Municipal Employees' Annuity and Benefit Fund of Chicago

A Pension Trust Fund of the City of Chicago

Procurement Opportunities

Cybersecurity Assessment – Updated


The Municipal Employees’ Annuity and Benefit Fund of Chicago (MEABF) is inviting proposals for a Cybersecurity Assessment guided by the NIST Cybersecurity Framework. The required services are described in the Scope of Work, set forth below. Upon completion of the services, MEABF will be in a position to:

  1. Describe our current cybersecurity posture;
  2. Describe our target state for cybersecurity;
  3. Identify and prioritize opportunities for improvement within the context of a continuous and repeatable process;
  4. Assess progress toward the target state;
  5. Communicate among internal and external stakeholders about cybersecurity risk.  

MEABF’s Mission

Our mission is to provide benefits for our members by providing excellent customer service to our members and preserving the fiscal integrity and financial stability of the Fund.

Background

This Request for Proposal (“RFP”) is issued by the Municipal Employees’ Annuity and Benefit Fund of Chicago (the “MEABF” or the “Fund”) to solicit a proposal from Respondents ( “Firm” or “Respondent”), with the possibility of engaging a Respondent to provide a Cybersecurity Assessment of the MEABF’s information technology infrastructure and related systems. The Fund seeks a proposal from Respondents qualified to provide expert advice and assistance with respect to the MEABF’s information technology infrastructure. The MEABF is a statutorily created public pension plan administered pursuant to Article VIII of the Illinois Pension Code (40 ILCS 5/8‐1 et seq). The MEABF has 40 full‐time staff members and is governed by a five‐member Board of Trustees (the “Board”).

Information about the Fund’s Information Technology Infrastructure:

MEABF has about 50 employees. Our users access network resources via workstations and thin clients. Most of our servers are virtualized, and we use MS Hyper‐V to manage these servers in the Azure Cloud. We protect our data using cloud backup. All data is protected by AES‐256 encryption both in transit and in the cloud. Point‐in‐time rollbacks allow us to recover from a ransomware attack and minimize downtime during disaster recovery. Our main application servers use a client/server model; they are Pension Benefit System (PBS), Insite (imaging), and Great Plains (accounting). For email we use Microsoft 365. We use Midwest Time to handle our employees’ attendance and ADP to process their payroll. Northern Trust is the vendor we use to process our members’ benefit payments.

Our website is hosted outside our network (Siteground.com) and is maintained and supported by a managed services vendor.

The Fund also maintains and stores data regarding its participants that contains personal information that is confidential pursuant to the Illinois Personal Information Protection Act (the “Privacy Act”) and the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). Such information must be maintained on the MEABF server in compliance with the Privacy Act and HIPAA.

MEABF Pension Administration Statistics: December 31, 2021

Item                                                                  Quantity
Number of Active Members                                              32,925
Number of Retirees and Beneficiaries receiving Monthly Payments       25,863
Number of Tiers                                                       3
Number of Contributing Employers                                      7
Annual number of New Annuities (Employee, Spouse and Child)           1,433
Annual number of Disabilities (Ordinary, Duty and Occupational)       273

Scope of Work

MEABF seeks a firm to provide a proposal for a Cybersecurity Assessment, which will include providing a dedicated key individual or individuals to coordinate and oversee the assessment of all cybersecurity and physical security efforts at MEABF. The consultant will perform the following responsibilities with the goal of protecting the confidentiality and integrity of information and ensuring that the technical mechanisms for legitimate access are sound:

  • Assist with identifying and prioritizing business/mission objectives to determine the breadth and scope of systems and assets that support those objectives
  • Perform a Risk Assessment
  • Vulnerability scan of systems and devices
  • Penetration Tests and Reporting of both internal and external networks
  • Facilitate the development of a NIST Cybersecurity Framework Program
  • Establish appropriate standards and risk controls associated with the MEABF environment.
  • Create and review information security audit reports and vulnerability test results, coordinate management responses, and track action plans to address issues and risks.
  • Create and manage key cybersecurity performance indicators to gauge information risk and develop plans to reduce risk which includes creation of necessary reports.
  • Review events, alerts, and logs from security tools, including Intrusion Detection System (IDS), firewalls, VPN, vulnerability assessment tools, antivirus, etc.
  • Participate in Business Continuity and Disaster Recovery Planning and assess control adequacy.
  • Develop procedures to ensure physical safety of employees and visitors
  • Initiate, facilitate, and promote activities to foster information security awareness within the organization.

Requested Information

The Fund seeks to gather the following information from qualified Firms. Firms may also provide the Fund with any information the Firm deems relevant for the Fund to consider possible engagement with a Firm able to undertake a cybersecurity consulting assessment of the fund’s information technology infrastructure and related systems.

Firm Overview

  • Provide background on the Firm’s capabilities to provide an assessment of the risk of the Fund’s information technology infrastructure and related systems.

Services

  • Provide information on the Firm’s ability to perform the following services for the Fund:
    • Perform a complete risk assessment of the MEABF’s information technology infrastructure and related systems, including the security levels of such systems.
    • Provide a detailed report assessing the risks to the MEABF’s information technology infrastructure and related software, including recommended actions to mitigate identified risks.
    • Provide information technology and cyber security policy recommendations to the MEABF.
    • Provide business continuity and disaster recovery plan recommendations to the MEABF.
    • Develop the MEABF Cybersecurity Framework Program.
    • Provide a detailed report describing any identified gaps between the needs of office staff and the capabilities of existing infrastructure and systems.

Project Team

  • Provide an organizational chart of the proposed team, primary point of contact, and the roles and responsibilities of the team members.

Relevant Experience

  • Describe the Firm’s Cybersecurity Assessment experience for similar assignments, specifically defined benefit pension fund plan assignments.
  • Provide three references of clients for whom the Firm has performed work similar to that discussed in this RFP. Include the reference name, title, company, address, telephone number, and a description of the services provided.
  • Provide information regarding the Firm’s experience and track record of providing Cybersecurity Assessments for governmental and/or corporate clients.

Conflicts of Interest & Due Diligence

  • Please list any potential conflicts of interest the Firm may encounter.
  • Has the Firm ever been involved in a lawsuit, regulatory proceeding, or investigation in the last ten (10) years involving any services provided by the Firm?

Compensation

  • Describe the Firm’s compensation structure for the proposed services discussed in this RFP. State any special considerations with respect to billing or payment of fees and expenses that the Firm offers and that you believe would differentiate the Firm and make the Firm’s services more cost effective to the MEABF.

MWDBE Disclosures

  • It is the policy of the Fund to encourage vendor participation involving Minority Business Enterprises, Women‐owned Business Enterprises, or a Business Owned by a Person with a Disability, as such terms are defined in the Illinois Business Enterprise for Minorities, Females and Persons with Disabilities Act. Respondents should disclose the following numerical data as part of the information provided to the Fund pursuant to this RFP:
    • The number of the Firm’s staff who are (i) minority person, (ii) female, or (iii) persons with a disability;
    • The number of contracts, oral or written, that the Firm has in place for consulting services and professional and artistic services that constitute a (i) minority owned business, (ii) female owned business, or (iii) business owned by a person with a disability; and
    • The number of contracts, oral or written, that the Firm has in place for consulting services and professional and artistic services where more than 50% of services performed pursuant to a contract are performed by a (i) minority person, (ii) female, or (iii) persons with a disability but do not constitute a business owned by a minority, female, or persons with a disability.

Finalist Presentations

The MEABF may hold presentations with one or more Respondents. The presentations can be virtual or in person at the MEABF offices at 321 North Clark Street, Suite 700, Chicago, Illinois 60654, and we will try to provide the finalist Respondents with as much advance notice as possible.

Task                                         Est. Completion Date
RFP Distributed                              October 27, 2022
Questions Due                                November 14, 2022
Questions & Answers Posted                   November 16, 2022
RFP Responses Due                            November 21, 2022
Response Analysis / Finalists Selection      November 28, 2022
Finalist Presentations (if necessary)        December 2, 2022
Selection / Award Contract                   December 7, 2022

Conclusion

This RFP does not constitute an offer and should not be considered a contract with the MEABF. This RFP is solely a request for proposal from qualified Firms capable of providing a Cybersecurity Assessment of the Fund’s information technology infrastructure. The term of any future engagement will be governed by the negotiated contract or agreement with the MEABF. The Firm’s response to this RFP is to be prepared at the Firm’s sole cost and expense.

The information that a Firm submits will be subject to the Illinois Freedom of Information Act (5 ILCS 140/1 et seq.) (“FOIA”). FOIA provides generally that all records in the custody or possession of a public body are presumed to be open to inspection or copying. The MEABF will determine, in its sole discretion, whether the materials prepared in connection with this RFP are subject to public disclosure pursuant to FOIA. By submitting information pursuant to this RFP, the Firm agrees to indemnify, save, and hold the MEABF harmless from and against any and all claims arising from or relating to MEABF’s complete or partial disclosure of the Firm’s information if the MEABF determines, in its sole discretion, that such disclosure is required by law.

If a Firm is interested in providing any information to the Fund related to this RFP, please provide such information and have a representative from the Firm that is capable of binding the Firm with respect to the information provided execute where indicated below. Please email the Firm’s information to searches@meabf.org. Responses will be accepted until further notice. Any questions regarding the RFP can be submitted to searches@meabf.org. Questions and answers will be posted as additional information on the Fund’s Procurement page.