to the submitting entity, any officer, director, partner or member thereof, any affiliate or any related entity.
f) A list of all actions occurring within the last five years that have resulted in the barring from public bidding relating to the Bidder, an officer, director, partner or member thereof, any affiliate or any related entity.
ANSWER:
a) N/A
b) N/A
c) N/A
d) N/A
e) N/A
f) N/A

A.6 Defaults: The Bidder shall provide a description, in detail, of any situation in which the Bidder's firm (either alone or as part of a joint venture), or a subsidiary of the Bidder's firm, defaulted or was deemed to be in noncompliance with any contractual obligations, explaining the situation, its outcome and all other relevant facts associated with the event described. Please also provide the name, title and telephone number of the principal manager of the contract user who asserted the event of default or noncompliance.
ANSWER: N/A

A.7 Other Adverse Situations: The Bidder shall provide a description of any present facts known to the Bidder that might reasonably be expected to adversely affect its ability to perform any aspect of this Contract.
ANSWER: N/A

A.8 Bidder must confirm that if selected for final contract negotiation and execution the Bidder is willing to begin performance no later than the week of August 6, 2007.
ANSWER: Lighthouse Computer Services, Inc. has the resources required for this PCI-DSS compliance work and is willing to start no later than the week of August 6, 2007.

A-9 RESPONSE CERTIFICATION: By signing in the space provided below, the Bidder through its Authorized Representative certifies that the
Response will remain in effect for a period of 120 days from the submission deadline and thereafter until either the Bidder withdraws it, a Contract is executed, or the procurement is canceled, whichever occurs first; that this Response is being submitted in good faith and without any collusion or fraud; that the information provided is accurately represented; and that the Bidder is ready, willing and able to perform the work required as specified in any resulting contract on schedule and agrees to perform the work as put forth in this RFR. Signature also confirms that the Bidder selected for final contract negotiation is willing to have authorized signatories meet during the period for final negotiation and contract execution, as identified in the Procurement Calendar, to execute the contract.

Authorized Representative Signature:
Authorized Representative Printed Name and Title: Anthony N. Fiore, Jr., Chief Financial Officer
Date: 07/18/2007

RFR RESPONSE PART B – BIDDER QUALIFICATIONS

B.1 Firm Profile
a) Provide your company name, company address, company phone number, company fax number, and Internet address.
b) State whether the firm is local, national, or international and the total number of employees.
c) State your Commonwealth Vendor/Customer number (if known): VC
d) A short firm history.
e) State the location of the office(s) from which the work is to be managed and the location from which the work will be performed, and the number of principals/partners, managers, supervisors, or other senior and professional staff employed at the office.
f) State the types of work performed by the office and the percentage of effort devoted to each type.
g) Include a description of the firm philosophy in providing PCI compliance services to clients, as well as an overview that summarizes the procedure your company uses when providing PCI compliance services.

ANSWER:
a) Lighthouse Computer Services, Inc., 6 Blackstone Valley Place, Suite 205, Lincoln, RI 02865. Phone: (401) 334-0799. Fax: (401) 334-0719. www.lighthousecs.com
b) Lighthouse Computer Services, Inc. is a local professional services firm, with a presence on the East Coast. Currently the company has 75 employees.
c) N/A
d) Lighthouse Computer Services, Inc., headquartered in Lincoln, Rhode Island, was founded in 1995 as a regionally-based organization, staffed with the most experienced people in the industry. Today, Lighthouse is known throughout the Northeast as a leader in IT consulting and as a technical services provider and a trusted advisor to mid- to large-sized businesses in the financial, health care, retail, education, insurance, and utility industries. Each consultant has a minimum of 15 years of experience, and collectively they hold over 150 certifications. The company offers a range of hardware, software, technical consulting, support, and education services to a broad range of industries in all stages of growth. Lighthouse Computer Services, Inc. is ranked among the top IT services firms in North America, and is currently the 11th fastest growing IT solutions provider as measured by the 2006 VARBusiness listing. Lighthouse Computer Services, Inc. maintains close access to technology sources through active partnerships with IBM, Microsoft, Cisco, Enterasys, Avamar, Brocade, Tivoli, Symantec, NetApp, VMware, SEPATON, Acopia, APC, Oracle and other technology providers.
e) The main office is located in Lincoln, RI, from where this project will be managed and performed. Lighthouse Computer Services, Inc. has 50 consultants to perform projects in the different areas of services.
f) The services provided by Lighthouse are classified in the following six practice areas, including the percentage of effort:
• IT Governance, Auditing & Compliance (20%)
• Storage & Backup (20%)
• Enterprise Servers (10%)
• Microsoft Solutions (20%)
• Networks & Security (15%)
• Content Management (15%)
g) Lighthouse PCI – The Compliance service group consists of seasoned IT Auditors, all CISA/QSA-ASV certified, each possessing over 10 years of experience. Lighthouse's expertise in IT Governance, Assurance, and Compliance spans multiple industries, software platforms, and applications. See Methodology in section C1.B.5 below.

B.2 Overall Qualifications
a) For CONSULTING SERVICES, the vendor/partner must provide evidence that it is a certified Qualified Security Assessor (QSA) approved by the PCI Security Standards Council (https://www.pcisecuritystandards.org/resources/qualified_security_assessors.htm) as of the date of this RFR to perform on-site PCI Data Security Assessments for a Level 1, 2, 3, or merchant; and Level 1, 2, or service providers.
• Must be a United States firm able to perform on-site work in Massachusetts.
b) For SCANNING SERVICES, the vendor/partner must provide evidence that it is a certified Approved Scanning Vendor (ASV) approved by the PCI Security Standards Council (https://www.pcisecuritystandards.org/resources/approved_scanning_vendors.htm) as of the date of this RFR to perform network scans for all merchants and service providers with externally-facing IP addresses.
• Must be a United States firm able to perform on-site work in Massachusetts.
c) Describe and document the ability / success of the Bidder in providing PCI compliance services to prior large-organization clients, defined as organizations with above $1.0B in annual spending. List relevant work performed within the last five years, the scope of the work and
for whom the work was performed. Include information demonstrating a minimum of three (3) consecutive years of experience in PCI compliance services, or key personnel with a minimum of five (5) years of experience in data security services immediately preceding submission of the RFR. Describe specific projects and contracts, specifically government engagements.
d) Because the Commonwealth conducts business via Internet technology, the contractor must have demonstrated ability to communicate, send files, download files, etc. from the Internet at all times. Describe how the Bidder meets this requirement and what security is in place to safeguard Commonwealth data and systems.
e) Identify the resources that the Bidder has to ensure adequate security of its own employees' conduct and behavior while working with Commonwealth information and/or in Commonwealth locations.
Note: The Bidder must remain in good standing on the PCI Security Standards Council lists of certified Qualified Security Assessors (QSAs) and Approved Scanning Vendors (ASVs) for the duration of the contract.

ANSWER:
a) Lighthouse Computer Services, Inc. is a United States firm able to perform on-site work in Massachusetts and is certified as a Qualified Security Assessor approved by the PCI Standards Council, Certificate # 111, to perform on-site Data Security Assessments for a Level 1, 2, 3, or merchant and Level 1, 2, or service providers. For the consulting services, Lighthouse will partner with JANUS Associates, Inc., which is certified as a woman business enterprise by the Commonwealth of Massachusetts, State Office of Minority and Women Business Assistance (SOMWBA), renewal status effective March 23, 2007, as well as a Qualified Security Assessor approved by the PCI Standards Council, to perform on-site Data Security Assessments for a Level 1, 2, 3, or merchant and Level 1, 2, or service providers.

[Pages 11 through 19 of the response are not present in this copy.]

ANSWER:
Individual Name: Doug Gwinner
Title: Support Manager, Qualys, Inc.
Telephone: (650) 801-6119
Email Address: dgwinner@qualys.com
Fax: (650) 801-6101
Responsibilities: QualysGuard PCI support and activation of customer account(s)
Number of hours: N/A

Individual Name: Margo Connell
Title: Technical Account Manager, Qualys, Inc.
Telephone: (845) 534-3586
Email Address: mconnell@qualys.com
Fax: (845) 913-9272
Responsibilities: QualysGuard PCI support and activation of customer account(s)
Number of hours: N/A

B.7 References: The Response must include three (3) references for the most relevant, comparable work of the type requested in this RFR (a state or large local government entity). The Office of the Comptroller reserves the right to verify references included in the Response and to conduct other reference checks as deemed appropriate.

Reference name: Randy L. Harris, Manager Network Operations
Firm: Marine Corps Community Services
Phone: (703) 784-3830
Internet address: Randy.harris@usmc-mccs.org
Description and date(s) of services provided: ASV Scanning since 7/2005

Reference name: Ms. M.J. Laliberte
Firm: Twin Oaks Software Development, Inc.
Phone: (860) 829-6000
Internet address: www.tosd.com
Description and date(s) of services provided: PCI compliance services from May 2006, ongoing

Reference name: Steve Curran, VP IT
Firm: Bank of Rhode Island
Phone: 401-333-2322
Fax:
Internet address: www.BankRI.com
Description and date(s) of services provided: IT Risk Assessment 2006; security policies and procedures development

RFR RESPONSE PART C – SCOPE OF PERFORMANCE

C.1 This section of the Bidder's response should be detailed enough to portray the experience of the Bidder in engagements such as the Commonwealth's.
Please identify a work plan of how your firm would perform the following. It is understood that specific engagements have not yet been identified; therefore the Bidder should identify a work plan model that can be adapted to individual engagements.

A. Consulting services for CTR on a statewide basis, to ensure that the Commonwealth as a whole is PCI compliant, that high risk areas are identified, and what the Commonwealth needs to do to ensure on-going PCI compliance.
1) Describe what tasks / work is to be performed by your company. What would CTR be asked to do to facilitate your normal business process?
2) What Commonwealth resource requirements would your company have in terms of space, dedicated staff, and computer access? Please describe.
3) Based upon the information provided in this RFR, provide an estimate of the total length of time and materials you expect the services would require from start to completion, including final report(s).
4) Schedule of Implementation: Summarize how this project would be implemented, accompanied by a Schedule of Implementation to include a project timetable, by phase if applicable.

B. Consulting services for individual state department merchants, assisting with completion of the PCI questionnaire, identifying high risk areas, and what the Department needs to do to ensure on-going PCI compliance.
1) The Bidder/partner must facilitate the successful completion of the PCI Self-Assessment Questionnaire (SAQ) for all Commonwealth merchants. The PCI SAQ must be used to address any system(s) or system resource component(s) involved in processing, storing, or transmitting cardholder data.
2) For the Commonwealth of Massachusetts, this questionnaire applies to all entities transacting credit card business, regardless of channel. The Bidder shall provide an on-line web-based product for the ePay shared service and the Commonwealth's participating merchants to complete the PCI Self-Assessment Questionnaire.
3) Describe what tasks / work is to be performed by your company. What would CTR be asked to do to facilitate your normal business process?
4) What Commonwealth resource requirements would your company have in terms of space, dedicated staff, and computer access? Please describe.
5) Based upon the information provided in this RFR, provide an estimate of the total length of time and materials you expect the services would require from start to completion, including final report(s).
6) Schedule of Implementation: Summarize how this project would be implemented, accompanied by a Schedule of Implementation to include a project timetable, by phase if applicable.

C. SECURITY SCANS – Scanning services for individual state departments.
1) The Bidder/partner must conduct PCI network security scans for the ePay shared service and Commonwealth entity merchants. The network security scan is an automated tool that checks systems for vulnerabilities. It conducts a non-intrusive scan to remotely review networks and Web applications based on the externally-facing Internet Protocol (IP) address provided by the merchant. The Bidder/partner must complete these scans in accordance with the PCI Security Scanning Procedures.
2) Describe what tasks / work is to be performed by your company. What would CTR be asked to do to facilitate your normal business process?
3) What Commonwealth resource requirements would your company have in terms of space, dedicated staff, and computer access?
4) Please describe how the Bidder will comply with the following:
(i) The Bidder/partner must provide each merchant account with a web-based tool to set up and perform monthly scans for up to XXX? IP addresses, as well as up to 10 self-directed scans at the merchant or service provider's discretion.
(ii) The Bidder/partner must notify each merchant or service provider with an automated e-mail notification of the pending scan at least five (5) business days prior to the scan occurring, as well as notification that the scanning process has begun and/or has completed.
(iii) Within three (3) business days of completion of the scan, the Bidder/partner shall notify each merchant or service provider via an automated e-mail notification that the results of the scan are available for viewing in an on-line report.
(iv) The Bidder/partner must allow for multiple e-mail addresses on the automated e-mail notifications.

D. The Bidder/partner must provide an on-line monitoring/reporting system. Describe how the Bidder/partner's online system will:
1) Assist CTR, the ePay shared service, and the Commonwealth merchant community with managing their PCI Security Compliance needs (particularly the PCI Self-Assessment Questionnaire and Network Scans).
2) Allow web-based access for central monitoring of compliance status for all Commonwealth merchants. This central monitoring access shall be provided to CTR.
3) Provide monitoring authorities with on-line access to view reports resulting from the Commonwealth merchant community's completion of the compliance questionnaire or network scans, within their respective areas of oversight responsibility.
4) Provide each Commonwealth merchant with on-line access to view reports resulting from the completion of their compliance questionnaire or network scans.
5) Allow for flexibility in scheduling scans.
6) Provide detailed and summary level reporting to management specifying areas of risk, along with recommended corrective actions.
7) Provide the ability to report the compliance status of Commonwealth merchants to the Merchant Services Provider(s).
8) Present an on-line Certification of Compliance Validation.

E. The Bidder must provide and describe their controls over confidentiality of client data. The Bidder must describe their procedures for informing a client when the client's data has been, or may have been, inadvertently disclosed/compromised.

C.2 List and describe the types of reporting that your company would provide during the engagement and the frequency of the reports. Also describe a final report that your company would provide at the completion of the engagement. Provide a short sample summary of a final report.

ANSWER:
C1.A.1) LCS will perform consulting services for QSA and ASV compliance for the entities defined. An initial pre-assessment based on the information provided and the Self Assessment Questionnaires will be presented, identifying areas of risk related to the PCI standards. The specific tasks to be performed for QSA and ASV are detailed in the following sections (C1.B and C1.C). CTR should provide information related to the IT environment and cardholder data, through Self Assessment Questionnaires and interviews, in order to determine the scope of the assessment for compliance with PCI DSS requirements.
C1.A.2) LCS will require an office with a phone, internet access for at least three computers, and a dedicated printer. The Commonwealth will serve as liaison with the entities in scope and will help to set up meetings with the personnel in each entity responsible for the cardholder data environment. Each entity in scope should fill out the Self Assessment Questionnaire with LCS support.
C1.A.3) See C1.B.5 below.
C1.A.4) See C1.B.6 below.
C1.B.1) LCS will provide a secure web-based self assessment questionnaire tool to be used for all
Commonwealth entities transacting credit card business, regardless of channel, in order to identify high risk areas for the processing, storing or transmission of cardholder data. LCS will assist the personnel responsible in each entity with completing this SAQ as required, via email or phone.
C1.B.2) See C1.B.1 above.
C1.B.3) CTR will identify the entities to which this SAQ applies, with their contacts, and will communicate to them in a timely manner the rules for completing this questionnaire. Each entity's contact will provide/facilitate the information and interviews and fill out the SAQ properly and on time according to the schedules defined. LCS will review and suggest initial recommendations based on this SAQ, in order to allow each entity to be compliant with PCI requirements. Once the recommendations have been put in place, LCS will validate this information and will perform a full assessment of compliance with PCI requirements. As a result of this audit, a Report on Compliance (ROC) will be completed acknowledging the entity's compliance status. If this report contains open items, LCS will provide recommendations to fix them, which the entity must address. LCS will revalidate and issue a new ROC after the entity addresses these items.
C1.B.4) LCS will require an office with a phone, internet access for at least three computers, and a dedicated printer.
C1.B.5) For each entity LCS will:
• Assist each entity with the SAQ, as required
• Provide recommendations based on the SAQ, in order to ensure compliance with PCI requirements
• Perform an assessment of compliance with PCI requirements, validating the information provided in the SAQ
• Issue, as a result of this assessment, either a ROC or a report with open items and recommendations that need to be implemented
• Validate the remediation implemented, in order to ensure full compliance with PCI, if applicable, and issue a new ROC

For each entity defined by CTR, hours will be utilized to capture all information required and to assist them with the SAQ. The time for this QSA validation for each entity will be 120 hours (assuming only one network with cardholder data). For additional networks, 20 additional hours will be utilized. If, as a result of the SAQ, adequate network segmentation that isolates cardholder data is identified, the scope of the QSA validation could be reduced once the network segmentation is verified.

For each entity LCS will perform:

Phase 1, Pre-Assessment
Task: Information Request
Objective: Obtain an understanding of the entity's IT environment and cardholder data. Provide assistance with SAQ development.
Process/Methodology: Through the SAQ and requests for information related to cardholder data.
Entity responsibilities: Provide the information required and fill out the SAQ.
Deliverables: Web-based SAQ documented, and recommendations (if applicable). Based on the SAQ and information provided, the scope of the on-site review will be determined and redefined as necessary, based on the components related to the cardholder data environment, the networks involved and the network segmentation identified.
Hours: 12

Phase 2, ROC certification
Task: Assessment for Compliance. Based on the information provided in the SAQ, LCS will perform interviews and an on-site assessment of controls related to the following PCI requirements:
1) Review of firewalls/routers in scope according to PCI-DSS
Objective: Validate the adequacy of firewall configuration to protect cardholder data.
Process/Methodology: Through interviews with the firewall manager, LCS will gather information about the standards used, protocols, services, users and rules, and validate their controls.
Hours: 12
2) Review of security parameters and system passwords according to PCI-DSS
Objective: Review of default passwords and configuration standards.
Process/Methodology: Using statistical sampling, LCS will evaluate and validate the appropriateness of the configuration standards used, as well as default passwords.
Hours: 12
3) Review of encryption to protect cardholder data according to PCI-DSS
Objective: Identify the measures in place to protect stored cardholder data.
Process/Methodology: Evaluation and validation of data retention and disposal policies for cardholder information. Validate, through a statistical sample, storage and protection according to the requirements defined by PCI.
Hours: 12
4) Cardholder data transmission review according to PCI-DSS
Objective: Identify sensitive information transmitted across open, public networks and the controls in place.
Process/Methodology: Identification of the encryption used for sensitive information transmitted over public networks.
Hours:
5) Antivirus software review according to PCI-DSS
Objective: Identify the anti-virus software solutions in place.
Process/Methodology: Review of antivirus configuration and update process.
Hours:
6) Review of systems and applications security according to PCI-DSS
Objective: Evaluation of the change management process for applications, components and software development.
Process/Methodology: Identification of software development guidelines as well as the change management process in place.
Hours:
7) Cardholder data access review according to PCI-DSS
Objective: Ensure that critical data can only be accessed by authorized personnel.
Process/Methodology: Evaluation and validation of policies related to access control.
Hours: 12
8) User ID review according to PCI-DSS
Objective: Verify that each person has been assigned a unique user name and password and that his/her actions can be traced.
Process/Methodology: Through statistical sampling, user ID configuration will be reviewed. Review and validation of user ID and password policies and procedures.
Hours: 12
9) Physical access review according to PCI-DSS
Objective: Ensure that systems holding cardholder data have adequate physical access controls.
Process/Methodology: Walkthrough of the facilities that hold cardholder data. Review and validation of policies and procedures related to physical access controls.
Hours:
10) Review of network monitoring and log mechanisms according to PCI-DSS
Objective: Verify that networks with cardholder data have audit trails in place and that they are reviewed on a daily basis. Review and validate retention policies.
Process/Methodology: Through interviews, identify the active audit logs and their parameters. Verify that they are reviewed daily.
Hours:
11) Review of processes in place for systems testing according to PCI-DSS
Objective: Verify that systems are tested regularly.
Process/Methodology: Identify and validate the testing procedures in place.
Hours:
12) Information Security Policy review according to PCI-DSS
Objective: Evaluate the information security policies.
Process/Methodology: Verify and validate that the security policy covers all PCI requirements.
Hours: 12
Entity responsibilities: Provide the information requested and facilitate interviews and walkthroughs.
Deliverables: Controls in place documented, recommendations for open items (if applicable), and accreditation ROC (reassessment if open items were found).
Total hours (per entity/per LCS resource): 120

C1.B.6) See section C1.B.5 above.

C1.C.1) LCS will conduct remote, non-intrusive security scans of external IP addresses in order to identify vulnerabilities of networks
and web applications, according with the PCI DSS, through Qualys’ unique on-demand model QualysGuard PCI simply requires the activation of the customer account(s) This activation would be performed by Qualys QualysGuard PCI is offered as Software-as-a-Service As such, all database administration and maintenance are performed by Qualys, therefore, customers are not required to perform any type of database support or maintenance CTR will identify the entities and their IP addresses and domain name list C1.C2): As a PCI compliant scanning vendor, Qualys is certified to help merchants and their consultants evaluate the security of their entire externally facing network and achieve compliance with the PCI Data Security Standard C1.C3): As mentioned above, Qualys’ Software-as-a-Service model does not require space, dedicated staff or computer access from CTR C1.C4 (i): Authorized users of the Merchant accounts can conduct vulnerability and compliance scans from anywhere using a Web browser The QualysGuard PCI solution provides unlimited, highly accurate network security scans for an unlimited number of IP addresses and provides multiple user support for effective collaboration on PCI compliance C1.C4 (ii): LCS will notify each merchant or server provider via email of the upcoming scan, days prior the scan, as well as when it has been finalized C1-C4 (iii): QualysGuard PCI will be configured on a per user basis to send a summary email when a scan or map has been completed The e-mail summary provides highlevel, non-sensitive information including the number of vulnerabilities and overall trend per severity level E-mail recipients are configurable as part of the per user notification options With the e-mail is a hyperlink to securely access the complete detailed report C1-C4 (iv): Please see response C4 (iii) above C1.D1): The QualysGuard PCI On-Demand module is accessible via a web browser and provides an online version of the PCI Security Council self-assessment 
questionnaire as well as the ability to run/schedule network scans Draft versions can be saved at any time during the process for later completion Questionnaires can be collaboratively viewed and shared by multiple users Bidder Name: Lighthouse Computer Services, Inc.Page 27 of 34 RESPONSE SUBMITTED FOR RFR NUMBER: CTRPCI2007 TITLE: PAYMENT CARD INDUSTRY (PCI) DATA SECURITY STANDARDS (DSS) COMPLIANCE C1.D2): QualyGuard provides web-based, multiple user support for effective collaboration on PCI compliance C1.D3): See D2 above C1.D4): See D2 above C1.D5): With QualysGuard PCI, scan jobs can be scheduled to run or can be initiated on demand through the web-based interface Any user with the granted privileges can create scheduled jobs on the assets they are responsible for The occurrence of jobs can be selected between daily, weekly or monthly, with a specific hour and time zone The day of the week or month is selected by the user if the job is either weekly or monthly Scan jobs can be set with or without recurrence In addition to setting the start time for a scan, a “hard” stop time can be provided so that if a scan is exceeding an approved window of time, it is automatically stopped permanently or can be automatically restarted during the next window If the job is stopped before completion, all of the completed hosts are available for reporting C1.D6): QualysGuard PCI provides both PCI technical reports, which include streamlined vulnerability remediation through comprehensive, step-by step instructions and PCI executive reports for submission to management and/or the Merchant’s acquiring bank as proof of PCI compliance C1.D7): QualysGuard PCI enables the Commonwealth merchants to automatically submit the scan results and self-assessment questionnaire directly to the acquiring bank on-line C1.D8): Please see D7 above C1-E) Enterprises entrust Qualys to collect and store information about their devices; therefore, it is imperative that QualysGuard safeguards that 
data in transit and storage Data in transit is encrypted via SSLv3 128 bit encryption Data at rest is encrypted in AES 128 and is not accessible by Qualys personnel as the encryption is based on a hash of an individual’s username and password Role based administration provides for authentication based upon separation of duties Qualys maintains two primary Qualys Secure Operations Centers (SOCs) The SOCs are located in Santa Clara, USA and Frankfurt, Germany The Santa Clara, USA data center undergoes annual 3rd party SAS70 certification The Frankfurt, Germany data center is audited under BS 7799 All Qualys machines and racks are secured in a locked, private vault that requires the use of a badge and biometric authentication for access Only customer-authorized personnel have any logical access to their own vulnerability scan data C2: LCS will provide the standard formats defined by PCI for Assessment for Bidder Name: Lighthouse Computer Services, Inc.Page 28 of 34 RESPONSE SUBMITTED FOR RFR NUMBER: CTRPCI2007 TITLE: PAYMENT CARD INDUSTRY (PCI) DATA SECURITY STANDARDS (DSS) COMPLIANCE Compliance (ROC, Report on Compliance) on an annual basis as well as informative report based on the results of the network scans on a quarterly basis Recommendations will be presented as result of Self Assessment Questionnaire, Assessment for compliance (open items) and network scans C.3 CUSTOMER SERVICE, TRAINING, RESOLUTION PCI ISSUES: The Bidder/partner must provide training and support to the Commonwealth merchant community Describe how the Bidder will meet the following requirements: The Bidder/partner must provide training on the use of the Bidder’s on-line systems The Bidder/partner may deliver the initial training via an interactive web-based training solution or in person at a training facility, which at the discretion of the Commonwealth, may include multiple Regional/geographical locations within the Commonwealth of Massachusetts Training must be provided to all state and 
local governmental entities with merchant accounts falling under the scope of this solicitation Attendees would include a business and a technical contact from each Commonwealth entity The Bidder/partner must provide for a customer service arrangement to meet the needs of the Office of the State Comptroller and the Commonwealth’s merchant community Most servicing needs of the merchant community are anticipated to be coordinated through the entities themselves The Bidder/partner must provide technical support to the Office of the State Comptroller and its merchant community via a toll-free telephone number during normal business hours, which are between 8:00 a.m and 5:00 p.m Eastern Time, Monday through Friday The Bidder/partner must keep the Office of the State Comptroller and the Commonwealth merchant community informed of all PCI rule changes, and provide guidance for adherence to the changes in an adequate and timely manner The Bidder/partner must notify the Office of the State Comptroller and all Commonwealth merchants of any PCI rule changes within five business days after learning of the rule change The Bidder/partner must assist the Commonwealth and its merchant community with the resolution of issues resulting from any alleged violations of the PCI Data Security Standard requirements Bidder Name: Lighthouse Computer Services, Inc.Page 29 of 34 RESPONSE SUBMITTED FOR RFR NUMBER: CTRPCI2007 TITLE: PAYMENT CARD INDUSTRY (PCI) DATA SECURITY STANDARDS (DSS) COMPLIANCE ANSWER: C.3-1): Core staff will be provided with onsite training, at no cost, for one full day Webbased “refreshers”, informational training regarding new releases, and telephone based Q/A is also provided at no cost Qualys offers free live QualysGuard certification training at many major cities in the United States and Europe The certification class schedule can be viewed at the following link: http://www.qualys.com/support/training/TCP/ All new users of Qualys starting after the initial adoption 
period may also receive no-cost training via live, web-based service C.3-2): LCS will provide support via phone and email Qualys Support tools are interconnected with Qualys Engineering tools to ensure prompt resolution of open tickets There are no costs associated with these calls or emails, all regions for the Commonwealth merchants are covered C.3-3): LCS will provide technical support to the Office, to the State Comptroller and its entities, via toll-free telephone during normal business hours, Monday through Friday and via email 24/7 C.3-4): In the case that PCI rule changes, these will informed in a timely manner, five business days after the rule change Guidance to be compliant with new rules will be provided to the Office to the State Comptroller and its entities For scan services, the Qualys product supports online updates of any new changes C.3-5): Any issue identified, as open items for Consulting services and vulnerabilities identified for scan services, that are in violation of the PCI Data security Standard will be presented to the Office to the State Comptroller and the entity, with recommendations intended to solve the issue and allow compliance with PCI requirements Bidder Name: Lighthouse Computer Services, Inc.Page 30 of 34 RESPONSE SUBMITTED FOR RFR NUMBER: CTRPCI2007 TITLE: PAYMENT CARD INDUSTRY (PCI) DATA SECURITY STANDARDS (DSS) COMPLIANCE C.4 In addition to what has been identified in the Work Plan, describe what additional information, documents, data, staff assistance, facilities or other resources you would require from the Commonwealth to complete your work and declare any other critical assumptions upon which your work plan is based ANSWER: For Consulting services, LCS assumes that data cardholder information is maintained in only one network per entity For additional networks with data cardholder information, the scope of the compliance assessment will be increased in 20 hours No shared hosting provider is included in this scope C.5 
Describe any related value-added services that would be advantageous to the Commonwealth Include any value-added services, specialties, enhanced reporting, cost-effective fees and services, experience, employee training, etc that you feel sets your company apart ANSWER: LCS personnel have more than 10 years experience in security evaluations, all CISA certified Janus is the oldest independent information security company in the nation, providing commercial, government and not-for-profit clients with leading edge information security solutions QualysGuard PCI is delivered as an on Demand Web application, it requires no software to deploy or manage, significantly reducing the total cost of ownership Qualys’ Six Sigma quality program drives the most accurate security scans in the industry PCI DSS-defined vulnerabilities are continuously kept up to date 24x7x365 live customer support C.6 Describe in full the security that you have in place to safeguard the confidentiality of Commonwealth data and systems With certain merchant Departments, access to data and systems is prohibited by state and federal law Personnel conducting performance may be required to sign confidentiality agreements and undergo a CORI Criminal Offender Report Bidder Name: Lighthouse Computer Services, Inc.Page 31 of 34 RESPONSE SUBMITTED FOR RFR NUMBER: CTRPCI2007 TITLE: PAYMENT CARD INDUSTRY (PCI) DATA SECURITY STANDARDS (DSS) COMPLIANCE ANSWER: For Consulting services see section B2.d above For Scanning services, the information collected and stored is encrypted in AES 128 and is not accessible by Qualys personnel as the encryption is based on a hash of an individual’s username and password and data in transit is encrypted via SSLv3 128 bit encryption Qualys maintains two primary Qualys Secure Operations Centers (SOCs) The SOCs are located in Santa Clara, USA and Frankfurt, Germany The Santa Clara, USA data center undergoes annual 3rd party SAS70 certification The Frankfurt, Germany data center is 
audited under BS 7799 All Qualys machines and racks are secured in a locked, private vault that requires the use of a badge and biometric authentication for access Only customer-authorized personnel have any logical access to their own vulnerability scan data For all personnel involved in this project, criminal background checks have been performed and no exceptions were found If is required, confidentiality agreements will be signed and Criminal Offender Report can be completed RFR RESPONSE PART D– REQUIRED ATTACHMENTS All Required Response attachments are listed in the “Forms and Terms” tab for this RFR on Comm-PASS If the Action is “yes” and the “Action Description” requires “Review, Complete and Return with RFR”, the Attachment must be completed, printed, signed if necessary and returned with this Response See also: Guidance for Vendors The Attachments not have to be submitted in any specific order Attachments must be attached in this Section of the Response for printed or photocopied submissions only For Electronic CDs copies, the Attachments are not included Certificate of Good Standing Please be advised that any Bidder selected for a contract must obtain a Certificate of Good Standing from the Department of Revenue as part of Contract Execution Additional Information about this Certificate may be found at: https://wfb.dor.state.ma.us/webfile/Certificate/Public/WebForms/Help/LearnMore.aspx and http://www.dor.state.ma.us/rul_reg/AdminProcedure/AP613.htm Bidder Name: Lighthouse Computer Services, Inc.Page 32 of 34 RESPONSE SUBMITTED FOR RFR NUMBER: CTRPCI2007 TITLE: PAYMENT CARD INDUSTRY (PCI) DATA SECURITY STANDARDS (DSS) COMPLIANCE RFR RESPONSE PART E - COST RESPONSE Bidders must provide a cost schedule that provides the most cost effective pricing for the Commonwealth for both consulting and scanning services Pricing must be identified for each fiscal year of the contract (FY 2008 – ending June 30, 2008, and FY 2009 ending FY 2009) Bidders must provide 
schedule that includes volume discounts based upon the number of Department merchants that participate in purchasing services Departments are required to encumber funds to cover the total cost of an engagement Therefore, hourly rates must be Composite Blended hourly rates that include all related fringe benefit costs and profit All other direct, clerical, administration, indirect, overhead and incidental costs, such as travel, accommodations, meals, non-deliverable related printing, equipment, and supplies must also be included in the blended rate and may not be separately billed Describe how the pricing for an engagement is calculated How should the Commonwealth structure engagements to be most cost effective? Contractor Name: Lighthouse Computer Services VC0000389868 Contact: Timothy Bernard Telephone: (508) 254-2804 Email Address: tbernard@lighthousecs.com Fax: (401) 334-0719 Web: www.lighthouseCS.com The following is a standard price list Prices and packages are subject to negotiation with each Department and will depend upon the Department’s payment application and negotiated PCI Quote Form/SOW Pre-Assessment Package Cost is $2600 • Review of network diagram • PCI Consulting assistance • Pre-SAQ readiness (recommendations) • Quarterly scans (review, SAQ recommendation, IP) • Recommendations (if apply) in order to be compliant ***All remediation is handled outside the scope of this package… Annual Assessment Package Cost is $2600 • PCI consulting assistance • Review of network diagram • SAQ Report • Quarterly Scans (review, SAQ, IP) Bidder Name: Lighthouse Computer Services, Inc.Page 33 of 34 RESPONSE SUBMITTED FOR RFR NUMBER: CTRPCI2007 TITLE: PAYMENT CARD INDUSTRY (PCI) DATA SECURITY STANDARDS (DSS) COMPLIANCE • Offering the previous package (recommendations) and the SAQ report ready to go after implementation of recommendations (If any) ***All remediation is handled outside the scope of this package… Annual Penetration Testing (PCI requirement cite Cost per 
External IP Addresses - 1- IP ( Cost $372) Between 4-249 IPs the cost is $19 per each additional IP Over >249 IPs the cost is $12 per each additional IP Security Consulting/PCI Consulting assistance is $150 an hour/ recommend block of hours agreement Pricing will depend on the scope of the vulnerability assessment and penetration test/scan, network environment and number of internal/external IPs Wireless Scans $150 an hour block of hours agreement Pricing will depend on the scope of the vulnerability assessment and penetration test/scan, network environment and number of internal/external IPs Bidder Name: Lighthouse Computer Services, Inc.Page 34 of 34

Posted: 20/10/2022, 03:09

Table of contents

    Deadline for Submission: Submit Responses by mail, hand delivery by the submission date listed in the RFR, or as amended, to:

    RFR RESPONSE PART A

    BIDDER AUTHORIZED CONTACT, INTRODUCTION AND CERTIFICATIONS

    RFR RESPONSE PART B - BIDDER QUALIFICATIONS

    d) A short firm history

    e) State the location of the office(s) from which the work is to be managed and the location from which the work will be performed and the number of principals/ partners, managers, supervisors, or other seniors and professional staff employed at the office

    Description and date(s) of services provided:

    RFR RESPONSE PART C – SCOPE OF PERFORMANCE

    A. Consulting services for CTR on a statewide basis to ensure that the Commonwealth as a whole is PCI compliant, that high risk areas are identified, and what the Commonwealth needs to do to ensure on-going PCI compliance

    1) Describe what tasks / work is to be performed by your company. What would CTR be asked to do to facilitate your normal business process?
