IT services: consulting, software development, Internet and support | Tenderlake


Contract Value:
EUR 15M - 15M
Notice Type:
Contract Notice
Published Date:
20 December 2022
Closing Date:
26 January 2023
Location(s):
FI SUOMI / FINLAND (FI Finland/SUOMI / FINLAND)
Description:
HSL: Procurement of cybersecurity expert services

The target of HSL's ("Client") procurement is expert services in various areas of information security and data protection, "Cyber Security Expert Services".

The purpose of the procurement is to conclude a framework agreement on the procurement of cybersecurity expert services with several service providers and thus ensure sufficient resources to produce HSL's expert work related to information security and data protection.

The aim of procurement is to form a framework agreement from which individual experts or entire teams can be procured in an agile manner.

The expert tasks to be procured under a framework agreement that may result from this procurement procedure may consist of a wide range of definition, planning and implementation of different aspects of procurement, as well as audits/evaluations. These tasks can target both the maintenance and development of internal cybersecurity as well as projects.

The work is carried out under the guidance of HSL's information security and data protection process and in cooperation with IT and business units, as well as other service providers and stakeholders.

The teams may consist partly or entirely of the service provider's experts with different allocations and responsibilities. The composition of the teams will be specified on a case-by-case and need-by-case basis. The responsibility for the solutions, both functionally and technically, lies with the entire team.

The framework agreement does not have a lower limit in euros for the size or invoicing of projects, so the size of projects/assignments can vary significantly. The contract procedure of the framework agreement is set out in the procurement documents.

The framework agreement covers the following areas of activity and/or processes:

• Administrative information security

• Technical information security

• PCI DSS (Payment Card Industry Data Security Standard)

• Data protection

The acquisition is divided into parts. The information on the parts is further specified in the procurement documents. A single tenderer may be awarded all the lots. Not all parts have to be offered.

The contracting entity has set suitability requirements for tenderers. The contracting entity has set requirements for the service and the experience and competence of the experts acquired through it.

The procedure will be conducted in Finnish. The documents are available in Finnish.

No compensation shall be paid for participation in the proceedings.

Questions about the procurement and the offer can only be submitted through the Offer Service. IT questions concerning the use of the offer service (incl. the provider's user and contact information in the system) must be directed to Cloudia support.

Administrative information security

HSL's information security management system (ISMS) has been implemented on the basis of ISO/IEC 27001:2013.

The procurement of this part focuses on the Supplier's administrative information security expert services, which can be used to design, implement, evaluate and develop secure products and services for HSL's users on a risk-based basis.

The range of administrative information security expert services is understood broadly. The priorities for the need for and use of professional services may vary significantly during the contract period.

Typically, administrative information security expert services will relate to the following areas (but not limited to the examples presented):

· Information security audits

· Information security training

· Physical/facility security

· Continuity management (= continuity planning + recovery planning + preparedness planning)

· Information risk management

· Log management

· Access management

Administrative information security expert services are expected to cover the key general methods, standards and other frameworks for each competence area (including possible legislation).

In the case of HSL, the general key frameworks applied in information security work are, in particular, the ISO/IEC 27000 series standards, the VAHTI guidelines, emergency preparedness legislation, PCI-DSS, and the GDPR.

The tenderer and its experts are required to have experience in developing sub-area-specific processes and controls (planning and implementation).

A maximum of five (5) vendors are selected for this section.

Technical information security

HSL's information security management system (ISMS) has been implemented on the basis of ISO/IEC 27001:2013.

The target of this section is the Supplier's technical information security expert services, which can be used to plan, implement, evaluate and develop secure products and services for HSL's users on a risk-based basis.

The range of technical information security expert services is understood broadly.

The priorities for the need for and use of professional services may vary significantly during the contract period.

Typically, technical information security expert services will relate to the following areas (but not limited to the examples presented):

· Information security solutions for cloud environments

· Application development security (agile methods, waterfall model)

· Security architecture and control planning

· Encryption methods

· Database security

· Network information security management

· Data security of telecommunications

· Management of technical information risks

· Log management

· Forensics

· Security incident management

· Security testing

· Technical information security measurement/instrument clusters

· Hardware and embedded systems security

· Access control technical solutions

· Technical solutions for continuity management

The provider's technical information security expert services are expected to cover the key general methods, standards and other frameworks (including possible legislation) for each competence area.

In the case of HSL, the general key frameworks applied in information security work are, in particular, the ISO/IEC 27000 series standards, the VAHTI guidelines, emergency preparedness legislation, PCI-DSS, and the GDPR.

The provider and its experts are required to have practical knowledge of at least one of the commonly used services/service products for each of the technical information security competence areas they offer.

A maximum of five (5) vendors are selected for this section.

PCI DSS

HSL has been awarded the PCI DSS (Payment Card Industry Data Security Standard) certificate. The services provided by HSL must meet the requirements of the standard that serves as a reference framework now and in the future.

This section focuses on PCI DSS compliance professional services. The services must make it possible to design, implement, evaluate and develop products and services for HSL users that meet the requirements of the relevant PCI DSS standard on a risk-based basis.

The procurement also includes professional services related to the maintenance of the PCI DSS certificate, which will be used to support the maintenance of the certificate to meet the requirements of the new versions of the PCI DSS standard.

In terms of quality, PCI DSS professional services can cover both technical and administrative aspects of information security. The Supplier shall maintain its PCI DSS know-how throughout the contract period.

The range of expert services related to the PCI DSS standard is understood broadly.

The priorities for the need for and use of professional services may vary significantly during the contract period.

The provider's PCI DSS professional services are required to have knowledge of interfaces in relation to the key general methods, standards and other frameworks for information security (including possible legislation).

In the case of HSL, the general key frameworks applied in information security work are, in particular, the ISO/IEC 27000 series standards, the VAHTI guidelines, emergency preparedness legislation, PCI-DSS, and the GDPR.

A maximum of three (3) vendors will be selected for this section.

Data protection

In terms of data protection, the target of the procurement is HSL's data protection expert services. They can be used to support the work of HSL's data protection organisation on a risk-based basis and to design, implement, evaluate and develop products and services with good data protection for HSL users.

The range of expert services in data protection is understood broadly.

The priorities for the need for and use of professional services may vary significantly during the contract period.

Typically, data protection professional services will relate to the following areas (but not limited to the examples presented):

· Data protection consulting and legal services, such as:

· Data protection requirements in competitive tendering and public procurement

· Data protection as part of cloud services

· GDPR current state studies and development projects

· Legal support of the Data Protection Officer

· Data protection documentation

· Privacy sections of the agreements (incl. transfer or transfer agreements, international transfers)

· Cookie management and privacy

· Methods for implementing data protection by design (Privacy by design)

· Data protection risk assessments/analyses

· Impact Assessments (DPIA)

· Data protection audits

· Data protection program/process development

· Data protection management

· Development of information for data subjects

· Security breach process

· Data protection training (incl. planning the support of the Data Protection Officer and the Data Protection Specialist, and possibly training targeted at the employees of the organisation)

· Data protection mystery shopping

The provider's data protection expert services are expected to cover the key general methods, standards and other frameworks of each competence area, such as legislation and other regulatory requirements at both the national and international level.

The provider and its experts are required to have experience in developing practical solutions that implement good data protection, such as data protection controls (design and implementation).

This requires sufficient know-how from the Supplier's experts to participate in the development of processes, the development of the data protection architecture and to present risk-based proposals for solutions that support data protection for the information security and data protection process.

The person selected as the supplier must also continuously maintain their know-how, follow the development of case law and communicate with HSL's data protection organisation about the changing requirements of the data protection work environment that they have identified.

A maximum of five (5) suppliers will be selected for this section.

The Buyer:
Helsingin Seudun Liikenne - kuntayhtymä
CPV Code(s):
72000000 - IT services: consulting, software development, Internet and support
72590000 - Computer-related professional services