Information Technology Security and Compliance Services

RFQ A2114499R1 ‐ Broward County IT Security and Compliance Services

VENDOR NAME VENDOR NAM Prime: 3K Technologies Prime: LLC Carahsoft Subs: Managni Technology Systems, Inc. ; Corp Focal Global 1st Aujas Solution Enterprise Risk Point Information Secure IT Information Risk BreakPoint Provider: Crowe Management, Data Risk Foresite MSP Intelligence PROPOSED CATEGORY LLC Services ATT Labs Trustwave Horwath LLP Inc. LLC LLC LLC CATEGORY 1 ‐ PCI SERVICES XXXXXXX CATEGORY 2 ‐ HIPAA SERVICES XXXXXXX CATEGORY 3 ‐ IT AUDIT SERVICES XX XX XXX X CATEGORY 4 ‐ SECURITY PENETRATION TESTING XXXXXX XXXX CATEGORY 5 ‐ SECURITY INCIDENT RESPONSE XXXXXX CATEGORY 6 ‐ PUBLIC SAFETY NETWORK AND SYSTEMS AUDIT SERVICES XXX

# OF RESPONSES PROPOSED CATEGORY PER CATEGORY CATEGORY 1 ‐ PCI SERVICES 16 CATEGORY 2 ‐ HIPAA SERVICES 18 CATEGORY 3 ‐ IT AUDIT SERVICES 17 CATEGORY 4 ‐ SECURITY PENETRATION TESTING 22

CATEGORY 5 ‐ SECURITY INCIDENT RESPONSE 13 CATEGORY 6 ‐ PUBLIC SAFETY NETWORK AND SYSTEMS AUDIT SERVICES 6

Note: "X" indicates vendor responded to this category Note: Vendor did not propose team member with at least (1) of the required qualifying certifications RFQ A2114499R1 ‐ Broward County I

ME VENDOR NAME

Prime: Online Prime: Marcum Merchant Enterprises Plante & JohnsTek LLP Preservation MGT of Inc. d/b/a Moran, Inc. Sub: Services, LLC America Nettitude, Online PLLC dba Sub: 24by7 d/b/a Consulting, Inc. d/b/a Business Optiv Plante PROPOSED CATEGORY IOMAXIS Security CampusGuard LLC Nettitude Systems Security Moran Presidio CATEGORY 1 ‐ PCI SERVICES XX X XXXX CATEGORY 2 ‐ HIPAA SERVICES XXXXXXX CATEGORY 3 ‐ IT AUDIT SERVICES XX XX CATEGORY 4 ‐ SECURITY PENETRATION TESTING XX X X X X X X CATEGORY 5 ‐ SECURITY INCIDENT RESPONSE XX XX CATEGORY 6 ‐ PUBLIC SAFETY NETWORK AND S SERVICES X

PROPOSED CATEGORY CATEGORY 1 ‐ PCI SERVICES CATEGORY 2 ‐ HIPAA SERVICES CATEGORY 3 ‐ IT AUDIT SERVICES CATEGORY 4 ‐ SECURITY PENETRATION TESTING

CATEGORY 5 ‐ SECURITY INCIDENT RESPONSE CATEGORY 6 ‐ PUBLIC SAFETY NETWORK AND SYSTEMS AUDIT SERVICES

Note: "X" indicates vendor responded to this c Note: Vendor did not propose team member w RFQ A2114499R1 ‐ Broward County I

VENDOR NAME Verizon Business Network Services Inc. d/b/a SeNet SHI Verizon RSM US Securance International International Business PROPOSED CATEGORY LLP LLC Corporation Corp Services CATEGORY 1 ‐ PCI SERVICES XX CATEGORY 2 ‐ HIPAA SERVICES XX X X CATEGORY 3 ‐ IT AUDIT SERVICES XX X X X CATEGORY 4 ‐ SECURITY PENETRATION TESTING XXXX CATEGORY 5 ‐ SECURITY INCIDENT RESPONSE XX X CATEGORY 6 ‐ PUBLIC SAFETY NETWORK AND S SERVICES XX

PROPOSED CATEGORY CATEGORY 1 ‐ PCI SERVICES CATEGORY 2 ‐ HIPAA SERVICES CATEGORY 3 ‐ IT AUDIT SERVICES CATEGORY 4 ‐ SECURITY PENETRATION TESTING

CATEGORY 5 ‐ SECURITY INCIDENT RESPONSE CATEGORY 6 ‐ PUBLIC SAFETY NETWORK AND SYSTEMS AUDIT SERVICES

Note: "X" indicates vendor responded to this c Note: Vendor did not propose team member w RFQ A2114499R1 ‐ Broward County IT Security and Compliance Services Category 1 ‐ Payment Card Industry (PCI) Services

Prime: Carahsoft Technology Corp Licensing Matrix 1st Secure IT LLC ATT Solution Provider: Trustwave RESPONSIBILTY REQUIREMENTS Servers and Workers Located in the USA Attestation Form Provided ‐ PDF Pg. 120 Provided ‐ PDF Pg. 569 Provided ‐ See Page 47 AND 1. Provide proof of Approved Qualified Security Assessor (QSA) company Provided ‐ PDF Pg. 17 Provided Provided AND 2. Provide proof of a Qualified Security Assessor on staff

Provided Provided Provided Requirement Met Requirement Met Requirement Met

AND 3. Provide proof that Contractor has not been in QSA Remediation Status at any time during the past twenty‐four (24) months) Provided ‐ PDF Pg. 119 Provided Provided ‐ See PDF Pg. 46

AND 4. Provide proof that Contractor's proposed QSA primary point of contact has not been in QSA Remediation Status at any time during the past twenty‐four (24) months Provided ‐ PDF Pg. 119 Provided Provided ‐ See PDF Pg. 46

AND 5. Provide certification for at least one (1) certified QSA proposed as the County's primary point of contact (i.e. Project Lead) Provided ‐ PDF Pg. 119 Provided Provided ‐ See PDF Pg. 46

AND 6. Contractor must complete and submit the following attestation form affirming their understanding and acceptance of additional requirements pertaining to the PCI Services: ‐ Category 1 ‐ PCI Attestation Form Provided ‐ PDF Pg. 119 Provided Provided ‐ See PDF Pg. 46

FORMS Vendor Questionnaire Form Provided Provided Provided

Vendor Security Questionnaire Form Provided Provided Provided

1 10/20/2017 1:34 PM RFQ A2114499R1 ‐ Broward County IT Security and Com Category 1 ‐ Payment Card Industry (PCI) Services

Licensing Matrix Crowe Horwath LLP Enterprise Risk Management, Inc. Focal Point Data Risk LLC RESPONSIBILTY REQUIREMENTS Servers and Workers Located in the USA Attestation Form Provided ‐ See PDF Pg. 9 Provided Provided AND 1. Provide proof of Approved Qualified Security Assessor (QSA) company Provided Provided Provided AND 2. Provide proof of a Qualified Security Assessor on staff

Provided Provided Provided Requirement Met Requirement Met Requirement Met

AND 3. Provide proof that Contractor has not been in QSA Remediation Status at any time during the past twenty‐four (24) months) Provided ‐ See PDF Pg. 43 Provided Provided ‐ Pg. 3

AND 4. Provide proof that Contractor's proposed QSA primary point of contact has not been in QSA Remediation Status at any time during the past twenty‐four (24) months Provided ‐ See PDF Pg. 43 Provided Provided ‐ Pg. 3

AND 5. Provide certification for at least one (1) certified QSA proposed as the County's primary point of contact (i.e. Project Lead) Provided ‐ See PDF Pg. 43 Provided Provided ‐ Pg. 3

FORMS Vendor Questionnaire Form Provided Provided Provided

Provided Provided Provided Vendor Security Questionnaire Form

2 10/20/2017 1:34 PM RFQ A2114499R1 ‐ Broward County IT Security and Com Category 1 ‐ Payment Card Industry (PCI) Services

Prime: Marcum LLP Licensing Matrix Foresite MSP LLC Sub: 24by7 Security Merchant Preservation Services, LLC d/b/a CampusGuard RESPONSIBILTY REQUIREMENTS Servers and Workers Located in the USA Attestation Form Provided Provided Provided AND 1. Provide proof of Approved Qualified Security Assessor (QSA) company Provided Provided Provided AND 2. Provide proof of a Qualified Security Assessor on staff

Provided Provided Provided Requirement Met Requirement Met Requirement Met

AND 3. Provide proof that Contractor has not been in QSA Remediation Status at any time during the past twenty‐four (24) months) Provided Provided Provided ‐ PDF Page 501

AND 4. Provide proof that Contractor's proposed QSA primary point of contact has not been in QSA Remediation Status at any time during the past twenty‐four (24) months Provided Provided Provided ‐ PDF Page 501

AND 5. Provide certification for at least one (1) certified QSA proposed as the County's primary point of contact (i.e. Project Lead) Provided Provided Provided ‐ PDF Page 4

FORMS Vendor Questionnaire Form Provided Provided Provided

Provided Provided Provided Vendor Security Questionnaire Form

3 10/20/2017 1:34 PM RFQ A2114499R1 ‐ Broward County IT Security and Com Category 1 ‐ Payment Card Industry (PCI) Services

Licensing Matrix Nettitude, Inc. d/b/a Nettitude Online Enterprises Inc. d/b/a Online Business Systems Optiv Security Plante & Moran, PLLC dba Plante Moran RESPONSIBILTY REQUIREMENTS Servers and Workers Located in the USA Attestation Form Provided ‐ See PDF Pg. 42 Provided ‐ See PDF Pg. 309 Provided Provided AND 1. Provide proof of Approved Qualified Security Assessor (QSA) company Provided Provided Provided Provided AND 2. Provide proof of a Qualified Security Assessor on staff

Provided Provided Provided Provided Requirement Met Requirement Met Requirement Met Requirement Met

AND 3. Provide proof that Contractor has not been in QSA Remediation Status at any time during the past twenty‐four (24) months) Provided ‐ PDF Pg 41 Provided ‐ PDF Pg 14 Provided Provided ‐ PDF Pg. 16

AND 5. Provide certification for at least one (1) certified QSA proposed as the County's primary point of contact (i.e. Project Lead) Provided ‐ PDF Pg 41 Provided ‐ PDF Pg 14 Provided Provided

FORMS Vendor Questionnaire Form Provided Provided Provided Provided

Provided Provided Provided Provided Vendor Security Questionnaire Form

4 10/20/2017 1:34 PM RFQ A2114499R1 ‐ Broward County IT Security and Com Category 1 ‐ Payment Card Industry (PCI) Services

Verizon Business Network Services Licensing Matrix Presidio RSM US LLP Inc. d/b/a Verizon Business Services RESPONSIBILTY REQUIREMENTS Servers and Workers Located in the USA Attestation Form Provided Provided Provided AND 1. Provide proof of Approved Qualified Security Assessor (QSA) company Provided Provided Provided AND 2. Provide proof of a Qualified Security Assessor on staff

Provided Provided Provided Requirement Met Requirement Met Requirement Met

AND 3. Provide proof that Contractor has not been in QSA Remediation See Category 1 ‐ PCI Attestation Form Status at any time during the past twenty‐four (24) months) Provided ‐ PDF Pgs 10 ‐11 See Category 1 ‐ PCI Attestation Form

AND 4. Provide proof that Contractor's proposed QSA primary point of See Category 1 ‐ PCI Attestation Form contact has not been in QSA Remediation Status at any time during the past twenty‐four (24) months Provided ‐ PDF Pgs 10 ‐11 See Category 1 ‐ PCI Attestation Form

AND 5. Provide certification for at least one (1) certified QSA proposed as See Category 1 ‐ PCI Attestation Form the County's primary point of contact (i.e. Project Lead) Provided ‐ PDF Pg 11 See Category 1 ‐ PCI Attestation Form

FORMS Vendor Questionnaire Form Provided Provided Provided

Provided Provided Provided Vendor Security Questionnaire Form

5 10/20/2017 1:34 PM RFQ A2114499R1 ‐ Broward County IT Security and Compliance Services Category 1 ‐ Payment Card Industry (PCI) Services

Prime: Carahsoft Technology Corp Licensing Matrix 1st Secure IT LLC ATT Solution Provider: Trustwave EVALUATION CRITERIA 1. Ability of Professional Personnel: a. Describe the qualifications and relevant experience of the Project See PDF Pg. 138. Resumes ‐ See PDF Pgs. 145 ‐ 154. See PDF Pgs. 453 ‐ 458 Manager and all key staff that are intended to be assigned to services Mark Akins, PCI QSA, CISSP, CISA, 24+ years experience See PDF Pg. 9 performed within this category. Include resumes for the Project Alberto Espana, CISM, PCI‐QSA, 30+ years experience "CONFIDENTIAL" Trustwave knows the ins and outs of risk. Additionally, we want you to understand risk, Manager and all key staff described. Orencio Cardenas, MCSA, MCSE, CISSP, 20+ years experiences too. Our Global Compliance and Risk Services team serves as trusted advisors who operate Alan Kakareka, CISSP, GSEC, CEH, LPT, 20+ years in IT; 13+ years in IT Security Pgs 418‐568 AT&T Proprietary: The information contained herein is for use by alongside your internal team. Our Global Compliance and Risk Services staff is comprised of Abelardo Rodrigues, PCI QSA, CISSP, CISA, 24+ years experience authorized persons only and is not for general distribution. Qualified Security Assessors (QSAs) and our consultants hold various other industry certifications including CISSP, CISM, and CISA certifications, among others. The team averages more than eight years of experience in IT security, information security as well as extensive compliance, audit and consulting expertise. The Global Compliance and Risk Services team (GCRS) is backed by our SpiderLabs team to keep you ahead of the latest threats and is also sponsored by a Senior Compliance Support Analyst to ensure your project runs smoothly. We will customize your engagement, assess what is unique about your business challenges and scale with your business needs.

b. List any other relevant Security and Compliance Industry See PDF Pg. 138 CONFIDENTIAL See PDF Pg. 9 certifications, such as a PCI Forensic Investigator (PFI), that the Project Mark Akins, PCI QSA, CISSP, CISA, 24+ years experience Please see the representative biographies embedded below, which includes the typical Manager and key staff described may have. Include copies of Alberto Espana, CISM, PCI‐QSA, 30+ years experience Pgs 35: certifications held by the resources who may be assigned to your project. certificates, if applicable. Orencio Cardenas, MCSA, MCSE, CISSP, 20+ years experiences Non‐Disclosure Statement "The information in this document is AT&T Corp. Alan Kakareka, CISSP, GSEC, CEH, LPT, 20+ years in IT; 13+ years in IT Security Confidential, and cannot be reproduced or redistributed in any way, shape, or form Abelardo Rodrigues, PCI QSA, CISSP, CISA, 24+ years experience without prior written consent from AT&T Corp. © Copyright 2017 AT&T Corp. AT&T Corp., the AT&T Corp. logo, and all other trademarks, service marks, and designs are See PDF Pg. 139 registered or unregistered trademarks of AT&T Corp. Intellectual Property and/or 1st Secure IT is an Active QSA Company and status can be looked up on the PCI AT&T Corp. affiliated council's website. companies."

Pgs 36‐ 223: "AT&T Consulting Proprietary and Confidential Information"

Pgs 418‐568 AT&T Proprietary: The information contained herein is for use by authorized persons only and is not for general distribution.

2. Project Approach:

6 10/20/2017 1:34 PM RFQ A2114499R1 ‐ Broward County IT Security and Com Category 1 ‐ Payment Card Industry (PCI) Services

Licensing Matrix Crowe Horwath LLP Enterprise Risk Management, Inc. Focal Point Data Risk LLC EVALUATION CRITERIA 1. Ability of Professional Personnel: a. Describe the qualifications and relevant experience of the Project See PDF Pgs. 29 ‐ 30. Appendix A ‐ Resumes (PDF Pgs. 39 ‐ 41). Appendix B ‐ Relevant Certifications See PDF Pgs. 8 ‐ 20 See PDF Pgs. 11 ‐ 12 Manager and all key staff that are intended to be assigned to services (PDF Pgs. 44 ‐ 45). Silka M. Gonzalez, CPA, CISSP, CISM, CISA, CITP, CRISC, 30+ years Andrew Cannata – Principal, QSA, CISSP, CISM, 25+ years experience performed within this category. Include resumes for the Project Craig D. Sullivan, CPA, CISA, QSA, Partner, 32+ years experience experience Christie Verscharen – Principal, QSA, CISSP, CISA. Christie leads Focal Point’s Manager and all key staff described. Jeffrey A. Palgon, CPA, CISSP, CISM, CISA, Senior Manager Esteban Orlando Farao, CISSP, CISA, CISO, CRISC, CEH, QSA, and PCI and Risk Services practice. Christie has 15 years of information security Sean F. McAloon, CISA, Manager PCIP.PCI QSA, 20+ years experience and technology advisory work experience. Christopher Steven Sanchez, Information Security Consultant, Derek Parks – Director, QSA, CISSP, CISA, CBCP. Derek has a significant Extensive experience completing penetration testing amount of experience delivering and leading Sarbanes‐Oxley, PCI, IT risk Maria Rogers, CEH, CCFE, Extensive experience in software testing assessment, IT governance policy, and disaster recovery and business and Digital Forensics continuity assessment engagements. Animesh Srivastava, Extensive experience competing regulatory Jim Flannery – Director, QSA, CISSP, CISA. Jim is a Director in Focal Point’s compliance assessments security practice. Brett Phillips – Director, QSA, CISSP, CISA. During his time with Focal Point, Brett has focused on several service offerings, including PCI, Sarbanes‐ Oxley/IT audit, SAP security, business continuity, business process redesign, and IT risk assessments. Terry Bristow – Manager, QSA, CISM. Terry is a Manager in Focal Point’s Information Security Risk Advisory Services practice. Adam Cotto – Manager, QSA, CISSP. Adam has performed PCI, IT risk assessments, and disaster recovery and business continuity assessment... Chris Thompson – Manager, QSA, CISSP, CCNA. Chris has focused on conducting PCI assessments, firewall and router rule set reviews.....

b. List any other relevant Security and Compliance Industry See PDF Pgs. 29 ‐ 30. Appendix A ‐ Resumes. Appendix B ‐ Relevant Certifications. See PDF Pgs. 8 ‐ 20 See PDF Pgs. 11 ‐ 12 certifications, such as a PCI Forensic Investigator (PFI), that the Project Craig D. Sullivan, CPA, CISA, QSA, Partner, 32+ years experience Silka M. Gonzalez, CPA, CISSP, CISM, CISA, CITP, CRISC, 30+ years Andrew Cannata – Principal, QSA, CISSP, CISM, 25+ years experience Manager and key staff described may have. Include copies of Jeffrey A. Palgon, CPA, CISSP, CISM, CISA, Senior Manager experience Christie Verscharen – Principal, QSA, CISSP, CISA. Christie leads Focal Point’s certificates, if applicable. Sean F. McAloon, CISA, Manager Esteban Orlando Farao, CISSP, CISA, CISO, CRISC, CEH, QSA, and PCI and Risk Services practice. Christie has 15 years of information security PCIP.PCI QSA, 20+ years experience and technology advisory work experience. Christopher Steven Sanchez, Information Security Consultant, Derek Parks – Director, QSA, CISSP, CISA, CBCP. Derek has a significant Extensive experience completing penetration testing amount of experience delivering and leading Sarbanes‐Oxley, PCI, IT risk Maria Rogers, CEH, CCFE, Extensive experience in software testing assessment, IT governance policy, and disaster recovery and business and Digital Forensics continuity assessment engagements. Animesh Srivastava, Extensive experience competing regulatory Jim Flannery – Director, QSA, CISSP, CISA. Jim is a Director in Focal Point’s compliance assessments security practice. Brett Phillips – Director, QSA, CISSP, CISA. During his time with Focal Point, Brett has focused on several service offerings, including PCI, Sarbanes‐Oxley/IT audit, SAP security, business continuity, business process redesign, and IT risk assessments. Terry Bristow – Manager, QSA, CISM. Terry is a Manager in Focal Point’s Information Security Risk Advisory Services practice. Adam Cotto – Manager, QSA, CISSP. Adam has performed PCI, IT risk assessments, and disaster recovery and business continuity assessment... Chris Thompson – Manager, QSA, CISSP, CCNA. Chris has focused on conducting PCI assessments, firewall and router rule set reviews.....

2. Project Approach:

7 10/20/2017 1:34 PM RFQ A2114499R1 ‐ Broward County IT Security and Com Category 1 ‐ Payment Card Industry (PCI) Services

Prime: Marcum LLP Licensing Matrix Foresite MSP LLC Sub: 24by7 Security Merchant Preservation Services, LLC d/b/a CampusGuard EVALUATION CRITERIA 1. Ability of Professional Personnel: a. Describe the qualifications and relevant experience of the Project See Bios ‐ Jason L, Specialities: Compliance and Network Security, 20+ See PDF Pg. 5 See PDF Pgs 482 ‐ 483. Manager and all key staff that are intended to be assigned to services years experience, QSA PCI, PA QSA, PCIP PCI, SANS GIAC GSNA, GCIH, Marcum LLP is a Qualified Security Assessor (QSA) Company. Furthermore, three performed within this category. Include resumes for the Project GPEN of the team members assigned to this engagement are QSA employees at Edward (Ed) Ko, QSA Manager, Multi Campus PCI Experience, Information Privacy, Manager and all key staff described. Thomas A, Specialities, Compliance and Network Security, 15+ years Marcum. Each member has significant technology experience and has assisted Network Analysis, Telecommunications, 12 years in security field; 16 years in experience, QSA PCI, CISSP, HCISSP companies apply the provisions of Payment Card Industry Data Security Standard experience and responsibilities John W, Compliance, Network Security, and Incident Response/Digital (DSS) 3.2. Please refer to Appendix A for team profiles and relevant Judi Seguy, CRM Manager, Project Management, E‐Commerce, PCI DSS Compliance, Forensics, QSA PCI, PA QSA, CISSP certifications. General Information Technology, 8 years experience in security related field in higher Keith K, GRC, Security Architecture and Audit, 20+ years experience, education and information technology security CISSP Bradley A, Penetration Testing, 15+ years of experience, CISSP, OSCE, OSCP, CEH, SANS GIAC

b. List any other relevant Security and Compliance Industry See Bios ‐ Jason L, Specialities: Compliance and Network Security, 20+ See PDF Pg. 5 See PDF Pgs 482 ‐ 483. certifications, such as a PCI Forensic Investigator (PFI), that the Project years experience, QSA PCI, PA QSA, PCIP PCI, SANS GIAC GSNA, GCIH, For Marcum LLP’s proposed key staff, please see profiles and certificates Manager and key staff described may have. Include copies of GPEN available in Appendix A. Edward (Ed) Ko, QSA, ASV, CISSP, CPISM/A, PCIP certificates, if applicable. Thomas A, Specialities, Compliance and Network Security, 15+ years Client Service and Engagement Partner: Judi Seguy, PCIP experience, QSA PCI, CISSP, HCISSP Mark Agulnik, Partner, CPA, CISA, PCI‐QSA John W, Compliance, Network Security, and Incident Response/Digital Senior Audit Manager: Forensics, QSA PCI, PA QSA, CISSP Heather Bearfield, Principal, CISA, CISM, CRISC, PCI‐QSA Keith K, GRC, Security Architecture and Audit, 20+ years experience, Senior Manager: CISSP Robert Coro, Senior Manager, CISA, CISM, PCI‐QSA Bradley A, Penetration Testing, 15+ years of experience, CISSP, OSCE, OSCP, CEH, SANS GIAC

2. Project Approach:

8 10/20/2017 1:34 PM RFQ A2114499R1 ‐ Broward County IT Security and Com Category 1 ‐ Payment Card Industry (PCI) Services

Licensing Matrix Nettitude, Inc. d/b/a Nettitude Online Enterprises Inc. d/b/a Online Business Systems Optiv Security Plante & Moran, PLLC dba Plante Moran EVALUATION CRITERIA 1. Ability of Professional Personnel: a. Describe the qualifications and relevant experience of the Project See PDF Pg. 5. See PDF Pgs. 6 ‐ 7. See PDF Pg. 232 See PDF Pgs 7 ‐ 8. Manager and all key staff that are intended to be assigned to services Shai Canaan, Senior Security Consultant, 15+ years experience, PCI QSA, PA QSA, Steve Levinson (VP, Risk Security & Privacy Consulting), 25+ years The security, privacy and business concerns of our clients‐both Scott Petree, Principal, 16+ years experience performed within this category. Include resumes for the Project ISO 27001 Lead Auditor, Certified Information Systems Auditor (CISA), Certified experience, CISSP current and past‐are of the highest priority. Kyle Miller, Manager, 9+ years experience Manager and all key staff described. Information Systems Security Professional Rob Harvey, Director of Online's Risk, Security & Privacy Consulting As such, we must respectfully decline to provide specific Bob Funke, Manager, 25+ years experience (CISSP), Certified in Risk and Information Systems Control (CRISC) Practice, 12+ years experience contact names and details for potential references at this Ben Rothke, Senior Security Consultant, PCI QSA, Certified Information Security Mark Hannah, PCI Practice Lead, Sr. Consultant, 8 years experience stage. However, a number of our clients from recent Manager (CISM), Certified in the Governance of the Enterprise IT (CGEIT), Greg High, Principal Consultant, CISSP, CISM, 8+ years experience engagements would be willing to entertain an informal Certified Information Systems Auditor (CISA), Certified in Risk and Information conversation with their peers to discuss their use of the Systems Control (CRISC), Certified Information Systems Security Professional products and services they were provided which we can help (CISSP) facilitate at the appropriate time.

b. List any other relevant Security and Compliance Industry See PDF Pg. 5. See PDF Pgs. 6 ‐ 7. See PDF Pg. 232 See PDF Pgs 7 ‐ 8. certifications, such as a PCI Forensic Investigator (PFI), that the Project Shai Canaan, Senior Security Consultant, 15+ years experience, PCI QSA, PA QSA, Steve Levinson (VP, Risk Security & Privacy Consulting), 25+ years The security, privacy and business concerns of our clients‐both Scott Petree, CPA, CISA, CFE, QSA Manager and key staff described may have. Include copies of ISO 27001 Lead Auditor, Certified Information Systems Auditor (CISA), Certified experience, CISSP current and past‐are of the highest priority. Kyle Miller, CISA, QSA, CCSFP certificates, if applicable. Information Systems Security Professional Rob Harvey, Director of Online's Risk, Security & Privacy Consulting As such, we must respectfully decline to provide specific Bob Funke, MBA, CISA, QSA (CISSP), Certified in Risk and Information Systems Control (CRISC) Practice, 12+ years experience contact names and details for potential references at this Ben Rothke, Senior Security Consultant, PCI QSA, Certified Information Security Mark Hannah, PCI Practice Lead, Sr. Consultant, 8 years experience stage. However, a number of our clients from recent Manager (CISM), Certified in the Governance of the Enterprise IT (CGEIT), Greg High, Principal Consultant, CISSP, CISM, 8+ years experience engagements would be willing to entertain an informal Certified Information Systems Auditor (CISA), Certified in Risk and Information In addition to Certified QSA certifications, Online’s Risk, Security and conversation with their peers to discuss their use of the Systems Control (CRISC), Certified Information Systems Security Professional Privacy consultants hold certifications such as CISSP, CCSP, CIPP, CRISC, products and services they were provided which we can help (CISSP) PCI QSA, PCI‐P, and CISA to name only a few. facilitate at the appropriate time.

2. Project Approach:

9 10/20/2017 1:34 PM RFQ A2114499R1 ‐ Broward County IT Security and Com Category 1 ‐ Payment Card Industry (PCI) Services

Verizon Business Network Services Licensing Matrix Presidio RSM US LLP Inc. d/b/a Verizon Business Services EVALUATION CRITERIA 1. Ability of Professional Personnel: a. Describe the qualifications and relevant experience of the Project Resumes See PDF Pgs 75 ‐ 89. The following table describes the qualifications of the proposed team, Pgs. 12‐15 Manager and all key staff that are intended to be assigned to services See PDF Pg 14. their roles and the value they will bring to the County. Detailed 1) Verizon performs around 1100 QSA performed within this category. Include resumes for the Project Presidio Cyber Security Project Managers are biographies containing each team member’s formal education and assessments each year, including readiness Manager and all key staff described. responsible for managing all cyber security projects, professional affiliations, are included in the Team resumes section assessments, as well as investigating 100 cases including: Payment Card Industry Data Security located in the Appendix of this proposal. per year for payment card related incidents. Standard (PCI DSS), Health Insurance Portability and Alan Guiterrez‐Arana, Director, Security, Privacy, and Risk Services, 20+ 2) We specialize in complex assessments that Accountability Act (HIPAA), IT Audit Services, Security years experience span multiple countries with different Penetration testing, and architecture consulting. Kerry Erickson, Manager, Security, Privacy and Risk Services; Lead QSA geopolitical, legal, and regulatory frameworks. Presidio’s project managers and key staff have an and Project Manager 3) Prior to the formal creation of the PCI SSC, extensive list of industry certifications that include Rex Johnson, Director, Security, Privacy and Risk Services; Lead field Verizon was a preferred vendor delivering Visa CISSP, CISA, CISM, CRISC, OSCP, GPEN, GWAPT, work QSA CISP security assessments as well as security G2700, CEH, ITIL Practitioner and ITIL (v3). In assessments for MasterCard’s SDP and addition, Presidio has 1,600 engineers on the backend American Express’ DSOP cardholder data that provide architecture design and implementation security programs, going back to 1999. services. Presidio includes resumes for the Project 4) As one of the first QSA companies, our Manager and key staff in Attachment A. practice has strong, long‐standing relationships Presidio has been providing PCI DSS QSA services with all the payment card brands and we since September 2013. participate on virtually every PCI SSC Special Interest Group. We have performed PCI DSS assessments for the card companies directly: Visa USA, Visa Canada, Visa France, MasterCard France, and MasterCard International and contributed to payment card program development over the years. 5) Our assessors are highly experienced, often industry thought‐leaders and maintain an array of security industry certifications including the b. List any other relevant Security and Compliance Industry Resumes See PDF Pgs 75 ‐ 89. Alan Guiterrez‐Arana ‐ Certified Information Systems Auditor (CISA); As wellfd as af leading global Qualified Security certifications, such as a PCI Forensic Investigator (PFI), that the Project See PDF Pgs 14 ‐ 15 Certified in Risk and Information Systems Controls (CRISC); Qualified Assessor (QSA), Payment Application Qualified Manager and key staff described may have. Include copies of Presidio brings Broward County our broad skill set Security Assessor (QSA); PCI Payment Card Professional (PCIP) Security Assessor (PA‐QSA), and Qualified certificates, if applicable. and depth of experience. Our security engineering Kerry Erickson ‐ PCI Payment Card Professional (PCIP); Certified Security Assessor Point‐to‐Point Encryption team is composed of Certified Information System Information Systems Auditor (CISA); Qualified Security Assessor (QSA) (P2PE) company, we are one of few qualified Security Professionals (CISSPs), Certification and Rex Johnson ‐ PCI Qualified Security Assessor (QSA); Certified PCI Forensic Investigators (PFI) for Visa and Accreditation Professionals (CAPs), InfoSec Information Systems Auditor (CISA); Certified Information Systems MasterCard. Our assessors are highly Assessment Methodology (IAM) professionals, Security Professional (CISSP); Certified Information Privacy Technologist experienced, often industry thought‐leaders Certified Ethical Hackers (CEHs), and Certified (CIPT); Project Management Professional (PMP) and maintain an array of security industry Information Security Managers(CISMs). This highly certifications including the Certified Information trained and experienced group has completed many Systems Security Professional (CISSP), Certified Vulnerability Risk Assessment (VRA) and Security Information Systems Auditor (CISA), Certified Certification and Accreditation (C&A) projects, tests, Information Security Manager (CISM), and evaluations, and related services. Exhibit 5 illustrates Certified Ethical Hacker (CEH). Presidio’s Security Certifications.

2. Project Approach:

10 10/20/2017 1:34 PM RFQ A2114499R1 ‐ Broward County IT Security and Compliance Services Category 1 ‐ Payment Card Industry (PCI) Services

Prime: Carahsoft Technology Corp Licensing Matrix 1st Secure IT LLC ATT Solution Provider: Trustwave a. Describe the prime Vendor’s approach to performing similar work in See PDF Pg. 140 ‐ 142. See PDF Pgs. 459 ‐ 466 See PDF Pg. 9 ‐ 13. this Category. IMPLEMENTATION ROADMAP AND TIMING Trustwave provides a comprehensive portfolio that can help organizations of any size The Payment Card Industry Data Security Standards (PCI DSS) includes 12 CONFIDENTIAL respond to PCI regulations. We are ideally suited to help support a compliance program Requirement sections in which centered on the administrative, physical and technical requirements of PCI. Trustwave has several sub‐requirements are within each main requirement. Overall, there are Pgs 35: a number of PCI related services available to Broward County. Trustwave can provide a full approximately 300+ Non‐Disclosure Statement "The information in this document is AT&T Corp. over‐arching Compliance Validation Service, specifically designed for customers needing to individual requirements that must be met to be considered “PCI Certified”. The Confidential, and cannot be reproduced or redistributed in any way, shape, or form supply a ROC (Report on Compliance), as well as PCI Readiness Subject Matter Expert PCI DSS address all areas of operations to ensure the protection of cardholder without prior written consent from AT&T Corp. © Copyright 2017 AT&T Corp. AT&T Consulting, PCI Readiness Workshops, PCI Gap Assessments, Remediation Consulting, P2PE data. Therefore, a significant effort is required by all departments within an Corp., the AT&T Corp. logo, and all other trademarks, service marks, and designs are Solution Assessments, PA‐DSS Compliance Consulting, as well as ad‐hoc PCI Consulting organization to establish and maintain a PCI DSS certified environment. Here’s a registered or unregistered trademarks of AT&T Corp. Intellectual Property and/or hours. A brief description of each of the offerings are listed below, as well as a sample high level overview of the standard: 1st Secure IT has a repeatable and proven AT&T Corp. affiliated project plan approach. methodology for helping our clients achieve PCI DSS companies." Compliance. On Page 10 of the PCI Data Security Standard it states “The first step of a PCI DSS assessment is to accurately determine the scope of the Pgs 36‐ 223: review..... "AT&T Consulting Proprietary and Confidential Information"

Pgs 418‐568 AT&T Proprietary: The information contained herein is for use by authorized persons only and is not for general distribution.

11 10/20/2017 1:34 PM RFQ A2114499R1 ‐ Broward County IT Security and Com Category 1 ‐ Payment Card Industry (PCI) Services

Licensing Matrix Crowe Horwath LLP Enterprise Risk Management, Inc. Focal Point Data Risk LLC a. Describe the prime Vendor’s approach to performing similar work in See PDF Pgs. 31 ‐ 33 See PDF Pgs. 21 ‐ 22 Planning and Project Administration this Category. PCI Data Security Assessment a. Approach Kick‐off – Fieldwork will begin with an initial Broward/Focal Point team kick‐ It is our understanding that it is the goal of the County is to engage a firm for services related to A review of the project’s objectives, scope, scheduled activities, off meeting. This meeting will communicate the scope and objectives of the PCI compliance, such as PCI auditing, web application assessment from Approved Scanning assumptions and or possible constraints will be reviewed with client engagement to internal Vendors (ASV), risk assessment, remediation and consulting, gap analysis, training, credit card data key personnel and staff during a project kickoff meeting. representatives. We will also provide detailed interview and documentation breach response, evaluating Point‐to‐Point Encryption (P2PE) systems, and implementations. To PCI DSS Analysis requests lists, so that we may perform our procedures as efficiently as help the County achieve its goals, we have outlined the following approach. ERM will perform a thorough PCI DSS analysis to identify the client possible once on‐site. Scoping organization’s preparedness levels to Status Reporting – Throughout the assessment period, we will For purposes of the PCI compliance assessment, the scope is defined to include all people, comply with PCI DSS requirements. ERM will audit the client’s communicate with management through semi‐monthly status reporting as processes, and systems (defined as network components, servers, or applications) that store, cardholder environment against the PCI to the progress made against our baseline project process, or transmit card data and are included in or connected to the cardholder data DSS listed requirements... plan. environment. This includes any system that could affect the security of cardholder data. The Project Close Meeting – We will conduct a formal project close meeting scoping portion of the assessment will determine the systems, processes, and people involved in with the Broward team to discuss lessons learned and areas for the processing of payment card transactions through the performance of a data discovery review. improvement. During the data discovery phase, all data flows, vendors, and systems will be inventoried to ensure Quality Assurance – Focal Point employs a team‐based approach to our that appropriate policies, procedures, and controls are in place to handle security of cardholder engagements. Each team is comprised of professionals from each of our data in alignment with the PCI Data Security Standards (DSS)..... resource levels. Our professionals are trained to continuously review the quality of service and work product provided at each level. As a result, prior to release to the client, all reports and deliverables are reviewed by one of our Directors or Principals. Furthermore, throughout the course of the engagement, we will solicit feedback from our project sponsor and incorporate that feedback accordingly.....

12 10/20/2017 1:34 PM RFQ A2114499R1 ‐ Broward County IT Security and Com Category 1 ‐ Payment Card Industry (PCI) Services

Prime: Marcum LLP Licensing Matrix Foresite MSP LLC Sub: 24by7 Security Merchant Preservation Services, LLC d/b/a CampusGuard a. Describe the prime Vendor’s approach to performing similar work in See "Broward Security Services 2017" See PDF Pg. 6 See PDF Pgs 484 ‐ 496. this Category. The first step that we will apply will be to determine the scope of the review. DSS CampusGuard has developed an approach and methodology that takes into applies to all system consideration the standards of information security to include the PCI DSS, and how to components included in or connected to the cardholder data environment (CDE). apply those standards in the higher education environment. We have established a We will need to obtain proprietary gap analysis we call our Readiness Review that prepares all county an understanding of CDE, which will include determining which people, merchants and the IT organization for PCI DSS compliance. Department business processes and technologies processes and the networks that support them are analyzed for adherence to the PCI store, process, or transmit cardholder data or sensitive authentication data. DSS. Merchants and the IT organization are provided PCI awareness training. While conducting the scope CampusGuard delivers a detailed Final Findings Report and Roadmap that guides the review, we will assess whether there is segmentation, thereby reducing the institution to full compliance. Further, the PCI DSS version 3.2 presents unique scope. challenges to higher education. CampusGuard understands this environment and will Marcum’s approach will be consistent with applying PCI DSS Prioritized Approach apply its experience and knowledge to the critical PCI compliance issues and for PCI DSS 3.2 objectives at Broward County. (“Prioritized Approach”). This approach will help the County protect against the Phase 1 – Charter Meeting highest risk factors Phase 2 – Information Gathering and Review immediately while working towards compliance with PCI DSS. As noted in the Phase 3 – Onsite Review at Customer Site(s) Prioritized Approach, Phase 4 – Review Information Obtained During Onsite Visit certain benefits of applying this approach is as follows: Phase 5 – Presentation of Findings Report and Roadmap Roadmap that can be used to address risks in a priority order Phase 6 – Remediation Supports financial and operating planning Phase 7 – Attestation of Compliance Promotes objective and measurable progress indicators Phase 8 – Ongoing Advisory Services and Scanning

13 10/20/2017 1:34 PM RFQ A2114499R1 ‐ Broward County IT Security and Com Category 1 ‐ Payment Card Industry (PCI) Services

Licensing Matrix Nettitude, Inc. d/b/a Nettitude Online Enterprises Inc. d/b/a Online Business Systems Optiv Security Plante & Moran, PLLC dba Plante Moran a. Describe the prime Vendor’s approach to performing similar work in See PDF Pgs. 6 ‐ 9. See PDF Pgs. 7 ‐ 9. See PDF Pg. 232 See PDF Pgs 9 ‐ 12 this Category. This section details our strategy and approach when working with all our clients Online has developed a unique, risk‐based approach to help The security, privacy and business concerns of our clients‐both Plante Moran’s PCI DSS compliance program assists and provides the organizations implement the controls, technologies, policies, and current and past‐are of the highest priority. organizations in obtaining compliance by assessing their backdrop to our proposal. The methodology below will take Broward County procedures that align with their business, their threats, and their risk As such, we must respectfully decline to provide specific environment, providing recommendation to assist in through their PCI DSS tolerance. Online’s security professionals work from virtual offices ‐ we contact names and details for potential references at this remediating any deficiencies, and creating reporting journey from the initial stage to the ultimate goal of achieving compliance and average more than fifteen years of information security experience. stage. However, a number of our clients from recent documentation to prove the organizations compliance certification across the With our extensive business experience, at the C‐level in many cases, engagements would be willing to entertain an informal status. Our PCI DSS compliance team works with your team organization. we understand that security strategy must align with business conversation with their peers to discuss their use of the to define, and possibly reduce, your cardholder data Our Approach objectives. Online’s Risk, Security & Privacy team consists of products and services they were provided which we can help environment (CDE). This step is critical in the project as it No matter the size of your organization, our bespoke Project Management approximately 25 seasoned professionals, ten of whom are current facilitate at the appropriate time. determines the scope for all testing and compliance based methodology will help QSAs (note, we also have three penetration testers who were QSAs in requirements. you achieve and maintain your compliance objectives, applying SMART (Specific, the past). Online’s Risk, Security, and Privacy Practice focuses on Measurable, services, solutions, and subject matter expertise to provide strategic Achievable, Realistic & Time‐bound) objectives, to assist in making your end information security guidance to our clients. As a PCI Qualified Security goals more achievable. Assessor (“QSA”) Company, our QSAs are deeply experienced in the Payment Card Industry (PCI), security consulting, and information technology. Our security consultants have an average of ten years of working PCI experience, having performed hundreds of PCI assessments and gap assessments. All of our QSAs have obtained industry‐ recognized security certifications, including CISSP and CISA. Online has over forty PCI clients in the US and Canada and writes over fifty PCI ROCs a year.

14 10/20/2017 1:34 PM RFQ A2114499R1 ‐ Broward County IT Security and Com Category 1 ‐ Payment Card Industry (PCI) Services

Verizon Business Network Services Licensing Matrix Presidio RSM US LLP Inc. d/b/a Verizon Business Services a. Describe the prime Vendor’s approach to performing similar work in See PDF Pgs 15 ‐ 17 See PDF Pgs 10‐14 See Pages 15 ‐ 16. this Category. As further described below, Presidio’s approach to Our PCI approach is based on established, proven methodology that is We will deliver projects using an efficient, performing PCI work includes the following: flexible to meet the County’s specific needs. Each PCI engagement is phased methodology, which is proven through 1. Compliance Assessment kicked off with planning and scoping activities allowing us to tailor our hundreds of PCI projects delivered by Verizon 2. Initial Discovery and CDE Definition approach. The project planning and scoping phase will include the initial for organizations around the world. The 3. Current‐State Assessment processes needed to experience gained from these engagements 4. Gap Analysis complete a successful engagement, including the following specific provides us with valuable insight into the critical 5. Deliverables tasks: steps required to initiate and complete a PCI • Performing a pre‐audit kickoff meeting project in the most efficient and cost‐effective • Internal education and training of the County’s staff about the PCI manner. The defined Card Holder Data (CHD) standard, as necessary environment is assessed for compliance against • Analysis of project scope against PCI criteria and audit procedures the current PCI DSS using our three‐phased • Review of prior year’s compensating controls, as well as all controls for approach, as shown in the table below. PCI DSS • In addition, to validate the scope of the cardholder data environment, the following will be performed: − Development of an audit plan and melines with the County’s input − Discovery and analysis of all credit card acceptance channels, where applicable − Discovery and analysis of network topology and network management − Discovery and analysis of soware architecture related to storage, processing or transmission of credit card data, where applicable Discovery and analysis of applications that store, process or transmit credit card data, where applicable − Discovery and analysis of any databases related to storage, processing or transmission of credit d d h lbl

15 10/20/2017 1:34 PM RFQ A2114499R1 ‐ Broward County IT Security and Compliance Services Category 1 ‐ Payment Card Industry (PCI) Services

Prime: Carahsoft Technology Corp Licensing Matrix 1st Secure IT LLC ATT Solution Provider: Trustwave b. Number of employees, coordination efforts, servers and workers 1st Secure IT LLC has 7 employees located at their headquarters in Ft. See PDF Pg. 13. located within the USA Lauderdale, FL. They maintain 10 servers in a FTL Hosting facility. CONFIDENTIAL All employees and servers would be within the United States. Trustwave has over 900 employees in the US. Pgs 35: Non‐Disclosure Statement "The information in this document is AT&T Corp. Confidential, and cannot be reproduced or redistributed in any way, shape, or form without prior written consent from AT&T Corp. © Copyright 2017 AT&T Corp. AT&T Corp., the AT&T Corp. logo, and all other trademarks, service marks, and designs are registered or unregistered trademarks of AT&T Corp. Intellectual Property and/or AT&T Corp. affiliated companies."

Pgs 36‐ 223: "AT&T Consulting Proprietary and Confidential Information"

Pgs 418‐568 AT&T Proprietary: The information contained herein is for use by authorized persons only and is not for general distribution.

c. Describe vendor’s plan to meet key milestones and deadline dates See PDF Pgs. 141 ‐ 142. See PDF Pg. 13 ‐ 14 including communication plan. Our approach is to inform, assist and advise the assessed company each step of CONFIDENTIAL Project Phases and Methodology the way. We employ a proven project framework that will rapidly assess and The Compliance Validation Service consists of phases to ensure comprehensive and document specific PCI‐DSS challenges. Recognizing that maximizing the time Pgs 35: efficient service. Client must fulfill their obligations within each phase before progressing to allocated for this engagement is critical, the assessment framework is conducted Non‐Disclosure Statement "The information in this document is AT&T Corp. subsequent phases. Time frame and chronology are based on accurate completion of Client through scheduled work and project management sessions. The nine phases of Confidential, and cannot be reproduced or redistributed in any way, shape, or form obligations. Failure to fulfill obligations may require an addendum to this contract that will our compliance methodology are: without prior written consent from AT&T Corp. © Copyright 2017 AT&T Corp. AT&T include additional charges for any time or materials above and beyond those agreed in this Phase 1 ‐ Preliminary meeting/documentation request. This phase will review Corp., the AT&T Corp. logo, and all other trademarks, service marks, and designs are contract. service registered or unregistered trademarks of AT&T Corp. Intellectual Property and/or Phase 0: Project Initiation requirements and deliverables and it helps us to identify significant system AT&T Corp. affiliated Kickoff meeting between all designated stakeholders information that the companies." Identify key stakeholders 1st Secure IT Auditor will need to collect and analyze. Define roles and responsibilities of Client Phase 2 – Review and Assess documentation. Determine primary audit focus Pgs 36‐ 223: Agree on initial scope, including validation of segmentation, and discuss sampling and general CDE "AT&T Consulting Proprietary and Confidential Information" methodology scope. Define and agree to high‐level project plan key steps, estimates for duration, deliverables Phase 3 ‐ Discovery (interview, data discovery, Service Provider Identification) Pgs 418‐568 AT&T Proprietary: The information contained herein is for use by and during this phase authorized persons only and is not for general distribution. resource requirements we will collect data and examine all existing business processes that involve Establish communication and escalation plans for both Trustwave and Client cardholder data, Action item creation and training interview key personnel, review and analyze cardholder dataflow and network Schedule periodic (weekly, bi‐monthly, or monthly) status meetings..... topology and gather an inventory of all components that process, transmit or store cardholder data. The following chart defines the characteristics of cardholder data (CHD) and Sensitive Authentication Data (SAD)......

3. Past Performance:

16 10/20/2017 1:34 PM RFQ A2114499R1 ‐ Broward County IT Security and Com Category 1 ‐ Payment Card Industry (PCI) Services

Licensing Matrix Crowe Horwath LLP Enterprise Risk Management, Inc. Focal Point Data Risk LLC b. Number of employees, coordination efforts, servers and workers See PDF Pg. 33 See PDF Pg. 22 located within the USA Crowe Horwath has 30 team members focused on PCI, however we have a group of 175 ERM has approximately 30 full time employees. Of these Information Technology and Cybersecurity specialists that we can utilize if necessary. Crowe employees, 25 are located in the USA. Only full time employees Horwath’s PCI team is distributed across the US. located in the USA will work in these engagements. Regarding coordination efforts, Esteban Farao will be the Project Manager. He will lead a project kickoff meeting, send the information requirements, manage the project, communicate with the client project team, lead project update calls and meeting as well as delivery the final reports and presentations. All of ERM’s severs are located at the ERM’s headquarters in Coral Gables, Florida.

c. Describe vendor’s plan to meet key milestones and deadline dates See PDF Pg. 32 ‐ 33 See PDF Pg. 22‐23 including communication plan. Throughout this engagement, the Crowe Project Leader(s) will provide oral progress reports to the ERM Project Manager will develop a Project Plan which details all County. We will also schedule a formal status meeting at the end of fieldwork that will include an key milestones and deadline dates. ERM Project Manager will work outline of the procedures completed, along with a detailed list of PCI scope, any non‐compliant with the client to adjust based on client needs. The Communication requirements, any documented compensating controls, and an updated timeline for completion. Plan will be discussed and agreed to during the kick‐off call. ERM’s Any issues identified as exposing your organization's network, Internet connectivity, and security communication plans typically include weekly status updates as to imminent risk will be well as updates based on key milestones and deadlines. communicated immediately, along with recommendations for mitigating the exposure.

3. Past Performance:

17 10/20/2017 1:34 PM RFQ A2114499R1 ‐ Broward County IT Security and Com Category 1 ‐ Payment Card Industry (PCI) Services

Prime: Marcum LLP Licensing Matrix Foresite MSP LLC Sub: 24by7 Security Merchant Preservation Services, LLC d/b/a CampusGuard b. Number of employees, coordination efforts, servers and workers The consulting team has over 20 people across the US. Our servers See PDF Pg. 7 See PDF Pgs 496 ‐ 497 located within the USA are supported in SSAE18 Co‐Los As a national firm with 29 offices and approximately 1,550 professionals, we Merchant Preservation Services LLC, d/b/a CampusGuard, was established for the sole serve as a strategic alternative to the much larger firms. The partners and purpose of providing information security services for multi campus environments. We managers with whom you will develop relationships drive all major decisions, deliver professional services in the areas of PCI DSS, Red Flags, FERPA, HIPAA, GLBA, possessing both the appropriate resources and decision making authority. Our and other areas regarding protecting personally identifiable information. local firm approach provides hands‐on service and timely communication, which CampusGuard was founded in 2009 as an alternative for public sector and education will based sectors seeking apartner that has not only deep experience with information result in the County receiving the best of both worlds. Marcum has more than 20 security, but understands the complexities of applying the standards into the culture professionals dedicated to providing IT Audit and Technology Services. that separates multi campus environments from all other areas of enterprise. CampusGuard is the “doing business as” name of Merchant Preservation Services, a limited liability company. The company is certified by the PCI Security Standards Council (PCI SSC) as both a Qualified Security Assessor and Approved Scanning Vendor. The parent company, Nelnet, Inc. (NYSE: NNI) is an education planning and financing company focused on providing quality products and services to students, families, schools, and financial institutions nationwide. The company was formed in Nebraska in 1977. Built through a focus on long term organic growth and further enhanced by strategic acquisitions, the company earns its revenues from fee‐based revenues related to its diversified education finance and service operations. Our mission is to assist our clients to achieve and maintain PCI DSS compliance as well as meet other regulations and requirements currently being mandated at the federal and state levels (e.g., HIPAA and GLBA). CampusGuard provides a full range of services that are the result of our comprehensive knowledge of the PCI DSS as it applies to the multi campus environment.

c. Describe vendor’s plan to meet key milestones and deadline dates Deadlines are based objectives, current gaps, and risk based findings See PDF Pg. 7 See PDF Pg 496. including communication plan. of gaps. Phased approach to compliance can be reviewed in Broward Marcum’s initial step will be to meet with various personnel within IT and Many of our milestones and communication coordination is mentioned in section 2a Security Services 2017. All foresite services are customized to address compliance to determine the scope of our review. We will test the CDE to above but it is important to know that these milestones and coordination come from a client specific needs and can changed based on scope, level or not‐in‐ confirm our understanding of where cardholder data or sensitive authentication dedicated resource to Broward County. CampusGuard has introduced a full Customer place findings and budget. data is stored, processed or transmitted. Subsequently, we will apply each Relationship Management (CRM) team that supports our customers milestone by applying the Prioritized Approach. We plan to communicate each of throughout the entire PCI compliance project. Our CRMs are matched with the QSA our findings upon the completion of each milestone. As we meet with your key and become involved as an integral member of a customer’s PCI Team, beginning with personnel, we will work with management to lay out deadline dates for each the initial “kick‐off” and continuing through the assessment phase and ongoing Annual milestone. Support. The result is that our customers have a CampusGuard team who are familiar with their environment, issues and culture. Additionally, CampusGuard has implemented a CRM system that captures all relevant information and data of a customer engagement and creates a workflow that enables each participant to have the right information at the right time. CampusGuard will assign a QSA and Customer Relationship Manager to the Broward County project. The partnership is guaranteed unless there are extenuating circumstances that would require change. If there is any circumstance that may require change, our partnership with the County extends to mutual agreement of any modification.

3. Past Performance:

18 10/20/2017 1:34 PM RFQ A2114499R1 ‐ Broward County IT Security and Com Category 1 ‐ Payment Card Industry (PCI) Services

Licensing Matrix Nettitude, Inc. d/b/a Nettitude Online Enterprises Inc. d/b/a Online Business Systems Optiv Security Plante & Moran, PLLC dba Plante Moran b. Number of employees, coordination efforts, servers and workers Online’s Risk, Security, and Privacy practice has approximately 18 See PDF Pg. 232 See PDF Pg. 12 located within the USA consultants based in the USA. Online’s US Headquarters is located in The security, privacy and business concerns of our clients‐both Plante Moran has over 2,200 employees and 500 servers in Minneapolis, MN. current and past‐are of the highest priority. the USA. As such, we must respectfully decline to provide specific contact names and details for potential references at this stage. However, a number of our clients from recent engagements would be willing to entertain an informal conversation with their peers to discuss their use of the products and services they were provided which we can help facilitate at the appropriate time.

Not Provided

c. Describe vendor’s plan to meet key milestones and deadline dates See PDF Pgs. 9 ‐ 10. See PDF Pg. 232 See PDF Pg. 12 including communication plan. Online has a number of strategies in place for all engagements to deal The security, privacy and business concerns of our clients‐both Frequent communication, guided by a “no surprises” with the impact of any events on current and past‐are of the highest priority. philosophy is the key to a successful project. In this way, project milestones including: As such, we must respectfully decline to provide specific expectations can be effectively managed and problems can Iterative and Parallelized Approach contact names and details for potential references at this either be avoided entirely, or addressed early on to Online’s approach to conducting an assessment is a highly parallelized stage. However, a number of our clients from recent minimize wasted effort and keep the project on schedule. process. The review of multiple CHD engagements would be willing to entertain an informal Prior to formally kicking off the project, we will work with data flows with multiple departments and personnel are started conversation with their peers to discuss their use of the the County to develop a communications plan for the simultaneously. The collection and review products and services they were provided which we can help project. of information will progress at different rates for each of these parallel facilitate at the appropriate time. We will identify project stakeholders, and for each: activities. What they will need to know throughout the project Upfront Planning (e.g., status updates, risk and issues) The QSA will work closely with the County’s project personnel to When and how frequently they will want communication Not Provided mitigate the impact of factors such as (e.g., weekly, monthly) resource availability on compliance documentation activities. How communications will be delivered (e.g., status Acquiring and discussing upcoming holiday updates reports, meetings, phone calls) plans and important business activity schedules at the outset allows for Who will be responsible for the communication optimized task planning..... We will maintain this communication plan on a shared collaboration site throughout the project to ensure regular communication and ongoing collaboration.

3. Past Performance:

19 10/20/2017 1:34 PM RFQ A2114499R1 ‐ Broward County IT Security and Com Category 1 ‐ Payment Card Industry (PCI) Services

Verizon Business Network Services Licensing Matrix Presidio RSM US LLP Inc. d/b/a Verizon Business Services b. Number of employees, coordination efforts, servers and workers See PDF Pg 17. RSM has approximately 25 PCI QSAs nationally and over 100 additional Verizon operates a global QSA practice with located within the USA Presidio has twenty‐three (23) people on our Cyber staff members who work on our over 70 assessors providing consistent delivery Security Consulting team, all whom are Presidio PCI engagements. Also see the Servers and Workers Located in the USA of high quality PCI services around the world. 16 employees located within the USA. The Presidio Attestation Form included in the Appendix section of this proposal. QSA are located in the USA Cyber Security Project Managers coordinate all the resources on the Presidio team.

c. Describe vendor’s plan to meet key milestones and deadline dates See PDF Pg 17 ‐ 19 RSM’s management approach can be expressed in one simple phrase: Verizon will designate a “Project Manager” who including communication plan. Presidio would develop a project plan with all defined “no surprises.” First, we will work with the County to establish a will act as the single point of contact project milestones which includes weekly status communication protocol and approach that you prefer, and we will use throughout the Project. The Project Manager meetings to track the project overall progress. these channels and tools to share information on the engagement. Once will oversee and coordinate the Project. The Escalation methodology follows. the communications plan has been created, RSM will create a timeline Project Manager will manage Verizon resources and milestones project schedule and track those milestones to to complete Project activities, such as milestone completion on a weekly basis. We will work with you and management tracking, coordinating tasks and dependencies, to keep you informed of our progress throughout the engagement with as well as providing weekly status reports (the periodic formal and informal status reports and meetings as “Weekly Report”). Customer will appoint a appropriate. Continuous communication helps ensure that the County single point of contact or program management and the RSM team are in agreement on, and informed about, every team to coordinate the Project activities with aspect of an engagement. Our team will work closely with County Verizon and ensure timely data flow and management to establish clear, open lines of communication via face‐to‐ exchange of information required for execution face meetings, phone calls, and/or regular electronic or hard‐copy of the Project within the agreed time frame. communications to keep you informed of progress and issues. In the Verizon will work with Customer to schedule a event that RSM identifies that a particular engagement is behind kick‐off meeting to initiate the Project. Verizon schedule, it will be formally communicated to the client to discuss the and Customer will collaborate to determine issues and possible solutions to get back on track. Similarly, if required stakeholders and other attendees, observations or risk areas are identified during an engagement, we will agenda, and meeting location (i.e. on site or be on hand to provide recommendations for remediation and provide virtual). support to management in the enhancement of current processes.

3. Past Performance:

20 10/20/2017 1:34 PM RFQ A2114499R1 ‐ Broward County IT Security and Compliance Services Category 1 ‐ Payment Card Industry (PCI) Services

Prime: Carahsoft Technology Corp Licensing Matrix 1st Secure IT LLC ATT Solution Provider: Trustwave a. Describe prime Vendor’s experience on projects of similar nature See Reference Verification Form PDF Pg. 124, 128, 132. See References. and scope, along with evidence of satisfactory completion, both on See PDF Pg. 142. CONFIDENTIAL time and within budget, for the past five years. Provide a minimum of 1st Secure IT has been a Qualified Security Assessor Company since 2010 and has three projects with references, preferably government agencies (i.e. performed has performed hundreds of PCI DSS audit. 1st Secure IT, LLC is a Pgs 35: state, local) of similar size and structure and proven experience and Payment Card Industry Qualified Security Assessor Company (PCI‐QSA) certified Non‐Disclosure Statement "The information in this document is AT&T Corp. skillset in evaluation a mixed credit card environment of web and authorized to perform PCI DSS and PCI PIN audits it the United States and Confidential, and cannot be reproduced or redistributed in any way, shape, or form applications, point of sale (POS), and Interactive Voice Response (IVR) Latin America. We are headquartered in Coral Springs, FL and focus on without prior written consent from AT&T Corp. © Copyright 2017 AT&T Corp. AT&T Systems. compliance services and solutions related to regulations such as PCI, HIPAA, Corp., the AT&T Corp. logo, and all other trademarks, service marks, and designs are Vendor should provide references for similar work performed to show EI3PA, and SOC2. We specialize in and are focused on delivering industry registered or unregistered trademarks of AT&T Corp. Intellectual Property and/or evidence of qualifications and previous experience. Refer to Vendor standards compliance and fraud prevention services. AT&T Corp. affiliated Reference Verification Form and submit as instructed. Only provide SAMPLE LIST OF CLIENTS companies." references for non‐Broward County Board of County Commissioners’ 1st Secure IT, LLC has done well over 100 Reports of Compliance (ROC) in the last contracts. For Broward County contracts, the County will review 12 months. The following Pgs 36‐ 223: performance evaluations in its database for vendors with previous or is a sample set of clients for whom 1st Secure IT, LLC has performed "AT&T Consulting Proprietary and Confidential Information" current contracts with the County. The County considers references compliance/security engagements: and performance evaluations in the evaluation of Vendor’s past Sample clients in USA Pgs 418‐568 AT&T Proprietary: The information contained herein is for use by performance. 1. Luihn Foods ‐ (Refer to Vendor Reference Verification Form) authorized persons only and is not for general distribution. 2. FPN ‐ (Refer to Vendor Reference Verification Form) 3. Sedano’s Supermarket ‐ (Refer to Vendor Reference Verification Form) 4. Great Health Works 5. Softheon,Inc Amwest Venture Corp 6. Apartment Owners Association of California, Inc. 7. Bagshaw Enterprises 8. BKK Management Co (Yakima) 9. Burger Florida Group 10. Century Fast Foods, Inc.

21 10/20/2017 1:34 PM RFQ A2114499R1 ‐ Broward County IT Security and Com Category 1 ‐ Payment Card Industry (PCI) Services

Licensing Matrix Crowe Horwath LLP Enterprise Risk Management, Inc. Focal Point Data Risk LLC a. Describe prime Vendor’s experience on projects of similar nature See PDF Pgs. 34 ‐ 37. (4) Reference Verification Forms included for this Category ‐ PDF See PDF Pgs. 16 ‐ 18 and scope, along with evidence of satisfactory completion, both on Client Experience 1 Pgs. 24‐27 Ace Hardware 2016 – Current PCI Compliance Risk Assessment time and within budget, for the past five years. Provide a minimum of A team of Crowe QSAs and SMEs helped a Fortune 100 company identify the scope of the a. ERM’s Experience three projects with references, preferably government agencies (i.e. environment subject to PCI DSS and help the company achieve PCI DSS compliance. The project ERM has completed approximately 100 PCI projects. All of our Beall’s 2005 – Current state, local) of similar size and structure and proven experience and scope included the company’s retail operations in 15 countries with various in‐store network projects have been completed on time Approved Scanning Vendor (ASV) Testing skillset in evaluation a mixed credit card environment of web configurations. Over the course of the relationship, Crowe has consulted with the client on a and within budget. Annual PCI QSA Audit applications, point of sale (POS), and Interactive Voice Response (IVR) variety of information security and compliance issues including virtualization, tokenization, point‐ As requested, below are three references for projects of similar size Incident Response Systems. to‐point encryption, and network segmentation including tools such as VMWare, Lumigent, and structure. IT Audit Assistance Vendor should provide references for similar work performed to show Q1Radar, and DLP. The companies environment included various operating systems types 1. Miami Dade County Ongoing PCI & Security Trusted Advisory Assistance evidence of qualifications and previous experience. Refer to Vendor including Stratus VOS, AIX, HP‐UX, CentOS, 2. Entertainment Benefits Group, LLC Penetration Testing Reference Verification Form and submit as instructed. Only provide Red Hat, and Windows. The assessment also covered the review of various databases including 3. General Growth Properties PCI Gap Analysis and Compliance Roadmap references for non‐Broward County Board of County Commissioners’ DB2, Informix, Oracle, and SQL. The scope of the assessment required Crowe to review various 4. Banco Popular Dominicano PCI Infrastructure and Architecture Assistance contracts. For Broward County contracts, the County will review applications Security Training performance evaluations in its database for vendors with previous or The result has been an ongoing relationship in which Crowe has helped the client reduce scope, Social Engineering current contracts with the County. The County considers references create repeatable processes and controls, and maintain compliance for over six years. and performance evaluations in the evaluation of Vendor’s past Client Experience 2 Borgata Hotel and Casino 2009 – Current performance. Crowe performed a scoping and gap analysis for a global payment processor that had recently Approved Scanning Vendor (ASV) Testing acquired a new business subject to PCI DSS. The company was using a custom developed Ongoing PCI Trusted Advisory Assistance application that was Annual Penetration Testing using an Oracle back end for card storage and processing. Crowe helped the client prioritze gaps in compliance and developed a roadmap for the client to achieve compliance. The end result was a Bright House Networks compliant, first year Report on Compliance that was delivered to the card brands on time. (Charter Communications) 2014 – Current Annual PCI QSA Audit Client Experience 3 PCI Gap Analysis and Compliance Roadmap A team of Crowe QSAs and SMEs performed a scoping and gap analysis for a cloud services provider. Crowe helped the company minimize scope subject to PCI DSS and helped the client ...... prioritize its remediation efforts......

22 10/20/2017 1:34 PM RFQ A2114499R1 ‐ Broward County IT Security and Com Category 1 ‐ Payment Card Industry (PCI) Services

Prime: Marcum LLP Licensing Matrix Foresite MSP LLC Sub: 24by7 Security Merchant Preservation Services, LLC d/b/a CampusGuard a. Describe prime Vendor’s experience on projects of similar nature See References. See PDF Pg. 8 Page 497 and scope, along with evidence of satisfactory completion, both on Foresite supplies services to forture 500 companies within the US and Marcum has several clients that are required to comply with PCI DSS, and University of Virginia: The University of Virginia is a four‐year, public university with time and within budget, for the past five years. Provide a minimum of address specific needs based on a phased approach. The approach Marcum provides guidance on an enrollment of over 23,000 students. CampusGuard performed a PCI Readiness three projects with references, preferably government agencies (i.e. starts with a gap assessment to determin actual scope followed by PCI matters frequently. Review identifying the complete cardholder environment, prescanned for state, local) of similar size and structure and proven experience and findings and observations, recommendations for remediation then a See attached Vendor Reference Form for: vulnerabilities, recommended options for correcting deficiencies referenced directly to skillset in evaluation a mixed credit card environment of web road map plan to address all aspects of the overall objectives. Eastern Account Systems associated PCI DSS controls and requirements... applications, point of sale (POS), and Interactive Voice Response (IVR) Virgina Department of Alcholic Beverage Control: The Virginia ABC has more than Systems. 350 locations across the Commonwealth of Virginia. Vendor should provide references for similar work performed to show Based on the volume of credit card transactions, ABC is required to verify compliance evidence of qualifications and previous experience. Refer to Vendor with the PCI DSS annually Reference Verification Form and submit as instructed. Only provide with a Report on Compliance (ROC)... references for non‐Broward County Board of County Commissioners’ Indiana University: Indiana University is a four‐year public research university serving contracts. For Broward County contracts, the County will review over 110,000 students and 19,000 employees across eight campuses. The University performance evaluations in its database for vendors with previous or uses PeopleSoft as the ERP system for the main functional areas of student, financial, current contracts with the County. The County considers references and human resources operations... and performance evaluations in the evaluation of Vendor’s past performance.

23 10/20/2017 1:34 PM RFQ A2114499R1 ‐ Broward County IT Security and Com Category 1 ‐ Payment Card Industry (PCI) Services

Licensing Matrix Nettitude, Inc. d/b/a Nettitude Online Enterprises Inc. d/b/a Online Business Systems Optiv Security Plante & Moran, PLLC dba Plante Moran a. Describe prime Vendor’s experience on projects of similar nature See PDF Pgs. 10 ‐ 11. (3) Reference Verification Forms included ‐ See PDF Pgs. 311‐315. See PDF Pg. 232 Reference Verification Forms included. ‐ See PDF Pgs. 66 ‐ and scope, along with evidence of satisfactory completion, both on How many years of experience does Nettitude have performing PCI‐DSS Estee Lauder Companies: Online performed PCI assessments for three The security, privacy and business concerns of our clients‐both 68 time and within budget, for the past five years. Provide a minimum of assessments? different business units and current and past‐are of the highest priority. Examples ‐ See PDF Pgs. 13 ‐ 15 three projects with references, preferably government agencies (i.e. Nettitude has been performing PCI‐DSS assessments since 2007. provided ROCs and AOCs for each. As such, we must respectfully decline to provide specific state, local) of similar size and structure and proven experience and 2. How many PCI‐DSS assessments did Nettitude complete last year? Macy’s Technology: Online provided QSA Services for Macy’s, providing contact names and details for potential references at this skillset in evaluation a mixed credit card environment of web Nettitude performed 26 formal PCI‐DSS assessments. There are many more assessment reviews, ROC stage. However, a number of our clients from recent applications, point of sale (POS), and Interactive Voice Response (IVR) including consultative and AOC reports, and post assessment feedback. engagements would be willing to entertain an informal Systems. and other engagements. Next Jump Inc.: Online has been providing Next Jump advisory and conversation with their peers to discuss their use of the Vendor should provide references for similar work performed to show 3. How long has your company been a PCI SSC authorized QSA? assessment services in the products and services they were provided which we can help evidence of qualifications and previous experience. Refer to Vendor Nettitude has been a PCI SSC authorized QSA since 2007. context of PCI Data Security Standards since 2013. facilitate at the appropriate time. Reference Verification Form and submit as instructed. Only provide Nettitude has provided Broward County with a case study of a previous PCI references for non‐Broward County Board of County Commissioners’ project.... contracts. For Broward County contracts, the County will review performance evaluations in its database for vendors with previous or current contracts with the County. The County considers references and performance evaluations in the evaluation of Vendor’s past performance.

24 10/20/2017 1:34 PM RFQ A2114499R1 ‐ Broward County IT Security and Com Category 1 ‐ Payment Card Industry (PCI) Services

Verizon Business Network Services Licensing Matrix Presidio RSM US LLP Inc. d/b/a Verizon Business Services a. Describe prime Vendor’s experience on projects of similar nature Reference Verification Forms included. See PDF Pg. The best measure of client satisfaction can only come from our clients. Verizon has highly relevant customers who can and scope, along with evidence of satisfactory completion, both on 19 As requested, we present below references from other clients where we provide information on the work we have done time and within budget, for the past five years. Provide a minimum of PCI DSS is a core competency of our cyber security have performed comparable work. To respect the availability and and the quality of our relationship with their three projects with references, preferably government agencies (i.e. consulting team. Presidio provides the following cooperation of our clients, and to help ensure a prompt reception of organizations. Due to the number of requests state, local) of similar size and structure and proven experience and three references for which we have provided similar your contact, please advise Alexandra M. Lorie at +1 305 742 7117, of Verizon receives for recommendations from skillset in evaluation a mixed credit card environment of web solutions to Category 1 – PCI DSS: your intent to contact them. She will arrange the calls at your these customers, it is our policy to provide applications, point of sale (POS), and Interactive Voice Response (IVR) U.S Naval Academy Alumni Association & convenience, while helping to ensure these references’ availability. In contact information only when we are under Systems. Foundation addition to the references listed below, we are prepared to provide serious consideration for a contract award. In Vendor should provide references for similar work performed to show Dayton’s Children Hospital additional client references to help ensure that you are comfortable with addition, Verizon’s corporate nondisclosure evidence of qualifications and previous experience. Refer to Vendor Broward Healthcare the experience and levels of client service our team is accustomed to policies – combined with the sensitive nature of Reference Verification Form and submit as instructed. Only provide Presidio uploads these customer references on the delivering. our customers’ business – require that certain references for non‐Broward County Board of County Commissioners’ required Vendor Verification Form, in a separate file. Prince William County, Virginia agreements be in place before we can release contracts. For Broward County contracts, the County will review March 2015 ‐ May 2015 sensitive customer data. In order to protect the performance evaluations in its database for vendors with previous or RSM completed an evaluation of the Payment Card Industry (PCI) interests and confidentiality of our customers, current contracts with the County. The County considers references compliance program at PWC. and at the request of our customers, we prefer and performance evaluations in the evaluation of Vendor’s past City of Sacramento to facilitate references calls and/or visits at a performance. April 2013 ‐ Present mutually convenient time for all. It is standard RSM conducts the City’s annual PCI report on compliance assessment policy of Verizon to not publish reference lists and penetration testing. due, in large part, to Non‐Disclosure Kansas Turnpike Authority Agreements between Verizon and its April 2017 ‐ May 2017 customers. Annual assessment of PCI compliance along with Attestation of Compliance (ACC), recommendations for strengthening PCI compliance for future years.

25 10/20/2017 1:34 PM RFQ A2114499R1 ‐ Broward County IT Security and Compliance Services Category 1 ‐ Payment Card Industry (PCI) Services

Prime: Carahsoft Technology Corp Licensing Matrix 1st Secure IT LLC ATT Solution Provider: Trustwave b. Provide evidence of similar work related to services identified in this See Reference Verification Form PDF Pg. 124, 128, 132. See Forensic Report PDF Pgs. 147‐178, 223‐301 See References. Category. See PDF Pg. 142. 1st Secure IT has been a Qualified Security Assessor Company since 2010 and has performed has performed hundreds of PCI DSS audit. 1st Secure IT, LLC is a Payment Card Industry Qualified Security Assessor Company (PCI‐QSA) certified and authorized to perform PCI DSS and PCI PIN audits it the United States and Latin America. We are headquartered in Coral Springs, FL and focus on compliance services and solutions related to regulations such as PCI, HIPAA, EI3PA, and SOC2. We specialize in and are focused on delivering industry standards compliance and fraud prevention services. SAMPLE LIST OF CLIENTS 1st Secure IT, LLC has done well over 100 Reports of Compliance (ROC) in the last 12 months. The following is a sample set of clients for whom 1st Secure IT, LLC has performed compliance/security engagements: Sample clients in USA 1. Luihn Foods ‐ (Refer to Vendor Reference Verification Form) 2. FPN ‐ (Refer to Vendor Reference Verification Form) 3. Sedano’s Supermarket ‐ (Refer to Vendor Reference Verification Form) 4. Great Health Works 5. Softheon,Inc Amwest Venture Corp 6. Apartment Owners Association of California, Inc. 7. Bagshaw Enterprises 8. BKK Management Co (Yakima) 9. Burger Florida Group 10. Century Fast Foods, Inc.

4. Workload of the Firm: List all completed and active projects that Vendor has managed within See PDF Pgs. 143 ‐ 144. See PDF Pg. 16 the past five years. In addition, list all projected projects that Vendor 1st Secure IT, LLC is a QSA company for the PCI SSC. Our core competencies are CONFIDENTIAL As a private firm, we do not go into specific details, but we can say we do about 4000 pen will be working on in the near future. Projected projects will be defined within the PCI and Penetration Testing arena. Over 90% of our revenue derives tests a year and about 850 RoCs ‐ but also have the most QSAs and Pen Testers than any as a project(s) that Vendor is awarded a contract but the Notice to from direct PCI related work. PCI related Pgs 35: other competitor – over 100 in each case. We are busy, but have sufficient resources to Proceed has not been issued. Identify any projects that Vendor worked work includes: Non‐Disclosure Statement "The information in this document is AT&T Corp. cover all of our engagements. on concurrently. Describe Vendor’s approach in managing these PCI DSS Scoping Reviews Confidential, and cannot be reproduced or redistributed in any way, shape, or form projects. Were there or will there be any challenges for any of the PCI DSS Reports on Compliance without prior written consent from AT&T Corp. © Copyright 2017 AT&T Corp. AT&T listed projects? If so, describe how Vendor dealt or will deal with the PCI Self‐Assessment Questionnaire assistance Corp., the AT&T Corp. logo, and all other trademarks, service marks, and designs are projects’ challenges. Penetration Testing – for PCI Compliance registered or unregistered trademarks of AT&T Corp. Intellectual Property and/or IT Security Consultation Projects for PCI Compliance AT&T Corp. affiliated Approximately, 10% of our revenue is generated from projects outside of PCI, companies." but are synergistic to IT Security. These projects include: Pgs 36‐ 223: Fraud Prevention Consultation "AT&T Consulting Proprietary and Confidential Information" Visa Global Risk Assessments PIN Security Pgs 418‐568 AT&T Proprietary: The information contained herein is for use by Non‐PCI related Penetration Testing authorized persons only and is not for general distribution. General IT Security Consulting....

26 10/20/2017 1:34 PM RFQ A2114499R1 ‐ Broward County IT Security and Com Category 1 ‐ Payment Card Industry (PCI) Services

Licensing Matrix Crowe Horwath LLP Enterprise Risk Management, Inc. Focal Point Data Risk LLC b. Provide evidence of similar work related to services identified in this See PDF Pgs. 34 ‐ 37. (4) Reference Verification Forms included for this Category ‐ PDF Pg. See PDF Pgs. 16 ‐ 18 Category. Client Experience 1 28 Ace Hardware 2016 – Current PCI Compliance Risk Assessment A team of Crowe QSAs and SMEs helped a Fortune 100 company identify the scope of the ERM’s evidence of similar work is provided by the references above. environment subject to PCI DSS and help the company achieve PCI DSS compliance. The project Beall’s 2005 – Current scope included the company’s retail operations in 15 countries with various in‐store network Approved Scanning Vendor (ASV) Testing configurations. Over the course of the relationship, Crowe has consulted with the client on a Annual PCI QSA Audit variety of information security and compliance issues including virtualization, tokenization, point‐ Incident Response to‐point encryption, and network segmentation including tools such as VMWare, Lumigent, IT Audit Assistance Q1Radar, and DLP. The companies environment included various operating systems types Ongoing PCI & Security Trusted Advisory Assistance including Stratus VOS, AIX, HP‐UX, CentOS, Penetration Testing Red Hat, and Windows. The assessment also covered the review of various databases including PCI Gap Analysis and Compliance Roadmap DB2, Informix, Oracle, and SQL. The scope of the assessment required Crowe to review various PCI Infrastructure and Architecture Assistance applications Security Training The result has been an ongoing relationship in which Crowe has helped the client reduce scope, Social Engineering create repeatable processes and controls, and maintain compliance for over six years. Client Experience 2 Borgata Hotel and Casino 2009 – Current Crowe performed a scoping and gap analysis for a global payment processor that had recently Approved Scanning Vendor (ASV) Testing acquired a new business subject to PCI DSS. The company was using a custom developed Ongoing PCI Trusted Advisory Assistance application that was Annual Penetration Testing using an Oracle back end for card storage and processing. Crowe helped the client prioritze gaps in compliance and developed a roadmap for the client to achieve compliance. The end result was a Bright House Networks compliant, first year Report on Compliance that was delivered to the card brands on time. (Charter Communications) 2014 – Current Annual PCI QSA Audit Client Experience 3 PCI Gap Analysis and Compliance Roadmap A team of Crowe QSAs and SMEs performed a scoping and gap analysis for a cloud services provider. Crowe helped the company minimize scope subject to PCI DSS and helped the client ...... prioritize its remediation efforts......

4. Workload of the Firm: List all completed and active projects that Vendor has managed within See PDF Pg. 38 See PDF Pg. 29 See PDF Pg. 19 the past five years. In addition, list all projected projects that Vendor Over the past 5 years, Crowe has had over 16,000 clients, of which over 1,200 were government ERM has completed approximately 50 PCI projects during the past 5 Focal Point has completed hundreds of PCI assessments over its 12 years of will be working on in the near future. Projected projects will be defined clients. Crowe currently has 871 government clients, with 32 in the Florida area. Crowe is well years and estimates it will be providing security as a project(s) that Vendor is awarded a contract but the Notice to positioned to provide quality service to Broward County in a timely fashion. Crowe has a complete at least 2 per month through the remainder of 2017. and compliance services. Our PCI team completes around 75 projects Proceed has not been issued. Identify any projects that Vendor worked sophisticated Centralized Resource Management function that is responsible for ensuring that ERM is able to manage several projects simultaneously based on annually for companies on concurrently. Describe Vendor’s approach in managing these Broward County’s needs are met with the experienced and trained staff from our local offices, and our efficient project management across every industry. We complete all of our projects concurrently with projects. Were there or will there be any challenges for any of the if needed, from across our firm. We realize that resource management is a crucial element to approach. We have not experienced any challenges to complete other projects, so the listed projects? If so, describe how Vendor dealt or will deal with the consistently providing top quality service to Broward County, and all of our clients. these projects, nor do we expect to added workload that this project presents is not an issue for our firm. projects’ challenges. experience challenges completed projects for the client. As of now, our PCI team is engaged in 20 projects that include PCI DSS 3.2 a. Past Five Years assessments, gap Due to client confidentiality, ERM will provide project information analyses, and trusted advisory. We do not anticipate these other projects by industry type. limiting us from • Banking & Financial Services (7) providing the County with the highest level of service. • Credit Card Processing (7) • Federal Government (2) • Hospitality (2) • Insurance (2) • Local, City, State Government (4) • Real Estate (1) • Retail (2) • Other (15) ......

27 10/20/2017 1:34 PM RFQ A2114499R1 ‐ Broward County IT Security and Com Category 1 ‐ Payment Card Industry (PCI) Services

Prime: Marcum LLP Licensing Matrix Foresite MSP LLC Sub: 24by7 Security Merchant Preservation Services, LLC d/b/a CampusGuard b. Provide evidence of similar work related to services identified in this See "Broward Security Services 2017" See PDF Pg. 8 Page 497 Category. Marcum has several clients that are required to comply with PCI DSS, and University of Virginia: The University of Virginia is a four‐year, public university with Marcum provides guidance on PCI matters frequently. This includes involvement an enrollment of over 23,000 students. CampusGuard performed a PCI Readiness with our clients SAQ and ROC reports. Review identifying the complete cardholder environment, prescanned for vulnerabilities, recommended options for correcting deficiencies referenced directly to associated PCI DSS controls and requirements... Virgina Department of Alcholic Beverage Control: The Virginia ABC has more than 350 locations across the Commonwealth of Virginia. Based on the volume of credit card transactions, ABC is required to verify compliance with the PCI DSS annually with a Report on Compliance (ROC)... Indiana University: Indiana University is a four‐year public research university serving over 110,000 students and 19,000 employees across eight campuses. The University uses PeopleSoft as the ERP system for the main functional areas of student, financial, and human resources operations...

4. Workload of the Firm: List all completed and active projects that Vendor has managed within Foresite has over 600 active projects and current has a client base of See PDF Pg. 9 See PDF Pgs 499 ‐ 500. the past five years. In addition, list all projected projects that Vendor over 2000 companies. Foresite has over 8 million US dollars currently We were formally engaged to conduct procedures related to Eastern Account With over 140 Readiness Reviews done between 2012 and today, CampusGuard is will be working on in the near future. Projected projects will be defined in the 6 month sales pipe. The request can certainly be discussed but Systems, Inc. compliance with PCI. There were no challenges noted. Refer to well versed in managing projects for multi campus environments with multiple as a project(s) that Vendor is awarded a contract but the Notice to would not seem logical to address at the level you are requesting. Vendor Reference verification form for more information. In addition, Marcum methods of accepting credit cards. A small example of clients over the past five years Proceed has not been issued. Identify any projects that Vendor worked has several clients that are required to comply with PCI DSS, and Marcum who have had Readiness Reviews (Gap Analysis) and Annual Support on concurrently. Describe Vendor’s approach in managing these provides guidance on PCI matters frequently. This includes involvement with our Agreements is listed below, if more projects are needed to help identify the projects. Were there or will there be any challenges for any of the clients SAQ and ROC reports. capabilities that CampusGuard can provide, they will be made available. listed projects? If so, describe how Vendor dealt or will deal with the projects’ challenges.

28 10/20/2017 1:34 PM RFQ A2114499R1 ‐ Broward County IT Security and Com Category 1 ‐ Payment Card Industry (PCI) Services

Licensing Matrix Nettitude, Inc. d/b/a Nettitude Online Enterprises Inc. d/b/a Online Business Systems Optiv Security Plante & Moran, PLLC dba Plante Moran b. Provide evidence of similar work related to services identified in this See PDF Pgs. 10 ‐ 11. See PDF Pgs. 11 & Appendix B (PDF Pgs. 21 ‐ 249) See PDF Pg. 232 Reference Verification Forms included. ‐ See PDF Pgs. 66 ‐ Category. How many years of experience does Nettitude have performing PCI‐DSS Online is pleased to include a Sample Report for a PCI engagement as The security, privacy and business concerns of our clients‐both 69 assessments? evidence of our PCI services. current and past‐are of the highest priority. Nettitude has been performing PCI‐DSS assessments since 2007. As such, we must respectfully decline to provide specific 2. How many PCI‐DSS assessments did Nettitude complete last year? contact names and details for potential references at this Nettitude performed 26 formal PCI‐DSS assessments. There are many more stage. However, a number of our clients from recent including consultative engagements would be willing to entertain an informal and other engagements. conversation with their peers to discuss their use of the 3. How long has your company been a PCI SSC authorized QSA? products and services they were provided which we can help Nettitude has been a PCI SSC authorized QSA since 2007. facilitate at the appropriate time. Nettitude has provided Broward County with a case study of a previous PCI project....

4. Workload of the Firm: List all completed and active projects that Vendor has managed within See PDF Pgs. 10 ‐ 11. See PDF Pg. 11 See PDF Pg. 232 Our team of 40+ cybersecurity consultants has completed the past five years. In addition, list all projected projects that Vendor How many years of experience does Nettitude have performing PCI‐DSS Online’s Risk, Security, and Privacy consulting practice has over 100 The security, privacy and business concerns of our clients‐both projects for hundreds of organizations over the past five will be working on in the near future. Projected projects will be defined assessments? clients and delivers well over 200 engagements annually. To protect current and past‐are of the highest priority. years. In addition, our team uses multiple firm wide project as a project(s) that Vendor is awarded a contract but the Notice to Nettitude has been performing PCI‐DSS assessments since 2007. the privacy of our clients, we cannot divulge client names, but we can As such, we must respectfully decline to provide specific management tools to assist Proceed has not been issued. Identify any projects that Vendor worked 2. How many PCI‐DSS assessments did Nettitude complete last year? guarantee that our team can meet any project deadlines that contact names and details for potential references at this with working with dozens of clients each week. Should an on concurrently. Describe Vendor’s approach in managing these Nettitude performed 26 formal PCI‐DSS assessments. There are many more Broward County establishes. Our 98% customer retention rate stage. However, a number of our clients from recent unexpected conflict occur while working with the County, projects. Were there or will there be any challenges for any of the including consultative speaks volumes of our ability to meet our clients’ needs while delivering engagements would be willing to entertain an informal the County will be given priority as necessary. listed projects? If so, describe how Vendor dealt or will deal with the and other engagements. high quality services. Our dedication to the customer experience conversation with their peers to discuss their use of the projects’ challenges. 3. How long has your company been a PCI SSC authorized QSA? combined with our strong team bond (there are rare all‐hands‐on‐deck products and services they were provided which we can help Nettitude has been a PCI SSC authorized QSA since 2007. moments) help us ensure that we deliver engagements on time. The facilitate at the appropriate time. Nettitude has provided Broward County with a case study of a previous PCI Risk, Security, and Privacy practice has never missed an engagement project.... deadline. Online spends a great deal of time reviewing our workloads and our forecast pipeline so that we work the fine balance of not having too many consultants on the bench but also not overloading our consultants. We ensure that we always have a handful of qualified recruits in our hiring queue for when we hit growth spurts.

29 10/20/2017 1:34 PM RFQ A2114499R1 ‐ Broward County IT Security and Com Category 1 ‐ Payment Card Industry (PCI) Services

Verizon Business Network Services Licensing Matrix Presidio RSM US LLP Inc. d/b/a Verizon Business Services b. Provide evidence of similar work related to services identified in this Reference Verification Forms included. See PDF Pg. The best measure of client satisfaction can only come from our clients. Sample reports embeded in response but Category. 19 As requested, we present below references from other clients where we unable to open the documents. PCI DSS is a core competency of our cyber security have performed comparable work. To respect the availability and consulting team. Presidio provides the following cooperation of our clients, and to help ensure a prompt reception of three references for which we have provided similar your contact, please advise Alexandra M. Lorie at +1 305 742 7117, of solutions to Category 1 – PCI DSS: your intent to contact them. She will arrange the calls at your U.S Naval Academy Alumni Association & convenience, while helping to ensure these references’ availability. In Foundation addition to the references listed below, we are prepared to provide Dayton’s Children Hospital additional client references to help ensure that you are comfortable with Broward Healthcare the experience and levels of client service our team is accustomed to Presidio uploads these customer references on the delivering. required Vendor Verification Form, in a separate file. Prince William County, Virginia March 2015 ‐ May 2015 RSM completed an evaluation of the Payment Card Industry (PCI) compliance program at PWC. City of Sacramento April 2013 ‐ Present RSM conducts the City’s annual PCI report on compliance assessment and penetration testing. Kansas Turnpike Authority April 2017 ‐ May 2017 Annual assessment of PCI compliance along with Attestation of Compliance (ACC), recommendations for strengthening PCI compliance for future years.

4. Workload of the Firm: List all completed and active projects that Vendor has managed within The Presidio Cyber team averages 70 concurrent RSM maintains confidentiality agreements with many of our clients. For Verizon performs around 1100 QSA the past five years. In addition, list all projected projects that Vendor projects at any one time. Our project managers this reason, we cannot name them in proposals or marketing collateral assessments each year as well as investigating will be working on in the near future. Projected projects will be defined ensure that we have resources allocated for the without express permission. However, in the Past Performance section 100 cases per year for payment card related as a project(s) that Vendor is awarded a contract but the Notice to projects. Our project sizes range from $8,000 to above, we provide references from clients who can discuss our work incidents. Verizon is continuously working Proceed has not been issued. Identify any projects that Vendor worked $1.6M. We monitor and manage the workload with them on issues relevant to your operations. If we are engaged by multiple projects concurrently and has the on concurrently. Describe Vendor’s approach in managing these monthly and make decisions on whether we need to the County, you will be a priority for our firm and to each member of people, process and technology to ensure all projects. Were there or will there be any challenges for any of the add additional security consultants to the team. your engagement team. Our workload fluctuates based on a number of active projects are meeting the milestones listed projects? If so, describe how Vendor dealt or will deal with the factors, including timing and currently pending engagements. defined on the project scope. We do not projects’ challenges. Regardless, our firm has excelled at managing its human resources so anticipate any challenges; however, should that our workload never surpasses the ability of our assigned teams to issues arise we have a well‐defined process for devote the time and attention necessary to add value to our clients’ identifying the root cause and developing a organizations. Our ability to manage our workload is evidenced by remediation plan. relatively low turnover rates and is supported by clients’ opinions of our service. The engagement team along with County management will design a plan that will ensure expectations are met along with responsive and timely delivery of services as required by the County. The engagement in‐ charge and staff will be solely dedicated to the County from start to finish for the audit. We believe this to be a team effort so that all team members understand their roles, expectations, deliverables, and timelines. We do not anticipate any scenario under which we will have difficulty completing the requested work.

30 10/20/2017 1:34 PM RFQ A2114499R1 ‐ Broward County IT Security and Compliance Services Category 1 ‐ Payment Card Industry (PCI) Services

Prime: Carahsoft Technology Corp Licensing Matrix 1st Secure IT LLC ATT Solution Provider: Trustwave VENDOR QUESTIONNAIRE FORM Verify that these questions are the same as in the advertised solicitation: 1. Legal business name. 1ST SECURE IT LLC AT&T Corp Carahsoft Technology Corporation

2. Doing Business As/ Fictitious Name (if applicable): N/A

3. Federal Employer I.D. Number. 27‐1776302 13‐4924710 522189693 4. Dun & Bradstreet Number. (If applicable). N/A 00‐698‐0080 08‐8365767 5. Website address (if applicable). https://www.1stsecureit.com/en/ www.att.com www.carahsoft.com 6. Principal place of business. 6810 Lyons Technology Circle, Suite 190 One AT&T Way, Bedminster, NJ 07921 1860 Michael Faraday Drive, Suite 100 Coconut Creek, FL 33073 Reston, VA 20190

7. Office Location for this project. 6810 Lyons Technology Circle, Suite 190, Coconut Creek, FL 33073 2002 NW 64th St., Ft. Lauderdale, FL 33309 1860 Michael Faraday Drive, Suite 100 Reston, VA 20190

8. Telephone/Fax Number: Telephone no.:(954) 613‐0515 Fax no.:(866) 735‐3369 Telephone no.:305‐913‐3887 Fax no.: Telephone no.:703.871.8500 Fax no.:703.871.8505 9. Type of Business LLC Corporation; New York Corporation; Maryland 10. List Florida Registration Number. L10000009297 845822 11. List name and title of each principal, owner, officer and major a) Dewsnap, Stephen a. Thadeus Arroyo, President and CEO AT&T, 208 S. Akard St., Dallas, TX 75202 a) Craig P. Abod ‐ President shareholder. b) Espana, Alberto b. Anne Chow, President‐Integrator Solutions, AT&T, 208 S. Akard St., Suite 3514, b) Robert Moore ‐ Vice President c) Akins, Mark Dallas, TX 75202 c) Jillian Szczepanek ‐ Controller d) Rodrigues, Abelardo c. Frank Jules, President ‐ Global Business AT&T, 208 S. Akard St., Suite 3509, Dallas, d) Jennifer Taha ‐ Proposals Director e) Finizio, Stephen TX 75202 f) Dewsnap, Edward d. Cathy Martine‐Dolecki, President ‐ Natl Bus AT&T, 1 AT&T Way, Bedminster, NJ 07921 e. Delores McCarty, Assistant Secretary AT&T, 675 W Peachtree St, NW, Atlanta, GA 30308 f. George B. Goeke, CFO and Treasurer AT&T, 208 S. Akard St., Suite 1824, Dallas, TX 75202 AT&T is a publicly held corporation. No single person owns more than 10% of the company. It is an independent, publicly traded telecommunications services provider. The names and titles of the AT&T Inc. officers are • Randall Stephenson—Chairman and Chief Executive Officer (CEO) • William Blase—Senior Executive Vice President, Human Resources • James Cicconi—Senior Executive Vice President, External and Legislative Affairs • Ralph de la Vega—President and Chief Executive Officer (CEO), AT&T Mobile and Business Solutions • John Donovan—Senior Executive Vice President, AT&T Technology and Operations and Corporate Strategy • Jose Gutierrez—Senior Vice President, Executive Operations • David Huntley—Chief Compliance Officer • Lori Lee—Senior Executive Vice President and Global Marketing Officer • John Stankey—CEO, AT&T Entertainment and Internet Services • John Stephens—Sr. Executive Vice President and Chief Financial Officer (CFO); Corporate Development d d l l

31 10/20/2017 1:34 PM RFQ A2114499R1 ‐ Broward County IT Security and Com Category 1 ‐ Payment Card Industry (PCI) Services

Licensing Matrix Crowe Horwath LLP Enterprise Risk Management, Inc. Focal Point Data Risk LLC VENDOR QUESTIONNAIRE FORM Verify that these questions are the same as in the advertised solicitation: 1. Legal business name. Crowe Horwath LLP Enterprise Risk Management, Inc. Focal Point Data Risk, LLC

2. Doing Business As/ Fictitious Name (if applicable): Not applicable

3. Federal Employer I.D. Number. 35‐0921680 65‐0827427 61‐1805201 4. Dun & Bradstreet Number. (If applicable). 787324008 610144201 08‐0541660 5. Website address (if applicable). www.crowehorwath.com www.emrisk.com www.focal‐point.com 6. Principal place of business. 225 West Wacker Drive, Suite 2600 800 S. Douglas Road, Suite 940 North Tower, Coral Gables, FL 33134 201 E Kennedy Blvd, Suite 1750 Chicago, Illinois 60606‐1224 Tampa, FL 33602

7. Office Location for this project. 401 East Las Olas Boulevard, Suite 1100 800 S. Douglas Road, Suite 940 North Tower, Coral Gables, FL We will utilize both our Tampa location and our Broward Fort Lauderdale, Florida 33301‐4230 33134 County location for this project. Our Broward County address is 1601 Sawgrass Corp. Pkwy., Suite 130, Sunrise, FL 33323 8. Telephone/Fax Number: Telephone no.:954.202.8600 Fax no.:954.202.8639 Telephone no.:305‐447‐6750 Fax no.:305‐447‐6752 Telephone no.:(813) 402‐1208 Fax no.:813‐436‐5283 9. Type of Business Limited Liability Partnership Corporation; Florida LLC 10. List Florida Registration Number. GP0800003826 M16000008367 11. List name and title of each principal, owner, officer and major a) James Powers, CEO a) Silka Gonzalez ‐ President a) Andrew Cannata ‐ Principal, Cyber Security shareholder. b) Joseph Santucci, COO b) Michelle Miller ‐ COO b) Christie Verscharen ‐ Principal, PCI and Risk Services c) Todd Welu, CFO c) Esteban Farao ‐ Director of Consulting Services c) Eric Dieterich ‐ Principal, Data Privacy d) Crowe Horwath LLP is a limited liability partnership with more than 275 partners/principals. If required, we will provide a complete listing of the partner/principals. The names and titles of the firm's leadership is available at www.crowehorwath.com/leadership.

32 10/20/2017 1:34 PM RFQ A2114499R1 ‐ Broward County IT Security and Com Category 1 ‐ Payment Card Industry (PCI) Services

Prime: Marcum LLP Licensing Matrix Foresite MSP LLC Sub: 24by7 Security Merchant Preservation Services, LLC d/b/a CampusGuard VENDOR QUESTIONNAIRE FORM Verify that these questions are the same as in the advertised solicitation: 1. Legal business name. 5820 Solutions, LLC

Foresite MSP LLC Marcum LLP 2. Doing Business As/ Fictitious Name (if applicable): CampusGuard

3. Federal Employer I.D. Number. 38‐3916369 111986323 203756873 4. Dun & Bradstreet Number. (If applicable). 968051180 134960447 5. Website address (if applicable). www.foresite.com www.marcumllp.com www.campusguard.com 6. Principal place of business. 121 S.13th Street, STE 201 Lincoln NE 68508 451 East Las Olas Boulevard, Ninth Floor E Windsor Ct Fort Lauderdale, FL 33301 7. Office Location for this project. 121 S.13th Street, STE 201 Lincoln NE 68508 451 East Las Olas Boulevard, Ninth Floor New York Fort Lauderdale, FL 33301 8. Telephone/Fax Number: 800‐940‐4699 954‐320‐8000 Fax no.:954‐320‐8001 419‐873‐7016 Fax no.:972‐867‐4861 9. Type of Business LLC Limited Partnership Limited Liability Company ‐ LLC 10. List Florida Registration Number. LLP090003311 11. List name and title of each principal, owner, officer and major Robin Mano ‐ CEO a) Michael Balter, Regional Managing Partner a) Harvey Gannon ‐ CEO shareholder. George Farris ‐ Board Member b) Mark Agulnik, Partner b) Ronald E. King ‐ President David Cohen ‐ Board Member c) David Appel, Partner Gary Fish ‐ Board Member d) Shaun Blogg, Partner e) Ilyssa Blum, Partner f) Marc Breslow, Partner g) Michael Curto, Partner h) Adam Firestein, Partner i) Michael Futterman, Partner j) John Gabriel, Partner k) Cecelia Garber, Partner l) Kim Lamplough, Partner m) Michele Lipson, Partner n) Michael Novak, Partner Marcum LLP is managed by more than 140 partners around the country. Below is a list of partners from our local Florida offices. A complete list of partners around the country is available at www.marcumllp.com/people‐search.

33 10/20/2017 1:34 PM RFQ A2114499R1 ‐ Broward County IT Security and Com Category 1 ‐ Payment Card Industry (PCI) Services

Licensing Matrix Nettitude, Inc. d/b/a Nettitude Online Enterprises Inc. d/b/a Online Business Systems Optiv Security Plante & Moran, PLLC dba Plante Moran VENDOR QUESTIONNAIRE FORM Verify that these questions are the same as in the advertised solicitation: 1. Legal business name. Netitude, Inc. Online Enterprises Inc. Optiv Security Plante & Moran, PLLC

2. Doing Business As/ Fictitious Name (if applicable): Netitude Online Business Systems Optiv, Optiv Security Plante Moran

3. Federal Employer I.D. Number. 36‐4694227 41‐180 5060 43‐1806449 381357951 4. Dun & Bradstreet Number. (If applicable). 968240825 08‐6535676 01‐946‐6684 004913299 5. Website address (if applicable). www.Nettitude.com www.obsglobal.com optiv.com plantmoran.com 6. Principal place of business. 85 Broad Street, New York NY 10004 US Headquarters: 7760 France Ave. S., Minneapolis, MN 55435 USA 1125 17th St., Suite 1700 27400 Northwestern Hwy Canadian Headquarters: 200‐115 Bannatyne Avenue, Winnipeg, MB Denver, CO 80202‐2032 Southield, MI 48037 Canada R3B 0R3

7. Office Location for this project. 85 Broad Street, New York NY 10004 000 Kruse Way Place, Bldg 1 Suite 360 N/A Southfield, MI Lake Oswego, OR 97035

8. Telephone/Fax Number: Telephone no.:646‐795‐1881 Fax no.: Telephone no.:866.884.0304 Fax no.:503.224.5962 Telephone no.:(303) 298‐0600 Fax no.:(303) 298‐0868 Tel:248‐223‐3428 Fax no.:248‐603‐5997 9. Type of Business Corporation; S Corporation; Minneapolis Corporation; Delaware Limited Partnership 10. List Florida Registration Number. In Progress M11000002358 11. List name and title of each principal, owner, officer and major a) Rowland Johnson a) Chuck Loewen (Founder, Owner & CEO) a) Dan Burns ‐ CEO a) James Proppe, Managing Partner shareholder. b) Ben Densham b) Tim Siemens (CTO) b) David Roshak ‐ CFO b) Dnnis Graham, Group Managing Partner c) Martin Watts c) Lynne Black (CFO) c) Nate Brady ‐ CAO c) Frank Audia, CIO d) Mitchell Titley d) Veena Bricker ‐ CHRO d) Beth Bialy, Government Industry Group Leader

34 10/20/2017 1:34 PM RFQ A2114499R1 ‐ Broward County IT Security and Com Category 1 ‐ Payment Card Industry (PCI) Services

Verizon Business Network Services Licensing Matrix Presidio RSM US LLP Inc. d/b/a Verizon Business Services VENDOR QUESTIONNAIRE FORM Verify that these questions are the same as in the advertised solicitation: 1. Legal business name. Presidio RSM US LLP Verizon Business Network Services Inc. on behalf of MCI Communications Services Inc.

2. Doing Business As/ Fictitious Name (if applicable): d/b/a/ Verizon Business Services (Verizon Business or Verizon) 3. Federal Employer I.D. Number. 58‐1667655 FEIN‐42‐0714325 13‐2745892 4. Dun & Bradstreet Number. (If applicable). 15‐405‐0959 73482424 556565836 5. Website address (if applicable). www.presidio.com www.rsmus.com www.verizonenterprise.com 6. Principal place of business. 12120 Sunset HIlls Rd, Sutie 202 100 NE Third Ave, Suite, Fort Lauderdale, FL 33301 OneVerizon Way, Basking Ridge NJ 07920 Reston, Va 20190

7. Office Location for this project. 3250 W. Commercial Blvd Fort Lauderdale Tampa, FL Fort Lauderdale, Fl 33309

8. Telephone/Fax Number: 305‐606‐2835 954‐462‐6351 no.:(813) 520‐9786 Fax no.:813‐978‐6751 9. Type of Business LLC Limited Partnership Corporation; Delaware 10. List Florida Registration Number. L15000111335 ADP004384 829591 11. List name and title of each principal, owner, officer and major Regarding principals, owners, etc., not applicable. please see: shareholder. Presidio is a publicly owned company. http://www.verizon.com/about/investors/corp orate‐governance MCI Communications Services Inc. (100% Shareholder)

35 10/20/2017 1:34 PM RFQ A2114499R1 ‐ Broward County IT Security and Compliance Services Category 1 ‐ Payment Card Industry (PCI) Services

Prime: Carahsoft Technology Corp Licensing Matrix 1st Secure IT LLC ATT Solution Provider: Trustwave 12. Authorized contacts for your firm. Name: STEPHEN M DEWSNAP Name: Dwayne Stafford Name: Aaron Giannini Title: Managing Partner Title: Strategic Account Lead Title: Account Representative E‐mail: [email protected] E‐mail: [email protected] E‐mail: [email protected] Telephone No.: 866‐735‐3369 x110 Telephone No.: 786‐479‐4113 Telephone No.: 703.889.9848 Name: MARK AKINS Name: Esther Martin Name: Jennifer Taha Title: Managing Partner Title: Strategic Account Lead Title: Proposals Director E‐mail: [email protected] E‐mail: [email protected] E‐mail: [email protected] Telephone No.: 866‐735‐3369 x120 Telephone No.: 305‐582‐9541 Telephone No.: 703.871.8556

13. Has your firm, its principals, officers or predecessor organization(s) No No No been debarred or suspended by any government entity within the last three years? If yes, specify details in an attached written response.

14. Has your firm, its principals, officers or predecessor organization(s) No No No ever been debarred or suspended by any government entity? If yes, specify details in an attached written response, including the reinstatement date, if granted.

15. Has your firm ever failed to complete any services and/or delivery No We are unaware of any work completion issues that would impair our ability to meet No of products during our obligations under any contract. AT&T is a large company with an international the last three (3) years? If yes, specify details in an attached written presence and significant contractual relations. Given the size and scope of our response. business, we from time to time over our history have been involved in occasional alleged contract performance claims and legal actions. However, AT&T is a well‐ capitalized company with assets in excess of any outstanding claims or lawsuits. As such, we are unaware of any contact performance claim or legal action that would preclude or impair our ability to meet our obligations or perform our duties under any contract. We serve millions of customers around the globe, and we'll work hard to honor our promises.

36 10/20/2017 1:34 PM RFQ A2114499R1 ‐ Broward County IT Security and Com Category 1 ‐ Payment Card Industry (PCI) Services

Licensing Matrix Crowe Horwath LLP Enterprise Risk Management, Inc. Focal Point Data Risk LLC 12. Authorized contacts for your firm. Name: Craig Sullivan Name: Silka Gonzalez Name: Andrew Cannata Title: Partner Title: President Title: Principal, Cyber Security E‐mail: [email protected] E‐mail: [email protected] E‐mail: acannata@focal‐point.com Telephone No.: 574.236.7618 Telephone No.: 305‐447‐6750 Telephone No.: (813) 731‐9074 Name: Michelle Miller Name: Eric Dieterich Title: COO Title: Principal, Data Privacy E‐mail: [email protected] E‐mail: edieterich@focal‐point.com Telephone No.: 305‐447‐6750 Telephone No.: (786) 390‐1490

15. Has your firm ever failed to complete any services and/or delivery Yes, Like all large professional service firms, Crowe is, from time to time, subject to contract No No of products during disputes or issues where contracts may be terminated for a variety of reasons, including without the last three (3) years? If yes, specify details in an attached written limitation lack of client funding, disputes over the scope of the work, or payment disputes. response. Through active management and communication with our clients, Crowe is usually successful in anticipating such areas and working with the client to mitigate these issues.

37 10/20/2017 1:34 PM RFQ A2114499R1 ‐ Broward County IT Security and Com Category 1 ‐ Payment Card Industry (PCI) Services

Prime: Marcum LLP Licensing Matrix Foresite MSP LLC Sub: 24by7 Security Merchant Preservation Services, LLC d/b/a CampusGuard 12. Authorized contacts for your firm. Jason Leduc Name: Mark Agulnik Name: Andy Grant VP Cyber Security Services Title: Partner Title: Director, National Business Development [email protected] E‐mail: [email protected] E‐mail: [email protected] 732‐674‐0871 Telephone No.: 954‐320‐8000, Ext. 38013 Telephone No.: 419‐873‐7016 Name: Jose Antigua Name: Ron King John Lavelle Title: Senior Manager Title: President Controller E‐mail: [email protected] E‐mail: [email protected] [email protected] Telephone No.: 954‐320‐800, 38054 Telephone No.: 972‐964‐8884 800‐940‐4699 ext 227 13. Has your firm, its principals, officers or predecessor organization(s) No No No been debarred or suspended by any government entity within the last three years? If yes, specify details in an attached written response.

15. Has your firm ever failed to complete any services and/or delivery No No No of products during the last three (3) years? If yes, specify details in an attached written response.

38 10/20/2017 1:34 PM RFQ A2114499R1 ‐ Broward County IT Security and Com Category 1 ‐ Payment Card Industry (PCI) Services

Licensing Matrix Nettitude, Inc. d/b/a Nettitude Online Enterprises Inc. d/b/a Online Business Systems Optiv Security Plante & Moran, PLLC dba Plante Moran 12. Authorized contacts for your firm. Name: Miles Corn Name: Steve Levinson Name: Doug Hart Name: Raj Patel Title: Head of Bid Management Title: Vice President, Risk, Security & Privacy Title: Client Manager Title: Partner E‐mail: [email protected] E‐mail: [email protected] E‐mail: [email protected] E‐mail: [email protected] Telephone No.: 646‐795‐1881 Telephone No.: 619.701.8614 Telephone No.: 305‐972‐8137 Telephone No.: 248‐223‐3428 Name: Karen Bolton Name: Michael Mangra Name: Scott Eiler Title: EVP & Leader North America Title: Solutions Architects Title: Partner E‐mail: [email protected] E‐mail: [email protected] E‐mail: [email protected] Telephone No.: 646‐795‐1898 Telephone No.: 561‐670‐1536 Telephone No.: 248‐223‐3447

13. Has your firm, its principals, officers or predecessor organization(s) No No No No been debarred or suspended by any government entity within the last three years? If yes, specify details in an attached written response.

14. Has your firm, its principals, officers or predecessor organization(s) No No No No ever been debarred or suspended by any government entity? If yes, specify details in an attached written response, including the reinstatement date, if granted.

15. Has your firm ever failed to complete any services and/or delivery No No No No of products during the last three (3) years? If yes, specify details in an attached written response.

39 10/20/2017 1:34 PM RFQ A2114499R1 ‐ Broward County IT Security and Com Category 1 ‐ Payment Card Industry (PCI) Services

Verizon Business Network Services Licensing Matrix Presidio RSM US LLP Inc. d/b/a Verizon Business Services 12. Authorized contacts for your firm. Name: Jill Finkelstein Jason Alexander Name: Frank Parra Title: Business Development Manager Principal Title: Sr. Client Executive E‐mail: [email protected] 786‐239‐4279 E‐mail: [email protected] Telephone No.: 305‐606‐2835 Telephone No.: (813) 520‐9786 Name: Ralph Gentile Title: Sales Lead E‐mail: [email protected] Telephone No.: 954‐817‐0690

15. Has your firm ever failed to complete any services and/or delivery No No No of products during the last three (3) years? If yes, specify details in an attached written response.

40 10/20/2017 1:34 PM RFQ A2114499R1 ‐ Broward County IT Security and Compliance Services Category 1 ‐ Payment Card Industry (PCI) Services

Prime: Carahsoft Technology Corp Licensing Matrix 1st Secure IT LLC ATT Solution Provider: Trustwave 16. Is your firm or any of its principals or officers currently principals or Yes. Yes No officers of another organization? If yes, specify details in an attached Dewsnap, Stephen written response. • Microliance, LLC – Partner • Interlink Commerce, LLC – Partner Espana, Alberto • Payment Power, Inc. Finizio, Stephen • Advantage Networking ‐ Owner • Advantage Web Consulting ‐ Owner • Tend Skin Store ‐ Partner Dewsnap, Edward • Microliance, LLC – Partner • Interlink Commerce, LLC ‐ Partner

18. Has your firm’s surety ever intervened to assist in the completion No No No of a contract or have Performance and/or Payment Bond claims been made to your firm or its predecessor’s sureties during the last three years? If yes, specify details in an attached written response, including contact information for owner and surety.

19. Has your firm ever failed to complete any work awarded to you, No We are unaware of any work completion issues that would impair our ability to meet No services and/or our obligations under any contract. AT&T is a large company with an international delivery of products during the last three (3) years? If yes, specify presence and significant contractual relations. Given the size and scope of our details in an business, attached written response. we from time to time over our history have been involved in occasional alleged contract performance claims and legal actions. However, AT&T is a well‐capitalized company with assets in excess of any outstanding claims or lawsuits. As such, we are unaware of any contact performance claim or legal action that would preclude or impair our ability to meet our obligations or perform our duties under any contract. We serve millions of customers around the globe, and we'll work hard to honor our promises.

41 10/20/2017 1:34 PM RFQ A2114499R1 ‐ Broward County IT Security and Com Category 1 ‐ Payment Card Industry (PCI) Services

Licensing Matrix Crowe Horwath LLP Enterprise Risk Management, Inc. Focal Point Data Risk LLC 16. Is your firm or any of its principals or officers currently principals or No No No officers of another organization? If yes, specify details in an attached written response.

19. Has your firm ever failed to complete any work awarded to you, Yes, Like all large professional service firms, Crowe is, from time to time, subject to contract No No services and/or disputes or issues where contracts may be terminated for a variety of reasons, including without delivery of products during the last three (3) years? If yes, specify limitation lack of client funding, disputes over the scope of the work, or payment disputes. details in an Through active management and communication with our clients, Crowe is usually successful in attached written response. anticipating such areas and working with the client to mitigate these issues.

42 10/20/2017 1:34 PM RFQ A2114499R1 ‐ Broward County IT Security and Com Category 1 ‐ Payment Card Industry (PCI) Services

Prime: Marcum LLP Licensing Matrix Foresite MSP LLC p// p /Sub: / 24by7 Securitygp Merchant Preservation Services, LLC d/b/a CampusGuard 16. Is your firm or any of its principals or officers currently principals or Principal invests in multiple businesses Marcum Group is an organization providing a comprehensive range of No officers of another organization? If yes, specify details in an attached professional services spanning accounting and advisory, technology solutions, written response. wealth management and executive and professional recruiting. MARCUM LLP Marcum LLP is one of the largest independent public accounting and advisory services firms in the nation, with offices in major business markets throughout the U.S., Grand Cayman and China. MARCUM FINANCIAL SERVICES Marcum Financial Services was founded in late 2009 by combining the expertise of several professionals and firms with extensive investment, financial and business experiences. MARCUM SEARCH Marcum Search LLC offers professional recruiting services. Our recruiters recognize the importance of working closely with companies and prospective candidates to ensure the perfect match. MARCUM TECHNOLOGY Marcum Technology LLC is a full‐service integrated solutions vendor (ISV) specializing in data storage, disaster recovery, network infrastructure, IT staffing and managed services. MARCUM BERNSTEIN & PINCHUK Marcum Bernstein & Pinchuk is an independent public accounting firm. We provide a full range of audit and assurance, tax and transaction advisory services for clients in a variety of industries. MARCUM RBK (IRELAND) LIMITED Marcum RBK is a service center for current and future hedge fund and private equity fund clients of the Marcum Alternative Investment Group.

19. Has your firm ever failed to complete any work awarded to you, No Our firm enters in to Engagement letters with clients that allow for cessation of No services and/or work and/or termination by either party in certain circumstances. delivery of products during the last three (3) years? If yes, specify details in an attached written response.

43 10/20/2017 1:34 PM RFQ A2114499R1 ‐ Broward County IT Security and Com Category 1 ‐ Payment Card Industry (PCI) Services

Licensing Matrix Nettitude, Inc. d/b/a Nettitude Online Enterprises Inc. d/b/a Online Business Systems Optiv Security Plante & Moran, PLLC dba Plante Moran 16. Is your firm or any of its principals or officers currently principals or No No No No officers of another organization? If yes, specify details in an attached written response.

18. Has your firm’s surety ever intervened to assist in the completion No No No No of a contract or have Performance and/or Payment Bond claims been made to your firm or its predecessor’s sureties during the last three years? If yes, specify details in an attached written response, including contact information for owner and surety.

19. Has your firm ever failed to complete any work awarded to you, No No No No services and/or delivery of products during the last three (3) years? If yes, specify details in an attached written response.

44 10/20/2017 1:34 PM RFQ A2114499R1 ‐ Broward County IT Security and Com Category 1 ‐ Payment Card Industry (PCI) Services

Verizon Business Network Services Licensing Matrix Presidio RSM US LLP Inc. d/b/a Verizon Business Services 16. Is your firm or any of its principals or officers currently principals or No No No officers of another organization? If yes, specify details in an attached written response.

19. Has your firm ever failed to complete any work awarded to you, No No No services and/or delivery of products during the last three (3) years? If yes, specify details in an attached written response.

45 10/20/2017 1:34 PM RFQ A2114499R1 ‐ Broward County IT Security and Compliance Services Category 1 ‐ Payment Card Industry (PCI) Services

Prime: Carahsoft Technology Corp Licensing Matrix 1st Secure IT LLC ATT Solution Provider: Trustwave 20. Has your firm ever been terminated from a contract within the last No Except for material matters that AT&T discloses in filings with the Securities and No three years? If yes, Exchange Commission or otherwise discloses in response to subpoenas or other valid specify details in an attached written response. court orders, AT&T is legally and contractually prohibited from disclosing information to third parties about contractual matters. Also, due to the size and scale of AT&T’s operations, as a practical matter, AT&T cannot state with absolute certainty whether AT&T has defaulted under a contract. Notwithstanding the legal and practical restrictions that limit AT&T’s ability to disclose specific contract performance issues, AT&T can assure Customer that AT&T is capable of performing the services requested under this RFP and that AT&T has no history or pattern of performance issues with other customers that would affect AT&T’s ability to perform the services requested by Customer. AT&T reiterates that AT&T is not aware of any circumstances involving performance under another contract which would materially and adversely impact AT&T’s ability to perform services for Customer. Moreover, AT&T is not aware of any circumstance when AT&T was not awarded a bid due to non‐performance concerns about AT&T by the entity sponsoring a particular procurement. AT&T is forced to qualify such assurances to the best of its knowledge due to the scale and scope of AT&T’s operations. AT&T will not be able to provide such assurances with absolute certainty with respect to every contract or bid opportunity in which AT&T has participated.

21. Living Wage solicitations only: N/A No N/A

46 10/20/2017 1:34 PM RFQ A2114499R1 ‐ Broward County IT Security and Com Category 1 ‐ Payment Card Industry (PCI) Services

Licensing Matrix Crowe Horwath LLP Enterprise Risk Management, Inc. Focal Point Data Risk LLC 20. Has your firm ever been terminated from a contract within the last Yes, Like all large professional service firms, Crowe is, from time to time, subject to contract No No three years? If yes, disputes or issues where contracts may be terminated for a variety of reasons, including without specify details in an attached written response. limitation lack of client funding, disputes over the scope of the work, or payment disputes. Through active management and communication with our clients, Crowe is usually successful in anticipating such areas and working with the client to mitigate these issues.

21. Living Wage solicitations only: N/A N/A

47 10/20/2017 1:34 PM RFQ A2114499R1 ‐ Broward County IT Security and Com Category 1 ‐ Payment Card Industry (PCI) Services

Prime: Marcum LLP Licensing Matrix Foresite MSP LLC Sub: 24by7 Security Merchant Preservation Services, LLC d/b/a CampusGuard 20. Has your firm ever been terminated from a contract within the last No Our firm enters in to Engagement letters with clients that allow for cessation of No three years? If yes, work and/or termination by either party in certain circumstances. specify details in an attached written response.

21. Living Wage solicitations only: N/A N/A N/A

48 10/20/2017 1:34 PM RFQ A2114499R1 ‐ Broward County IT Security and Com Category 1 ‐ Payment Card Industry (PCI) Services

Licensing Matrix Nettitude, Inc. d/b/a Nettitude Online Enterprises Inc. d/b/a Online Business Systems Optiv Security Plante & Moran, PLLC dba Plante Moran 20. Has your firm ever been terminated from a contract within the last No No No No – Plante Moran is not aware of any client terminating a three years? If yes, contract involving the provision of information technology specify details in an attached written response. security and compliance services. As one of the country’s largest accounting and consulting firms with thousands of annual engagements, there likely have been instances during the last three years where clients receiving tax or accounting‐related services have elected to use other service providers for their particular needs. Plante Moran’s record of client service and satisfaction is best in class, with 99% of clients indicating they would recommend Plante Moran to others.

21. Living Wage solicitations only: N/A N/A N/A N/A

49 10/20/2017 1:34 PM RFQ A2114499R1 ‐ Broward County IT Security and Com Category 1 ‐ Payment Card Industry (PCI) Services

Verizon Business Network Services Licensing Matrix Presidio RSM US LLP Inc. d/b/a Verizon Business Services 20. Has your firm ever been terminated from a contract within the last No No No three years? If yes, specify details in an attached written response.

21. Living Wage solicitations only: N/A N/A N/A

50 10/20/2017 1:34 PM RFQ A2114499R1 ‐ Broward County IT Security and Compliance Services Category 2 ‐ Health Insurance Portability and Accountability Act (HIPAA) Services

Prime: Carahsoft Technology Corp Licensing Matrix ATT Solution Provider: Trustwave Crowe Horwath LLP Enterprise Risk Management, Inc. RESPONSIBILTY REQUIREMENTS Servers and Workers Located in the USA Provided ‐ PDF Pg. 569 Provided ‐ See Page 47 Provided ‐ See PDF Pg. 9 Provided Attestation Form AND 1.Healthcare Information Security and Privacy Not Provided Not Provided Provided Not Provided Practitioner (HCISPP) on staff and proposed key Requirement Met Requirement Met Requirement Met Requirement Met team member OR Certified Information Systems Security Provided Provided Provided Provided Professional (CISSP) on staff and proposed key Requirement Met Requirement Met Requirement Met Requirement Met team member OR Certified Information Systems Auditor (CISA) on staff and proposed key team member Not Provided Not Provided Not Provided Provided Requirement Met Requirement Met Requirement Met Requirement Met

FORMS Vendor Questionnaire Form Provided Provided Provided Provided

Provided Provided Vendor Security Questionnaire Form Provided Provided

1 10/20/2017 1:35 PM RFQ A2114499R1 ‐ Broward Coun Category 2 ‐ Health Insurance Por

Prime: Marcum LLP Licensing Matrix Focal Point Data Risk LLC Foresite MSP LLC Global Information Intelligence LLC Sub: 24by7 Security RESPONSIBILTY REQUIREMENTS Servers and Workers Located in the USA Provided Provided Provided Provided Attestation Form AND 1.Healthcare Information Security and Privacy Not Provided Provided Not Provided Provided Practitioner (HCISPP) on staff and proposed key Requirement Met Requirement Met Requirement Met Requirement Met team member OR Certified Information Systems Security Not Provided Provided Provided Provided Professional (CISSP) on staff and proposed key Requirement Met Requirement Met Requirement Met Requirement Met team member OR Certified Information Systems Auditor (CISA) on staff and proposed key team member Provided Not Provided Provided Provided Requirement Met Requirement Met Requirement Met Requirement Met

FORMS Vendor Questionnaire Form Provided Provided Provided Provided

Provided Provided Provided Vendor Security Questionnaire Form Provided

2 10/20/2017 1:35 PM RFQ A2114499R1 ‐ Broward Coun Category 2 ‐ Health Insurance Por

Online Enterprises Inc. d/b/a Online Business Licensing Matrix MGT of America Consulting, LLC Nettitude, Inc. d/b/a Nettitude Systems Optiv Security RESPONSIBILTY REQUIREMENTS Servers and Workers Located in the USA Provided ‐ See PDF Pg. 23 Provided ‐ See PDF Pg. 42 Provided ‐ See PDF Pg. 309 Provided Attestation Form AND 1.Healthcare Information Security and Privacy Not Provided Not Provided Not Provided Not Provided Practitioner (HCISPP) on staff and proposed key Requirement Met Requirement Met Requirement Met Requirement Met team member OR Certified Information Systems Security Provided Provided Provided Provided Professional (CISSP) on staff and proposed key Requirement Met Requirement Met Requirement Met Requirement Met team member OR Certified Information Systems Auditor (CISA) on staff and proposed key team member Not Provided Provided Not Provided Provided Requirement Met Requirement Met Requirement Met Requirement Met

FORMS Vendor Questionnaire Form Provided Provided Provided Provided

Provided Provided Provided Provided Vendor Security Questionnaire Form

3 10/20/2017 1:35 PM RFQ A2114499R1 ‐ Broward Coun Category 2 ‐ Health Insurance Por

Licensing Matrix Plante & Moran, PLLC dba Plante Moran Presidio RSM US LLP Securance LLC RESPONSIBILTY REQUIREMENTS Servers and Workers Located in the USA Provided Provided Provided Provided Attestation Form AND 1.Healthcare Information Security and Privacy Not Provided Not Provided Not Provided Not Provided Practitioner (HCISPP) on staff and proposed key Requirement Met Requirement Met Requirement Met Requirement Met team member OR Certified Information Systems Security Not Provided Provided Provided Provided Professional (CISSP) on staff and proposed key Requirement Met Requirement Met Requirement Met Requirement Met team member OR Certified Information Systems Auditor (CISA) on staff and proposed key team member Provided Provided Provided Provided Requirement Met Requirement Met Requirement Met Requirement Met

FORMS Vendor Questionnaire Form Provided Provided Provided Provided

Provided Provided Provided Provided Vendor Security Questionnaire Form

4 10/20/2017 1:35 PM RFQ A2114499R1 ‐ Broward Coun Category 2 ‐ Health Insurance Por

Verizon Business Network Services Inc. d/b/a Licensing Matrix SHI International Corp Verizon Business Services RESPONSIBILTY REQUIREMENTS Servers and Workers Located in the USA Provided Provided Attestation Form AND 1.Healthcare Information Security and Privacy Not Provided Not Provided Practitioner (HCISPP) on staff and proposed key Requirement Met Requirement Met team member OR Certified Information Systems Security Provided Provided Professional (CISSP) on staff and proposed key Requirement Met Requirement Met team member OR Certified Information Systems Auditor (CISA) on staff and proposed key team member Not Provided Provided Requirement Met Requirement Met

FORMS Vendor Questionnaire Form Provided Provided

Provided Provided Vendor Security Questionnaire Form

5 10/20/2017 1:35 PM RFQ A2114499R1 ‐ Broward County IT Security and Compliance Services Category 2 ‐ Health Insurance Portability and Accountability Act (HIPAA) Services

Prime: Carahsoft Technology Corp Licensing Matrix ATT Solution Provider: Trustwave Crowe Horwath LLP Enterprise Risk Management, Inc. EVALUATION CRITERIA 1. Ability of Professional Personnel: a. Describe the qualifications and relevant See PDF Pg. 16. See PDF Pgs. 158‐159. Appendix A ‐ Resumes (PDF Pgs. 172‐176). See Resumes PDF Pgs. 35 ‐ 47; Certifications ‐ PDF Pgs. 48 experience of the Project Manager and all key "CONFIDENTIAL" Trustwave knows the ins and outs of risk. And we want you to Appendix B ‐ Relevant Certifications (PDF Pgs. 182‐184). ‐ 50 staff that are intended to be assigned to services understand risk, too. Our Global Compliance and Risk Services Jared Hamilton, CISSP, Senior Manager, 13 years experience Silka M. Gonzalez, CPA, CISSP, CISM, CISA, CITP, CRISC, performed within this category. Include resumes Pgs 418‐568 AT&T Proprietary: The information contained herein is for team serves as trusted advisors who operate alongside your Candice Moschell, CISSP, Manager 30+ years experience for the Project Manager and all key staff use by authorized persons only and is not for general distribution. internal team. Our Global Compliance and Risk Services staff is Amy Justice, Senior Staff, 10 years experience Esteban Orlando Farao, CISSP, CISA, CISO, CRISC, CEH, described particularly with respect to HIPAA’s made up of Qualified Security Assessors (QSAs) and our Morgan Strobel, Senior Consultant, 5+ years experience QSA, and PCIP.PCI QSA, 20+ years experience security regulations. consultants hold various other industry certifications including Christopher Steven Sanchez, Information Security CISSP, CISM, and CISA certifications, among others. The team Consultant, Extensive experience completing penetration averages more than eight years of experience in IT security, testing information security as well as extensive compliance, audit and Maria Rogers, CEH, CCFE, Extensive experience in consulting expertise. The Global Compliance and Risk Services software testing and Digital Forensics team (GCRS) is backed by our SpiderLabs team to keep you Animesh Srivastava, Extensive experience competing ahead of the latest threats and is also sponsored by a Senior regulatory compliance assessments Compliance Support Analyst to ensure your project runs smoothly. We will customize your engagement, assess what is unique about your business challenges and scale with your business needs.

b. List any other relevant Security and See PDF Pg. 472 ‐ 473 See PDF Pg. 16. See PDF Pgs. 158‐159. Appendix A ‐ Resumes (PDF Pgs. 172‐176). See Resumes PDF Pgs. 35 ‐ 47; Certifications ‐ PDF Pgs. 48 Compliance certifications that the Project Please see the representative biographies embedded below, Appendix B ‐ Relevant Certifications (PDF Pgs. 182‐184). ‐ 50 Manager and key staff described may have. "CONFIDENTIAL" which includes the typical certifications held Jared Hamilton, CISSP, Senior Manager, 13 years experience Silka M. Gonzalez, CPA, CISSP, CISM, CISA, CITP, CRISC, Include copies of certificates, if applicable. by the resources who may be assigned to your project. Candice Moschell, CISSP, Manager 30+ years experience Pgs 418‐568 AT&T Proprietary: The information contained herein is for Amy Justice, Senior Staff, 10 years experience Esteban Orlando Farao, CISSP, CISA, CISO, CRISC, CEH, use by authorized persons only and is not for general distribution. Morgan Strobel, Senior Consultant, 5+ years experience QSA, and PCIP.PCI QSA, 20+ years experience Christopher Steven Sanchez, Information Security Consultant, Extensive experience completing penetration testing Maria Rogers, CEH, CCFE, Extensive experience in software testing and Digital Forensics Animesh Srivastava, Extensive experience competing regulatory compliance assessments

6 10/20/2017 1:35 PM RFQ A2114499R1 ‐ Broward Coun Category 2 ‐ Health Insurance Por

Prime: Marcum LLP Licensing Matrix Focal Point Data Risk LLC Foresite MSP LLC Global Information Intelligence LLC Sub: 24by7 Security EVALUATION CRITERIA 1. Ability of Professional Personnel: a. Describe the qualifications and relevant See PDF Pg. 60 ‐ See Bios ‐ Jason L, Specialities: Compliance and Network Security, 20+ years See PDF Pg. 7, 76 See PDF Pg. 19 experience of the Project Manager and all key *Eric Dieterich – Principal, CISA, CRISC, CIPP/US. Eric is a Principal with experience, QSA PCI, PA QSA, PCIP PCI, SANS GIAC GSNA, GCIH, GPEN Principal and Senior INFORMATION TECHNOLOGY (IT) SECURITY For Marcum LLP’s proposed key staff, please see profiles and certificates staff that are intended to be assigned to services Focal Point, leading their national privacy practice. Thomas A, Specialities, Compliance and Network Security, 15+ years AND COMPLIANCE SERVICES Expert: Dr. Emmanuel Hooper, PhD, available in Appendix A. performed within this category. Include resumes Franchesca Sanabria – Principal, CIPP/US, CISA, HITRUST CCSFP. experience, QSA PCI, CISSP, HCISSP PhD, PhD Information Security and Computing Sciences (Over 30 Marcum has partnered with the firm of 24by7Security to help fulfill the for the Project Manager and all key staff Franchesca is a Principal at Focal Point in the National Data Privacy John W, Compliance, Network Security, and Incident Response/Digital years of Professional Experience and 25 years of Research, services of the engagement, please see profiles and certificates available in described particularly with respect to HIPAA’s Practice. She has over 12 years of experience in governance.... Forensics, QSA PCI, PA QSA, CISSP Harvard and Yale Alumnus, Summa Cum Laude, and Oxford Appendix A. security regulations. Jennifer Martin – Director, CIPP/US. Jennifer has over 15 years of Keith K, GRC, Security Architecture and Audit, 20+ years experience, CISSP Research, etc.) experience working in the compliance and audit industries, including Bradley A, Penetration Testing, 15+ years of experience, CISSP, OSCE, OSCP, Global Information Intelligence LLC (100% Small Business, privacy and SOX compliance. CEH, SANS GIAC Minority, and Women Owned) Melinda Tijerino – Senior Manager, CIPP/US. Melinda has been By President, Dr. Emmanuel Hooper, PhD, PhD, PhD Computing involved in executing both audit and compliance assessments (e.g., Sciences and Information Security Founder, Consortium for HIPAA, GLBA, GAPP). Emerging Technologies‐Harvard, Exemplary Models for Donel Martinez – Senior Manager, CISA, CAMS. Donel Martinez is a Federal, State, Local, Counties, Cities, Private/Public Sectors, Senior Manager in the South Florida office of Focal Point. Academia & Industry and Global Conduct intelligent and Catherine Kim – Manager, Esq., CIPP/US, CIPM. Catherine is a HIPAA proactive services within this category based on proven and subject matter expert and has been involved with numerous HIPAA experience understanding of HIPAA regulations (including and data privacy related projects. HIPAA/HITECH, BAA, OCR, Audit, Breach Notification Enforcement, ...... NIST 800‐66, etc., including activities related to HIPAA compliance. Examples of specific activities included but not be limited to HIPAA auditing, risk analysis, technical and policy assessments, remediation and consulting.

b. List any other relevant Security and See PDF Pgs. 157 ‐ 158 See Bios ‐ Jason L, Specialities: Compliance and Network Security, 20+ years See PDF Pg. 7, 76 See PDF PG. 19 Compliance certifications that the Project Project Advisor – Andrew Cannata, Principal, CISSP, QSA, CISM, 25+ experience, QSA PCI, PA QSA, PCIP PCI, SANS GIAC GSNA, GCIH, GPEN Principal and Senior INFORMATION TECHNOLOGY (IT) SECURITY For Marcum LLP’s and 24by7Security’s proposed key staff, please see profiles Manager and key staff described may have. years experience Thomas A, Specialities, Compliance and Network Security, 15+ years AND COMPLIANCE SERVICES Expert: Dr. Emmanuel Hooper, PhD, and certificates available Include copies of certificates, if applicable. Chris Sullo – Practice Lead, CISSP, RHCE, RHCT, 20+ years experience, QSA PCI, CISSP, HCISSP PhD, PhD Information Security and Computing Sciences (Over 30 in Appendix A. Peter Hefley – Senior Manager, GPEN, CISSP, GREM, CISA. Peter has a John W, Compliance, Network Security, and Incident Response/Digital years of Professional Experience and 25 years of Research, Client Service and Engagement Partner: broad base of experience in systems administration, network security, Forensics, QSA PCI, PA QSA, CISSP Harvard and Yale Alumnus, Summa Cum Laude, and Oxford Mark Agulnik, Partner information warfare, and cryptography. Keith K, GRC, Security Architecture and Audit, 20+ years experience, CISSP Research, etc.) CPA, CISA, PCI‐QSA Steve Tornio – Senior Manager, OSCP, CISSP. Steve has been active Bradley A, Penetration Testing, 15+ years of experience, CISSP, OSCE, OSCP, Global Information Intelligence LLC (100% Small Business, Marcum, LLP within the security community for the past 20 years CEH, SANS GIAC Minority, and Women Owned) Co‐Engagement Lead: Anthony Miller‐Rhodes – Senior Consultant. Anthony has several years By President, Dr. Emmanuel Hooper, PhD, PhD, PhD Computing Sanjay Deo, Principal Security Consultant of security experience involving penetration testing and software Sciences and Information Security Founder, Consortium for CISSP, HCISPP development of offensive and defensive Emerging Technologies‐Harvard, Exemplary Models for 24By7Security, Inc. capabilities. Federal, State, Local, Counties, Cities, Private/Public Sectors, Senior Security Consultant: Eric Turner – Senior Consultant, OSCP. Eric is a Senior Consultant with Academia & Industry and Global Conduct intelligent and Michael Brown, Senior Security Consultant over four years of penetration testing experience and as a general proactive services within this category based on proven and CISSP, HCISPP, CISA, CRISC, CISM, CGEIT network.... experience understanding of HIPAA regulations (including 24By7Security, Inc. Jeremy Archer – Senior Consultant, GCED, OSCP, CCNA, CISSP. Jeremy HIPAA/HITECH, BAA, OCR, Audit, Breach Notification Enforcement, Senior Security Consultant: has over 20 years of information technology and security NIST 800‐66, etc., including activities related to HIPAA compliance. Patrick Parker, Senior Security Consultant experience,.... Examples of specific activities included but not be limited to 24By7Security, Inc. Rob Ditmer – Consultant, GPEN, CISSP. Rob has over six years of HIPAA auditing, risk analysis, technical and policy assessments, experience in information technology and security remediation and consulting......

7 10/20/2017 1:35 PM RFQ A2114499R1 ‐ Broward Coun Category 2 ‐ Health Insurance Por

Online Enterprises Inc. d/b/a Online Business Licensing Matrix MGT of America Consulting, LLC Nettitude, Inc. d/b/a Nettitude Systems Optiv Security EVALUATION CRITERIA 1. Ability of Professional Personnel: a. Describe the qualifications and relevant See PDF Pgs. 49‐52. See PDF Pg. 15. See PDF Pgs. 6 ‐ 7. See PDF . Pg. 234 experience of the Project Manager and all key Tony Martinez, Project Manager, Project Management, Vulnerability Shai Canaan, Senior Security Consultant, 15+ years experience, PCI QSA, PA Steve Levinson (VP, Risk Security & Privacy Consulting), The security, privacy and business concerns of our staff that are intended to be assigned to services Assessment, Physical Penetration Testing, Network Penetration Testing, Web QSA, ISO 27001 Lead Auditor, Certified Information Systems Auditor (CISA), 25+ years experience, CISSP clients‐both current and past‐are of the highest performed within this category. Include resumes Application Penetration Testing, Security Auditing, Secure Code Reviews, Certified Information Systems Security Professional Adam Kehler, 20+ years expereince, CISSP priority. for the Project Manager and all key staff Disaster Reovery/ Business Continuity Planning, Security Policy Design (CISSP), Certified in Risk and Information Systems Control (CRISC) Rob Harvey, Director of Online's Risk, Security & Privacy As such, we must respectfully decline to provide described particularly with respect to HIPAA’s Steve Porter, CISSP, GPEN, GWAPT, QSA, CEH, GICSP, GMOB, GCIH, Ben Rothke, Senior Security Consultant, PCI QSA, Certified Information Consulting Practice, 12+ years experience specific contact names and details for potential security regulations. Vulnerability Assessment, Network Penetration Testing, PCI‐DSS Preparation Security Manager (CISM), Certified in the Governance of the Enterprise IT Greg High, Principal Consultant, CISSP, CISM, 8+ years references at this stage. However, a number of our & Remediation, Security Auditing, Database Security, Secure Code Reviews, (CGEIT), Certified Information Systems Auditor (CISA), Certified in Risk and experience clients from recent engagements would be willing to Firewall Administration, System Hardening and Patching, Disaster Information Systems Control (CRISC), Certified Information Systems Security entertain an informal conversation with their peers to Recovery/Business Continuity Planning & Design, Security Policy Design, Log Professional (CISSP) discuss their use of the products and services they Management Planning, Design, Administration were provided which we can help facilitate at the Henri St. Louis, CISSP, QSA, GCFE, OPST, Vulnerability Assessment, Network appropriate time. Penetration Testing, PCI‐DSS Preparation & Remediation, Security Auditing, Database Security, Secure Code Reviews, System Hardening and Patching, Disaster Recovery/Business Continuity Planning & Design, Security Policy Design JJ Maria Giner, GPEN, Vulnerability Assessment, Network Penetration Testing, Web Application Penetration Testing

b. List any other relevant Security and See PDF Pgs. 49‐52. See PDF Pg. 15. See PDF Pg. 254 See PDF . Pg. 234 Compliance certifications that the Project Tony Martinez, Project Manager, Project Management, Vulnerability Shai Canaan, Senior Security Consultant, 15+ years experience, PCI QSA, PA The security, privacy and business concerns of our Manager and key staff described may have. Assessment, Physical Penetration Testing, Network Penetration Testing, Web QSA, ISO 27001 Lead Auditor, Certified Information Systems Auditor (CISA), Steve Levinson (VP, Risk Security & Privacy Consulting), clients‐both current and past‐are of the highest Include copies of certificates, if applicable. Application Penetration Testing, Security Auditing, Secure Code Reviews, Certified Information Systems Security Professional 25+ years experience, CISSP priority. Disaster Reovery/ Business Continuity Planning, Security Policy Design (CISSP), Certified in Risk and Information Systems Control (CRISC) Adam Kehler, 20+ years expereince, CISSP As such, we must respectfully decline to provide Steve Porter, CISSP, GPEN, GWAPT, QSA, CEH, GICSP, GMOB, GCIH, Ben Rothke, Senior Security Consultant, PCI QSA, Certified Information Rob Harvey, Director of Online's Risk, Security & Privacy specific contact names and details for potential Vulnerability Assessment, Network Penetration Testing, PCI‐DSS Preparation Security Manager (CISM), Certified in the Governance of the Enterprise IT Consulting Practice, 12+ years experience references at this stage. However, a number of our & Remediation, Security Auditing, Database Security, Secure Code Reviews, (CGEIT), Certified Information Systems Auditor (CISA), Certified in Risk and Greg High, Principal Consultant, CISSP, CISM, 8+ years clients from recent engagements would be willing to Firewall Administration, System Hardening and Patching, Disaster Information Systems Control (CRISC), Certified Information Systems Security experience entertain an informal conversation with their peers to Recovery/Business Continuity Planning & Design, Security Policy Design, Log Professional (CISSP) discuss their use of the products and services they Management Planning, Design, Administration See PDF Pgs. 6 ‐ 7. Online’s Risk, Security and Privacy were provided which we can help facilitate at the Henri St. Louis, CISSP, QSA, GCFE, OPST, Vulnerability Assessment, Network consultants hold certifications such as QSA, CISSP, CCSP, appropriate time. Penetration Testing, PCI‐DSS Preparation & Remediation, Security Auditing, CIPP, CRISC, CISM, PCI QSA, PCI‐P, CEH, and CISA to name Database Security, Secure Code Reviews, System Hardening and Patching, only a few. Disaster Recovery/Business Continuity Planning & Design, Security Policy Design JJ Maria Giner, GPEN, Vulnerability Assessment, Network Penetration Testing, Web Application Penetration Testing

8 10/20/2017 1:35 PM RFQ A2114499R1 ‐ Broward Coun Category 2 ‐ Health Insurance Por

Licensing Matrix Plante & Moran, PLLC dba Plante Moran Presidio RSM US LLP Securance LLC EVALUATION CRITERIA 1. Ability of Professional Personnel: a. Describe the qualifications and relevant See PDF Pg. 18 ‐ 19 Resumes See PDF Pgs 75 ‐ 89. The most critical element in the successful completion of any Paul Ashe, President and Engagement Manager, CPA, CISA, CISSP, 15+ years experience of the Project Manager and all key F. Alex Brown, CPA, CHP, Senior Manager, 18+ years experience See PDF Pgs. 23 engagement of this nature is the personnel experience staff that are intended to be assigned to services Phillip Long, CISA, CIA, CCSFP, CRISC, CRMA, CISM, Principal, The HIPAA and HITECH Acts, coupled with the Meaningful Use assigned to carry out the responsibilities and the depth of Chris Bunn, Practice Director and Senior IT Security Consultant, CISA, CHP, performed within this category. Include resumes Technical Expert / Project Advisor guidelines for Electronic Health Records (EHR), are intended to resources available to support the County. The 30+ years experience for the Project Manager and all key staff Alexis Mathers, CISA, CPA, CCSFP, Senior Manager, 7+ years protect patient confidentiality while enabling and incenting following table describes the qualifications of the proposed team, Chris Cook, Senior IT Security Consultant, CISSP, CISA, 20+ years experience described particularly with respect to HIPAA’s experience healthcare organizations to pursue initiatives that further their roles and the value they will bring security regulations. Kyle Miller, CISA, QSA, CCSFP, Manager, 9+ years experience innovation and patient care. The combination of rigorous to the County. Detailed biographies containing each team Grant Phillips, Consultant, Experience in information security, enforcement and financial incentives make it more important member’s formal education and professional internal control and IT audit than ever to ensure complete and ongoing compliance with all affiliations, are included in the Team resumes section located in aspects of these regulations. the Appendix of this proposal. Resumes included. Greg Vetter, Principal, Risk Advisory Services, HIPAA Practice Leader, 20+ years experience Charles Barley, Jr., Director, Risk Advisory Services, IT Security and Privacy Director, 18+ years experience Victor Carraway, Manager, Risk Advisory Services, IT and HIPAA Audit Manager Ryan Hay, Manager, Security and Privacy Services, IT and HIPAA Audit Manager

b. List any other relevant Security and See PDF Pg. 18 ‐ 19 See PDF Pgs 23 ‐24. Greg Vetter, Certified Common Security Framework Practitioner Paul Ashe, President and Engagement Manager, CPA, CISA, CISSP Compliance certifications that the Project F. Alex Brown, CPA, CHP, Senior Manager, 18+ years experience Presidio brings Broward County our broad skill set and depth (CCSFP), Certified Information Systems Security Professional Chris Bunn, Practice Director and Senior IT Security Consultant, CISA, CHP Manager and key staff described may have. Phillip Long, CISA, CIA, CCSFP, CRISC, CRMA, CISM, Principal, of experience. Our security engineering team is composed of (CISSP), Certified Information Systems Auditor (CISA), Certified Chris Cook, Senior IT Security Consultant, CISSP, CISA Include copies of certificates, if applicable. Technical Expert / Project Advisor Certified Information System Security Professionals (CISSPs), Information Privacy Professional (CIPP) Alexis Mathers, CISA, CPA, CCSFP, Senior Manager, 7+ years Certification and Accreditation Professionals (CAPs), InfoSec Charles Barley, Jr. Certified Information Systems Security experience Assessment Methodology (IAM) professionals, Certified Professional (CISSP), Certified Information Systems Auditor Kyle Miller, CISA, QSA, CCSFP, Manager, 9+ years experience Ethical Hackers (CEHs), and Certified Information Security (CISA), Certified Information Privacy Professional (CIPP) Grant Phillips, Consultant, Experience in information security, Managers (CISMs). This highly trained and experienced group Victor Carraway, Certified Information Systems Auditor (CISA), internal control and IT audit has completed many Vulnerability Risk Assessment (VRA) and Certified Fraud Examiner (CFE) Plante Moran is a Certified HITRUST Assessor organization that uses Security Certification and Accreditation (C&A) projects, tests, Ryan Hay, Certified Information Systems Security Professional the HITRUST Common Security Framework, CSF as the baseline for evaluations, and related services. Exhibit 4 illustrates (CISSP), Certified Information Systems Auditor our HIPAA control analysis over security and privacy and as a Presidio’s Security Certifications. comprehensive and certifiable security framework used by healthcare organizations and their business associates. In addition to the firm having HITRUST Assessor Certification status, we have four staff members with the Certified CSF Practitioner designation as granted by the HITRUST Alliance. We believe Plante Moran is the right firm to assist you in performing this assessment.

9 10/20/2017 1:35 PM RFQ A2114499R1 ‐ Broward Coun Category 2 ‐ Health Insurance Por

Verizon Business Network Services Inc. d/b/a Licensing Matrix SHI International Corp Verizon Business Services EVALUATION CRITERIA 1. Ability of Professional Personnel: a. Describe the qualifications and relevant The SHI Security Services team are all senior level Security Verizon’s Healthcare Governance Risk and Compliance Team has experience of the Project Manager and all key Professionals with each having 20+ years’ experience. over 10 years of professional experience supporting organizations staff that are intended to be assigned to services Specific skill sets may vary but overall each has experience with meeting their HIPAA requirements through the delivery of a performed within this category. Include resumes working with various industry security frameworks, range of consulting services. Verizon routinely conducts HIPAA for the Project Manager and all key staff including HIPAA. The team holds many different Security compliance and risk assessments as well as provide security advisor described particularly with respect to HIPAA’s related certifications however all have CISSP certifications. support to help customers, such as Broward County, avoid common security regulations. risks to Personal Healthcare Information (PHI) and better align their security and privacy programs to their mandatory HIPAA requirements. Verizon has the capability to provide multiple HIPAA SMEs each with over 10 years and 50 + projects worth of experience in assessing and improvement compliance for both Healthcare providers and Payers. Verizon’s Project Management organization comprises over 60 PMs with significant experience in managing large programs and projects. In order to ensure the successful delivery of all projects and meet the standards required by our Clients, Verizon’s PMs hold the highest levels of certification recognized globally across the Project/Program Management field. Furthermore, Verizon’s Project Management organization has chosen the Project Management Institute’s (PMI’s) Project Management Body of Knowledge (PMBOK®) Guide and Standards as the baseline of its Project Management Delivery Method.

b. List any other relevant Security and MBA – Master of Business Administration Verizon Professional Services team holds CISSP, CISA, and CHSPE Compliance certifications that the Project CGEIT – Certified in Governance of Enterprise Information certifications, as identified in Category 1. In addition our Health Manager and key staff described may have. Technology Care security consultants have Include copies of certificates, if applicable. ISSAP –Information Systems Security Architecture Supported HITRUST assessment and certifications, Professional Have gotten customer HITRUST certified, GIAC – Global Information Assurance Certification Have co‐authored industry guidelines to meet Health Care o GPEN – GIAC Penetration Tester Certification requirements, o GCFA – GIAC Certified Forensic Analyst Have supported legal councils in forming Health Care compliance o GAWN – GIAC Auditing Wireless Networks opinions CEH – Certified Ethical Hacker Have helped payers, providers, and Business Associates achieve TCNA – Tenable Certified Nessus Auditor Health Care compliance. PMP – Project Management Professional ITILv3 – Information Technology Infrastructure Library version 3

10 10/20/2017 1:35 PM RFQ A2114499R1 ‐ Broward County IT Security and Compliance Services Category 2 ‐ Health Insurance Portability and Accountability Act (HIPAA) Services

Prime: Carahsoft Technology Corp Licensing Matrix ATT Solution Provider: Trustwave Crowe Horwath LLP Enterprise Risk Management, Inc. c. Describe the Project Manager and key staff’s See PDF Pg. 472 ‐ 473 See PDF Pg. 16. See PDF Pgs. 158‐159. Appendix A ‐ Resumes (PDF Pgs. 172‐176). See Resumes PDF Pgs. 35 ‐ 47; Certifications ‐ PDF Pgs. 48 experience in performing technical as well as Please see the representative biographies embedded below, Appendix B ‐ Relevant Certifications (PDF Pgs. 182‐184). ‐ 50 policy assessments. "CONFIDENTIAL" which includes the typical certifications held Jared Hamilton, CISSP, Senior Manager, 13 years experience Silka M. Gonzalez, CPA, CISSP, CISM, CISA, CITP, CRISC, by the resources who may be assigned to your project. Candice Moschell, CISSP, Manager 30+ years experience Pgs 418‐568 AT&T Proprietary: The information contained herein is for Amy Justice, Senior Staff, 10 years experience Esteban Orlando Farao, CISSP, CISA, CISO, CRISC, CEH, use by authorized persons only and is not for general distribution. Morgan Strobel, Senior Consultant, 5+ years experience QSA, and PCIP.PCI QSA, 20+ years experience Christopher Steven Sanchez, Information Security Consultant, Extensive experience completing penetration testing Maria Rogers, CEH, CCFE, Extensive experience in software testing and Digital Forensics Animesh Srivastava, Extensive experience competing regulatory compliance assessments

11 10/20/2017 1:35 PM RFQ A2114499R1 ‐ Broward Coun Category 2 ‐ Health Insurance Por

Prime: Marcum LLP Licensing Matrix Focal Point Data Risk LLC Foresite MSP LLC Global Information Intelligence LLC Sub: 24by7 Security c. Describe the Project Manager and key staff’s See PDF Pgs. 157 ‐ 158 See Bios ‐ Jason L, Specialities: Compliance and Network Security, 20+ years See PDF Pg. 7, 76 See PDF PG. 19 experience in performing technical as well as Project Advisor – Andrew Cannata, Principal, CISSP, QSA, CISM, 25+ experience, QSA PCI, PA QSA, PCIP PCI, SANS GIAC GSNA, GCIH, GPEN Principal and Senior INFORMATION TECHNOLOGY (IT) SECURITY For Marcum LLP’s and 24by7Security’s proposed key staff, please see profiles policy assessments. years experience Thomas A, Specialities, Compliance and Network Security, 15+ years AND COMPLIANCE SERVICES Expert: Dr. Emmanuel Hooper, PhD, and certificates available Chris Sullo – Practice Lead, CISSP, RHCE, RHCT, 20+ years experience, QSA PCI, CISSP, HCISSP PhD, PhD Information Security and Computing Sciences (Over 30 in Appendix A. Peter Hefley – Senior Manager, GPEN, CISSP, GREM, CISA. Peter has a John W, Compliance, Network Security, and Incident Response/Digital years of Professional Experience and 25 years of Research, Client Service and Engagement Partner: broad base of experience in systems administration, network security, Forensics, QSA PCI, PA QSA, CISSP Harvard and Yale Alumnus, Summa Cum Laude, and Oxford Mark Agulnik, Partner information warfare, and cryptography. Keith K, GRC, Security Architecture and Audit, 20+ years experience, CISSP Research, etc.) CPA, CISA, PCI‐QSA Steve Tornio – Senior Manager, OSCP, CISSP. Steve has been active Bradley A, Penetration Testing, 15+ years of experience, CISSP, OSCE, OSCP, Global Information Intelligence LLC (100% Small Business, Marcum, LLP within the security community for the past 20 years CEH, SANS GIAC Minority, and Women Owned) Co‐Engagement Lead: Anthony Miller‐Rhodes – Senior Consultant. Anthony has several years By President, Dr. Emmanuel Hooper, PhD, PhD, PhD Computing Sanjay Deo, Principal Security Consultant of security experience involving penetration testing and software Sciences and Information Security Founder, Consortium for CISSP, HCISPP development of offensive and defensive Emerging Technologies‐Harvard, Exemplary Models for 24By7Security, Inc. capabilities. Federal, State, Local, Counties, Cities, Private/Public Sectors, Senior Security Consultant: Eric Turner – Senior Consultant, OSCP. Eric is a Senior Consultant with Academia & Industry and Global Conduct intelligent and Michael Brown, Senior Security Consultant over four years of penetration testing experience and as a general proactive services within this category based on proven and CISSP, HCISPP, CISA, CRISC, CISM, CGEIT network.... experience understanding of HIPAA regulations (including 24By7Security, Inc. Jeremy Archer – Senior Consultant, GCED, OSCP, CCNA, CISSP. Jeremy HIPAA/HITECH, BAA, OCR, Audit, Breach Notification Enforcement, Senior Security Consultant: has over 20 years of information technology and security NIST 800‐66, etc., including activities related to HIPAA compliance. Patrick Parker, Senior Security Consultant experience,.... Examples of specific activities included but not be limited to 24By7Security, Inc. Rob Ditmer – Consultant, GPEN, CISSP. Rob has over six years of HIPAA auditing, risk analysis, technical and policy assessments, experience in information technology and security remediation and consulting......

12 10/20/2017 1:35 PM RFQ A2114499R1 ‐ Broward Coun Category 2 ‐ Health Insurance Por

Online Enterprises Inc. d/b/a Online Business Licensing Matrix MGT of America Consulting, LLC Nettitude, Inc. d/b/a Nettitude Systems Optiv Security c. Describe the Project Manager and key staff’s See PDF Pg. 52. See PDF Pg. 254 See PDF . Pg. 234 experience in performing technical as well as The Project Manager, as well as the entire team assigned to this proposal is The security, privacy and business concerns of our policy assessments. well versed in performing technical and policy related assessments. We Steve Levinson (VP, Risk Security & Privacy Consulting), clients‐both current and past‐are of the highest leverage our over 18 years of experience in information security as well as 25+ years experience, CISSP priority. industry best standards with all IT audits and assessments. This allows the Adam Kehler, 20+ years expereince, CISSP As such, we must respectfully decline to provide firm to create a tailored approach when it comes to assessing a specific Rob Harvey, Director of Online's Risk, Security & Privacy specific contact names and details for potential aspect of our clients’ environment and ensure we provide the most efficient Consulting Practice, 12+ years experience references at this stage. However, a number of our solution for the task at hand. Whether we need to evaluate third Greg High, Principal Consultant, CISSP, CISM, 8+ years clients from recent engagements would be willing to party vendor security policies and procedures, assess the current physical experience entertain an informal conversation with their peers to security policy in place, take a deep dive into network device security discuss their use of the products and services they controls, or analyze the organization’s disaster recovery plans, we have the See PDF Pgs. 6 ‐ 7. Online’s Risk, Security and Privacy were provided which we can help facilitate at the right experience and tools to become a long‐term trusted resource. consultants hold certifications such as QSA, CISSP, CCSP, appropriate time. CIPP, CRISC, CISM, PCI QSA, PCI‐P, CEH, and CISA to name Not Provided only a few.

13 10/20/2017 1:35 PM RFQ A2114499R1 ‐ Broward Coun Category 2 ‐ Health Insurance Por

Licensing Matrix Plante & Moran, PLLC dba Plante Moran Presidio RSM US LLP Securance LLC c. Describe the Project Manager and key staff’s The staff and project managers involved in HIPAA Security services See PDF Pg 24. See Pdf Pgs 19 ‐21 See Proposed Project Team ‐ Page 3. experience in performing technical as well as have experience delivering HIPAA Risk Assessments, HIPAA Security Presidio’s Project Manager and key staff have been See Executive Profile ‐ Page 4. policy assessments. Rule compliance assessments, HITRUST Validated assessments and performing HIPAA assessments since 2006. See Staff Profiles ‐ Page 6. HIPAA Security specific policy assessments. Our managers and staff HIPAA is 40% of the Cyber Security revenue. The Presidio have experience apply the HIPAA security rule to multiple industries Cyber Security team is comfortable including the public sector. in performing the HIPAA assessment following the NIST 800‐ 66 Security Rule. We are comfortable testing administration safeguards, physical safeguards, technical safeguards and documentation.

14 10/20/2017 1:35 PM RFQ A2114499R1 ‐ Broward Coun Category 2 ‐ Health Insurance Por

Verizon Business Network Services Inc. d/b/a Licensing Matrix SHI International Corp Verizon Business Services c. Describe the Project Manager and key staff’s SHI Security Services team has consistently delivered 20 Verizon’s Health Care consulting team has conducted both technical experience in performing technical as well as security related assessments annually of which and operational assessments as part of our compliance and risk policy assessments. approximately 6 are HIPAA focused. All SHI Security assessment processes. Verizon routinely conducts HIPAA Assessment include technical review, both compliance assessments, and also conducts HIPAA risks documentation and hands on, and Policy review. All assessments of PHIexposed systems. Verizon reviews and writes assessment reports include detailed Health Care policy, procedures, and standard. recommendations and on occasion have resulted in a remediation project focused specifically on Policy.

15 10/20/2017 1:35 PM RFQ A2114499R1 ‐ Broward County IT Security and Compliance Services Category 2 ‐ Health Insurance Portability and Accountability Act (HIPAA) Services

Prime: Carahsoft Technology Corp Licensing Matrix ATT Solution Provider: Trustwave Crowe Horwath LLP Enterprise Risk Management, Inc. a. Describe the prime Vendor’s approach to See PDF Pgs. 473 ‐ 491. See PDF Pg. 17 ‐ 19 See PDF Pgs. 160 ‐ 165. See PDF Pgs. 51 ‐ 52 performing similar work in this Category. Trustwave provides a comprehensive portfolio that can help As part of HIPAA Security Compliance, there are various elements a. Approach "CONFIDENTIAL" organizations of any size respond to HIPAA regulations. We are that must be in place to comply with the HIPAA Security Rule. A review of the project’s objectives, scope, scheduled ideally suited to help support a compliance program centered on Policies, procedures, and processes must be documented to show the activities, assumptions and or possible constraints Pgs 418‐568 AT&T Proprietary: The information contained herein is for the administrative, physical and technical requirements of safeguards in place to protect electronic protected health will be reviewed with client key personnel and staff use by authorized persons only and is not for general distribution. HIPAA. Trustwave has a number of HIPAA related services information (ePHI). Such documents should also be implemented during a project kickoff meeting. Client shall available to Broward County. Trustwave can provide HIPAA within the organization to guide the workforce in the proper cooperate with ERM in the performance of ERM’s Compliance Pre‐Assessment Service, HIPAA Compliance protection and handling of ePHI. Additionally, proper Security services. To comply with budgeted project estimates, Readiness Service, HIPAA Risk Assessment, and HIPAA Awareness Training should be in place to further guide ERM requires the timely, complete and accurate Remediation Consulting. A brief description of each of the workforce members on the intent of policies, procedures, and cooperation from the client. offerings are listed below, as well as a sample project plan processes but also best practices with regards to safeguarding ePHI Executive Risk Assessment ‐ Focused on Organizational approach. as well. Covered entities should also have a good understanding of Wide Data HIPAA – Compliance Pre‐Assessment – Service Description risks to ePHI through applications and systems given the control ERM will identify vulnerabilities across people, process Client requests an assessment regarding compliance with the environment in place. It is a good practice and technologies and identify the top cyber risks. Health Insurance Portability and Accountability Act (HIPAA) of to conduct a HIPAA risk analysis annually by constantly managing Key phases include 1996 via an evaluation of Client’s security, privacy and incident risks through an established risk governance approach ‐ consistent • Asset Inventory readiness posture as required by the HIPAA. Trustwave is response and treatment of risks through avoidance, transferring, • Asset Classification authorized to perform the following service to assess Client’s acceptance, and mitigation of risks. • Threat and Vulnerability Analysis data security and privacy practices... Crowe understands the importance of a risk management process, • Controls/Safeguard Analysis which will ultimately lead to the organization having a better • Report Generation understanding of its risk conditions. Our process and tools will utilize the NIST 800‐30 Risk Assessment process to assess risk to ePHI assets defined within the scope. Our process will include a qualitative risk assessment of the environment in which ePHI is stored, processed, and transmitted ‐ includes applications and systems processing ePHI, interconnections to other systems via direct connections, the Internet, participant networks....

16 10/20/2017 1:35 PM RFQ A2114499R1 ‐ Broward Coun Category 2 ‐ Health Insurance Por

Prime: Marcum LLP Licensing Matrix Focal Point Data Risk LLC Foresite MSP LLC Global Information Intelligence LLC Sub: 24by7 Security a. Describe the prime Vendor’s approach to See PDF Pg. 63 ‐ 70 See "Broward Security Services 2017" See PDF Pg. 39 See PDF PG. 20 ‐ 22 performing similar work in this Category. To evaluate Broward’s alignment with the HIPAA Security Rule Global Information Intelligence will apply its expert and proven Marcum and 24By7Security's approach to HIPAA compliance is consistent. To requirements and the related methodology to provide BROWARD COUNTY with INFORMATION avoid redundancy in risks to ePHI and subsequent IT systems, our proposed activities would TECHNOLOGY (IT) SECURITY AND COMPLIANCE SERVICES using noting both approaches, Marcum and 24By7Security will apply the following include discovery Intelligent, Proactive and Robust and Resilient methods that approach: sessions and onsite visits. Through detailed discovery sessions, an in‐ include proactive recommendations and remediation sample for Our team places emphasis on commitment to being an agile vendor partner depth analysis of existing design and implementation operational effectiveness for to help reduce the cost of implementing healthcare by delivering nimble, documentation and processes, and a review of relevant technical INFORMATION TECHNOLOGY (IT) SECURITY AND COMPLIANCE innovative solutions. Our proactive approach is based on continuous safeguards, Focal Point will SERVICES: Network assessment of BROWARD COUNTY Corporate communication, thereby we can rapidly integrate your feedback to meet identify key HIPAA risks and areas of potential non‐alignment with the Network and its Operations Technology Network. INFORMATION your current and future needs. Our nationwide network of professionals applicable HIPAA TECHNOLOGY (IT) SECURITY AND COMPLIANCE SERVICES along with our expertise allows us to evaluate and Security Rule requirements. Based on our understanding of your Qualified Proponents are to provide services for the Broward deploy experts on your project. Our team will use a tried and tested phased operations and supporting County.... methodology... technology, we will identify the project activities that we feel should take place. These typical activities have been detailed through the project phases below.....

17 10/20/2017 1:35 PM RFQ A2114499R1 ‐ Broward Coun Category 2 ‐ Health Insurance Por

Online Enterprises Inc. d/b/a Online Business Licensing Matrix MGT of America Consulting, LLC Nettitude, Inc. d/b/a Nettitude Systems Optiv Security a. Describe the prime Vendor’s approach to See PDF Pgs. 53 ‐ 54. See PDF Pgs. 16 ‐ 18. See PDF Pgs. 255 ‐ 256. Not Provided performing similar work in this Category. We pride ourselves on our years of continuous business and these two The methodology proposed by Nettitude is based on information provided by Online has developed a unique, risk‐based approach to cornerstone tenants of our business: Broward County key help organizations implement the controls, technologies, In‐Depth Understanding of State and Local Government—MGT has worked personnel to date and draws upon the expertise of Nettitude working with policies, and procedures that align with their business, their almost exclusively with the public sector. As a result, we understand the similar organizations. Having threats, and their risk tolerance. Online’s security challenges and unique issues inherent in read Broward County’s requirements, the following proposal has been defined:professionals work from virtual offices ‐ we average more the operations of state and local government programs and service delivery. A. Define HIPAA Scope than fifteen years of information Because many of our staff have worked in government, we have a clear B. Gap Analysis & Risk Assessment ‐ Allow Broward County to gain a firm security experience. With our extensive business understanding of the state and local understanding of how experience, at the C‐level in many cases, we understand government structure, control agencies, budgetary processes, and political security processes within designated environment are applied that security strategy must align with business objectives. environment. Our Focus is on Business Understanding and Analysis—MGT o Develop a way to measure those processes against the HIPAA CSF Online’s Risk, Security & Privacy team consists of consistently focuses on identifying and implementing the most effective and o Obtain a firm understanding of security operations throughout organization approximately 25 seasoned professionals. Online’s Risk, efficient methods for achieving operational objectives in all of our C. Remediation Phase Security, and Privacy Practice focuses on services, engagements. No matter what the task, we “cut to the chase,” and work to o Complete all tasks identified in Gap analysis reports solutions, and subject matter expertise to provide strategic provide the most viable business solutions in the shortest amount of time, at D. HIPAA PRE Audit‐ Ensure all remediation advice prescribed by Nettitude has information security guidance to our clients. the lowest cost. We understand the importance of streamlining business been carried out processes and we know how to pinpoint to the fullest extent. the most efficient and effective methodologies for specific situations. Based o Task List Completion Check Up. on our more than 40 years of experience in providing consulting services to o Designed to ensure Broward County is fully prepared for HIPAA Audit federal, state, and local government clients, MGT knows the success of any E. HIPAA Audito project is based upon the project management. Our project manager will Audit against HIPAA CSF work in tandem with the County’s designated project lead to drive the MGT o HIPAA certification project management principals and guidelines for the development of your customized solutions.

18 10/20/2017 1:35 PM RFQ A2114499R1 ‐ Broward Coun Category 2 ‐ Health Insurance Por

Licensing Matrix Plante & Moran, PLLC dba Plante Moran Presidio RSM US LLP Securance LLC a. Describe the prime Vendor’s approach to See PDF Pgs. 20 ‐ 24. See PDF Pgs. 24 ‐26. See Pdf Pgs 21‐24 See Audit Approach See PDF Pgs. 137‐138 performing similar work in this Category. Plante Moran uses a phased approach for assisting organizations in Presidio follows the NIST 800‐66 Security Rule to evaluate the The following section describes RSM’s approach in conducting Each project we undertake will follow this standard methodology. While we successfully completing a report on compliance with the HIPAA overall security posture. Project approach to performing similar work in this category. are flexible in modifying our approach and methodology, we do so only in Security and HITECH Act. This approach provides for a structured HIPAA services includes: Our HIPAA privacy and security audit methodology the best interest of our clients and their internal control initiatives. and focused effort throughout the project. The major tasks are Compliance Assessment – HIPAA Security Rule A HIPAA risk assessment is a security rule‐required standard. organized into five phases. At the conclusion of each phase, there is Initial Discovery and In‐Scope Environmental Definition Management, as part of their compliance a scheduled management meeting to confirm progress and to gain Current‐State Assessment evaluation, must evaluate the accuracy and thoroughness of the synergy for the next phase. Upon conclusion of the assessment, we Gap Analysis assessment during their review of provide continued support to your organization. As operating Deliverables established administrative safeguards. Our risk‐based review environments, industry trends, or the demands of your user program is based on the threats and organizations change ‐‐ we will be available and quick to respond to vulnerabilities associated with the current technology and your needs. The major phases of the work plan are as follows.... operational environment in place relative to the HIPAA requirements. We will conduct a high‐level evaluation of the patient‐protected health information (PHI) security program, assessment of activities to manage and control risk, review of physical security, and review of system support and security administration duties, network administration and associated controls to adequately address HIPAA security compliance requirements. The objective of the HIPAA privacy and security compliance assessment is to identify potential gaps that may exist in their ongoing compliance efforts. With respect to HIPAA, this objective is to provide adequate safeguards to the confidentiality, integrity and availability of ePHI.

19 10/20/2017 1:35 PM RFQ A2114499R1 ‐ Broward Coun Category 2 ‐ Health Insurance Por

Verizon Business Network Services Inc. d/b/a Licensing Matrix SHI International Corp Verizon Business Services a. Describe the prime Vendor’s approach to Initially a kick off call will be scheduled to review the scope, See page 27. performing similar work in this Category. tasks, contacts, communications plan and Verizon provides Healthcare‐Specific Security and Privacy logistics required to complete the project. Requested Assessments to help Customer ensure that their operational documentation (Policies, Process and Procedures, processes and procedures, align and meet mandated HIPAA network diagrams) are reviewed and an External Security Security Rule and Privacy Rules requirements, and provide a solid Vulnerability Scan is completed prior to onsite activities. foundation for the use of technical controls, and work together to Onsite activities will consist of staff interviews, internal prevent or reduce the potential for incidents and breaches. Verizon network scans, live network data provides Healthcare Security Assessments to determine where capture analysis, device security configuration review and Customer have gaps and weak spots,through which PHI could be physical site visits. All information gathered is lost, and provides effective recommendations to protect and secure reviewed for analysis and alignment with HIPAA guidelines Patient Information. Verizon primary product in the HC area of a HC and security best practices with results security assessment which validates the effectiveness of provided in a detailed report with findings and remediation Customer’s security controls to meet the customer’s HIPAA/HITECH recommendations. requirements. Each of these assessment includes data gathering with review of customer documentation and interviews to uncover AD HOC policies, processes, and standards in the workplace; analysis of customer’s overlapping primary and compensating controls to determine the rate of compliance with HIPAA/HITECH requirements; and reporting with written reports of compliance, presentations to identify compliance and any associated risks of noncompliance, and other mapping to help customers understand and overcome areas of noncompliance at specific locations, or in specific technical or operational areas.

20 10/20/2017 1:35 PM RFQ A2114499R1 ‐ Broward County IT Security and Compliance Services Category 2 ‐ Health Insurance Portability and Accountability Act (HIPAA) Services

Prime: Carahsoft Technology Corp Licensing Matrix ATT Solution Provider: Trustwave Crowe Horwath LLP Enterprise Risk Management, Inc. b. Number of employees, coordination efforts, See PDF Pgs. 491 See PDF Pg. 19. See PDF Pgs. 160 ‐ 165. See PDF Pg. 52 servers and workers located within USA. All employees and servers would be within the United States. As part of HIPAA Security Compliance, there are various elements ERM has approximately 30 full time employees. Of these "CONFIDENTIAL" Trustwave has over 900 employees in the US. that must be in place to comply with the HIPAA Security Rule. employees, 25 are located in the USA. Only Policies, procedures, and processes must be documented to show the full time employees and subcontractors located in the Pgs 418‐568 AT&T Proprietary: The information contained herein is for safeguards in place to protect electronic protected health USA will work in these engagements. use by authorized persons only and is not for general distribution. information (ePHI). Such documents should also be implemented Regarding coordination efforts, Esteban Farao will be the within the organization to guide the workforce in the proper Project Manager. He will lead a project kickoff protection and handling of ePHI. Additionally, proper Security meeting, send the information requirements, manage the Awareness Training should be in place to further guide project, communicate with the client workforce members on the intent of policies, procedures, and project team, lead project update calls and meeting as processes but also best practices with regards to safeguarding ePHI well as delivery the final reports and as well. Covered entities should also have a good understanding of presentations. risks to ePHI through applications and systems given the control All of ERM’s severs are located at the ERM’s environment in place. It is a good practice headquarters in Coral Gables, Florida. to conduct a HIPAA risk analysis annually by constantly managing risks through an established risk governance approach ‐ consistent response and treatment of risks through avoidance, transferring, acceptance, and mitigation of risks. Crowe understands the importance of a risk management process, which will ultimately lead to the organization having a better understanding of its risk conditions. Our process and tools will utilize the NIST 800‐30 Risk Assessment process to assess risk to ePHI assets defined within the scope. Our process will include a qualitative risk assessment of the environment in which ePHI is stored, processed, and transmitted ‐ includes applications and systems processing ePHI, interconnections to other systems via direct connections, the Internet, participant networks....

21 10/20/2017 1:35 PM RFQ A2114499R1 ‐ Broward Coun Category 2 ‐ Health Insurance Por

Prime: Marcum LLP Licensing Matrix Focal Point Data Risk LLC Foresite MSP LLC Global Information Intelligence LLC Sub: 24by7 Security b. Number of employees, coordination efforts, See PDF Pg. 63 ‐ 70 The consulting team has over 20 people across the US. Our servers are See PDF Pg. 39 See PDF Pg. 22 servers and workers located within USA. To evaluate Broward’s alignment with the HIPAA Security Rule supported in SSAE18 Co‐Los Global Information Intelligence will apply its expert and proven Marcum: As a national firm with 29 offices and approximately 1,550 requirements and the related methodology to provide BROWARD COUNTY with INFORMATION professionals, we serve as a risks to ePHI and subsequent IT systems, our proposed activities would TECHNOLOGY (IT) SECURITY AND COMPLIANCE SERVICES using strategic alternative to the much larger firms. The partners and managers include discovery Intelligent, Proactive and Robust and Resilient methods that with whom you will develop sessions and onsite visits. Through detailed discovery sessions, an in‐ include proactive recommendations and remediation sample for relationships, drive all major decisions; possessing both the appropriate depth analysis of existing design and implementation operational effectiveness for resources and decision making documentation and processes, and a review of relevant technical INFORMATION TECHNOLOGY (IT) SECURITY AND COMPLIANCE authority. Our local firm approach provides hands‐on service and timely safeguards, Focal Point will SERVICES: Network assessment of BROWARD COUNTY Corporate communication, resulting in the identify key HIPAA risks and areas of potential non‐alignment with the Network and its Operations Technology Network. INFORMATION County receiving the best of both worlds. Marcum has more than 20 applicable HIPAA TECHNOLOGY (IT) SECURITY AND COMPLIANCE SERVICES professionals dedicated to Security Rule requirements. Based on our understanding of your Qualified Proponents are to provide services for the Broward providing IT Audit and Technology Services. operations and supporting County.... 24by7: With a staff of 15 full‐time and part‐time employees and contractors, technology, we will identify the project activities that we feel should and with a strong reputation take place. These typical of performance, we have the experience and the HIPAA Compliance and activities have been detailed through the project phases below..... Cybersecurity knowledge to help the County in this project. Our technical staff members are well certified in information security and in IT, and fully qualified and experienced to perform this project. We intend to assign our senior staff members to this project if we were to be awarded the contract.

22 10/20/2017 1:35 PM RFQ A2114499R1 ‐ Broward Coun Category 2 ‐ Health Insurance Por

Online Enterprises Inc. d/b/a Online Business Licensing Matrix MGT of America Consulting, LLC Nettitude, Inc. d/b/a Nettitude Systems Optiv Security b. Number of employees, coordination efforts, See PDF Pg. 54. Online’s Risk, Security, and Privacy practice has Not Provided servers and workers located within USA. Our firm of over 60 professionals have successfully managed more than 8,500 approximately 18 consultants based in the USA. Online’s client engagements nationally with a significant portion of MGT’s US Headquarters is located in Minneapolis, MN. engagements being repeat business, reflecting the firm’s commitment to achieving a high level of customer satisfaction and ability to exceed the expectations of clients. Prior to working with public‐sector entities as consultants, many of our staff worked in government agencies as executives and managers. This insider's knowledge of government structure and process gives MGT a competitive advantage and an ability to hit the ground running from the very start of a project. Our organization leverages leading project management solutions and highly qualified trained professionals throughout all aspects of our engagements in order to ensure the best customer experience at every stage. Not Provided

23 10/20/2017 1:35 PM RFQ A2114499R1 ‐ Broward Coun Category 2 ‐ Health Insurance Por

Licensing Matrix Plante & Moran, PLLC dba Plante Moran Presidio RSM US LLP Securance LLC b. Number of employees, coordination efforts, Plante Moran has over 2,200 employees and 500 servers in the Presidio has twenty‐three (23) people on our Cyber Security Our team members are comprised of subject matter specialists See Audit Approach See PDF Pg. 137‐138 servers and workers located within USA. USA. Consulting team, all whom are that have extensive experience conducting information security Each project we undertake will follow this standard methodology. While we and risk assessment engagements. Our IT Risk Advisory are flexible in modifying our approach and methodology, we do so only in professionals comprise nearly 1,000 professionals who contain a the best interest of our clients and their internal control initiatives. deep understanding of widely adopted frameworks, best practices and standards such as Committee of Sponsoring Organizations of the Treadway Commission (COSO), Control Objectives for Information and related Technology (COBIT), Information Technology Infrastructure Library (ITIL) and International Organization for Standardization and the National Institute of Standards and Technology (NIST). Our IT Risk Advisory professionals hold various professional certifications such as Certified Public Accountant (CPA), Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM), Certified Information Systems Security Professionals (CISSP), Certified Information Privacy Professional (CIPP), Certified Business Continuity Professional (CBCP) and various SANS GIAC (Global Information Assurance Certification) security certifications. In addition, many of our professionals have technical certifications such as Microsoft Certified System Engineer (MCSE), Cisco Certified Network Associate (CCNA), Cisco Certified Design Associate (CCDA) and Certified Novell Engineer (CNE). Also see the Servers and Workers Located in the USA Attestation Form included in the Appendix section f h l

24 10/20/2017 1:35 PM RFQ A2114499R1 ‐ Broward Coun Category 2 ‐ Health Insurance Por

Verizon Business Network Services Inc. d/b/a Licensing Matrix SHI International Corp Verizon Business Services b. Number of employees, coordination efforts, The SHI Security Services team has 6 active members with Verizon can provide up to twelve fully qualified (US‐based) Health servers and workers located within USA. 2 openings. Additionally each assessment is Care SMEs for consulting engagements. assigned a Project Manager from a team of 8 PM’s. All SHI services teams are US based.

25 10/20/2017 1:35 PM RFQ A2114499R1 ‐ Broward County IT Security and Compliance Services Category 2 ‐ Health Insurance Portability and Accountability Act (HIPAA) Services

Prime: Carahsoft Technology Corp Licensing Matrix ATT Solution Provider: Trustwave Crowe Horwath LLP Enterprise Risk Management, Inc. c. Describe vendor’s plan to meet key milestones See PDF Pgs. 492 ‐ 496 See PDF Pg. 19 ‐ 20 See PDF Pgs. 160 ‐ 165. See PDF Pg. 52 and deadline dates including communication Project Phases and Methodology As part of HIPAA Security Compliance, there are various elements ERM Project Manager will develop a Project Plan which plan. "CONFIDENTIAL" The HIPAA Services typically consist of a planning phase and that must be in place to comply with the HIPAA Security Rule. details all key milestones and deadline dates. three assessment phases to ensure Policies, procedures, and processes must be documented to show the ERM Project Manager will work with the client to adjust Pgs 418‐568 AT&T Proprietary: The information contained herein is for complete and efficient service. Client must fulfill their obligations safeguards in place to protect electronic protected health based on client needs. The Communication use by authorized persons only and is not for general distribution. within each phase before progressing to subsequent phases. information (ePHI). Such documents should also be implemented Plan will be discussed and agreed to during the kick‐off Failure to do so may require an addendum to this contract that within the organization to guide the workforce in the proper call. ERM’s communication plans typically will include additional charges for any time or materials above protection and handling of ePHI. Additionally, proper Security include weekly status updates as well as updates based and beyond those agreed to in this contract. Awareness Training should be in place to further guide on key milestones and deadlines. Phase 0: Project Initiation workforce members on the intent of policies, procedures, and Initiation Meeting processes but also best practices with regards to safeguarding ePHI Kickoff meeting between all designated stakeholders as well. Covered entities should also have a good understanding of Define roles and responsibilities of Client overall program risks to ePHI through applications and systems given the control steering committee environment in place. It is a good practice Agree on formal scope, including validation of segmentation to conduct a HIPAA risk analysis annually by constantly managing and sampling methodology risks through an established risk governance approach ‐ consistent Define and agree to high‐level project plan key steps, response and treatment of risks through avoidance, transferring, estimates for duration, deliverables, resource acceptance, and mitigation of risks. requirements and escalation procedures... Crowe understands the importance of a risk management process, which will ultimately lead to the organization having a better understanding of its risk conditions. Our process and tools will utilize the NIST 800‐30 Risk Assessment process to assess risk to ePHI assets defined within the scope. Our process will include a qualitative risk assessment of the environment in which ePHI is stored, processed, and transmitted ‐ includes applications and systems processing ePHI, interconnections to other systems via direct connections, the Internet, participant networks....

26 10/20/2017 1:35 PM RFQ A2114499R1 ‐ Broward Coun Category 2 ‐ Health Insurance Por

Prime: Marcum LLP Licensing Matrix Focal Point Data Risk LLC Foresite MSP LLC Global Information Intelligence LLC Sub: 24by7 Security c. Describe vendor’s plan to meet key milestones See PDF Pg. 63 ‐ 70 Deadlines are based objectives, current gaps, and risk based findings of See PDF Pg. 39 See PDF Pg. 23 ‐ 24 and deadline dates including communication To evaluate Broward’s alignment with the HIPAA Security Rule gaps. Phased approach to compliance can be reviewed in Broward Security Global Information Intelligence will apply its expert and proven Marcum: Effective Project Management is a key focus at Marcum. As a large plan. requirements and the related Services 2017. All foresite services are customized to address client specific methodology to provide BROWARD COUNTY with INFORMATION audit, tax and consulting risks to ePHI and subsequent IT systems, our proposed activities would needs and can changed based on scope, level or not‐in‐place findings and TECHNOLOGY (IT) SECURITY AND COMPLIANCE SERVICES using firm, the ability to provide services to clients on schedule and within a set include discovery budget. Intelligent, Proactive and Robust and Resilient methods that budget is priority. Our sessions and onsite visits. Through detailed discovery sessions, an in‐ include proactive recommendations and remediation sample for techniques include best practices from the Project Management Body of depth analysis of existing design and implementation operational effectiveness for Knowledge (PMBOK) and go documentation and processes, and a review of relevant technical INFORMATION TECHNOLOGY (IT) SECURITY AND COMPLIANCE from the Planning to the Reporting phase to going through quality assurance safeguards, Focal Point will SERVICES: Network assessment of BROWARD COUNTY Corporate checks. The Marcum LLP identify key HIPAA risks and areas of potential non‐alignment with the Network and its Operations Technology Network. INFORMATION team has an in‐house project manager who coordinates all projects for the IT applicable HIPAA TECHNOLOGY (IT) SECURITY AND COMPLIANCE SERVICES Audit and Technology Security Rule requirements. Based on our understanding of your Qualified Proponents are to provide services for the Broward Services division, ensuring all project deliverables and timelines are met. operations and supporting County.... 24by7: 24By7Security follows a proactive approach that is based on technology, we will identify the project activities that we feel should continuous communication; thereby take place. These typical we are able to rapidly integrate your feedback to meet your current and activities have been detailed through the project phases below..... future needs. We have found that this approach of open communication with our clients has yielded positive results not only with the projects but also in terms of client relations....

27 10/20/2017 1:35 PM RFQ A2114499R1 ‐ Broward Coun Category 2 ‐ Health Insurance Por

Online Enterprises Inc. d/b/a Online Business Licensing Matrix MGT of America Consulting, LLC Nettitude, Inc. d/b/a Nettitude Systems Optiv Security c. Describe vendor’s plan to meet key milestones See PDF Pgs. 54‐ 55. See PDF Pg. 256 ‐ 257. Not Provided and deadline dates including communication As we have already done with other projects for Broward County, MGT will Online understands that a project – whether it’s a multi‐ plan. ensure accountability, compliance, and implementation of the services year, multi‐million dollar initiative, or an eight‐week project provided. We will adhere to all applicable federal and state policies, for a single user – will represent an investment of time, procedures, and regulations. MGT's Project Manager will have primary resources and money for the County. We also understand responsibility for the supervision of all project operations and project that each project investment must meet the defined administration and will ensure all deliverables meet the standards of quality objectives. By carefully listening to the set forth by the County’s needs, ensuring regular communication, and then County. Our Project Manager is responsible for the day‐to‐day activities of all applying industry best practices, our team will create a design and technical key staff. In concert with the County’s Project Lead, project environment that delivers success. MGT’s Project Manager will facilitate implementation of the main Online recognizes the value of communication and ongoing components of the project, including the installation, configuration, initiation, collaboration with our customers to help ensure pilot, acceptance that engagements are well managed and deadlines are system, and the training of end users as well as generating progress reports Not Provided met. As such, Online will coordinate a project initiation on all project activities. meeting (kick‐off meeting) with the County that will: Other major responsibilities will include: Introduce key people at the County and Online. Scheduling of project activities. Exchange contact information (for regular reporting and Financial management. emergencies) General tasks related to contract administration. Review scope of services Serving as the primary point of contact for County inquiries or requests for Review communication, notification, and issue escalation project updates..... procedures and escalation points of contact Discuss the involvement of the County technical staff to facilitate knowledge transfer......

28 10/20/2017 1:35 PM RFQ A2114499R1 ‐ Broward Coun Category 2 ‐ Health Insurance Por

Licensing Matrix Plante & Moran, PLLC dba Plante Moran Presidio RSM US LLP Securance LLC c. Describe vendor’s plan to meet key milestones Frequent communication, guided by a “no surprises” philosophy is Presidio employees located within the USA. The Presidio RSM’s management approach can be expressed in one simple See Project Management Approach See PDF Pg. 139 and deadline dates including communication the key to a successful project. In this way, expectations can be Cyber Security Project Managers coordinate all the resources phrase: “no surprises.” First, we will work with the County to Each project we undertake will follow this standard accountability model. plan. effectively managed and problems can either be avoided entirely, on the Presidio team. establish a communication protocol and approach that you 1) Engagement Manager…. or addressed early on to minimize wasted effort and keep the prefer, and we will use these channels and tools to share 2) Senior IT Security Consultants…. project on schedule. Prior to formally kicking off the project, we will information on the engagement. Once the communications plan 3) Independent Reviewer….. work with the County to develop a communications plan for the has been created, RSM will create a timeline and milestones 4) Broward County's Project Manager….. project. project schedule and track those milestones to completion on a 5) Status Reports..... We will identify project stakeholders, and for each: weekly basis. We will work with you and management to keep What they will need to know throughout the project (e.g., status you informed of our progress throughout the engagement with updates, risk and issues) periodic formal and informal status reports and meetings as When and how frequently they will want communication (e.g., appropriate. Continuous communication helps ensure that the weekly, monthly) County and the RSM team are in agreement on, and informed How communications will be delivered (e.g., status updates about, every aspect of an engagement. Our team will work reports, meetings, phone calls) closely with County management to establish clear, open lines of Who will be responsible for the communication communication via face‐to‐face meetings, phone calls, and/or We will maintain this communication plan on a shared collaboration regular electronic or hard‐copy communications to keep you site throughout the project to ensure regular communication and informed of progress and issues. In the event that RSM identifies ongoing collaboration. that a particular engagement is behind schedule, it will be formally communicated to the client to discuss the issues and possible solutions to get back on track. Similarly, if observations or risk areas are identified during an engagement, we will be on hand to provide recommendations for remediation and provide support to management in the enhancement of current processes.

29 10/20/2017 1:35 PM RFQ A2114499R1 ‐ Broward Coun Category 2 ‐ Health Insurance Por

Verizon Business Network Services Inc. d/b/a Licensing Matrix SHI International Corp Verizon Business Services c. Describe vendor’s plan to meet key milestones Once an assessment is assigned to a Sr. Solutions Architect, See Pages 28‐30. and deadline dates including communication they are dedicated to the project ensuring Throughout Verizon’s HIPAA projects, our engagement plan. their availability to complete all project related task and management and delivery process is generally the same. Verizon milestones as agreed in the SOW and/or project assigns a Project Manager to each engagement, who is Verizon’s kickoff meeting. Schedules are managed closely to ensure representative in the Engagement. Verizon’s Project Manager will overlap in projects is minimal and allow all work with a Customer’s Point of Contact (POC) to establish project milestones to be met and assessments to be completed on timings, identify all participants, defined the work steps on more time. All SHI assessments have an assigned PM who detail, and otherwise manage, coordinate, and communicate the document and track all milestones and significant events Engagement. for a particular project. The PM will work with all key stakeholders involved to ensure all communications are managed effectively to meet all customer expectations. Email is used for daily communication with secure solutions being utilized for all confidential documentation.

30 10/20/2017 1:35 PM RFQ A2114499R1 ‐ Broward County IT Security and Compliance Services Category 2 ‐ Health Insurance Portability and Accountability Act (HIPAA) Services

Prime: Carahsoft Technology Corp Licensing Matrix ATT Solution Provider: Trustwave Crowe Horwath LLP Enterprise Risk Management, Inc. 3. Past Performance: a. Describe prime Vendor’s experience on CONFIDENTIAL See PDF Pg. 20 (3) Reference Verification Forms included for this Category ‐ See (3) Reference Verification Forms included for this projects of similar nature and scope, along with Please see Addendum for Client References and Sample Reports. PDF Pgs. 167 ‐ 169. Category. See PDF Pgs. 53‐55 evidence of satisfactory completion, both on Pgs 35: We have completed and submitted the Vendor Reference Verification ERM has completed approximately 30 HIPAA projects. All time and within budget, for the past five years. Non‐Disclosure Statement "The information in this document is AT&T Form as requested. of our projects have been completed on time Provide a minimum of three projects with Corp. Confidential, and cannot be reproduced or redistributed in any way, and within budget. references, preferably government agencies (i.e. shape, or form without prior written consent from AT&T Corp. © As requested, below are three references for projects of state, local) of similar size and structure and Copyright 2017 AT&T Corp. AT&T Corp., the AT&T Corp. logo, and all similar size and structure. proven experience and skillset in evaluation a other trademarks, service marks, and designs are registered or 1. Barry University mixed credit card environment of web unregistered trademarks of AT&T Corp. Intellectual Property and/or 2. Hematology Oncology Associates of the Treasure Coast applications, point of sale (POS), and IVR AT&T Corp. affiliated 3. CSID systems. companies." Vendor should provide references for similar work performed to show evidence of Pgs 36‐ 223: qualifications and previous experience. Refer to "AT&T Consulting Proprietary and Confidential Information" Vendor Reference Verification Form and submit as instructed. Only provide references for non‐ Pgs 418‐568 AT&T Proprietary: The information contained herein is for Broward County Board of County Commissioners’ use by authorized persons only and is not for general distribution. contracts. For Broward County contracts, the County will review performance evaluations in its database for vendors with previous or current contracts with the County. The County considers references and performance evaluations in the evaluation of Vendor’s past performance.

b. Provide evidence of similar work related to See Attachment: See PDF Pg. 20 See PDF Pgs. 167 ‐ 169. See PDF Pgs. 56 ‐ 57 services identified in this Category, including ATT Sample Healthcare Risk and Compliance Assessment (PDFPgs. 32 ‐ Please see Addendum for Client References and Sample Reports. We have completed and submitted the Vendor Reference Verification Sample outline of client report. sample executive summaries and reports. 92) Form as requested.

31 10/20/2017 1:35 PM RFQ A2114499R1 ‐ Broward Coun Category 2 ‐ Health Insurance Por

Prime: Marcum LLP Licensing Matrix Focal Point Data Risk LLC Foresite MSP LLC Global Information Intelligence LLC Sub: 24by7 Security 3. Past Performance: a. Describe prime Vendor’s experience on See PDF Pg. 71 ‐ 75 See References. See References. See PDF Pg. 25 projects of similar nature and scope, along with Focal Point has established robust methodologies that have been Foresite supplies services to forture 500 companies within the US and See attached Vendor Reference Forms for: evidence of satisfactory completion, both on successfully applied and address specific needs based on a phased approach. The approach starts Heart & Health System time and within budget, for the past five years. consistently tested over time at large Fortune 500, mid‐size, and small with a gap assessment to determin actual scope followed by findings and Femwell Health Group Provide a minimum of three projects with start‐up organizations. observations, recommendations for remediation then a road map plan to MCCI Group references, preferably government agencies (i.e. Focal Point has assessed and designed programs to enhance address all aspects of the overall objectives. Additional references are available upon request. state, local) of similar size and structure and compliance with the HIPAA proven experience and skillset in evaluation a Privacy Rule, Security Rule and Breach Notification Rule Standards as mixed credit card environment of web well as the HIPAA applications, point of sale (POS), and IVR Omnibus Final Rule requirements. Focal Point typically performs systems. around 30 HIPAA‐related Vendor should provide references for similar assessments annually. work performed to show evidence of qualifications and previous experience. Refer to Vendor Reference Verification Form and submit as instructed. Only provide references for non‐ Broward County Board of County Commissioners’ contracts. For Broward County contracts, the County will review performance evaluations in its database for vendors with previous or current contracts with the County. The County considers references and performance evaluations in the evaluation of Vendor’s past performance.

b. Provide evidence of similar work related to Similar to that of pci, HIPAA specific requirements are address on a See PDF Pgs. 290 ‐ 310 See PDF Pg. 25 services identified in this Category, including custimized bases, actual phased approach can be seen in the Broward See Sample Reports See attached executive summary for ACME Sanitized. sample executive summaries and reports. Security Services 2017 under PCI DSS managed services

32 10/20/2017 1:35 PM RFQ A2114499R1 ‐ Broward Coun Category 2 ‐ Health Insurance Por

Online Enterprises Inc. d/b/a Online Business Licensing Matrix MGT of America Consulting, LLC Nettitude, Inc. d/b/a Nettitude Systems Optiv Security 3. Past Performance: a. Describe prime Vendor’s experience on See Reference Verification Forms (3) ‐ See PDF Pgs. 57 ‐ 59. See Reference Verification Forms. Reference Verification Forms ‐ See PDF Pgs. 317 ‐321. Not Provided projects of similar nature and scope, along with FASTTRACK URGENT CARE: FULL HIPAA AUDIT Your Health Idaho (YHI) ‐ ATC MARS‐E NIST 800‐53 (a) evidence of satisfactory completion, both on A leading urgent care group in Florida, we coordinated all HIPAA compliance Authority to Connect Project: Online time and within budget, for the past five years. efforts for this organization including: complete risk assessment (full audit, led this project on behalf of GetInsured (YHI’s vendor for Provide a minimum of three projects with including physical, internal and external infrastructure, application pen Exchange and Security/Privacy). Online references, preferably government agencies (i.e. testing), development of all policies and procedures, and training and successfully completed a passing Security Assessment state, local) of similar size and structure and awareness program.We not only completed the work and took FastTrack Report within YHI’s challenging 4‐month proven experience and skillset in evaluation a Urgent Care into full HIPAA compliance (and beyond, as HIPAA compliance timeframe. mixed credit card environment of web doesn’t necessarily equal an adequate security posture), we were able to Public Knowledge, LLC ‐ Wyoming Department of Health applications, point of sale (POS), and IVR deliver under the projected budget. With a focus on knowledge transfer, and Independent Risk Assessment and systems. building a risk management program that truly gave this organization an Security Testing Support: Online supported the State of Vendor should provide references for similar optimal security posture, the end result was an organization where cyber Wyoming’s MARS‐Ev2 requirements by work performed to show evidence of security was a core competency. conducting third party security testing and risk assessment. qualifications and previous experience. Refer to IDEAL IMAGE: FULL HIPAA AUDIT Wayne Memorial Hospital – HIPAA Security Risk Vendor Reference Verification Form and submit Similar to Fast Track Urgent Care, Ideal Image chose us to take a deep dive Assessment and Penetration Test: Online as instructed. Only provide references for non‐ into their security posture and create a risk management program that not conducted a HIPAA security risk assessment and Broward County Board of County Commissioners’ only hardened their information security environment, penetration testing via on‐site and remote interviews contracts. For Broward County contracts, the but also met, and surpassed, HIPAA compliance requirements. We completed and technical tools. County will review performance evaluations in its a full risk assessment, revised and developed all of their policies and database for vendors with previous or current procedures, and set them up with the required training contracts with the County. The County considers and awareness efforts. Once again, we delivered under the quoted budget on references and performance evaluations in the a time and materials basis and were able to evaluation of Vendor’s past performance. provide them with all the knowledge transfer to continue to mature their risk management program.

b. Provide evidence of similar work related to See "Fast Track Urgent Care Sample Report" in Appendix ‐ PDF Pgs. 68 ‐95. Online is pleased to include a Sample Report for a HIPAA Not Provided services identified in this Category, including engagement as evidence of our HIPAA consulting sample executive summaries and reports. capabilities. It is enclosed under Appendix B.

Not Provided

33 10/20/2017 1:35 PM RFQ A2114499R1 ‐ Broward Coun Category 2 ‐ Health Insurance Por

Licensing Matrix Plante & Moran, PLLC dba Plante Moran Presidio RSM US LLP Securance LLC 3. Past Performance: a. Describe prime Vendor’s experience on Reference Verification Forms included. ‐ See PDF Pg. 69 See PDF Pg 27 ‐ 28. See Pdf Pg 25‐27 CONFIDENTIAL projects of similar nature and scope, along with Examples ‐ See PDF Pg. 25 Presidio would develop a project plan with all defined project District of Columbia Water & Sewer Authority evidence of satisfactory completion, both on milestones which includes weekly status meetings to track October 2016 ‐ April 2017 References remain confidential. time and within budget, for the past five years. the project overall progress. Escalation methodology follows. Evaluate DC Water's information privacy practices and how they Provide a minimum of three projects with aligh to NIST references, preferably government agencies (i.e. state, local) of similar size and structure and Cubic Corporation and Transportation Systems proven experience and skillset in evaluation a May 2014 ‐ Ongoing mixed credit card environment of web RSM monitors compliance with respect to HIPAA's security applications, point of sale (POS), and IVR regulations systems. Vendor should provide references for similar Prince William County, Virginia work performed to show evidence of May 2014 ‐ August 2014 qualifications and previous experience. Refer to Internal audit services provided to PWC include audit of policies, Vendor Reference Verification Form and submit procedures and compliance as they relate to HIPAA as instructed. Only provide references for non‐ Broward County Board of County Commissioners’ Vendor Reference Verification Forms included in Appendix contracts. For Broward County contracts, the County will review performance evaluations in its database for vendors with previous or current contracts with the County. The County considers references and performance evaluations in the evaluation of Vendor’s past performance.

b. Provide evidence of similar work related to See PDF Pg. 25 Reference Verification Forms included. Due to the sensitivity of the results of the work completed for our CONFIDENTIAL services identified in this Category, including Upon conclusion of the engagement described above, we will See PDF Pg. 29. clients, results of our engagements or final reports will not be sample executive summaries and reports. provide the County with a written HIPAA gap assessment report1 Presidio provides the following references for which we have provided as evidence for proof of completion. If the County References remain confidential. outlining each HIPAA Security and Privacy requirement and whether provided similar solutions to desires, we are prepared to provide example templates used as or not the County has implemented appropriate controls to address Category 2 ‐ HIPAA: part of our reporting process to help ensure you are comfortable compliance requirements. For areas e+CancerCare with the final work products we are accustomed to delivering. where control improvements should be made we will provide Broward Healthcare specific suggestions for enhancing the control structure. Dayton’s Children Hospital Plante Moran will also provide a written Network Security report Presidio uploads these customer references on the required detailing the results of the technical assessments performed. Vendor Verification Form, in a separate file.

34 10/20/2017 1:35 PM RFQ A2114499R1 ‐ Broward Coun Category 2 ‐ Health Insurance Por

Verizon Business Network Services Inc. d/b/a Licensing Matrix SHI International Corp Verizon Business Services 3. Past Performance: a. Describe prime Vendor’s experience on SHI Security Services is very flexible in scoping a Security See Pages 30‐31. projects of similar nature and scope, along with Assessment with requirements focused on HIPAA, PCI, CJIS Verizon’s Health Care team has specific experience in assessing the evidence of satisfactory completion, both on or other Security frameworks such as SANS CIS Controls. It Health Care compliance and associated risk due to the use of time and within budget, for the past five years. is our experience most local government agencies have specific system, products, and communications architectures. Provide a minimum of three projects with requirements for all these areas with systems and data Verizon’s team has conducted detailed assessment to validate references, preferably government agencies (i.e. overlapping within departments. By scoping an assessment Verizon internal products and services, and has worked with other state, local) of similar size and structure and to include two or more of these regulatory requirements product and Health Care service providers to assess and report in proven experience and skillset in evaluation a we are able to minimize time and cost and greatly increase the security of their offerings. Verizon is specifically familiar with mixed credit card environment of web the value of the assessment. (Our PCI Assessments are for nontraditional Health Care compliance situations outside and above applications, point of sale (POS), and IVR Self‐Assessment or Gap analysis only as we do not staff a those typical to covered entities, and has wide ranging experience systems. QSA). SHI understands the importance of quality in assessment and improving call center, Vendor should provide references for similar references; however for services such as those being communications center, and other networked services. Verizon has work performed to show evidence of requested by the County, most customers feel the highly relevant customers who can provide information on the work qualifications and previous experience. Refer to information associated with these services is confidential. we have done and the quality of our relationship with their Vendor Reference Verification Form and submit SHI has included a list of a few customers that we have organizations. Due to the number of requests Verizon receives for as instructed. Only provide references for non‐ provided similar services as requested in this RFP. If recommendations from these customers, it is our policy to provide Broward County Board of County Commissioners’ needed, we agree to help coordinate a call between our contact information only when we are under serious consideration contracts. For Broward County contracts, the customers and Broward County to discuss their experience for a contract award. In addition, Verizon’s corporate nondisclosure County will review performance evaluations in its with SHI. Please note that customers may not wish to policies – combined with the sensitive nature of our customers’ database for vendors with previous or current discuss specifics of their project due to the sensitive business – require that certain agreements be in place before we contracts with the County. The County considers nature. can release sensitive customer data. In order to protect the references and performance evaluations in the Gold’s Gym, Anthony (Tony) Wilkins, Director of IT interests and confidentiality of our customers, and at the request of evaluation of Vendor’s past performance. Infrastructure and Telecom our customers, we prefer to facilitate references calls and/or visits Tampa General Hospital, Jason Powell, Chief Information at a mutually convenient time for all. It is standard policy of Verizon Security Officer to not publish reference lists due, in large part, to Non‐Disclosure City of San Marcos, Lenora Newson, IT Infrastructure Agreements between Verizon and its customers. Manager b. Provide evidence of similar work related to SHI has attached sample reports with our submission. Sample pdfs embedded in response. Unable to open. services identified in this Category, including sample executive summaries and reports.

35 10/20/2017 1:35 PM RFQ A2114499R1 ‐ Broward County IT Security and Compliance Services Category 2 ‐ Health Insurance Portability and Accountability Act (HIPAA) Services

Prime: Carahsoft Technology Corp Licensing Matrix ATT Solution Provider: Trustwave Crowe Horwath LLP Enterprise Risk Management, Inc. 4. Workload of the Firm: List all completed and active projects that Vendor See PDF Pgs. 497 See PDF Pg. 21 See PDF Pg. 171 See PDF Pgs. 58 has managed within the past five years. In As a private firm, we do not go into specific details, but we can Over the past 5 years, Crowe has had over 16,000 clients, of which ERM has completed 10 HIPAA projects during the past 5 addition, list all projected projects that Vendor Pgs 35: say we do about 4000 pen tests a year and about 850 RoCs ‐ but over 1,200 were government clients. Crowe currently has 871 years and estimates it will be working on 1 per will be working on in the near future. Projected Non‐Disclosure Statement "The information in this document is AT&T also have the most QSAs and Pen Testers than any other government clients, with 32 in the Florida area. month for the remainder of 2017. projects will be defined as a project(s) that Corp. Confidential, and cannot be reproduced or redistributed in any way,competitor – over 100 in each case. We are busy, but have Crowe is well positioned to provide quality service to Broward County ERM is able to manage several projects simultaneously Vendor is awarded a contract but the Notice to shape, or form without prior written consent from AT&T Corp. © sufficient resources to cover all of our engagements. in a timely fashion. Crowe has a sophisticated Centralized Resource based on our efficient project management Proceed has not been issued. Identify any Copyright 2017 AT&T Corp. AT&T Corp., the AT&T Corp. logo, and all Management function that is responsible for ensuring that Broward approach. We have not experienced any challenges to projects that Vendor worked on concurrently. other trademarks, service marks, and designs are registered or County’s needs are met with the experienced and trained staff from complete these projects, nor do we expect to Describe Vendor’s approach in managing these unregistered trademarks of AT&T Corp. Intellectual Property and/or our local offices, and if needed, experience challenges completed projects for the client. projects. Were there or will there be any AT&T Corp. affiliated from across our firm. We realize that resource management is a a. Past Five Years challenges for any of the listed projects? If so, companies." crucial element to consistently providing top quality service to 1. Education (2) describe how Vendor dealt or will deal with the Broward County, and all of our clients. 2. Hospital (4) projects’ challenges. Pgs 36‐ 223: 3. Physician Group (1) "AT&T Consulting Proprietary and Confidential Information" 4. Local, City, State Government (2) 5. Other (1) Pgs 418‐568 AT&T Proprietary: The information contained herein is for ..... use by authorized persons only and is not for general distribution.

VENDOR QUESTIONNAIRE FORM Verify that these questions are the same as in the advertised solicitation: 1. Legal business name. AT&T Corp Carahsoft Technology Corporation Crowe Horwath LLP Enterprise Risk Management, Inc.

2. Doing Business As/ Fictitious Name (if Not applicable applicable): 3. Federal Employer I.D. Number. 13‐4924710 522189693 35‐0921680 65‐0827427

4. Dun & Bradstreet Number. (If applicable). 00‐698‐0080 08‐8365767 787324008 610144201 5. Website address (if applicable). www.att.com www.carahsoft.com www.crowehorwath.com www.emrisk.com 6. Principal place of business. One AT&T Way, Bedminster, NJ 07921 1860 Michael Faraday Drive, Suite 100 225 West Wacker Drive, Suite 2600 800 S. Douglas Road, Suite 940 North Tower, Coral Reston, VA 20190 Chicago, Illinois 60606‐1224 Gables, FL 33134

7. Office Location for this project. 2002 NW 64th St., Ft. Lauderdale, FL 33309 1860 Michael Faraday Drive, Suite 100 401 East Las Olas Boulevard, Suite 1100 800 S. Douglas Road, Suite 940 North Tower, Coral Reston, VA 20190 Fort Lauderdale, Florida 33301‐4230 Gables, FL 33134

8. Telephone/Fax Number: Telephone no.:305‐913‐3887 Fax no.: Telephone no.:703.871.8500 Fax no.:703.871.8505 Telephone no.:954.202.8600 Fax no.:954.202.8639 Telephone no.:305‐447‐6750 Fax no.:305‐447‐6752 9. Type of Business Corporation; New York Corporation; Maryland Limited Liability Partnership Corporation; Florida 10. List Florida Registration Number. 845822 GP0800003826

36 10/20/2017 1:35 PM RFQ A2114499R1 ‐ Broward Coun Category 2 ‐ Health Insurance Por

Prime: Marcum LLP Licensing Matrix Focal Point Data Risk LLC Foresite MSP LLC Global Information Intelligence LLC Sub: 24by7 Security 4. Workload of the Firm: List all completed and active projects that Vendor See PDF Pg. 76 Foresite has over 600 active projects and current has a client base of over See PDF Pg. 39 See PDF Pg. 26 ‐ 27 has managed within the past five years. In Since the company’s inception, Focal Point has provided HIPAA 2000 companies. Foresite has over 8 million US dollars currently in the 6 Global Information Intelligence will apply its expert and proven Marcum: addition, list all projected projects that Vendor compliance, privacy, and month sales pipe. The request can certainly be discussed but would not methodology to provide BROWARD COUNTY with INFORMATION 1. Independent Living Systems will be working on in the near future. Projected information security services to clients in both the private and public seem logical to address at the level you are requesting. TECHNOLOGY (IT) SECURITY AND COMPLIANCE SERVICES using 2. Nordis Technologies, Inc. projects will be defined as a project(s) that sectors. Our team’s Intelligent, Proactive and Robust and Resilient methods that 3. Envolve Health Benefits Vendor is awarded a contract but the Notice to experience in providing HIPAA compliance services is unparalleled in include proactive recommendations and remediation sample for 4. International Union of Operating Engineers Proceed has not been issued. Identify any the marketplace. In design and implementation operational effectiveness for 24by7Security: projects that Vendor worked on concurrently. particular, the team has extensive experience within the technology, INFORMATION TECHNOLOGY (IT) SECURITY AND COMPLIANCE 1. MCCI Group Health Describe Vendor’s approach in managing these healthcare, insurance, and SERVICES: Network assessment of BROWARD COUNTY Corporate 2. SantaFe Senior Living projects. Were there or will there be any government industries. Focal Point typically performs over 30 HIPAA Network and its Operations Technology Network. INFORMATION 3. Integra Health challenges for any of the listed projects? If so, assessments on an annual TECHNOLOGY (IT) SECURITY AND COMPLIANCE SERVICES 4. Arkansas Heart Health describe how Vendor dealt or will deal with the basis, and regularly perform multiple assessments concurrently with Qualified Proponents are to provide services for the Broward 5. Banyan Health Systems projects’ challenges. each other. County.... 6. Barry University 7. Clinical Information Systems 8. Doctor’s Medical Center 9. Primary Care Physician Group 10. ED Care Management, Inc. 11. Femwell Group Health 12. Henderson Behavioral Health 13. Insight Software 14. Miami Dade College 15. Mount Sinai Hospital 16. Network Health Plans 17. Northern Physician Organization 18. Nova University 19. Oncology Analytics 20. Orange Care Group VENDOR QUESTIONNAIRE FORM Verify that these questions are the same as in the advertised solicitation: 1. Legal business name. Focal Point Data Risk, LLC Foresite MSP LLC Global Information Intelligence LLC Marcum LLP 2. Doing Business As/ Fictitious Name (if applicable): 3. Federal Employer I.D. Number. 61‐1805201 38‐3916369 273548900 111986323

4. Dun & Bradstreet Number. (If applicable). 08‐0541660 07‐8744163 968051180 5. Website address (if applicable). www.focal‐point.com www.foresite.com www.globalinfointel.com www.marcumllp.com 6. Principal place of business. 201 E Kennedy Blvd, Suite 1750 E Windsor Ct 6860 North Dallas Parkway, Suite 200,Plano, TX 75024 Tampa, FL 33602 451 East Las Olas Boulevard, Ninth Floor Fort Lauderdale, FL 33301 7. Office Location for this project. We will utilize both our Tampa location and our Broward New York 6861 North Dallas Parkway, Suite 200,Plano, TX 75024 County location for this project. Our Broward County address is 1601 Sawgrass Corp. Pkwy., Suite 130, 451 East Las Olas Boulevard, Ninth Floor Sunrise, FL 33323 Fort Lauderdale, FL 33301 8. Telephone/Fax Number: Telephone no.:(813) 402‐1208 Fax no.:813‐436‐5283 800‐940‐4699 Telephone no.:4082509045 Fax no.:N/A 954‐320‐8000 Fax no.:954‐320‐8001 9. Type of Business LLC LLC Corp; DE ‐ LLC Limited Partnership 10. List Florida Registration Number. M16000008367 LLP090003311

37 10/20/2017 1:35 PM RFQ A2114499R1 ‐ Broward Coun Category 2 ‐ Health Insurance Por

Online Enterprises Inc. d/b/a Online Business Licensing Matrix MGT of America Consulting, LLC Nettitude, Inc. d/b/a Nettitude Systems Optiv Security 4. Workload of the Firm: List all completed and active projects that Vendor See PDF Pgs. 61 ‐ 67. See PDF Pg. 258 Not Provided has managed within the past five years. In MGT has completed projects for the County, including: Online’s Risk, Security, and Privacy consulting practice has addition, list all projected projects that Vendor Disparity Study of County Government (2000). over 100 clients and delivers well over 200 engagements will be working on in the near future. Projected Cost Allocation Plans (2009, 2010, 2011, 2014, 2015, 2016). annually. To protect the privacy of our clients, we cannot projects will be defined as a project(s) that Comprehensive Review of the Sheriff’s Office Department of Detention divulge client names, but we can guarantee that our team Vendor is awarded a contract but the Notice to (2009). can meet any project deadlines that Broward County Proceed has not been issued. Identify any Comprehensive Analysis of the Libraries Division (2010). establishes. Our 98% customer retention rate speaks projects that Vendor worked on concurrently. Being a national company, MGT has completed many projects within the past volumes of our ability to meet our clients’ needs while Describe Vendor’s approach in managing these five years. Therefore,instead of providing a list of the over 2,200 projects the delivering high quality services. Our dedication to the projects. Were there or will there be any firm has completed or is currently conducting, we are providing a list of customer experience combined with our strong team bond challenges for any of the listed projects? If so, clients served (presented in alphabetical order by state). (there are rare all‐hands‐on‐deck moments) help us ensure describe how Vendor dealt or will deal with the that we deliver engagements on time. The Risk, Security, projects’ challenges. and Privacy practice has never missed an engagement Not Provided deadline. Online spends a great deal of time reviewing our workloads and our forecast pipeline so that we work the fine balance of not having too many consultants on the bench but also not overloading our consultants. We ensure that we always have a handful of qualified recruits in our hiring queue for when we hit growth spurts.

VENDOR QUESTIONNAIRE FORM Verify that these questions are the same as in the advertised solicitation: 1. Legal business name. MGT of America Consulting, LLC Netitude, Inc. Online Enterprises Inc. Optiv Security

2. Doing Business As/ Fictitious Name (if Netitude Online Business Systems Optiv, Optiv Security applicable): 3. Federal Employer I.D. Number. 81‐0890071 36‐4694227 41‐180 5060 43‐1806449

4. Dun & Bradstreet Number. (If applicable). 02‐096‐7659 968240825 08‐6535676 01‐946‐6684 5. Website address (if applicable). www.mgtconsulting.com www.Nettitude.com www.obsglobal.com optiv.com 6. Principal place of business. 3800 Esplanade Way, Suite 210 85 Broad Street, New York NY 10004 US Headquarters: 7760 France Ave. S., Minneapolis, MN 1125 17th St., Suite 1700 Tallahassee, FL 32311 55435 USA Denver, CO 80202‐2032 Canadian Headquarters: 200‐115 Bannatyne Avenue, Winnipeg, MB Canada R3B 0R3 7. Office Location for this project. Tallahassee, FL 85 Broad Street, New York NY 10004 000 Kruse Way Place, Bldg 1 Suite 360 N/A Lake Oswego, OR 97035

8. Telephone/Fax Number: Telephone no.:850.386.3191 Fax no.:850.385.4501 Telephone no.:646‐795‐1881 Fax no.: Telephone no.:866.884.0304 Fax no.:503.224.5962 Telephone no.:(303) 298‐0600 Fax no.:(303) 298‐0868 9. Type of Business LLC Corporation; S Corporation; Minneapolis Corporation; Delaware 10. List Florida Registration Number. L15000199435 In Progress

38 10/20/2017 1:35 PM RFQ A2114499R1 ‐ Broward Coun Category 2 ‐ Health Insurance Por

Licensing Matrix Plante & Moran, PLLC dba Plante Moran Presidio RSM US LLP Securance LLC 4. Workload of the Firm: List all completed and active projects that Vendor Our team of 40+ cybersecurity consultants has completed projects See PDF Pg. 29. RSM maintains confidentiality agreements with many of our See PDF Pg. 96. has managed within the past five years. In for hundreds of organizations over the past five years. In addition, The Presidio Cyber team averages 70 concurrent projects at clients. For this reason, we cannot name them in proposals or We are currently engaged on a number of client projects. We attempt to addition, list all projected projects that Vendor our team uses multiple firm wide project management tools to any one time. Our project managers marketing collateral without express permission. However, in the keep our workload commensurate with our staff. However, we believe the will be working on in the near future. Projected assist with working with dozens of clients each week. Should an ensure that we have resources allocated for the projects. Our Past Performance section on the prior page, we provide best way to measure our ability to complete task orders on time is through projects will be defined as a project(s) that unexpected conflict occur while working project sizes range from $8,000 to references from clients who can discuss our work with them on discussion with our current clients (see client references on previous page). Vendor is awarded a contract but the Notice to with the County, the County will be given priority as necessary. $1.6M. We monitor and manage the workload monthly and issues relevant to your operations. We guarantee that we will: Proceed has not been issued. Identify any make decisions on whether we need If we are engaged by the County, you will be a priority for our Properly staff each project with employees that are qualified and technical projects that Vendor worked on concurrently. to add additional security consultants to the team. Presidio firm and to each member of your engagement team. Our experts; Describe Vendor’s approach in managing these would assign a project manager and key members upon workload fluctuates based on a number of factors, including Begin all task orders on time; projects. Were there or will there be any award of the contract. We timing and currently pending engagements. Regardless, our firm Complete them within budget, within the required time frame; and challenges for any of the listed projects? If so, would require two‐weeks to get the team in place. has excelled at managing its human resources so that our Deliver a draft report within one (1) week of fieldwork completion. describe how Vendor dealt or will deal with the Presidio’s project manager would create a project plan that workload never surpasses the ability of our assigned teams to Due to confidential nature of our work, we are not permitted to provide a projects’ challenges. clearly outlines the project timelines devote the time and attention necessary to add value to our complete list of similar projects. However, we guarantee that Securance is and responsibilities for Presidio and Broward County. Presidio clients’ organizations. Our ability to manage our workload is experienced with networks of your size and complexity. We have provided a would schedule weekly meetings evidenced by relatively low turnover rates and is supported by sampling of our related experience of governmental agencies on page 19. with Broward County to track the overall progress of the clients’ opinions of our service. project. We will provide Broward The engagement team along with County management will County weekly updates so project status is communicated. design a plan that will ensure expectations are met along with Presidio requests Broward County to identify a project responsive and timely delivery of services as required by the sponsor that our project manager would work directly with. County. The engagement in‐charge and staff will be solely dedicated to the County from start to finish for the audit. We believe this to be a team effort so that all team members understand their roles, expectations, deliverables and timelines. We do not anticipate any scenario under which we will have difficulty completing the requested work.

VENDOR QUESTIONNAIRE FORM Verify that these questions are the same as in the advertised solicitation: 1. Legal business name. Plante & Moran, PLLC Presidio RSM US LLP Securance LLC

2. Doing Business As/ Fictitious Name (if Plante Moran applicable): 3. Federal Employer I.D. Number. 381357951 58‐1667655 FEIN‐42‐0714325 03‐0392503

4. Dun & Bradstreet Number. (If applicable). 004913299 15‐405‐0959 73482424 04‐1637542 5. Website address (if applicable). plantmoran.com www.presidio.com www.rsmus.com http://www.securanceconsulting.com 6. Principal place of business. 27400 Northwestern Hwy 12120 Sunset HIlls Rd, Sutie 202 100 NE Third Ave, Suite, Fort Lauderdale, FL 33301 6922 West Linebaugh Avenue, Suite 101, Tampa, FL 33625 Southield, MI 48037 Reston, Va 20190

7. Office Location for this project. Southfield, MI 3250 W. Commercial Blvd Fort Lauderdale 6923 West Linebaugh Avenue, Suite 101, Tampa, FL 33625 Fort Lauderdale, Fl 33309

8. Telephone/Fax Number: Tel:248‐223‐3428 Fax no.:248‐603‐5997 305‐606‐2835 954‐462‐6351 Telephone no.:877‐578‐0215 Fax no.:813‐960‐4946 9. Type of Business Limited Partnership LLC Limited Partnership LLC 10. List Florida Registration Number. M11000002358 L15000111335 ADP004384 L02000005108

39 10/20/2017 1:35 PM RFQ A2114499R1 ‐ Broward Coun Category 2 ‐ Health Insurance Por

Verizon Business Network Services Inc. d/b/a Licensing Matrix SHI International Corp Verizon Business Services 4. Workload of the Firm: List all completed and active projects that Vendor Due to the sensitivity and type of services, SHI cannot Workload at any one time varies across our Health Care consulting has managed within the past five years. In provide this information as it relates to other team and they are in demand for their services. Verizon always addition, list all projected projects that Vendor projects and customers either completed or in the future. works on more than one project at a time, and would work with will be working on in the near future. Projected SHI would be happy to meet with Broward you to schedule you projects into this larger plan. Verizon cannot projects will be defined as a project(s) that County discuss our approach and any challenges we may enumerate our current project as they are Customer confidential. Vendor is awarded a contract but the Notice to have experienced on similar projects. SHI Verizon is continuously working multiple projects concurrently and Proceed has not been issued. Identify any believes in transparency and any time we come upon a has the people, process and projects that Vendor worked on concurrently. challenge with a project we work with the technology to ensure all active projects are meeting the milestones Describe Vendor’s approach in managing these customer to let them know the issues and possible defined on the project scope. We do not anticipate any challenges; projects. Were there or will there be any solutions. SHI has a clearly defined escalation path so however, should issues arise we have a welldefined process for challenges for any of the listed projects? If so, if a challenge arises the proper people can be engaged to identifying the root cause and developing a remediation plan. describe how Vendor dealt or will deal with the assist. In addition as one of the top provider of IT solutions, projects’ challenges. SHI has built solid relationships with IT manufacturers and has a network of partners to work with should any challenges encountered required additional products or resources.

4. Dun & Bradstreet Number. (If applicable). 61‐142‐9481 556565836 5. Website address (if applicable). www.shi.com www.verizonenterprise.com 6. Principal place of business. 290 Davidson Ave Somerset, New Jersey 08873 OneVerizon Way, Basking Ridge NJ 07920

7. Office Location for this project. 290 Davidson Ave Somerset, New Jersey 08873 Tampa, FL

8. Telephone/Fax Number: 800‐477‐6479 no.:(813) 520‐9786 Fax no.:813‐978‐6751 9. Type of Business Corporation; New Jersey Corporation; Delaware 10. List Florida Registration Number. F‐01000004066 829591

40 10/20/2017 1:35 PM RFQ A2114499R1 ‐ Broward County IT Security and Compliance Services Category 2 ‐ Health Insurance Portability and Accountability Act (HIPAA) Services

Prime: Carahsoft Technology Corp Licensing Matrix ATT Solution Provider: Trustwave Crowe Horwath LLP Enterprise Risk Management, Inc. 11. List name and title of each principal, owner, a. Thadeus Arroyo, President and CEO AT&T, 208 S. Akard St., Dallas, TX a) Craig P. Abod ‐ President a) James Powers, CEO a) Silka Gonzalez ‐ President officer and major shareholder. 75202 b) Robert Moore ‐ Vice President b) Joseph Santucci, COO b) Michelle Miller ‐ COO b. Anne Chow, President‐Integrator Solutions, AT&T, 208 S. Akard St., c) Jillian Szczepanek ‐ Controller c) Todd Welu, CFO c) Esteban Farao ‐ Director of Consulting Services Suite 3514, Dallas, TX 75202 d) Jennifer Taha ‐ Proposals Director d) Crowe Horwath LLP is a limited liability partnership with more than c. Frank Jules, President ‐ Global Business AT&T, 208 S. Akard St., Suite 275 partners/principals. If required, we will provide a complete listing 3509, Dallas, TX 75202 of the partner/principals. The names and titles of the firm's d. Cathy Martine‐Dolecki, President ‐ Natl Bus AT&T, 1 AT&T Way, leadership is available at www.crowehorwath.com/leadership. Bedminster, NJ 07921 e. Delores McCarty, Assistant Secretary AT&T, 675 W Peachtree St, NW, Atlanta, GA 30308 f. George B. Goeke, CFO and Treasurer AT&T, 208 S. Akard St., Suite 1824, Dallas, TX 75202 AT&T is a publicly held corporation. No single person owns more than 10% of the company. It is an independent, publicly traded telecommunications services provider. The names and titles of the AT&T Inc. officers are • Randall Stephenson—Chairman and Chief Executive Officer (CEO) Willi Bl S i EtiVi PidtH R 12. Authorized contacts for your firm. Name: Dwayne Stafford Name: Aaron Giannini Name: Craig Sullivan Name: Silka Gonzalez Title: Strategic Account Lead Title: Account Representative Title: Partner Title: President E‐mail: [email protected] E‐mail: [email protected] E‐mail: [email protected] E‐mail: [email protected] Telephone No.: 786‐479‐4113 Telephone No.: 703.889.9848 Telephone No.: 574.236.7618 Telephone No.: 305‐447‐6750 Name: Esther Martin Name: Jennifer Taha Name: Michelle Miller Title: Strategic Account Lead Title: Proposals Director Title: COO E‐mail: [email protected] E‐mail: [email protected] E‐mail: [email protected] Telephone No.: 305‐582‐9541 Telephone No.: 703.871.8556 Telephone No.: 305‐447‐6750

13. Has your firm, its principals, officers or No No No No predecessor organization(s) been debarred or suspended by any government entity within the last three years? If yes, specify details in an attached written response.

14. Has your firm, its principals, officers or No No No No predecessor organization(s) ever been debarred or suspended by any government entity? If yes, specify details in an attached written response, including the reinstatement date, if granted.

41 10/20/2017 1:35 PM RFQ A2114499R1 ‐ Broward Coun Category 2 ‐ Health Insurance Por

Prime: Marcum LLP Licensing Matrix Focal Point Data Risk LLC Foresite MSP LLC Global Information Intelligence LLC Sub: 24by7 Security 11. List name and title of each principal, owner, a) Andrew Cannata ‐ Principal, Cyber Security Robin Mano ‐ CEO a) DR. EMMANUEL HOOPER, PHD, PHD, PHD, Harvard Yale Alumni, a) Michael Balter, Regional Managing Partner officer and major shareholder. b) Christie Verscharen ‐ Principal, PCI and Risk Services George Farris ‐ Board Member President b) Mark Agulnik, Partner c) Eric Dieterich ‐ Principal, Data Privacy David Cohen ‐ Board Member b) Theresa Marie Hooper, BA (Harvard),Senior Executive c) David Appel, Partner Gary Fish ‐ Board Member d) Shaun Blogg, Partner e) Ilyssa Blum, Partner f) Marc Breslow, Partner g) Michael Curto, Partner h) Adam Firestein, Partner i) Michael Futterman, Partner j) John Gabriel, Partner k) Cecelia Garber, Partner l) Kim Lamplough, Partner m) Michele Lipson, Partner n) Michael Novak, Partner Marcum LLP is managed by more than 140 partners around the country. Below is a list of partners from our local Florida offices. A complete list of partners around the country is available at www.marcumllp.com/people‐ h 12. Authorized contacts for your firm. Name: Andrew Cannata Jason Leduc Name: DR. EMMANUEL HOOPER, PHD, PHD, PHD Name: Mark Agulnik Title: Principal, Cyber Security VP Cyber Security Services Title: President Title: Partner E‐mail: acannata@focal‐point.com [email protected] E‐mail: [email protected] E‐mail: [email protected] Telephone No.: (813) 731‐9074 732‐674‐0871 Telephone No.: 408‐250‐9045 Telephone No.: 954‐320‐8000, Ext. 38013 Name: Eric Dieterich Name: Theresa M. Hooper Name: Jose Antigua Title: Principal, Data Privacy John Lavelle Title: Senior Executive Title: Senior Manager E‐mail: edieterich@focal‐point.com Controller E‐mail: [email protected] E‐mail: [email protected] Telephone No.: (786) 390‐1490 [email protected] Telephone No.: 714‐331‐1173 Telephone No.: 954‐320‐800, 38054 800 940 4699 ext 227 13. Has your firm, its principals, officers or No No No No predecessor organization(s) been debarred or suspended by any government entity within the last three years? If yes, specify details in an attached written response.

42 10/20/2017 1:35 PM RFQ A2114499R1 ‐ Broward Coun Category 2 ‐ Health Insurance Por

Online Enterprises Inc. d/b/a Online Business Licensing Matrix MGT of America Consulting, LLC Nettitude, Inc. d/b/a Nettitude Systems Optiv Security 11. List name and title of each principal, owner, a) A. Trey Traviesa, Chairman & CEO a) Rowland Johnson a) Chuck Loewen (Founder, Owner & CEO) a) Dan Burns ‐ CEO officer and major shareholder. b) Fred Seamon, Executive Vice President b) Ben Densham b) Tim Siemens (CTO) b) David Roshak ‐ CFO c) Brad Burgess, Executive Vice President c) Martin Watts c) Lynne Black (CFO) c) Nate Brady ‐ CAO d) Mitchell Titley d) Veena Bricker ‐ CHRO

12. Authorized contacts for your firm. Name: A. Trey Traviesa Name: Miles Corn Name: Steve Levinson Name: Doug Hart Title: Chairman & CEO Title: Head of Bid Management Title: Vice President, Risk, Security & Privacy Title: Client Manager E‐mail: [email protected] E‐mail: [email protected] E‐mail: [email protected] E‐mail: [email protected] Telephone No.: 850.386.3191 Telephone No.: 646‐795‐1881 Telephone No.: 619.701.8614 Telephone No.: 305‐972‐8137 Name: Fred Seamon Name: Karen Bolton Name: Michael Mangra Title: Executive Vice President Title: EVP & Leader North America Title: Solutions Architects E‐mail: [email protected] E‐mail: [email protected] E‐mail: [email protected] Telephone No.: 850.386.3191 Telephone No.: 646‐795‐1898 Telephone No.: 561‐670‐1536

43 10/20/2017 1:35 PM RFQ A2114499R1 ‐ Broward Coun Category 2 ‐ Health Insurance Por

Licensing Matrix Plante & Moran, PLLC dba Plante Moran Presidio RSM US LLP Securance LLC 11. List name and title of each principal, owner, a) James Proppe, Managing Partner Regarding principals, owners, etc., not applicable. Presidio is a Paul Ashe officer and major shareholder. b) Dnnis Graham, Group Managing Partner publicly owned company. c) Frank Audia, CIO d) Beth Bialy, Government Industry Group Leader

12. Authorized contacts for your firm. Name: Raj Patel Name: Jill Finkelstein Jason Alexander Name: Paul Ashe Title: Partner Title: Business Development Manager Principal Title: President E‐mail: [email protected] E‐mail: [email protected] 786‐239‐4279 E‐mail: [email protected] Telephone No.: 248‐223‐3428 Telephone No.: 305‐606‐2835 Telephone No.: 877‐578‐0215 Name: Scott Eiler Name: Ralph Gentile Name: Gillian Tedeschi Title: Partner Title: Sales Lead Title: Director of Marketing E‐mail: [email protected] E‐mail: [email protected] E‐mail: [email protected] Telephone No.: 248‐223‐3447 Telephone No.: 954‐817‐0690 Telephone No.: 877‐578‐0215

44 10/20/2017 1:35 PM RFQ A2114499R1 ‐ Broward Coun Category 2 ‐ Health Insurance Por

Verizon Business Network Services Inc. d/b/a Licensing Matrix SHI International Corp Verizon Business Services 11. List name and title of each principal, owner, Thai Lee please see: http://www.verizon.com/about/investors/corporate‐ officer and major shareholder. Koguan Leo governance MCI Communications Services Inc. (100% Shareholder)

12. Authorized contacts for your firm. Name: Meghan Flisakowski Name: Frank Parra Title: Public Program Manager Title: Sr. Client Executive E‐mail: [email protected] E‐mail: [email protected] Telephone No.: 5125174088 Telephone No.: (813) 520‐9786 Name: Natalie Castagno Title: Director Response Team E‐mail: [email protected] Telephone No.: 732‐868‐5902

13. Has your firm, its principals, officers or No No predecessor organization(s) been debarred or suspended by any government entity within the last three years? If yes, specify details in an attached written response.

14. Has your firm, its principals, officers or No No predecessor organization(s) ever been debarred or suspended by any government entity? If yes, specify details in an attached written response, including the reinstatement date, if granted.

45 10/20/2017 1:35 PM RFQ A2114499R1 ‐ Broward County IT Security and Compliance Services Category 2 ‐ Health Insurance Portability and Accountability Act (HIPAA) Services

Prime: Carahsoft Technology Corp Licensing Matrix ATT Solution Provider: Trustwave Crowe Horwath LLP Enterprise Risk Management, Inc. 15. Has your firm ever failed to complete any We are unaware of any work completion issues that would impair our No Yes, Like all large professional service firms, Crowe is, from time to No services and/or delivery of products during ability to meet our obligations under any contract. AT&T is a large time, subject to contract disputes or issues where contracts may be the last three (3) years? If yes, specify details in company with an international presence and significant contractual terminated for a variety of reasons, including without limitation lack an attached written response. relations. Given the size and scope of our business, we from time to time of client funding, disputes over the scope of the work, or payment over our history have been involved in occasional alleged contract disputes. Through active management and communication with our performance claims and legal actions. However, AT&T is a well‐ clients, Crowe is usually successful in anticipating such areas and capitalized company with assets in excess of any outstanding claims or working with the client to mitigate these issues. lawsuits. As such, we are unaware of any contact performance claim or legal action that would preclude or impair our ability to meet our obligations or perform our duties under any contract. We serve millions of customers around the globe, and we'll work hard to honor our promises.

16. Is your firm or any of its principals or officers Yes No No No currently principals or officers of another organization? If yes, specify details in an attached written response.

17. Have any voluntary or involuntary bankruptcy No No No No petitions been filed by or against your firm, its parent or subsidiaries or predecessor organizations during the last three years? If yes, specify details in an attached written response.

46 10/20/2017 1:35 PM RFQ A2114499R1 ‐ Broward Coun Category 2 ‐ Health Insurance Por

Prime: Marcum LLP Licensing Matrix Focal Point Data Risk LLC Foresite MSP LLC Global Information Intelligence LLC Sub: 24by7 Security 15. Has your firm ever failed to complete any No No No No services and/or delivery of products during the last three (3) years? If yes, specify details in an attached written response.

p// p / / gp 16. Is your firm or any of its principals or officers No Principal invests in multiple businesses No Marcum Group is an organization providing a comprehensive range of currently principals or officers of another professional services spanning accounting and advisory, technology solutions, organization? If yes, specify details in an attached wealth management and executive and professional recruiting. written response. MARCUM LLP Marcum LLP is one of the largest independent public accounting and advisory services firms in the nation, with offices in major business markets throughout the U.S., Grand Cayman and China. MARCUM FINANCIAL SERVICES Marcum Financial Services was founded in late 2009 by combining the expertise of several professionals and firms with extensive investment, financial and business experiences. MARCUM SEARCH Marcum Search LLC offers professional recruiting services. Our recruiters recognize the importance of working closely with companies and prospective candidates to ensure the perfect match. MARCUM TECHNOLOGY Marcum Technology LLC is a full‐service integrated solutions vendor (ISV) specializing in data storage, disaster recovery, network infrastructure, IT staffing and managed services. MARCUM BERNSTEIN & PINCHUK Marcum Bernstein & Pinchuk is an independent public accounting firm. We provide a full range of audit and assurance, tax and transaction advisory services for clients in a variety of industries. MARCUM RBK (IRELAND) LIMITED Marcum RBK is a service center for current and future hedge fund and private equity fund clients of the Marcum Alternative Investment Group.

47 10/20/2017 1:35 PM RFQ A2114499R1 ‐ Broward Coun Category 2 ‐ Health Insurance Por

Online Enterprises Inc. d/b/a Online Business Licensing Matrix MGT of America Consulting, LLC Nettitude, Inc. d/b/a Nettitude Systems Optiv Security 15. Has your firm ever failed to complete any No No No services and/or delivery of products during the last three (3) years? If yes, specify details in an attached written response.

16. Is your firm or any of its principals or officers Yes. Principal is CEO of MGT of America Consulting, LLC and Strategos Public No No No currently principals or officers of another Affairs, LLC, both wholly owned subsidiaries of MGT of America, LLC. organization? If yes, specify details in an attached written response.

48 10/20/2017 1:35 PM RFQ A2114499R1 ‐ Broward Coun Category 2 ‐ Health Insurance Por

Licensing Matrix Plante & Moran, PLLC dba Plante Moran Presidio RSM US LLP Securance LLC 15. Has your firm ever failed to complete any No No services and/or delivery of products during the last three (3) years? If yes, specify details in an attached written response.

16. Is your firm or any of its principals or officers No No No No currently principals or officers of another organization? If yes, specify details in an attached written response.

49 10/20/2017 1:35 PM RFQ A2114499R1 ‐ Broward Coun Category 2 ‐ Health Insurance Por

Verizon Business Network Services Inc. d/b/a Licensing Matrix SHI International Corp Verizon Business Services 15. Has your firm ever failed to complete any No No services and/or delivery of products during the last three (3) years? If yes, specify details in an attached written response.

16. Is your firm or any of its principals or officers No No currently principals or officers of another organization? If yes, specify details in an attached written response.

17. Have any voluntary or involuntary bankruptcy No No petitions been filed by or against your firm, its parent or subsidiaries or predecessor organizations during the last three years? If yes, specify details in an attached written response.

50 10/20/2017 1:35 PM RFQ A2114499R1 ‐ Broward County IT Security and Compliance Services Category 2 ‐ Health Insurance Portability and Accountability Act (HIPAA) Services

Prime: Carahsoft Technology Corp Licensing Matrix ATT Solution Provider: Trustwave Crowe Horwath LLP Enterprise Risk Management, Inc. 18. Has your firm’s surety ever intervened to No No No No assist in the completion of a contract or have Performance and/or Payment Bond claims been made to your firm or its predecessor’s sureties during the last three years? If yes, specify details in an attached written response, including contact information for owner and surety.

19. Has your firm ever failed to complete any We are unaware of any work completion issues that would impair our No Yes, Like all large professional service firms, Crowe is, from time to No work awarded to you, services and/or ability to meet our obligations under any contract. AT&T is a large time, subject to contract disputes or issues where contracts may be delivery of products during the last three (3) company with an international presence and significant contractual terminated for a variety of reasons, including without limitation lack years? If yes, specify details in an relations. Given the size and scope of our business, of client funding, disputes over the scope of the work, or payment attached written response. we from time to time over our history have been involved in occasional disputes. Through active management and communication with our alleged contract performance claims and legal actions. However, AT&T is clients, Crowe is usually successful in anticipating such areas and a well‐capitalized company with assets in excess of any outstanding working with the client to mitigate these issues. claims or lawsuits. As such, we are unaware of any contact performance claim or legal action that would preclude or impair our ability to meet our obligations or perform our duties under any contract. We serve millions of customers around the globe, and we'll work hard to honor our promises. 20. Has your firm ever been terminated from a Except for material matters that AT&T discloses in filings with the No Yes, Like all large professional service firms, Crowe is, from time to No contract within the last three years? If yes, Securities and Exchange Commission or otherwise discloses in response time, subject to contract disputes or issues where contracts may be specify details in an attached written response. to subpoenas or other valid court orders, AT&T is legally and terminated for a variety of reasons, including without limitation lack contractually prohibited from disclosing information to third parties of client funding, disputes over the scope of the work, or payment about contractual matters. Also, due to the size and scale of AT&T’s disputes. Through active management and communication with our operations, as a practical matter, AT&T cannot state with absolute clients, Crowe is usually successful in anticipating such areas and certainty whether AT&T has defaulted under a contract. Notwithstanding working with the client to mitigate these issues. the legal and practical restrictions that limit AT&T’s ability to disclose specific contract performance issues, AT&T can assure Customer that AT&T is capable of performing the services requested under this RFP and that AT&T has no history or pattern of performance issues with other customers that would affect AT&T’s ability to perform the services requested by Customer. AT&T reiterates that AT&T is not aware of any circumstances involving performance under another contract which would materially and adversely impact AT&T’s ability to perform services for Customer. Moreover, AT&T is not aware of any circumstance when AT&T was not awarded a bid due to non‐performance concerns about AT&T by the entity sponsoring a particular procurement. AT&T is forced to qualify such assurances to the best of its knowledge due to the scale and scope of AT&T’s operations. AT&T will not be able to provide such assurances with absolute certainty with respect to every contract or bid opportunity in which AT&T has participated.

21. Living Wage solicitations only: No N/A N/A

51 10/20/2017 1:35 PM RFQ A2114499R1 ‐ Broward Coun Category 2 ‐ Health Insurance Por

Prime: Marcum LLP Licensing Matrix Focal Point Data Risk LLC Foresite MSP LLC Global Information Intelligence LLC Sub: 24by7 Security 18. Has your firm’s surety ever intervened to No No No No assist in the completion of a contract or have Performance and/or Payment Bond claims been made to your firm or its predecessor’s sureties during the last three years? If yes, specify details in an attached written response, including contact information for owner and surety.

19. Has your firm ever failed to complete any No No No Our firm enters in to Engagement letters with clients that allow for cessation work awarded to you, services and/or of work and/or termination by either party in certain circumstances. delivery of products during the last three (3) years? If yes, specify details in an attached written response.

20. Has your firm ever been terminated from a No No No Our firm enters in to Engagement letters with clients that allow for cessation contract within the last three years? If yes, of work and/or termination by either party in certain circumstances. specify details in an attached written response.

21. Living Wage solicitations only: N/A N/A N/A N/A

52 10/20/2017 1:35 PM RFQ A2114499R1 ‐ Broward Coun Category 2 ‐ Health Insurance Por

Online Enterprises Inc. d/b/a Online Business Licensing Matrix MGT of America Consulting, LLC Nettitude, Inc. d/b/a Nettitude Systems Optiv Security 18. Has your firm’s surety ever intervened to No No No No assist in the completion of a contract or have Performance and/or Payment Bond claims been made to your firm or its predecessor’s sureties during the last three years? If yes, specify details in an attached written response, including contact information for owner and surety.

19. Has your firm ever failed to complete any No No No No work awarded to you, services and/or delivery of products during the last three (3) years? If yes, specify details in an attached written response.

20. Has your firm ever been terminated from a No No No No contract within the last three years? If yes, specify details in an attached written response.

21. Living Wage solicitations only: N/A N/A N/A N/A

53 10/20/2017 1:35 PM RFQ A2114499R1 ‐ Broward Coun Category 2 ‐ Health Insurance Por

Licensing Matrix Plante & Moran, PLLC dba Plante Moran Presidio RSM US LLP Securance LLC 18. Has your firm’s surety ever intervened to No No No No assist in the completion of a contract or have Performance and/or Payment Bond claims been made to your firm or its predecessor’s sureties during the last three years? If yes, specify details in an attached written response, including contact information for owner and surety.

20. Has your firm ever been terminated from a No – Plante Moran is not aware of any client terminating a contract No No No contract within the last three years? If yes, involving the provision of information technology security and specify details in an attached written response. compliance services. As one of the country’s largest accounting and consulting firms with thousands of annual engagements, there likely have been instances during the last three years where clients receiving tax or accounting‐related services have elected to use other service providers for their particular needs. Plante Moran’s record of client service and satisfaction is best in class, with 99% of clients indicating they would recommend Plante Moran to others.

21. Living Wage solicitations only: N/A N/A N/A N/A

54 10/20/2017 1:35 PM RFQ A2114499R1 ‐ Broward Coun Category 2 ‐ Health Insurance Por

Verizon Business Network Services Inc. d/b/a Licensing Matrix SHI International Corp Verizon Business Services 18. Has your firm’s surety ever intervened to No No assist in the completion of a contract or have Performance and/or Payment Bond claims been made to your firm or its predecessor’s sureties during the last three years? If yes, specify details in an attached written response, including contact information for owner and surety.

19. Has your firm ever failed to complete any No No work awarded to you, services and/or delivery of products during the last three (3) years? If yes, specify details in an attached written response.

20. Has your firm ever been terminated from a No No contract within the last three years? If yes, specify details in an attached written response.

21. Living Wage solicitations only: N/A N/A

55 10/20/2017 1:35 PM RFQ A2114499R1 ‐ Broward County IT Security and Compliance Services Category 3 ‐ IT Audit Services

Prime: 3K Technologies LLC Subs: Managni Systems, Inc. ; Aujas Information Risk Prime: Carahsoft Technology Corp Licensing Matrix Services ATT Solution Provider: Trustwave Crowe Horwath LLP RESPONSIBILTY REQUIREMENTS Servers and Workers Located in the USA Attestation Form Provided Provided ‐ PDF Pg. 569 Provided ‐ See Page 47 Provided ‐ See PDF Pg. 9 AND 1. Certified Information Systems Security Professional (CISSP) on staff and proposed key team member Provided Provided Provided Provided Requirement Met Requirement Met Requirement Met Requirement Met

OR Certified Information Systems Auditor (CISA) on staff and proposed key team member Not Provided Not Provided Not Provided Provided Requirement Met Requirement Met Requirement Met Requirement Met FORMS Vendor Questionnaire Form Provided Provided Provided Provided

Provided Vendor Security Questionnaire Form Provided Provided Provided

1 10/20/2017 1:35 PM RFQ A2114499R1 ‐ Broward County IT Security and Compliance Serv Category 3 ‐ IT Audit Services

Licensing Matrix Enterprise Risk Management, Inc. Focal Point Data Risk LLC Foresite MSP LLC Global Information Intelligence LLC RESPONSIBILTY REQUIREMENTS Servers and Workers Located in the USA Attestation Form Provided Provided Provided Provided AND 1. Certified Information Systems Security Professional (CISSP) on staff and proposed key team member Not Provided Provided Provided Provided Requirement Met Requirement Met Requirement Met Requirement Met

OR Certified Information Systems Auditor (CISA) on staff and proposed key team member Provided Provided Not Provided Provided Requirement Met Requirement Met Requirement Met Requirement Met FORMS Vendor Questionnaire Form Provided Provided Provided Provided

Provided Provided Provided Vendor Security Questionnaire Form Provided

2 10/20/2017 1:35 PM RFQ A2114499R1 ‐ Broward County IT Security and Compliance Serv Category 3 ‐ IT Audit Services

Prime: Marcum LLP Licensing Matrix Sub: 24by7 Security MGT of America Consulting, LLC Plante & Moran, PLLC dba Plante Moran Presidio RESPONSIBILTY REQUIREMENTS Servers and Workers Located in the USA Attestation Form Provided Provided ‐ See PDF Pg. 23 Provided Provided AND 1. Certified Information Systems Security Professional (CISSP) on staff and proposed key team member Not Provided Provided Not Provided Provided Requirement Met Requirement Met Requirement Met Requirement Met

OR Certified Information Systems Auditor (CISA) on staff and proposed key team member Provided Not Provided Provided Provided Requirement Met Requirement Met Requirement Met Requirement Met FORMS Vendor Questionnaire Form Provided Provided Provided Provided

Provided Provided Provided Provided Vendor Security Questionnaire Form

3 10/20/2017 1:35 PM RFQ A2114499R1 ‐ Broward County IT Security and Compliance Serv Category 3 ‐ IT Audit Services

Licensing Matrix RSM US LLP Securance LLC SeNet International Corporation SHI International Corp RESPONSIBILTY REQUIREMENTS Servers and Workers Located in the USA Attestation Form Provided Provided Provided Provided AND 1. Certified Information Systems Security Professional (CISSP) on staff and proposed key team member Provided Provided Provided Provided Requirement Met Requirement Met Requirement Met Requirement Met

OR Certified Information Systems Auditor (CISA) on staff and proposed key team member Provided Provided Not Provided Not Provided Requirement Met Requirement Met Requirement Met Requirement Met FORMS Vendor Questionnaire Form Provided Provided Provided Provided

Provided Provided Provided Provided Vendor Security Questionnaire Form

4 10/20/2017 1:35 PM RFQ A2114499R1 ‐ Broward County IT Security and Compliance Serv Category 3 ‐ IT Audit Services

Verizon Business Network Services Inc. d/b/a Licensing Matrix Verizon Business Services RESPONSIBILTY REQUIREMENTS Servers and Workers Located in the USA Attestation Form Provided AND 1. Certified Information Systems Security Professional (CISSP) on staff and proposed key team member Provided Requirement Met

OR Certified Information Systems Auditor (CISA) on staff and proposed key team member Provided Requirement Met FORMS Vendor Questionnaire Form Provided

Provided Vendor Security Questionnaire Form

5 10/20/2017 1:35 PM RFQ A2114499R1 ‐ Broward County IT Security and Compliance Services Category 3 ‐ IT Audit Services

Prime: 3K Technologies LLC Subs: Managni Systems, Inc. ; Aujas Information Risk Prime: Carahsoft Technology Corp Licensing Matrix Services ATT Solution Provider: Trustwave Crowe Horwath LLP

EVALUATION CRITERIA 1. Ability of Professional Personnel: a. Describe the qualifications and relevant experience of the Project Manager and all See file "Evaluation ‐ Cat 3" See PDF Pgs. 498 ‐ 502 See PDF PG. 22 See PDF Pgs. 55‐56. Appendix A ‐ Resumes (PDF Pgs. 67 ‐ 70). Appendix key staff that are intended to be assigned to services performed within this category. Aman has extensive experience in IT audit services. He is Trustwave knows the ins and outs of risk. And we want you B ‐ Relevant Certifications (PDF Pgs. 76 ‐ 84). Include resumes for the Project Manager and all key staff described. experienced in doing audits from security standpoint for CONFIDENTIAL to understand risk, too. Our Global Compliance and Risk Craig D. Sullivan, CPA, CISA, QSA, Partner, 32+ years experience different companies. He has well proven industry standard Services team serves as trusted advisors who operate Jeffrey A. Palgon, CPA, CISSP, CISM, CISA, Senior Manager procedures and techniques help perform these audits and Pgs 35: alongside your internal team. Our Global Compliance and Kiel Murray, Senior Manager, 7+ years experience generate recommendations for the clients. Non‐Disclosure Statement "The information in this document is AT&T Corp. Confidential, and cannot be Risk Services staff is made up of Qualified Security Assessors Bert Valle, CISA, Security+, CobiT, Itil, Manager, 13+ years experience reproduced or redistributed in any way, shape, or form without prior written consent from AT&T Corp. (QSAs) and our consultants hold various other industry © Copyright 2017 AT&T Corp. AT&T Corp., the AT&T Corp. logo, and all other trademarks, service marks, certifications including CISSP, CISM, and CISA certifications, and designs are registered or unregistered trademarks of AT&T Corp. Intellectual Property and/or AT&T among others. The team averages more than eight years of Corp. affiliated experience in IT security, information security as well as companies." extensive compliance, audit and consulting expertise. The Global Compliance and Risk Services team (GCRS) is backed Pgs 36‐ 223: by our SpiderLabs team to keep you ahead of the latest "AT&T Consulting Proprietary and Confidential Information" threats and is also sponsored by a Senior Compliance Support Analyst to ensure your project runs smoothly. We will Pgs 418‐568 AT&T Proprietary: The information contained herein is for use by authorized persons only customize your engagement, assess what is unique about and is not for general distribution. your business challenges and scale with your business needs.

b. List any other relevant Security and Compliance Industry certifications that the See file "Evaluation ‐ Cat 3" See PDF Pgs. 498 ‐ 502 See PDF PG. 22 See PDF Pgs. 55‐56. Appendix A ‐ Resumes (PDF Pgs. 67 ‐ 70). Appendix Project Manager and key staff described may have. Include copies of certificates, if Aman has CISSP certification. In addition to that, he has Please see the representative biographies embedded below, B ‐ Relevant Certifications (PDF Pgs. 76 ‐ 84). applicable. additional certifications like AWS Certified Solutions CONFIDENTIAL including the typical certifications held by the resources who Craig D. Sullivan, CPA, CISA, QSA, Partner, 32+ years experience Architect, Infoexpress Certified CyberGatekeeper may be assigned to your project. Jeffrey A. Palgon, CPA, CISSP, CISM, CISA, Senior Manager Administrator, Certified SonicWall Security Administrator, Pgs 35: Kiel Murray, Senior Manager, 7+ years experience Cyberoam Certified Network & Security Professional Non‐Disclosure Statement "The information in this document is AT&T Corp. Confidential, and cannot be Bert Valle, CISA, Security+, CobiT, Itil, Manager, 13+ years experience (CCNSP), McAfee Certified System Security Technical reproduced or redistributed in any way, shape, or form without prior written consent from AT&T Corp. Professional (MCSSTP), Securing Network with Pix and ASA © Copyright 2017 AT&T Corp. AT&T Corp., the AT&T Corp. logo, and all other trademarks, service marks, (SNPA), CCNA, Check Point Certified Security and designs are registered or unregistered trademarks of AT&T Corp. Intellectual Property and/or AT&T Administrator, ISO 27001:2013 Lead Auditor. Corp. affiliated companies."

Pgs 36‐ 223: "AT&T Consulting Proprietary and Confidential Information"

Pgs 418‐568 AT&T Proprietary: The information contained herein is for use by authorized persons only and is not for general distribution.

6 10/20/2017 1:35 PM RFQ A2114499R1 ‐ Broward County IT Security and Compliance Serv Category 3 ‐ IT Audit Services

Licensing Matrix Enterprise Risk Management, Inc. Focal Point Data Risk LLC Foresite MSP LLC Global Information Intelligence LLC

EVALUATION CRITERIA 1. Ability of Professional Personnel: a. Describe the qualifications and relevant experience of the Project Manager and all See PDF Pgs. 68 ‐ 78 See PDF Pg. 113 ‐ 115 See Bios ‐ Jason L, Specialities: Compliance and Network Security, 20+ See PDF Pg. 78 key staff that are intended to be assigned to services performed within this category. Esteban Orlando Farao, CISSP, CISA, CISO, CRISC, CEH, QSA, Larry Burke, Principal, CPA, CITP, CGMA, HITRUST CCSFP. years experience, QSA PCI, PA QSA, PCIP PCI, SANS GIAC GSNA, GCIH, Principal and Senior INFORMATION TECHNOLOGY (IT) SECURITY AND Include resumes for the Project Manager and all key staff described. and PCIP.PCI QSA, 20+ years experience Franchesca Sanabria – Principal, CIPP/US, CISA, HITRUST GPEN COMPLIANCE SERVICES Expert: Dr. Emmanuel Hooper, PhD, PhD, PhD Karen Livingstone, CPA, CIA, CISA, CRMA CCSFP. Franchesca is a Thomas A, Specialities, Compliance and Network Security, 15+ years Information Security and Computing Sciences (Over 30 years of Professional Ray Vazquez, CISA, CRISC, Senior Executive, Extensive Principal at Focal Point in the National Data Privacy experience, QSA PCI, CISSP, HCISSP Experience and 25 years of Research, Harvard and Yale Alumnus, Summa Cum experience in enterprise risk management, technology risk Practice. She has over 12 years of John W, Compliance, Network Security, and Incident Laude, and Oxford Research, etc.) management, Information Security, etc experience in governance, risk and compliance. Response/Digital Forensics, QSA PCI, PA QSA, CISSP Global Information Intelligence LLC (100% Small Business, Minority, and Christopher Sanchez, Information Security Consultant Derek Parks – Director, CISSP, CBCP, CISA, QSA. Keith K, GRC, Security Architecture and Audit, 20+ years experience, Women Owned) Maria Rogers, CEH, CCFE, Extensive experience in software Donel Martinez – Senior Manager, CISA, CAMS. Donel CISSP By President, Dr. Emmanuel Hooper, PhD, PhD, PhD Computing Sciences and testing and Digital Forensics Martinez is a Senior Manager in the Bradley A, Penetration Testing, 15+ years of experience, CISSP, OSCE, Information Security Founder, Consortium for Emerging Technologies‐ Animesh Srivastava, Information Security Consultant, South Florida office of Focal Point. OSCP, CEH, SANS GIAC Harvard, Exemplary Models for Extensive experience competing regulatory compliance Ivan Reyes – Senior Manager, CISA, HITRUST CCSFP. Federal, State, Local, Counties, Cities, Private/Public Sectors, Academia & assessments Lascelles Gonsalves – Manager, CISA. Industry and Global Srivathsav Gandrathi, CEH, Information Security Consultant, Corey Gant – Manager, CISSP, CISM, PMP, CISA, CGEIT, Category 3 – IT Audit Services: Extensive experience in Implementation of Secure Network ITIL V3F, 12+ years experience Provided intelligent and effective services within this category including IT Protocols Adriel Camejo – Senior Consultant, CISA, CAPM. Audit and Review Services. Examples of specific activities includes but not be limited to evaluation of IT General and Application controls, IT Governance, Security Strategy and Systems, General Network Topology, Connections to External Parties, Inbound and Outbound Remote Access, IT Security Policies and Procedures, Network Device Security (i.e. switches, routers, firewalls, wireless access points) – Firmware and Patching Standards, Endpoint Devices (Servers, workstations) – Patching and Antivirus checks, Physical Security, Data/Configuration Backup and Disaster Recovery, Network Management, Vendor/Contractor Access Management, System Administration/Privileged Access Management, and Network Documentation Creation and Maintenance. b. List any other relevant Security and Compliance Industry certifications that the See PDF Pg. 79 See PDF Pg. 113 ‐ 115 See Bios ‐ Jason L, Specialities: Compliance and Network Security, 20+ See PDF Pg. 78 Project Manager and key staff described may have. Include copies of certificates, if • Esteban Farao: CISSP, CISA, CISO, CRISC, CEH, PCI QSA, Larry Burke, Principal, CPA, CITP, CGMA, HITRUST CCSFP. years experience, QSA PCI, PA QSA, PCIP PCI, SANS GIAC GSNA, GCIH, Principal and Senior INFORMATION TECHNOLOGY (IT) SECURITY AND applicable. and PCIP Franchesca Sanabria – Principal, CIPP/US, CISA, HITRUST GPEN COMPLIANCE SERVICES Expert: Dr. Emmanuel Hooper, PhD, PhD, PhD • Maria Rogers: CEH CCSFP. Franchesca is a Thomas A, Specialities, Compliance and Network Security, 15+ years Information Security and Computing Sciences (Over 30 years of Professional • Animesh Srivastava: CCFE Principal at Focal Point in the National Data Privacy experience, QSA PCI, CISSP, HCISSP Experience and 25 years of Research, Harvard and Yale Alumnus, Summa Cum • Srivathsav Gandrathi: CEH Practice. She has over 12 years of John W, Compliance, Network Security, and Incident Laude, and Oxford Research, etc.) experience in governance, risk and compliance. Response/Digital Forensics, QSA PCI, PA QSA, CISSP Global Information Intelligence LLC (100% Small Business, Minority, and Derek Parks – Director, CISSP, CBCP, CISA, QSA. Keith K, GRC, Security Architecture and Audit, 20+ years experience, Women Owned) Donel Martinez – Senior Manager, CISA, CAMS. Donel CISSP By President, Dr. Emmanuel Hooper, PhD, PhD, PhD Computing Sciences and Martinez is a Senior Manager in the Bradley A, Penetration Testing, 15+ years of experience, CISSP, OSCE, Information Security Founder, Consortium for Emerging Technologies‐ South Florida office of Focal Point. OSCP, CEH, SANS GIAC Harvard, Exemplary Models for Ivan Reyes – Senior Manager, CISA, HITRUST CCSFP. Federal, State, Local, Counties, Cities, Private/Public Sectors, Academia & Lascelles Gonsalves – Manager, CISA. Industry and Global Corey Gant – Manager, CISSP, CISM, PMP, CISA, CGEIT, Category 3 – IT Audit Services: ITIL V3F, 12+ years experience Provided intelligent and effective services within this category including IT Adriel Camejo – Senior Consultant, CISA, CAPM. Audit and Review Services. Examples of specific activities includes but not be limited to evaluation of IT General and Application controls, IT Governance, Security Strategy and Systems, General Network Topology, Connections to External Parties, Inbound and Outbound Remote Access, IT Security Policies and Procedures, Network Device Security (i.e. switches, routers, firewalls, wireless access points) – Firmware and Patching Standards, Endpoint Devices (Servers, workstations) – Patching and Antivirus checks, Physical Security, Data/Configuration Backup and Disaster Recovery, Network Management, Vendor/Contractor Access Management, System Administration/Privileged Access Management, and Network Documentation Creation and Maintenance.

7 10/20/2017 1:35 PM RFQ A2114499R1 ‐ Broward County IT Security and Compliance Serv Category 3 ‐ IT Audit Services

Prime: Marcum LLP Licensing Matrix Sub: 24by7 Security MGT of America Consulting, LLC Plante & Moran, PLLC dba Plante Moran Presidio

EVALUATION CRITERIA 1. Ability of Professional Personnel: a. Describe the qualifications and relevant experience of the Project Manager and all See PDF PG. 84 See PDF Pgs. 99 ‐ 102. See PDF Pgs. 28 ‐ 29. Resumes See PDF Pgs 75 ‐ 89. key staff that are intended to be assigned to services performed within this category. For Marcum LLP’s proposed key staff, refer to profiles and certificates Tony Martinez, Project Manager, Project Management, Vulnerability Assessment, F. Alex Brown, CPA, Senior Manager, 18+ years See PDF Pgs. 32 Include resumes for the Project Manager and all key staff described. available in Appendix A. Physical Penetration Testing, Network Penetration Testing, Web Application experience The Presidio Project Managers are responsible for Client Service and Engagement Partner: Penetration Testing, Security Auditing, Secure Code Reviews, Disaster Reovery/ Collin Taggart, CPA, CISA, Senior Manager, 18+ years managing all cyber security projects that include: Mark Agulnik, Partner, CPA, CISA, PCI‐QSA Business Continuity Planning, Security Policy Design experience Payment Card Industry Data Security Standard (PCI Principal: Steve Porter, CISSP, GPEN, GWAPT, QSA, CEH, GICSP, GMOB, GCIH, Vulnerability Bob Funke, MBA, CISA, Manager, 25+ years experience DSS), Health Insurance Portability and Accountability Heather Bearfield, Principal, CISA, CISM, CRISC, PCI‐QSA Assessment, Network Penetration Testing, PCI‐DSS Preparation & Remediation, Tony Chan, CISA, CRISC, Manager, 10+ years experience Act (HIPAA), IT Audit Services, Security Penetration Senior Manager (Project Lead): Security Auditing, Database Security, Secure Code Reviews, Firewall Administration, Grant Phillips, Consultant, Experience in information testing, and architecture consulting. Presidio’s project Jose Antigua, Senior Manager, CISA, ACDA, COBIT System Hardening and Patching, Disaster Recovery/Business Continuity Planning & security, internal control and IT audit managers and key staff have an extensive list of industry Senior Manager: Design, Security Policy Design, Log Management Planning, Design, Administration certifications that include: CISSP, CISA, CISM, CRISC, Robert Coro, Senior Manager, CISA, CISM, PCI‐QSA Henri St. Louis, CISSP, QSA, GCFE, OPST, Vulnerability Assessment, Network OSCP, GPEN, GWAPT, G2700, CEH, ITIL Practitioner and Penetration Testing, PCI‐DSS Preparation & Remediation, Security Auditing, Database ITIL (v3). In addition, Presidio has 1,600 engineers on Security, Secure Code Reviews, System Hardening and Patching, Disaster the backend that provide architecture design and Recovery/Business Continuity Planning & Design, Security Policy Design implementation services. Presidio has been providing IT JJ Maria Giner, GPEN, Vulnerability Assessment, Network Penetration Testing, Web Audit services since September 2006. Application Penetration Testing

b. List any other relevant Security and Compliance Industry certifications that the See PDF PG. 84 See PDF Pgs. 99‐102. See PDF Pgs. 28 ‐ 29. See PDF Pgs 23 ‐24. Project Manager and key staff described may have. Include copies of certificates, if For Marcum LLP’s proposed key staff, refer to profiles and certificates Tony Martinez, Project Manager, Project Management, Vulnerability Assessment, F. Alex Brown, CPA, Senior Manager, 18+ years Presidio brings Broward County our broad skill set and applicable. available in Appendix A. Physical Penetration Testing, Network Penetration Testing, Web Application experience depth of experience. Our security engineering team is Client Service and Engagement Partner: Penetration Testing, Security Auditing, Secure Code Reviews, Disaster Reovery/ Collin Taggart, CPA, CISA, Senior Manager, 18+ years composed of Certified Information System Security Mark Agulnik, Partner, CPA, CISA, PCI‐QSA Business Continuity Planning, Security Policy Design experience Professionals (CISSPs), Certification and Accreditation Principal: Steve Porter, CISSP, GPEN, GWAPT, QSA, CEH, GICSP, GMOB, GCIH, Vulnerability Bob Funke, MBA, CISA, Manager, 25+ years experience Professionals (CAPs), InfoSec Assessment Methodology Heather Bearfield, Principal, CISA, CISM, CRISC, PCI‐QSA Assessment, Network Penetration Testing, PCI‐DSS Preparation & Remediation, Tony Chan, CISA, CRISC, Manager, 10+ years experience (IAM) professionals, Certified Ethical Hackers (CEHs), Senior Manager (Project Lead): Security Auditing, Database Security, Secure Code Reviews, Firewall Administration, Grant Phillips, Consultant, Experience in information and Certified Information Security Managers (CISMs). Jose Antigua, Senior Manager, CISA, ACDA, COBIT System Hardening and Patching, Disaster Recovery/Business Continuity Planning & security, internal control and IT audit This highly trained and experienced group has Senior Manager: Design, Security Policy Design, Log Management Planning, Design, Administration As noted above, related key staff have certifications for completed many Vulnerability Risk Assessment (VRA) Robert Coro, Senior Manager, CISA, CISM, PCI‐QSA Henri St. Louis, CISSP, QSA, GCFE, OPST, Vulnerability Assessment, Network CPA, CISA, CRISC, with additional teammates and Security Certification and Accreditation (C&A) Penetration Testing, PCI‐DSS Preparation & Remediation, Security Auditing, Database potentially involved in related projects also holding QSA, projects, tests, evaluations, and related services. Exhibit Security, Secure Code Reviews, System Hardening and Patching, Disaster CCSFP, CEH, and CCNA certifications. 4 illustrates Presidio’s Security Certifications. Our Recovery/Business Continuity Planning & Design, Security Policy Design security professionals keep current with changes in the JJ Maria Giner, GPEN, Vulnerability Assessment, Network Penetration Testing, Web information security space and are considered thought‐ Application Penetration Testing leaders in the market. Each security team member has extensive experience performing VRA and C&A services for commercial, enterprise, and government clients and is well acquainted with applicable compliance regulations.

8 10/20/2017 1:35 PM RFQ A2114499R1 ‐ Broward County IT Security and Compliance Serv Category 3 ‐ IT Audit Services

Licensing Matrix RSM US LLP Securance LLC SeNet International Corporation SHI International Corp

EVALUATION CRITERIA 1. Ability of Professional Personnel: a. Describe the qualifications and relevant experience of the Project Manager and all The most critical element in the successful completion of any Paul Ashe, President and Engagement Manager, CPA, CISA, CISSP, 15+ years See PDf Page 12‐24 for Qualifications and pages The SHI Security Services team are all senior level Security key staff that are intended to be assigned to services performed within this category. engagement of this nature is the personnel assigned to carry out experience 70‐82 for Resumes. Professionals with each having 20+ years’ experience. Specific Include resumes for the Project Manager and all key staff described. the responsibilities and the depth of resources available to Chris Bunn, Practice Director and Senior IT Security Consultant, CISA, CHP, 30+ Qualifications and Experience skill sets may vary but overall each has experience working support the County. Our team has a strong blend of information years experience with various industry security frameworks such as NIST or technology auditing, information security experience, project Chris Cook, Senior IT Security Consultant, CISSP, CISA, 20+ years experience SANs CIS Controls. The team holds many different Security management capabilities and extensive experience auditing Chris Thomas, Senior IT Security Consultant, CompTIA Security+, CompTIA related certifications however all have a CISSP certification. various applications, supporting systems and databases. The Network+, 10+ years experience following table describes the qualifications of the proposed team, their roles and the value they will bring to the County. Detailed biographies containing each team member’s formal education and professional affiliations are included in the Team resumes section located in the Appendix of this proposal. Jason Alexander, Principal, Risk Advisory Services, Engagement Leader, 15+ years experience Alexandra Lorie, Director, Risk Advisory Services, Engagement Director, 16+ years experience Ryan Moore, Manager, Risk Advisory Services, Manager, and IT general and application controls specialist Ryan Hay, Manager, Risk Advisory Services,

b. List any other relevant Security and Compliance Industry certifications that the Jason Alexander, Certified Internal Auditor (CIA), Certified Paul Ashe, President and Engagement Manager, CPA, CISA, CISSP See Pages 5 ‐ 10 MBA – Master of Business Administration Project Manager and key staff described may have. Include copies of certificates, if Information Systems Auditor, Certified Fraud Examiner (CFE) Chris Bunn, Practice Director and Senior IT Security Consultant, CISA, CHP Qualifications and Experience CGEIT – Certified in Governance of Enterprise Information applicable. Ryan Moore, Certified Internal Auditor (CIA), Certified Chris Cook, Senior IT Security Consultant, CISSP, CISA Technology Information Systems Auditor (CISA), Certified Information Chris Thomas, Senior IT Security Consultant, CompTIA Security+, CompTIA ISSAP –Information Systems Security Architecture Technology Infrastructure Library (ITIL) Network+ Professional Ryan Hay, Certified Information Systems Auditor (CISA), Certified GIAC – Global Information Assurance Certification Information Systems Security Professional o GPEN – GIAC Penetration Tester Certification Trixie de Leon, Certified Information Systems Auditor o GCFA – GIAC Certified Forensic Analyst Alyssa Mrdjenovich, Certified Cloud Security Knowledge (CCSK), o GAWN – GIAC Auditing Wireless Networks Certified Information Systems Auditor (CISA), ISO/IEC 27001 Lead CEH – Certified Ethical Hacker Auditor TCNA – Tenable Certified Nessus Auditor PMP – Project Management Professional ITILv3 – Information Technology Infrastructure Library version 3

9 10/20/2017 1:35 PM RFQ A2114499R1 ‐ Broward County IT Security and Compliance Serv Category 3 ‐ IT Audit Services

Verizon Business Network Services Inc. d/b/a Licensing Matrix Verizon Business Services

EVALUATION CRITERIA 1. Ability of Professional Personnel: a. Describe the qualifications and relevant experience of the Project Manager and all See Pages 39 ‐ 41. key staff that are intended to be assigned to services performed within this category. Verizon’s Project Management organization comprises Include resumes for the Project Manager and all key staff described. over 60 PMs with significant experience in managing large programs and projects. In order to ensure the successful delivery of all projects and meet the standards required by our Clients, Verizon’s PMs hold the highest levels of certification recognized globally across the Project/Program Management field. Furthermore, Verizon’s Project Management organization has chosen the Project Management Institute’s (PMI’s) Project Management Body of Knowledge (PMBOK®) Guide and Standards as the baseline of its Project Management Delivery Method.

b. List any other relevant Security and Compliance Industry certifications that the As well as a leading global Qualified Security Assessor Project Manager and key staff described may have. Include copies of certificates, if (QSA), Payment Application Qualified Security Assessor applicable. (PA‐QSA), and Qualified Security Assessor Point‐to‐Point Encryption (P2PE) company, we are one of few qualified PCI Forensic Investigators (PFI) for Visa and MasterCard. Our assessors are highly experienced, often industry thought‐leaders and maintain an array of security industry certifications including the Certified Information Systems Security Professional (CISSP), Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM), and Certified Ethical Hacker (CEH).

10 10/20/2017 1:35 PM RFQ A2114499R1 ‐ Broward County IT Security and Compliance Services Category 3 ‐ IT Audit Services

Prime: 3K Technologies LLC Subs: Managni Systems, Inc. ; Aujas Information Risk Prime: Carahsoft Technology Corp Licensing Matrix Services ATT Solution Provider: Trustwave Crowe Horwath LLP 2. Project Approach: a. Describe the prime Vendor’s approach to performing similar work in this Category. We are going to take holistic approach to the project. First See PDF Pgs. 503 ‐ 514 See PDF Pg. 22 ‐ 25 See PDF Pg. 57 ‐ 61 is to understand the complete environment at Broward Trustwave has a number of IT Audit and Risk assessment‐ Information Technology (IT) Risk Assessment county, including the servers, Linux machines, web CONFIDENTIAL related services available to Broward County. A Trustwave The Information Technology Risk Assessment is designed to help an servers, Linux servers, application running and the risk assessment engagement gives your organization a institution get a holistic view of the risks associated with their IT complete infrastructure. We are going to lay down a Pgs 35: roadmap for a risk‐based approach to decision‐making. This Environment. During this assessment, Crowe will work closely with comprehensive effort to get this started. Then identify the Non‐Disclosure Statement "The information in this document is AT&T Corp. Confidential, and cannot be helps establish security standards and informs purchasing County personnel to prioritize information systems based on risk. This best practices to start using it for implementing Audits. reproduced or redistributed in any way, shape, or form without prior written consent from AT&T Corp. decisions, but more importantly ‐ it helps your organization risk will be determined considering the applications and functions The goal is to lay down a phased approach to penetration © Copyright 2017 AT&T Corp. AT&T Corp., the AT&T Corp. logo, and all other trademarks, service marks, set the framework for following numerous compliance and managed by the system, and considering the sensitivity and testing, including the pre work as well as any precautions and designs are registered or unregistered trademarks of AT&T Corp. Intellectual Property and/or AT&T industry best practices. We combine elements of best vulnerability levels associated with the systems. As a result of this that needs to be taken so that the results are accurate Corp. affiliated practices from National Institute of Standards and assessment of IT Risk, Crowe will work with the County to develop an IT companies." Technology (NIST) special publications, the Operationally Audit schedule. This plan will help the County to determine how they Critical Threat, Asset and Vulnerability Evaluation (OCTAVE) will monitor and control systems with considerable risks. Special Pgs 36‐ 223: security framework, International Organization for attention will be paid to the direction of risk, and the increasing or "AT&T Consulting Proprietary and Confidential Information" Standardization (ISO) 27000 series family of standards, as decreasing dependence on certain customer information systems, well as our own proprietary methods. Engagements are regulatory scrutiny and pressures, current IT Industry Risks and the Pgs 418‐568 AT&T Proprietary: The information contained herein is for use by authorized persons only scaled as needed for business needs, or for an entire County’s strategic IT planning. and is not for general distribution. enterprise, and can be specific to an infrastructure, The acknowledgment and assessment of risks that threaten customer application, device or data type. A brief description of each of information systems the offerings are listed below, as well as a sample project The development of controls and procedures that minimize these plan approach. types of risks The management of service providers including review and monitoring of third party activity as it relates to customer information....

b. Number of employees, coordination efforts, servers and workers located within See file "Evaluation ‐ Cat 3" See PDF Pg. 25 See PDF Pg. 57 ‐ 61 USA. Number of employees will be determined based on the CONFIDENTIAL All employees and servers would be within the United States. Information Technology (IT) Risk Assessment infrastructure we have to maintain and cover for IT audits. Trustwave has over 900 employees in the US. The Information Technology Risk Assessment is designed to help an It will also depend on the timeframe required to complete Pgs 35: institution get a holistic view of the risks associated with their IT the project Non‐Disclosure Statement "The information in this document is AT&T Corp. Confidential, and cannot be Environment. During this assessment, Crowe will work closely with reproduced or redistributed in any way, shape, or form without prior written consent from AT&T Corp. County personnel to prioritize information systems based on risk. This © Copyright 2017 AT&T Corp. AT&T Corp., the AT&T Corp. logo, and all other trademarks, service marks, risk will be determined considering the applications and functions and designs are registered or unregistered trademarks of AT&T Corp. Intellectual Property and/or AT&T managed by the system, and considering the sensitivity and Corp. affiliated vulnerability levels associated with the systems. As a result of this companies." assessment of IT Risk, Crowe will work with the County to develop an IT Audit schedule. This plan will help the County to determine how they Pgs 36‐ 223: will monitor and control systems with considerable risks. Special "AT&T Consulting Proprietary and Confidential Information" attention will be paid to the direction of risk, and the increasing or decreasing dependence on certain customer information systems, Pgs 418‐568 AT&T Proprietary: The information contained herein is for use by authorized persons only regulatory scrutiny and pressures, current IT Industry Risks and the and is not for general distribution. County’s strategic IT planning. The acknowledgment and assessment of risks that threaten customer information systems The development of controls and procedures that minimize these types of risks The management of service providers including review and monitoring of third party activity as it relates to customer information....

11 10/20/2017 1:35 PM RFQ A2114499R1 ‐ Broward County IT Security and Compliance Serv Category 3 ‐ IT Audit Services

Licensing Matrix Enterprise Risk Management, Inc. Focal Point Data Risk LLC Foresite MSP LLC Global Information Intelligence LLC 2. Project Approach: a. Describe the prime Vendor’s approach to performing similar work in this Category. See PDF Pg. 84 See PDF Pg. 116 ‐ 120 See "Broward Security Services 2017" See PDF Pg. 40 a. Approach When providing co‐sourced services, our approach is to Global Information Intelligence will apply its expert and proven methodology A review of the project’s objectives, scope, scheduled follow the client’s methodology while to provide BROWARD COUNTY with INFORMATION TECHNOLOGY (IT) activities, assumptions and or possible constraints leveraging the foundational elements of the Focal Point SECURITY AND COMPLIANCE SERVICES using Intelligent, Proactive and Robust will be reviewed with client key personnel and staff during a methodology to provide the highest and Resilient methods that include proactive recommendations and project kickoff meeting. level of customer service. Focal Point uses a collaborative remediation sample for design and implementation operational effectiveness Client shall cooperate with ERM in the performance of but disciplined approach to executing for INFORMATION TECHNOLOGY (IT) SECURITY AND COMPLIANCE SERVICES: ERM’s services. To comply with budgeted project estimates, audit projects. We will ensure that there is proper Network assessment of BROWARD COUNTY Corporate Network and its ERM requires the timely, complete and accurate planning, timely communication to the Internal Operations Technology Network. INFORMATION TECHNOLOGY (IT) SECURITY cooperation from the client. Audit team prior to the start of audit fieldwork, complete AND COMPLIANCE SERVICES IT Audit and accurate workpapers, validated ERM will perform a comprehensive Information Technology findings, and relevant and practical recommendations to Audit of the client organization’s processes, correct deficiencies. procedures, and IT infrastructure. The IT Audit will cover all We will take a risk‐based approach to performing a critical general and application controls. The various phases review of the information technology risks, and components of the audit will depend on the specific related general controls, technical and network project scope at hand, but will include, at a high‐level, the safeguards, information technology processes, following areas: (1) General Audit Planning; (2) Review of and oversight activities in connection with these areas in General Controls; Review of Infrastructure Controls; and (4) accordance with applicable regulatory Review of Application Controls. The Information Systems guidance and internal audit standards. As appropriate, audit work performed on a periodic basis will be based on we will also reference or utilize relevant the results of the overall audit risk assessment and guidance such as COBIT, the National Institute of the proposed audit plan, after management and the Audit Standards and Technology (NIST), ISO Committee approve such plan. Our review of 27000, and ITIL..... the areas mentioned above assumes we will receive assistance from the internal personnel of the organization.... b. Number of employees, coordination efforts, servers and workers located within See PDF Pg. 85 See PDF Pg. 116 ‐ 120 The consulting team has over 20 people across the US. Our servers See PDF Pg. 40 USA. ERM has approximately 30 full time employees. Of these When providing co‐sourced services, our approach is to are supported in SSAE18 Co‐Los Global Information Intelligence will apply its expert and proven methodology employees, 25 are located in the USA. Only follow the client’s methodology while to provide BROWARD COUNTY with INFORMATION TECHNOLOGY (IT) full time employees located in the USA will work in these leveraging the foundational elements of the Focal Point SECURITY AND COMPLIANCE SERVICES using Intelligent, Proactive and Robust engagements. methodology to provide the highest and Resilient methods that include proactive recommendations and Regarding coordination efforts, Esteban Farao will be the level of customer service. Focal Point uses a collaborative remediation sample for design and implementation operational effectiveness Project Manager. He will lead a project kickoff but disciplined approach to executing for INFORMATION TECHNOLOGY (IT) SECURITY AND COMPLIANCE SERVICES: meeting, send the information requirements, manage the audit projects. We will ensure that there is proper Network assessment of BROWARD COUNTY Corporate Network and its project, communicate with the client planning, timely communication to the Internal Operations Technology Network. INFORMATION TECHNOLOGY (IT) SECURITY project team, lead project update calls and meeting as well Audit team prior to the start of audit fieldwork, complete AND COMPLIANCE SERVICES as delivery the final reports and and accurate workpapers, validated presentations. findings, and relevant and practical recommendations to All of ERM’s severs are located at the ERM’s headquarters correct deficiencies. in Coral Gables, Florida. We will take a risk‐based approach to performing a review of the information technology risks, related general controls, technical and network safeguards, information technology processes, and oversight activities in connection with these areas in accordance with applicable regulatory guidance and internal audit standards. As appropriate, we will also reference or utilize relevant guidance such as COBIT, the National Institute of Standards and Technology (NIST), ISO 27000, and ITIL.....

12 10/20/2017 1:35 PM RFQ A2114499R1 ‐ Broward County IT Security and Compliance Serv Category 3 ‐ IT Audit Services

Prime: Marcum LLP Licensing Matrix Sub: 24by7 Security MGT of America Consulting, LLC Plante & Moran, PLLC dba Plante Moran Presidio 2. Project Approach: a. Describe the prime Vendor’s approach to performing similar work in this Category. See PDF Pgs. 85‐86 See PDF Pg. 103 ‐ 104. See PDF Pgs. 24‐33 See PDF Pg. 33 ‐ 34 Firm’s history We pride ourselves on our years of continuous business and these two cornerstone For nearly 30 years, Plante Moran has been recognized Presidio’s approach methodology for IT Audit Services Marcum LLP is one of the largest independent public accounting and tenants of our leader in providing information technology services to includes the following components: advisory services firms in the business: In‐Depth Understanding of State and Local Government—MGT has worked public sector clients. We are a full service consulting firm Kickoff Meeting nation, with offices in major business markets throughout the U.S., Grand almost exclusively with the public sector. As a result, we understand the challenges with significant and recent Governance Assessment Cayman and China. and unique issues inherent in the operations of state and local government programs experience in conducting Information Technology Audit External Vulnerability Assessment Headquartered in New York City, Marcum provides a full spectrum of and service delivery. Because many of our staff have worked in government, we have Services. Our approach to each consulting Internal Vulnerability Assessment traditional tax, accounting and assurance services; advisory, valuation and a clear understanding of the state and local government structure, control agencies, engagement is structured to provide the services and Wireless Vulnerability Assessment litigation support; and an extensive range of specialty and niche industry budgetary processes, and political environment. Our Focus is on Business level of professional support required to meet Web Application Assessment practices. The Firm serves both privately held and publicly traded companies, Understanding and Analysis—MGT consistently focuses on identifying and the individual needs of the client. We will work jointly Penetration Testing as well as high net worth individuals, private equity and hedge funds, with a implementing the most effective and efficient methods for achieving operational with Broward County management to design a Physical Security Assessment focus on middle‐market companies and closely held family businesses. objectives in all of our engagements. No matter what the task, we “cut to the chase,” process that will meet the overall needs of the County. Social Engineering Assessment Marcum is a member of the Marcum Group, an organization and work to provide the most viable business solutions in the shortest amount of Plante Moran uses a phased approach to Secure Network Architecture Assessment providing a comprehensive array of professional services. time, at the lowest cost. We understand the importance of streamlining business create a high probability of success for our clients. This Active Directory Architecture Assessment Established in 1951, Marcum is a leader with an outstanding reputation at processes and we know how to pinpoint the most efficient and effective approach provides for a structured and Firewall Analysis the national and regional levels. Marcum is ranked as one of the largest firms methodologies for specific situations. Based on our more than 40 years of experience focused effort throughout the project. The major tasks Device Hardening Assessment in the New York metropolitan area (Crain’s New York Business), the New in providing consulting services to federal, state, and local government clients, MGT are organized into five phases. At the Remote Access Assessment England region (Boston Business Journal) and the Southeast (South Florida knows the success of any project is based upon the project management. Our project conclusion of each phase, there is a scheduled Deliverables Business Journal)..... manager will work in tandem with the County’s designated project lead to drive the management meeting to confirm progress and to gain o Executive Summary MGT project management principals and guidelines for the development of your synergy for the next phase. Below is a summary of our o Vulnerability Assessment Report customized solutions. approach and project phases. o Detailed Architecture Report o Firewall Rule Analysis

b. Number of employees, coordination efforts, servers and workers located within See PDF Pg. 86 See PDF Pg. 104. See Pg. 32 See PDF Pg. 34 USA. As a national firm with 29 offices and approximately 1,550 professionals, we Our firm of over 60 professionals has successfully managed more than 8,500 client Plante Moran has over 2,200 employees and 500 servers Presidio has twenty‐three (23) people on our Cyber serve as a strategic alternative to the much larger firms. The partners and engagements nationally with a significant portion of MGT’s engagements being in the USA. Security Consulting team all whom are managers with whom you will develop relationships, drive all major repeat business, reflecting the firm’s commitment to achieving a high level of Presidio employees located within the USA. The Presidio decisions; possessing both the appropriate resources and decision making customer satisfaction and ability to exceed the expectations of clients. Prior to Cyber Security Project Managers authority. Our local firm approach provides hands‐on service and timely working with public sector entities as consultants, many of our staff worked in coordinate all the resources on the Presidio team. communication, resulting in the County receiving the best of both worlds. government agencies as executives and managers. This insider's knowledge of Marcum has more than 20 professionals dedicated to providing IT Audit and government structure and process gives MGT a competitive advantage and an ability Technology Services.... to hit the ground running from the very start of a project. Our organization leverages leading project management solutions, and highly qualified trained professionals throughout all aspects of our engagements in order to ensure the best customer experience at every stage.

13 10/20/2017 1:35 PM RFQ A2114499R1 ‐ Broward County IT Security and Compliance Serv Category 3 ‐ IT Audit Services

Licensing Matrix RSM US LLP Securance LLC SeNet International Corporation SHI International Corp 2. Project Approach: a. Describe the prime Vendor’s approach to performing similar work in this Category. See PDF pages 33 ‐ 37. Our audit approach is unlike that of any other professional services or See Pages 21 ‐ 37. Initially a kick off call will be scheduled to review the scope, It is our understanding that the County is looking for a accounting firm. We focus on technology risk as it translates into business risk. tasks, contacts, communications plan and logistics required professional services firm that can provide IT audit Our approach will focus on continuous assessment of Broward County IT to complete the project. Requested documentation (Policies, services over a variety of technological areas. A key component of controls. As we begin the audit process, we will work closely with Internal Process and Procedures, network diagrams) are reviewed and our audit methodology is an integrated Audit Management to better understand key technology issues and changes in an External Security Vulnerability Scan is completed prior to approach across our IT risk advisory professionals, which include the organization’s IT environment. We will leverage available resources in your onsite activities. Onsite activities will consist of staff both risk and technology team members. Based on our IT and Internal Audit Departments — teaming to eliminate unnecessary interviews, internal network scans, live network data capture understanding of your needs, we are confident that RSM has the duplication of effort, to enhance quality and to maximize cost effectiveness. analysis, device security configurations and physical site visits. right capabilities, qualifications, and client‐service culture that Securance Consulting’s continuous assessment of these factors will result in All information gathered is reviewed for analysis and align specifically to the IT audit services being requested. Our IT discussions with Management to determine what procedures should be alignment with IT Security best practices and other industry risk advisory professionals will work closely with the County to performed during the audit, who should perform them and when they should guidelines with results presented in a report detailing the determine the scope of IT control assessment areas. The be performed. As a result, we will strategically focus our efforts on areas of overall security posture with findings and recommendations assessment of IT controls performed by RSM would follow the high technology risk. Ultimately, our process will deliver assurance. Our audit for remediation. guidelines of Committee of Sponsoring Organizations (COSO), results are objective. Through continuous communication throughout the Control Objectives for Information and Related Technologies process, we deliver a real‐time view of technology risk, providing early (COBIT), and other industry standards, such as IT Infrastructure warnings and no surprises. Library (ITIL), and International Organization for Standardization (ISO). While the County’s audit plan may include individually scoped audits that are specifically technology related, we recognize that most audits will have some relation to your technology platforms and may require expertise beyond standard IT general controls. Our IT risk advisory team will work with your technology team to best determine how to obtain the information we need. We will work with our technology team to best understand how to evaluate your critical applications, supporting systems and databases efficiently and effectively. b. Number of employees, coordination efforts, servers and workers located within See PDF Pg 38. See Audit Approach Pages 25 ‐ 27. See Pages 5 ‐ 10. The SHI Security Services team has 6 active members with 2 USA. Our IT risk advisory professionals comprise nearly 1,000 Each project we undertake will follow this standard methodology. While we openings. Additionally each assessment is assigned a Project professionals who contain a deep understanding of widely are flexible in modifying our approach and methodology, we do so only in the Manager from a team of 8 PM’s. All SHI services teams are US adopted frameworks, best practices and standards such as best interest of our clients and their internal control initiatives. based. Committee of Sponsoring Organizations of the Treadway Commission (COSO), Control Objectives for Information and related Technology (COBIT), Information Technology Infrastructure Library (ITIL), International Organization for Standardization (ISO), and the National Institute of Standards and Technology (NIST). Our IT risk advisory professionals hold various professional certifications such as Certified Public Accountant (CPA), Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM), Certified Information Systems Security Professionals (CISSP), Certified Information Privacy Professional (CIPP), Certified Business Continuity Professional (CBCP) and various SANS GIAC (Global Information Assurance Certification) security certifications. In addition, many of our professionals have technical certifications such as Microsoft Certified System Engineer (MCSE), Cisco Certified Network Associate (CCNA), Cisco Certified Design Associate (CCDA), and Certified Novell Engineer (CNE).

14 10/20/2017 1:35 PM RFQ A2114499R1 ‐ Broward County IT Security and Compliance Serv Category 3 ‐ IT Audit Services

Verizon Business Network Services Inc. d/b/a Licensing Matrix Verizon Business Services 2. Project Approach: a. Describe the prime Vendor’s approach to performing similar work in this Category. We will deliver projects using an efficient, phased methodology, which is proven through hundreds of IT Audit projects delivered by Verizon for organizations around the world. The experience gained from these engagements provides us with valuable insight into the critical steps required to initiate and complete an IT Audit project in the most efficient and cost‐effective manner.

b. Number of employees, coordination efforts, servers and workers located within USA.

Verizon operates a global QSA practice with over 70 assessors providing consistent delivery of high quality PCI services around the world. 16 QSA are located in the USA.

15 10/20/2017 1:35 PM RFQ A2114499R1 ‐ Broward County IT Security and Compliance Services Category 3 ‐ IT Audit Services

Prime: 3K Technologies LLC Subs: Managni Systems, Inc. ; Aujas Information Risk Prime: Carahsoft Technology Corp Licensing Matrix Services ATT Solution Provider: Trustwave Crowe Horwath LLP c. Describe vendor’s plan to meet key milestones and deadline dates including We will have a project manager to help engage in the See PDF Pgs. 515 ‐ 518 See PDF Pg. 25 See PDF Pg. 57 ‐ 61 communication plan. discussions and monitor the project and coordinate all the Please see attached project management plan as a Information Technology (IT) Risk Assessment activities and players during the project. CONFIDENTIAL representative sample of the type of project plan we typically The Information Technology Risk Assessment is designed to help an follow. institution get a holistic view of the risks associated with their IT Pgs 35: Project Management Environment. During this assessment, Crowe will work closely with Non‐Disclosure Statement "The information in this document is AT&T Corp. Confidential, and cannot be Trustwave has a formal procedure for the project County personnel to prioritize information systems based on risk. This reproduced or redistributed in any way, shape, or form without prior written consent from AT&T Corp. organization and governance as well as adherence to the risk will be determined considering the applications and functions © Copyright 2017 AT&T Corp. AT&T Corp., the AT&T Corp. logo, and all other trademarks, service marks, timelines. Project timelines will be established between managed by the system, and considering the sensitivity and and designs are registered or unregistered trademarks of AT&T Corp. Intellectual Property and/or AT&T Trustwave and Client upon project kick‐off. Project progress, vulnerability levels associated with the systems. As a result of this Corp. affiliated needs and deadlines will be provided to Client through the assessment of IT Risk, Crowe will work with the County to develop an IT companies." CVS manager portal that is described further below in this Audit schedule. This plan will help the County to determine how they section. will monitor and control systems with considerable risks. Special Pgs 36‐ 223: Project Resources attention will be paid to the direction of risk, and the increasing or "AT&T Consulting Proprietary and Confidential Information" Trustwave’s Managing Consultant decreasing dependence on certain customer information systems, Trustwave will assign a Managing Consultant to oversee all regulatory scrutiny and pressures, current IT Industry Risks and the Pgs 418‐568 AT&T Proprietary: The information contained herein is for use by authorized persons only assessment activities and serve as the primary contact for the County’s strategic IT planning. and is not for general distribution. length of the Agreement. The Managing Consultant will The acknowledgment and assessment of risks that threaten customer coordinate and schedule activities and resources with Client information systems and ensure the quality of all Trustwave deliverables...... The development of controls and procedures that minimize these types of risks The management of service providers including review and monitoring of third party activity as it relates to customer information....

16 10/20/2017 1:35 PM RFQ A2114499R1 ‐ Broward County IT Security and Compliance Serv Category 3 ‐ IT Audit Services

Licensing Matrix Enterprise Risk Management, Inc. Focal Point Data Risk LLC Foresite MSP LLC Global Information Intelligence LLC c. Describe vendor’s plan to meet key milestones and deadline dates including See PDF Pg. 85 See PDF Pg. 116 ‐ 120 Deadlines are based objectives, current gaps, and risk based findings See PDF Pg. 40 communication plan. ERM Project Manager will develop a Project Plan which When providing co‐sourced services, our approach is to of gaps. Phased approach to compliance can be reviewed in Broward Global Information Intelligence will apply its expert and proven methodology details all key milestones and deadline dates. follow the client’s methodology while Security Services 2017. All foresite services are customized to to provide BROWARD COUNTY with INFORMATION TECHNOLOGY (IT) ERM Project Manager will work with the client to adjust leveraging the foundational elements of the Focal Point address client specific needs and can changed based on scope, level SECURITY AND COMPLIANCE SERVICES using Intelligent, Proactive and Robust based on client needs. The Communication methodology to provide the highest or not‐in‐place findings and budget. and Resilient methods that include proactive recommendations and Plan will be discussed and agreed to during the kick‐off call. level of customer service. Focal Point uses a collaborative remediation sample for design and implementation operational effectiveness ERM’s communication plans typically but disciplined approach to executing for INFORMATION TECHNOLOGY (IT) SECURITY AND COMPLIANCE SERVICES: include weekly status updates as well as updates based on audit projects. We will ensure that there is proper Network assessment of BROWARD COUNTY Corporate Network and its key milestones and deadlines. planning, timely communication to the Internal Operations Technology Network. INFORMATION TECHNOLOGY (IT) SECURITY Audit team prior to the start of audit fieldwork, complete AND COMPLIANCE SERVICES and accurate workpapers, validated findings, and relevant and practical recommendations to correct deficiencies. We will take a risk‐based approach to performing a review of the information technology risks, related general controls, technical and network safeguards, information technology processes, and oversight activities in connection with these areas in accordance with applicable regulatory guidance and internal audit standards. As appropriate, we will also reference or utilize relevant guidance such as COBIT, the National Institute of Standards and Technology (NIST), ISO 27000, and ITIL.....

17 10/20/2017 1:35 PM RFQ A2114499R1 ‐ Broward County IT Security and Compliance Serv Category 3 ‐ IT Audit Services

Prime: Marcum LLP Licensing Matrix Sub: 24by7 Security MGT of America Consulting, LLC Plante & Moran, PLLC dba Plante Moran Presidio c. Describe vendor’s plan to meet key milestones and deadline dates including See PDF Pg. 87 See PDF Pg. 104 ‐ 105. See PDF Pgs. 32 ‐ 33. See PDF Pg. 34 ‐ 36. communication plan. Effective Project Management is a key focus at Marcum. As a large audit, tax As we have already done with other projects for Broward County, MGT will ensure Frequent communication, guided by a “no surprises” Presidio would develop a project plan with all defined and consulting firm, the ability to provide services to clients on schedule and accountability, compliance, and implementation of the services provided. We will philosophy is the key to a successful project. In project milestones which includes weekly status within a set budget is priority. Our techniques include best practices from adhere to all applicable federal and state policies, procedures, and regulations. MGT's this way, expectations can be effectively managed and meetings to track the project overall progress. the Project Management Body of Knowledge (PMBOK) and go from the Project Manager will have primary responsibility for the supervision of all project problems can either be avoided entirely, or Escalation methodology follows. Planning to the Reporting phase, going through quality assurance checks. operations and project administration and will ensure all deliverables meet the addressed early on to minimize wasted effort and keep Below is an overview of the milestones we will use throughout this standards of quality set forth by the the project on schedule. Prior to formally engagement. We plan to communicate each of our findings upon County. Our Project Manager is responsible for the day‐to‐day activities of all design kicking off the project, we will work with the County to the completion of each milestone. As we meet with your key personnel, we and technical key develop a communications plan for the project. will work with management to lay out specific deadline dates for each staff. In concert with the County’s Project Lead, MGT’s Project Manager will facilitate We will identify project stakeholders, and for each: milestone that take into consideration the needs of your professionals implementation of the What they will need to know throughout the project whose time will be required.... main components of the project, including the installation, configuration, initiation, (e.g., status updates, risk and issues) pilot, acceptance When and how frequently they will want system, and the training of end users as well as generating progress reports on all communication (e.g., weekly, monthly) project activities. How communications will be delivered (e.g., status Other major responsibilities will include: updates reports, meetings, phone calls) Scheduling of project activities. Who will be responsible for the communication Financial management. We will maintain this communication plan on a shared General tasks related to contract administration. collaboration site throughout the project to Serving as the primary point of contact for County inquiries or requests for project ensure regular communication and ongoing updates. collaboration.

18 10/20/2017 1:35 PM RFQ A2114499R1 ‐ Broward County IT Security and Compliance Serv Category 3 ‐ IT Audit Services

Licensing Matrix RSM US LLP Securance LLC SeNet International Corporation SHI International Corp c. Describe vendor’s plan to meet key milestones and deadline dates including See PDF Pg 38. See Project Management Approach See PDF Pg. 93. See Pages 59 ‐ 62. Once an assessment is assigned to a Sr. Solutions Architect, communication plan. RSM’s management approach can be expressed in one simple Each project we undertake will follow this standard accountability model. they are dedicated to the project ensuring their availability to phrase: “no surprises.” First, we will work with the County to 1) Engagement Manager…. complete all project related task and milestones as agreed in establish a communication protocol and approach that you 2) Senior IT Security Consultants…. the SOW and/or project kickoff meeting. Schedules are prefer, and we will use these channels and tools to share 3) Independent Reviewer….. managed closely to ensure overlap in projects is minimal and information on the engagement. Once the communications plan 4) Broward County's Project Manager….. allow all milestones to be met and assessments to be has been created, RSM will create a timeline and milestones 5) Status Reports..... completed on time. All SHI assessments have an assigned PM project schedule and track those milestones to completion on a who document and track all milestones and significant events weekly basis. We will work with you and management to keep for a particular project. The PM will work with all key you informed of our progress throughout the engagement with stakeholders involved to ensure all communications are periodic formal and informal status reports and meetings as managed effectively to meet all customer expectations. Email appropriate. Continuous communication helps ensure that the is used for daily County and the RSM team are in agreement on, and informed communication with secure solutions being utilized for all about, every aspect of an engagement. Our team will work confidential documentation. closely with County management to establish clear, open lines of communication via face‐to‐face meetings, phone calls, and/or regular electronic or hard‐copy communications to keep you informed of progress and issues. In the event that RSM identifies that a particular engagement is behind schedule, it will be formally communicated to the client to discuss the issues and possible solutions to get back on track. Similarly, if observations or risk areas are identified during an engagement, we will be on hand to provide recommendations for remediation and provide support to management in the enhancement of current processes.

19 10/20/2017 1:35 PM RFQ A2114499R1 ‐ Broward County IT Security and Compliance Serv Category 3 ‐ IT Audit Services

Verizon Business Network Services Inc. d/b/a Licensing Matrix Verizon Business Services c. Describe vendor’s plan to meet key milestones and deadline dates including Verizon will designate a “Project Manager” who will act communication plan. as the single point of contact throughout the Project. The Project Manager will oversee and coordinate the Project. The Project Manager will manage Verizon resources to complete Project activities, such as milestone tracking, coordinating tasks and dependencies, as well as providing weekly status reports (the “Weekly Report”). Customer will appoint a single point of contact or program management team to coordinate the Project activities with Verizon and ensure timely data flow and exchange of information required for execution of the Project within the agreed time frame. Verizon will work with Customer to schedule a kick‐off meeting to initiate the Project. Verizon and Customer will collaborate to determine required stakeholders and other attendees, agenda, and meeting location (i.e. on site or virtual).

20 10/20/2017 1:35 PM RFQ A2114499R1 ‐ Broward County IT Security and Compliance Services Category 3 ‐ IT Audit Services

Prime: 3K Technologies LLC Subs: Managni Systems, Inc. ; Aujas Information Risk Prime: Carahsoft Technology Corp Licensing Matrix Services ATT Solution Provider: Trustwave Crowe Horwath LLP

3. Past Performance: a. Describe prime Vendor’s experience on projects of similar nature and scope, along See file "Evaluation ‐ Cat 3" See PDF Pg. 519 See PDF PG. 27 (3) Reference Verification Forms included for this Category ‐ PDF Pgs. with evidence of satisfactory completion, both on time and within budget, for the past We have extensive experience in doing projects of similar Please see addendum for Client References. 63 ‐ 65 five years. Provide a minimum of three projects with references, preferably nature and scope. We have consistently performed these CONFIDENTIAL References government agencies (i.e. state, local) of similar size and structure and proven tasks with high quality and within the time limits proposed We have completed and submitted the Vendor Reference Verification experience and skillset. at the beginning of the project. Pgs 35: Form as requested. Vendor should provide references for similar work performed to show evidence of Non‐Disclosure Statement "The information in this document is AT&T Corp. Confidential, and cannot be Client Experience 1 qualifications and previous experience. Refer to Vendor Reference Verification Form reproduced or redistributed in any way, shape, or form without prior written consent from AT&T Corp. Crowe worked with the City Auditor of a city in Florida to determine an and submit as instructed. Only provide references for non‐Broward County Board of © Copyright 2017 AT&T Corp. AT&T Corp., the AT&T Corp. logo, and all other trademarks, service marks, Information Technology Audit County Commissioners’ contracts. For Broward County contracts, the County will and designs are registered or unregistered trademarks of AT&T Corp. Intellectual Property and/or AT&T plan. Crowe performed a Network Security Assessment and Internal review performance evaluations in its database for vendors with previous or current Corp. affiliated Penetration Assessment on behalf contracts with the County. The County considers references and performance companies." of the City. Crowe worked within the City’s budgetary constraints to evaluations in the evaluation of Vendor’s past performance. provide value to City. Ultimately, Pgs 36‐ 223: Crowe identified gaps in the City’s security to provide the Mayor insight "AT&T Consulting Proprietary and Confidential Information" into the City’s security posture.

Pgs 418‐568 AT&T Proprietary: The information contained herein is for use by authorized persons only and is not for general distribution.

b. Provide evidence of similar work related to services identified in this Category, See file "Evaluation ‐ Cat 3" See Attachments: See PDF PG. 27 (3) Reference Verification Forms included for this Category ‐ PDF Pgs. including sample executive summaries and reports. We performed IT Audits for different clients. We ATT_Sanitized Security Assessment_Report_Sample Excerpts Please see addendum for Sample Reports. 63 ‐ 65 generated IT Audit reports that helped companies to take References remediation steps. We have completed and submitted the Vendor Reference Verification Form as requested. Client Experience 1 Crowe worked with the City Auditor of a city in Florida to determine an Information Technology Audit plan. Crowe performed a Network Security Assessment and Internal Penetration Assessment on behalf of the City. Crowe worked within the City’s budgetary constraints to provide value to City. Ultimately, Crowe identified gaps in the City’s security to provide the Mayor insight into the City’s security posture.

21 10/20/2017 1:35 PM RFQ A2114499R1 ‐ Broward County IT Security and Compliance Serv Category 3 ‐ IT Audit Services

Licensing Matrix Enterprise Risk Management, Inc. Focal Point Data Risk LLC Foresite MSP LLC Global Information Intelligence LLC

3. Past Performance: a. Describe prime Vendor’s experience on projects of similar nature and scope, along (3) Reference Verification Forms provided for this Aurora Diagnostics 2011 – Current See References. See References with evidence of satisfactory completion, both on time and within budget, for the past Category. ‐ See PDF pgs. 85‐88 ITGC Testing Foresite supplies services to forture 500 companies within the US and five years. Provide a minimum of three projects with references, preferably a. ERM’s Experience SOX Audit address specific needs based on a phased approach. The approach government agencies (i.e. state, local) of similar size and structure and proven ERM has completed over 300 IT Audit projects. All of our SOX ITGC starts with a gap assessment to determin actual scope followed by experience and skillset. projects have been completed on time and findings and observations, recommendations for remediation then a Vendor should provide references for similar work performed to show evidence of within budget. Bayview Lending 2007 – Current road map plan to address all aspects of the overall objectives. qualifications and previous experience. Refer to Vendor Reference Verification Form As requested, below are three references for projects of Business Continuity and submit as instructed. Only provide references for non‐Broward County Board of similar size and structure. Fraud Audits County Commissioners’ contracts. For Broward County contracts, the County will 1. Helm Bank USA Incident Response Audit review performance evaluations in its database for vendors with previous or current 2. We Family Internal Audit Co‐Sourcing contracts with the County. The County considers references and performance 3. Greenville Utilities Commission IT General Controls Testing evaluations in the evaluation of Vendor’s past performance. IT Risk Assessment SDLC Process Audit SOX Readiness

Burger King Corporation 2006 – Current Application Controls Disaster Recovery Planning Internal Audit Co‐Source ITGC Testing Penetration Testing SOX Testing Vulnerability Assessment ......

b. Provide evidence of similar work related to services identified in this Category, See PDF Pgs. 89 ‐ 90 Aurora Diagnostics 2011 – Current similar to that of pci, auditing specific requirements are address on a See PDF Pgs. 311 ‐ 317 including sample executive summaries and reports. Sample outline of client report. ITGC Testing custimized bases, actual phased approach can be seen in the See Sample Reports. SOX Audit Broward Security Services 2017 under PCI DSS managed services SOX ITGC

Bayview Lending 2007 – Current Business Continuity Fraud Audits Incident Response Audit Internal Audit Co‐Sourcing IT General Controls Testing IT Risk Assessment SDLC Process Audit SOX Readiness

Burger King Corporation 2006 – Current Application Controls Disaster Recovery Planning Internal Audit Co‐Source ITGC Testing Penetration Testing SOX Testing Vulnerability Assessment ......

22 10/20/2017 1:35 PM RFQ A2114499R1 ‐ Broward County IT Security and Compliance Serv Category 3 ‐ IT Audit Services

Prime: Marcum LLP Licensing Matrix Sub: 24by7 Security MGT of America Consulting, LLC Plante & Moran, PLLC dba Plante Moran Presidio

3. Past Performance: a. Describe prime Vendor’s experience on projects of similar nature and scope, along See PDF Pg. 88 See Reference Verification Forms PDF Pgs. 107 ‐ 109. Reference Verification Forms included. ‐ See PDF Pgs. 70 ‐ Reference Verification Forms included. with evidence of satisfactory completion, both on time and within budget, for the past See attached Vendor Reference Forms for: See PDF Pg. 106. 72 See PDF Pg. 36. five years. Provide a minimum of three projects with references, preferably City of Coconut Creek With a focus on organizational goals first, MGT provides business‐driven information Presidio provides the following three references for government agencies (i.e. state, local) of similar size and structure and proven City of Hollywood security services keeping our clients’ interests at the forefront of our engagements which we have provided similar solutions to Category 3 ‐ experience and skillset. City of Pompano Beach ensuring we deliver the most efficient solution. MGT’s core cyber security capabilities IT Audit Services: Vendor should provide references for similar work performed to show evidence of Florida Keys Aqueduct Authority include: security risk assessments, full range of penetration testing services, physical Brady Corporation qualifications and previous experience. Refer to Vendor Reference Verification Form In addition to testing for cities and other government entities, we have penetration testing, secure application development, compliance engagements, Broward Health and submit as instructed. Only provide references for non‐Broward County Board of conducted similar work for many training and awareness, policy and procedure development, among others. Having Dayton’s Children Hospital County Commissioners’ contracts. For Broward County contracts, the County will private businesses. Additional references related to that work are available completed vulnerability assessments, full security risk assessments (including NIST, Presidio uploads these customer references on the review performance evaluations in its database for vendors with previous or current upon request. ISO, HIPAA, etc.), and physical penetration tests for both private and public required Vendor Verification Form, in a contracts with the County. The County considers references and performance organizations, along with a team with 18+ years of experience in the field, we believe separate file. evaluations in the evaluation of Vendor’s past performance. to have the optimal mix to help the County enhance their overall security posture. Provided below are projects similar to those requested for Category 3 of the County’s RFP, conducted within the past five years. SEIBERT INSURANCE AGENCY: INFORMATION SECURITY RISK ASSESSMENT A leading insurance agency in Florida, Seibert Insurance Agency selected us to perform a complete security risk assessment of the organization, create an information security program, and develop all the relevant security policies and procedures to reach an optimal security posture...... HIGH RISK HOPE: INFORMATION SECURITY RISK ASSESSMENT A non‐profit organization, High Risk Hope (HRH) selected us to perform a comprehensive look at their information systems to create a risk management program. This effort included a full risk assessment and a complete revamp of their policies and procedures as well as their general security controls......

b. Provide evidence of similar work related to services identified in this Category, See PDF Pg. 88 See Sample Written Information Security Program in Appendix ‐ PDF Pgs. 119 ‐ 349. Reference Verification Forms included. ‐ See PDF Pgs. 70 ‐ Reference Verification Forms included. including sample executive summaries and reports. See attached for sample report for IT Audit Services. 72 See PDF Pg. 36. Examples ‐ See PDF Pg. 34 Presidio provides the following three references for which we have provided similar solutions to Category 3 ‐ IT Audit Services: Brady Corporation Broward Health Dayton’s Children Hospital Presidio uploads these customer references on the required Vendor Verification Form, in a separate file.

23 10/20/2017 1:35 PM RFQ A2114499R1 ‐ Broward County IT Security and Compliance Serv Category 3 ‐ IT Audit Services

Licensing Matrix RSM US LLP Securance LLC SeNet International Corporation SHI International Corp

3. Past Performance: a. Describe prime Vendor’s experience on projects of similar nature and scope, along Reference Verification Forms included in Appendix (PDF Pg 182 ‐ CONFIDENTIAL See Pages 10 ‐20 SHI Security Services is very flexible in scoping a Security with evidence of satisfactory completion, both on time and within budget, for the past 186) References ‐ pdf pgs 100 ‐ 108 Assessment with requirements focused on HIPAA, PCI, CJIS or five years. Provide a minimum of three projects with references, preferably Brevard County Government References remain confidential. other Security frameworks such as SANS CIS Controls. It is our government agencies (i.e. state, local) of similar size and structure and proven January 2015 ‐ April 2015 experience most local government agencies have experience and skillset. Engaged by Brevard County to understand the current state requirements for all these areas with systems and data Vendor should provide references for similar work performed to show evidence of assessment of the IT environment…. overlapping within departments. By scoping an assessment to qualifications and previous experience. Refer to Vendor Reference Verification Form Lee County Electric Cooperative include two or more of these regulatory requirements we are and submit as instructed. Only provide references for non‐Broward County Board of September 2016 ‐ December 2016 able to minimize time and cost and greatly increase the value County Commissioners’ contracts. For Broward County contracts, the County will To determine if changes applied to LCEC's flagship systems were of the assessment. (Our PCI Assessments are for review performance evaluations in its database for vendors with previous or current documented, tested and approved prior to implmentation to Self‐Assessment or Gap analysis only as we do not staff a contracts with the County. The County considers references and performance production... QSA). SHI understands the importance of quality references; evaluations in the evaluation of Vendor’s past performance. City of West Palm Beach however for services such as those being requested by the August 2014 ‐ September 2014 County, most customers feel the information associated with RSM was engaged by the City of West Palm Beach to perform a these services is confidential. SHI has included a list of a few risk assessment of the City's current IT environment.... customers that we have provided similar services as District of Columbia Water & Sewer Authority requested in this RFP. If needed, we agree to help coordinate March 2016 ‐ June 2016 a call between our customers and Broward County to discuss RSM was engaged by DC Water to evaluate the current state IT their experience with SHI. Please note that customers may governance structure and provide recommendations... not wish to discuss specifics of their project due to the Prince William County, Virginia sensitive nature. May 2014 ‐ August 2014 Gold’s Gym, Anthony (Tony) Wilkins, Director of IT RSM was engaged to perform an evaluation of the information Infrastructure and Telecom technology general controls Tampa General Hospital, Jason Powell, Chief Information Security Officer City of San Marcos, Lenora Newson, IT Infrastructure Manager b. Provide evidence of similar work related to services identified in this Category, Due to the sensitivity of the results of the work completed for our See Relevant Client Projects ‐ Page 30. See Pages 10 ‐ 20. SHI has attached sample reports with our submission. including sample executive summaries and reports. clients, results of our engagements, or final reports will not be provided as evidence for proof of CONFIDENTIAL completion. If the County desires, we are prepared to provide example templates used as part of our References remain confidential. reporting process to help ensure you are comfortable with the final work products we are accustomed to delivering.

24 10/20/2017 1:35 PM RFQ A2114499R1 ‐ Broward County IT Security and Compliance Serv Category 3 ‐ IT Audit Services

Verizon Business Network Services Inc. d/b/a Licensing Matrix Verizon Business Services

3. Past Performance: a. Describe prime Vendor’s experience on projects of similar nature and scope, along Verizon has highly relevant customers who can provide with evidence of satisfactory completion, both on time and within budget, for the past information on the work we have done and the quality five years. Provide a minimum of three projects with references, preferably of our relationship with their organizations. Due to the government agencies (i.e. state, local) of similar size and structure and proven number of requests Verizon receives for experience and skillset. recommendations from these customers, it is our policy Vendor should provide references for similar work performed to show evidence of to provide contact information only when we are under qualifications and previous experience. Refer to Vendor Reference Verification Form serious consideration for a contract award. In addition, and submit as instructed. Only provide references for non‐Broward County Board of Verizon’s corporate nondisclosure policies – combined County Commissioners’ contracts. For Broward County contracts, the County will with the sensitive nature of our customers’ business – review performance evaluations in its database for vendors with previous or current require that certain agreements be in place before we contracts with the County. The County considers references and performance can release sensitive customer data. In order to protect evaluations in the evaluation of Vendor’s past performance. the interests and confidentiality of our customers, and at the request of our customers, we prefer to facilitate references calls and/or visits at a mutually convenient time for all. It is standard policy of Verizon to not publish reference lists due, in large part, to Non‐Disclosure Agreements between Verizon and its customers.

b. Provide evidence of similar work related to services identified in this Category, As a highly respected authority on Security and including sample executive summaries and reports. Compliance and one of the most trusted voices in the security community, we truly appreciate your challenges, put payment security in the context of your industry‐specific regulations and standards, and make recommendations not just in terms of IT change, but business process transformation, too. These principles are embodied in our annual Data Breach Investigations Report, now in its tenth edition, report, which uses data and insights drawn directly from assessments we have conducted for global enterprises across a variety of industries. View the report at http://www.verizonenterprise.com/verizoninsights‐ lab/dbir/2017/#report.

25 10/20/2017 1:35 PM RFQ A2114499R1 ‐ Broward County IT Security and Compliance Services Category 3 ‐ IT Audit Services

Prime: 3K Technologies LLC Subs: Managni Systems, Inc. ; Aujas Information Risk Prime: Carahsoft Technology Corp Licensing Matrix Services ATT Solution Provider: Trustwave Crowe Horwath LLP 4. Workload of the Firm: List all completed and active projects that Vendor has managed within the past five See file "Evaluation ‐ Cat 3" AT&T has conducted hundreds, if not thousands of assessments in the past five years. See PDF Pg. 28 See PDF Pg. 66 years. In addition, list all projected projects that Vendor will be working on in the near We have recently completed projects with Counsyl, AT&T applies a structured project management methodology throughout each As a private firm, we do not go into specific details, but we Over the past 5 years, Crowe has had over 16,000 clients, of which over future. Projected projects will be defined as a project(s) that Vendor is awarded a Creditshop. We have sufficient capacity to take on new engagement to manage risks, communication, expectation, and escalations. AT&T is an can say we do about 4000 pen tests a year and 1,200 were government clients. Crowe currently has 871 government contract but the Notice to Proceed has not been issued. Identify any projects that projects and we are very confident that you will be industry leader, providing a wide variety of security consultation services across our about 850 RoCs ‐ but also have the most QSAs and Pen clients, with 32 in the Florida area. Vendor worked on concurrently. Describe Vendor’s approach in managing these pleased with our services. global customer base, including; US Federal and State Governments, major financial Testers than any other competitor – over 100 in Crowe is well positioned to provide quality service to Broward County projects. Were there or will there be any challenges for any of the listed projects? If institutions, a large corporate entities. AT&T will leverage its world‐class knowledge, each case. We are busy, but have sufficient resources to in a timely fashion. Crowe has a sophisticated Centralized Resource so, describe how Vendor dealt or will deal with the projects’ challenges. tools, and experience into the execution of our security consultation services for cover all of our engagements. Management function that is responsible for ensuring that Broward Broward County. Due to the sensitive nature and adherence to mandated information County’s needs are met with the experienced and trained staff from security practices AT&T cannot provide the specific company and agency names our local offices, and if needed, from across our firm. We realize that associated with past, present, and future security services. resource management is a crucial element to consistently providing top quality service to Broward County, and all of our clients.

VENDOR QUESTIONNAIRE FORM Verify that these questions are the same as in the advertised solicitation: 1. Legal business name. 3K Technologies LLC AT&T Corp Carahsoft Technology Corporation Crowe Horwath LLP

2. Doing Business As/ Fictitious Name (if applicable): Not applicable

3. Federal Employer I.D. Number. 02‐0604148 13‐4924710 522189693 35‐0921680 4. Dun & Bradstreet Number. (If applicable). 113018282 00‐698‐0080 08‐8365767 787324008 5. Website address (if applicable). www.3ktechnologies.com www.att.com www.carahsoft.com www.crowehorwath.com 6. Principal place of business. 1114 Cadillac Ct, Milpitas, CA 95035 One AT&T Way, Bedminster, NJ 07921 1860 Michael Faraday Drive, Suite 100 225 West Wacker Drive, Suite 2600 Reston, VA 20190 Chicago, Illinois 60606‐1224 7. Office Location for this project. 1114 Cadillac Ct, Milpitas, CA 95035 2002 NW 64th St., Ft. Lauderdale, FL 33309 1860 Michael Faraday Drive, Suite 100 401 East Las Olas Boulevard, Suite 1100 Reston, VA 20190 Fort Lauderdale, Florida 33301‐4230

8. Telephone/Fax Number: Telephone no.:4087165901 Telephone no.:305‐913‐3887 Fax no.: Telephone no.:703.871.8500 Fax no.:703.871.8505 Telephone no.:954.202.8600 Fax no.:954.202.8639 Fax no.:4088842420 9. Type of Business LLC Corporation; New York Corporation; Maryland Limited Liability Partnership 10. List Florida Registration Number. M09000002854 845822 GP0800003826

26 10/20/2017 1:35 PM RFQ A2114499R1 ‐ Broward County IT Security and Compliance Serv Category 3 ‐ IT Audit Services

Licensing Matrix Enterprise Risk Management, Inc. Focal Point Data Risk LLC Foresite MSP LLC Global Information Intelligence LLC 4. Workload of the Firm: List all completed and active projects that Vendor has managed within the past five See PDF Pg. 91 See PDF Pg. 126 Foresite has over 600 active projects and current has a client base of See PDF Pg. 40 years. In addition, list all projected projects that Vendor will be working on in the near ERM has completed approximately 100 IT Audit projects Focal Point has completed over 3,000 audit projects over over 2000 companies. Foresite has over 8 million US dollars currently Global Information Intelligence will apply its expert and proven methodology future. Projected projects will be defined as a project(s) that Vendor is awarded a during the past 5 years and estimates it will be its 12 years of providing IT audit and in the 6 month sales pipe. The request can certainly be discussed but to provide BROWARD COUNTY with INFORMATION TECHNOLOGY (IT) contract but the Notice to Proceed has not been issued. Identify any projects that working on approximately 3 per month during the cyber security services. Over the last five years, our audit would not seem logical to address at the level you are requesting. SECURITY AND COMPLIANCE SERVICES using Intelligent, Proactive and Robust Vendor worked on concurrently. Describe Vendor’s approach in managing these remainder of 2017. teams have completed hundreds of IT and Resilient methods that include proactive recommendations and projects. Were there or will there be any challenges for any of the listed projects? If ERM is able to manage several projects simultaneously and financial audits. Our South Florida office, who will be remediation sample for design and implementation operational effectiveness so, describe how Vendor dealt or will deal with the projects’ challenges. based on our efficient project management the audit team responsible for for INFORMATION TECHNOLOGY (IT) SECURITY AND COMPLIANCE SERVICES: approach. We have not experienced any challenges to Broward, typically completes around 70 projects Network assessment of BROWARD COUNTY Corporate Network and its complete these projects, nor do we expect to annually. We complete all of our projects Operations Technology Network. INFORMATION TECHNOLOGY (IT) SECURITY experience challenges completed projects for the client. concurrently with other projects, so the added workload AND COMPLIANCE SERVICES a. Past Five Years that this project presents is not an issue • Banking & Financial Services (30) for our firm. • Credit Card Processing (5) As of now, our South Florida audit team has projects • Education (5) slated to begin later this summer and into • Local, City, State Government (5) the fall and currently has 25 ongoing projects ranging • Federal Government (3) from internal audit to SOX and ITGC • Hospitality (5) testing. We do not anticipate these other projects • Insurance (5) limiting us from providing the County with the • Legal (5) highest level of service. • Manufacturing (5) • Retail (5) • Technology (10) • Telecommunications (5) • Other (12) VENDOR QUESTIONNAIRE FORM Verify that these questions are the same as in the advertised solicitation: 1. Legal business name. Enterprise Risk Management, Inc. Focal Point Data Risk, LLC Foresite MSP LLC Global Information Intelligence LLC

2. Doing Business As/ Fictitious Name (if applicable):

3. Federal Employer I.D. Number. 65‐0827427 61‐1805201 38‐3916369 273548900 4. Dun & Bradstreet Number. (If applicable). 610144201 08‐0541660 07‐8744163 5. Website address (if applicable). www.emrisk.com www.focal‐point.com www.foresite.com www.globalinfointel.com 6. Principal place of business. 800 S. Douglas Road, Suite 940 North Tower, Coral Gables, 201 E Kennedy Blvd, Suite 1750 E Windsor Ct 6860 North Dallas Parkway, Suite 200,Plano, TX 75024 FL 33134 Tampa, FL 33602 7. Office Location for this project. 800 S. Douglas Road, Suite 940 North Tower, Coral Gables, We will utilize both our Tampa location and our Broward New York 6861 North Dallas Parkway, Suite 200,Plano, TX 75024 FL County location for this project. 33134 Our Broward County address is 1601 Sawgrass Corp. Pkwy., Suite 130, Sunrise, FL 33323

8. Telephone/Fax Number: Telephone no.:305‐447‐6750 Fax no.:305‐447‐6752 Telephone no.:(813) 402‐1208 Fax no.:813‐436‐5283 800‐940‐4699 Telephone no.:4082509045 Fax no.:N/A

9. Type of Business Corporation; Florida LLC LLC Corp; DE ‐ LLC 10. List Florida Registration Number. M16000008367

27 10/20/2017 1:35 PM RFQ A2114499R1 ‐ Broward County IT Security and Compliance Serv Category 3 ‐ IT Audit Services

Prime: Marcum LLP Licensing Matrix Sub: 24by7 Security MGT of America Consulting, LLC Plante & Moran, PLLC dba Plante Moran Presidio 4. Workload of the Firm: List all completed and active projects that Vendor has managed within the past five See PDF Pg. 89 See PDF Pgs. 111 ‐ 117. See PDF Pg. 35 See PDF Pg. 37 years. In addition, list all projected projects that Vendor will be working on in the near Marcum LLP provides these services to many clients in the private business MGT has completed projects for the County, including: Our team of 40+ cybersecurity consultants has completed The Presidio Cyber team averages 70 concurrent future. Projected projects will be defined as a project(s) that Vendor is awarded a arena. Given the confidential nature of our services we will provide a specific Disparity Study of County Government (2000). projects for hundreds of organizations over the past five projects at any one time. Our project managers ensure contract but the Notice to Proceed has not been issued. Identify any projects that list of private company clients upon request. Cost Allocation Plans (2009, 2010, 2011, 2014, 2015, 2016). years. In addition, our team uses multiple firm wide that we have resources allocated for the projects. Our Vendor worked on concurrently. Describe Vendor’s approach in managing these Identify any projects that Vendor worked on concurrently. Comprehensive Review of the Sheriff’s Office Department of Detention (2009). project management tools to assist with working with project sizes range from $8,000 to $1.6M. We monitor projects. Were there or will there be any challenges for any of the listed projects? If 1. City of Hollywood Comprehensive Analysis of the Libraries Division (2010). dozens of clients each week. Should an unexpected and manage the workload monthly and make decisions so, describe how Vendor dealt or will deal with the projects’ challenges. 2. Miami‐Dade Water and Sewer Department Being a national company, MGT has completed many projects within the past five conflict occur while working with the County, the County on whether we need to add additional security 3. Consolidated Water years. Therefore, instead of providing a list of the over 2,200 projects the firm has will be given priority as necessary. consultants to the team. completed or is currently conducting, we are providing a list of clients served (presented in alphabetical order by state).....

VENDOR QUESTIONNAIRE FORM Verify that these questions are the same as in the advertised solicitation: 1. Legal business name. MGT of America Consulting, LLC Plante & Moran, PLLC Presidio Marcum LLP 2. Doing Business As/ Fictitious Name (if applicable): Plante Moran

3. Federal Employer I.D. Number. 111986323 81‐0890071 381357951 58‐1667655 4. Dun & Bradstreet Number. (If applicable). 968051180 02‐096‐7659 004913299 15‐405‐0959 5. Website address (if applicable). www.marcumllp.com www.mgtconsulting.com plantmoran.com www.presidio.com 6. Principal place of business. 451 East Las Olas Boulevard, Ninth Floor 3800 Esplanade Way, Suite 210 27400 Northwestern Hwy 12120 Sunset HIlls Rd, Sutie 202 Fort Lauderdale, FL 33301 Tallahassee, FL 32311 Southield, MI 48037 Reston, Va 20190 7. Office Location for this project. Tallahassee, FL Southfield, MI 3250 W. Commercial Blvd Fort Lauderdale, Fl 33309

451 East Las Olas Boulevard, Ninth Floor Fort Lauderdale, FL 33301 8. Telephone/Fax Number: Telephone no.:850.386.3191 Fax no.:850.385.4501 Tel:248‐223‐3428 Fax no.:248‐603‐5997 305‐606‐2835 954‐320‐8000 Fax no.:954‐320‐8001 9. Type of Business Limited Partnership LLC Limited Partnership LLC 10. List Florida Registration Number. LLP090003311 L15000199435 M11000002358 L15000111335

28 10/20/2017 1:35 PM RFQ A2114499R1 ‐ Broward County IT Security and Compliance Serv Category 3 ‐ IT Audit Services

Licensing Matrix RSM US LLP Securance LLC SeNet International Corporation SHI International Corp 4. Workload of the Firm: List all completed and active projects that Vendor has managed within the past five RSM maintains confidentiality agreements with many of our We are currently engaged on a number of client projects. We attempt to keep See Pages 21 ‐ 37. Due to the sensitivity and type of services, SHI cannot provide years. In addition, list all projected projects that Vendor will be working on in the near clients. For this reason, we cannot name our workload commensurate this information as it relates to other projects and customers future. Projected projects will be defined as a project(s) that Vendor is awarded a them in proposals or marketing collateral without express with our staff. However, we believe the best way to measure our ability to either completed or in the future. SHI would be happy to contract but the Notice to Proceed has not been issued. Identify any projects that permission. However, in the Past Performance complete task orders on time is meet with Broward County discuss our approach and any Vendor worked on concurrently. Describe Vendor’s approach in managing these section on the prior page, we provide references from clients through discussion with our current clients (see client references on previous challenges we may have experienced on similar projects. SHI projects. Were there or will there be any challenges for any of the listed projects? If who can discuss our work with them on issues relevant to your page). We guarantee that we will: believes in transparency and any time we come upon a so, describe how Vendor dealt or will deal with the projects’ challenges. operations. If we are engaged by the County, you will be a Properly staff each project with employees that are qualified and technical challenge with a project we work with the customer to let priority for our firm and to each member of your engagement experts; them know the issues and possible solutions. SHI has a clearly team. Our workload fluctuates based on a number of factors, Begin all task orders on time; defined escalation path so if a challenge arises the proper including timing and currently pending engagements. Regardless, Complete them within budget, within the required time frame; and people can be engaged to assist. In addition as one of the top our firm has excelled at managing its human resources so that Deliver a draft report within one (1) week of fieldwork completion. provider of IT solutions, SHI has built solid relationships with our workload never surpasses the ability of our assigned teams to Due to confidential nature of our work, we are not permitted to provide a IT manufacturers and has a network of partners to work with devote the time and attention necessary to add value to our complete list of similar projects. should any challenges encountered required additional clients’ organizations. Our ability to manage our workload is However, we guarantee that Securance is experienced with networks of your products or resources. evidenced by relatively low turnover rates and is supported by size and complexity. We have clients’ opinions of our service. The engagement team along with provided a sampling of our related experience of governmental agencies on County management will design a plan that will ensure page 30. expectations are met along with responsive and timely delivery of services as required by the County. The engagement in‐charge and staff will be solely dedicated to the County from start to finish for the audit. We believe this to be a team effort so that all team members understand their roles, expectations, deliverables, and timelines. VENDOR QUESTIONNAIRE FORM Verify that these questions are the same as in the advertised solicitation: 1. Legal business name. RSM US LLP Securance LLC SHI International Corp SeNet International Corporation 2. Doing Business As/ Fictitious Name (if applicable):

3. Federal Employer I.D. Number. FEIN‐42‐0714325 03‐0392503 54‐1902349 22‐3009648 4. Dun & Bradstreet Number. (If applicable). 73482424 04‐1637542 07‐9941139 61‐142‐9481 5. Website address (if applicable). www.rsmus.com http://www.securanceconsulting.com www.senet‐int.com www.shi.com 6. Principal place of business. 100 NE Third Ave, Suite, Fort Lauderdale, FL 33301 6922 West Linebaugh Avenue, Suite 101, Tampa, FL 33625 290 Davidson Ave Somerset, New Jersey 08873 3040 Williams Drive, Suite 510, Fairfax, VA 22031 7. Office Location for this project. Fort Lauderdale 6923 West Linebaugh Avenue, Suite 101, Tampa, FL 33625 290 Davidson Ave Somerset, New Jersey 08873

3040 Williams Drive, Suite 510, Fairfax, VA 22031 8. Telephone/Fax Number: 954‐462‐6351 Telephone no.:877‐578‐0215 Fax no.:813‐960‐4946 800‐477‐6479 Telephone no.:(703) 206‐9383 Fax no.:(703) 206‐9 9. Type of Business Limited Partnership LLC Corporation; Virginia Corporation; New Jersey 10. List Florida Registration Number. ADP004384 L02000005108 F‐01000004066

29 10/20/2017 1:35 PM RFQ A2114499R1 ‐ Broward County IT Security and Compliance Serv Category 3 ‐ IT Audit Services

Verizon Business Network Services Inc. d/b/a Licensing Matrix Verizon Business Services 4. Workload of the Firm: List all completed and active projects that Vendor has managed within the past five Verizon is continuously working multiple projects years. In addition, list all projected projects that Vendor will be working on in the near concurrently and has the people, process and future. Projected projects will be defined as a project(s) that Vendor is awarded a technology to ensure all active projects are meeting the contract but the Notice to Proceed has not been issued. Identify any projects that milestones defined on the project scope. We do not Vendor worked on concurrently. Describe Vendor’s approach in managing these anticipate any challenges; however, should issues arise projects. Were there or will there be any challenges for any of the listed projects? If we have a welldefined process for identifying the root so, describe how Vendor dealt or will deal with the projects’ challenges. cause and developing a remediation plan.

VENDOR QUESTIONNAIRE FORM Verify that these questions are the same as in the advertised solicitation: 1. Legal business name. Verizon Business Network Services Inc. on behalf of MCI Communications Services Inc. 2. Doing Business As/ Fictitious Name (if applicable): d/b/a/ Verizon Business Services (Verizon Business or Verizon) 3. Federal Employer I.D. Number. 13‐2745892 4. Dun & Bradstreet Number. (If applicable). 556565836 5. Website address (if applicable). www.verizonenterprise.com 6. Principal place of business. OneVerizon Way, Basking Ridge NJ 07920 7. Office Location for this project.

Tampa, FL 8. Telephone/Fax Number: no.:(813) 520‐9786 Fax no.:813‐978‐6751 9. Type of Business Corporation; Delaware 10. List Florida Registration Number. 829591

30 10/20/2017 1:35 PM RFQ A2114499R1 ‐ Broward County IT Security and Compliance Services Category 3 ‐ IT Audit Services

Prime: 3K Technologies LLC Subs: Managni Systems, Inc. ; Aujas Information Risk Prime: Carahsoft Technology Corp Licensing Matrix Services ATT Solution Provider: Trustwave Crowe Horwath LLP 11. List name and title of each principal, owner, officer and major shareholder. a) Krishna K Chittabathini a. Thadeus Arroyo, President and CEO AT&T, 208 S. Akard St., Dallas, TX 75202 a) Craig P. Abod ‐ President a) James Powers, CEO b) Sireesha Chittabathini b. Anne Chow, President‐Integrator Solutions, AT&T, 208 S. Akard St., Suite 3514, Dallas, TX 75202 b) Robert Moore ‐ Vice President b) Joseph Santucci, COO c. Frank Jules, President ‐ Global Business AT&T, 208 S. Akard St., Suite 3509, Dallas, TX 75202 c) Jillian Szczepanek ‐ Controller c) Todd Welu, CFO d. Cathy Martine‐Dolecki, President ‐ Natl Bus AT&T, 1 AT&T Way, Bedminster, NJ 07921 d) Jennifer Taha ‐ Proposals Director d) Crowe Horwath LLP is a limited liability partnership with more than e. Delores McCarty, Assistant Secretary AT&T, 675 W Peachtree St, NW, Atlanta, GA 30308 275 partners/principals. If required, we will provide a complete listing f. George B. Goeke, CFO and Treasurer AT&T, 208 S. Akard St., Suite 1824, Dallas, TX 75202 of the partner/principals. The names and titles of the firm's leadership AT&T is a publicly held corporation. No single person owns more than 10% of the company. It is an is available at www.crowehorwath.com/leadership. independent, publicly traded telecommunications services provider. The names and titles of the AT&T Inc. officers are • Randall Stephenson—Chairman and Chief Executive Officer (CEO) • William Blase—Senior Executive Vice President, Human Resources • James Cicconi—Senior Executive Vice President, External and Legislative Affairs • Ralph de la Vega—President and Chief Executive Officer (CEO), AT&T Mobile and Business Solutions • John Donovan—Senior Executive Vice President, AT&T Technology and Operations and Corporate Strategy • Jose Gutierrez—Senior Vice President, Executive Operations • David Huntley—Chief Compliance Officer • Lori Lee—Senior Executive Vice President and Global Marketing Officer • John Stankey—CEO, AT&T Entertainment and Internet Services • John Stephens—Sr. Executive Vice President and Chief Financial Officer (CFO); Corporate Development • Wayne Watts—Senior Executive Vice President and General Counsel

12. Authorized contacts for your firm. Name: Krishna K Chittaathini Name: Dwayne Stafford Name: Aaron Giannini Name: Craig Sullivan Title: CEO Title: Strategic Account Lead Title: Account Representative Title: Partner E‐mail: [email protected] E‐mail: [email protected] E‐mail: [email protected] E‐mail: [email protected] Telephone No.: 4087165901 Telephone No.: 786‐479‐4113 Telephone No.: 703.889.9848 Telephone No.: 574.236.7618 Name: Murali Gomatam Name: Esther Martin Name: Jennifer Taha Title: President Title: Strategic Account Lead Title: Proposals Director E‐mail: [email protected] E‐mail: [email protected] E‐mail: [email protected] Telephone No.: 4087165907 Telephone No.: 305‐582‐9541 Telephone No.: 703.871.8556

31 10/20/2017 1:35 PM RFQ A2114499R1 ‐ Broward County IT Security and Compliance Serv Category 3 ‐ IT Audit Services

Licensing Matrix Enterprise Risk Management, Inc. Focal Point Data Risk LLC Foresite MSP LLC Global Information Intelligence LLC 11. List name and title of each principal, owner, officer and major shareholder. a) Silka Gonzalez ‐ President a) Andrew Cannata ‐ Principal, Cyber Security Robin Mano ‐ CEO a) DR. EMMANUEL HOOPER, PHD, PHD, PHD, Harvard Yale Alumni, President b) Michelle Miller ‐ COO b) Christie Verscharen ‐ Principal, PCI and Risk Services George Farris ‐ Board Member b) Theresa Marie Hooper, BA (Harvard),Senior Executive c) Esteban Farao ‐ Director of Consulting Services c) Eric Dieterich ‐ Principal, Data Privacy David Cohen ‐ Board Member Gary Fish ‐ Board Member

12. Authorized contacts for your firm. Name: Silka Gonzalez Name: Andrew Cannata Jason Leduc Name: DR. EMMANUEL HOOPER, PHD, PHD, PHD Title: President Title: Principal, Cyber Security VP Cyber Security Services Title: President E‐mail: [email protected] E‐mail: acannata@focal‐point.com [email protected] E‐mail: [email protected] Telephone No.: 305‐447‐6750 Telephone No.: (813) 731‐9074 732‐674‐0871 Telephone No.: 408‐250‐9045 Name: Michelle Miller Name: Eric Dieterich Name: Theresa M. Hooper Title: COO Title: Principal, Data Privacy John Lavelle Title: Senior Executive E‐mail: [email protected] E‐mail: edieterich@focal‐point.com Controller E‐mail: [email protected] Telephone No.: 305‐447‐6750 Telephone No.: (786) 390‐1490 [email protected] Telephone No.: 714‐331‐1173 800‐940‐4699 ext 227

32 10/20/2017 1:35 PM RFQ A2114499R1 ‐ Broward County IT Security and Compliance Serv Category 3 ‐ IT Audit Services

Prime: Marcum LLP Licensing Matrix Sub: 24by7 Security MGT of America Consulting, LLC Plante & Moran, PLLC dba Plante Moran Presidio 11. List name and title of each principal, owner, officer and major shareholder. a) Michael Balter, Regional Managing Partner a) A. Trey Traviesa, Chairman & CEO a) James Proppe, Managing Partner Regarding principals, owners, etc., not applicable. b) Mark Agulnik, Partner b) Fred Seamon, Executive Vice President b) Dnnis Graham, Group Managing Partner Presidio is a publicly owned company. c) David Appel, Partner c) Brad Burgess, Executive Vice President c) Frank Audia, CIO d) Shaun Blogg, Partner d) Beth Bialy, Government Industry Group Leader e) Ilyssa Blum, Partner f) Marc Breslow, Partner g) Michael Curto, Partner h) Adam Firestein, Partner i) Michael Futterman, Partner j) John Gabriel, Partner k) Cecelia Garber, Partner l) Kim Lamplough, Partner m) Michele Lipson, Partner n) Michael Novak, Partner Marcum LLP is managed by more than 140 partners around the country. Below is a list of partners from our local Florida offices. A complete list of partners around the country is available at www.marcumllp.com/people‐ search.

12. Authorized contacts for your firm. Name: Mark Agulnik Name: A. Trey Traviesa Name: Raj Patel Name: Jill Finkelstein Title: Partner Title: Chairman & CEO Title: Partner Title: Business Development Manager E‐mail: [email protected] E‐mail: [email protected] E‐mail: [email protected] E‐mail: [email protected] Telephone No.: 954‐320‐8000, Ext. 38013 Telephone No.: 850.386.3191 Telephone No.: 248‐223‐3428 Telephone No.: 305‐606‐2835 Name: Jose Antigua Name: Fred Seamon Name: Scott Eiler Name: Ralph Gentile Title: Senior Manager Title: Executive Vice President Title: Partner Title: Sales Lead E‐mail: [email protected] E‐mail: [email protected] E‐mail: [email protected] E‐mail: [email protected] Telephone No.: 954‐320‐800, 38054 Telephone No.: 850.386.3191 Telephone No.: 248‐223‐3447 Telephone No.: 954‐817‐0690

33 10/20/2017 1:35 PM RFQ A2114499R1 ‐ Broward County IT Security and Compliance Serv Category 3 ‐ IT Audit Services

Licensing Matrix RSM US LLP Securance LLC SeNet International Corporation SHI International Corp 11. List name and title of each principal, owner, officer and major shareholder. Paul Ashe a) Anatoly Kozushin, President Thai Lee b) Ilan Katz, CEO Koguan Leo c) Gus Fritschie, Chief Technology Officer d) Steve Davis, COO

12. Authorized contacts for your firm. Jason Alexander Name: Paul Ashe Name: Meghan Flisakowski Principal Title: President Name: Anatoly Kozushin Title: Public Program Manager 786‐239‐4279 E‐mail: [email protected] Title: President E‐mail: [email protected] Telephone No.: 877‐578‐0215 E‐mail: toly.kozushin@senet‐int.com Telephone No.: 5125174088 Name: Gillian Tedeschi Telephone No.: (703) 206‐9383 Name: Natalie Castagno Title: Director of Marketing Name: Ilan Katz Title: Director Response Team E‐mail: [email protected] Title: CEO E‐mail: [email protected] Telephone No.: 877‐578‐0215 E‐mail: Ilan.Katz@senet‐int.com Telephone No.: 732‐868‐5902 Telephone No.: (703) 206‐9383

34 10/20/2017 1:35 PM RFQ A2114499R1 ‐ Broward County IT Security and Compliance Serv Category 3 ‐ IT Audit Services

Verizon Business Network Services Inc. d/b/a Licensing Matrix Verizon Business Services 11. List name and title of each principal, owner, officer and major shareholder.

please see: http://www.verizon.com/about/investors/corporate‐ governance MCI Communications Services Inc. (100% Shareholder) 12. Authorized contacts for your firm.

Name: Frank Parra Title: Sr. Client Executive E‐mail: [email protected] Telephone No.: (813) 520‐9786

35 10/20/2017 1:35 PM RFQ A2114499R1 ‐ Broward County IT Security and Compliance Services Category 3 ‐ IT Audit Services

Prime: 3K Technologies LLC Subs: Managni Systems, Inc. ; Aujas Information Risk Prime: Carahsoft Technology Corp Licensing Matrix Services ATT Solution Provider: Trustwave Crowe Horwath LLP 13. Has your firm, its principals, officers or predecessor organization(s) been debarred No No No No or suspended by any government entity within the last three years? If yes, specify details in an attached written response.

14. Has your firm, its principals, officers or predecessor organization(s) ever been No No No No debarred or suspended by any government entity? If yes, specify details in an attached written response, including the reinstatement date, if granted.

15. Has your firm ever failed to complete any services and/or delivery of products No We are unaware of any work completion issues that would impair our ability to meet our obligations No Yes, Like all large professional service firms, Crowe is, from time to during under any contract. AT&T is a large company with an international presence and significant contractual time, subject to contract disputes or issues where contracts may be the last three (3) years? If yes, specify details in an attached written response. relations. Given the size and scope of our business, we from time to time over our history have been terminated for a variety of reasons, including without limitation lack of involved in occasional alleged contract performance claims and legal actions. However, AT&T is a well‐ client funding, disputes over the scope of the work, or payment capitalized company with assets in excess of any outstanding claims or lawsuits. As such, we are disputes. Through active management and communication with our unaware of any contact performance claim or legal action that would preclude or impair our ability clients, Crowe is usually successful in anticipating such areas and to meet our obligations or perform our duties under any contract. We serve millions of customers working with the client to mitigate these issues. around the globe, and we'll work hard to honor our promises.

16. Is your firm or any of its principals or officers currently principals or officers of No Yes No No another organization? If yes, specify details in an attached written response.

17. Have any voluntary or involuntary bankruptcy petitions been filed by or against No No No No your firm, its parent or subsidiaries or predecessor organizations during the last three years? If yes, specify details in an attached written response.

36 10/20/2017 1:35 PM RFQ A2114499R1 ‐ Broward County IT Security and Compliance Serv Category 3 ‐ IT Audit Services

Licensing Matrix Enterprise Risk Management, Inc. Focal Point Data Risk LLC Foresite MSP LLC Global Information Intelligence LLC 13. Has your firm, its principals, officers or predecessor organization(s) been debarred No No No No or suspended by any government entity within the last three years? If yes, specify details in an attached written response.

15. Has your firm ever failed to complete any services and/or delivery of products No No No No during the last three (3) years? If yes, specify details in an attached written response.

16. Is your firm or any of its principals or officers currently principals or officers of No No Principal invests in multiple businesses No another organization? If yes, specify details in an attached written response.

37 10/20/2017 1:35 PM RFQ A2114499R1 ‐ Broward County IT Security and Compliance Serv Category 3 ‐ IT Audit Services

Prime: Marcum LLP Licensing Matrix Sub: 24by7 Security MGT of America Consulting, LLC Plante & Moran, PLLC dba Plante Moran Presidio 13. Has your firm, its principals, officers or predecessor organization(s) been debarred No No No No or suspended by any government entity within the last three years? If yes, specify details in an attached written response.

15. Has your firm ever failed to complete any services and/or delivery of products No No during the last three (3) years? If yes, specify details in an attached written response.

p// p / / gp 16. Is your firm or any of its principals or officers currently principals or officers of Marcum Group is an organization providing a comprehensive range of Yes. Principal is CEO of MGT of America Consulting, LLC and Strategos Public Affairs, No No another organization? If yes, specify details in an attached written response. professional services spanning accounting and advisory, technology LLC, both wholly owned subsidiaries of MGT of America, LLC. solutions, wealth management and executive and professional recruiting. MARCUM LLP Marcum LLP is one of the largest independent public accounting and advisory services firms in the nation, with offices in major business markets throughout the U.S., Grand Cayman and China. MARCUM FINANCIAL SERVICES Marcum Financial Services was founded in late 2009 by combining the expertise of several professionals and firms with extensive investment, financial and business experiences. MARCUM SEARCH Marcum Search LLC offers professional recruiting services. Our recruiters recognize the importance of working closely with companies and prospective candidates to ensure the perfect match. MARCUM TECHNOLOGY Marcum Technology LLC is a full‐service integrated solutions vendor (ISV) specializing in data storage, disaster recovery, network infrastructure, IT staffing and managed services. MARCUM BERNSTEIN & PINCHUK Marcum Bernstein & Pinchuk is an independent public accounting firm. We provide a full range of audit and assurance, tax and transaction advisory services for clients in a variety of industries. MARCUM RBK (IRELAND) LIMITED Marcum RBK is a service center for current and future hedge fund and private equity fund clients of the Marcum Alternative Investment Group.

17. Have any voluntary or involuntary bankruptcy petitions been filed by or against No No your firm, its parent or subsidiaries or predecessor organizations during the last three years? If yes, specify details in an attached written response.

38 10/20/2017 1:35 PM RFQ A2114499R1 ‐ Broward County IT Security and Compliance Serv Category 3 ‐ IT Audit Services

Licensing Matrix RSM US LLP Securance LLC SeNet International Corporation SHI International Corp 13. Has your firm, its principals, officers or predecessor organization(s) been debarred No No No No or suspended by any government entity within the last three years? If yes, specify details in an attached written response.

15. Has your firm ever failed to complete any services and/or delivery of products No No No No during the last three (3) years? If yes, specify details in an attached written response.

16. Is your firm or any of its principals or officers currently principals or officers of No No No No another organization? If yes, specify details in an attached written response.

17. Have any voluntary or involuntary bankruptcy petitions been filed by or against No No No your firm, its parent or subsidiaries or predecessor organizations during the last three years? If yes, specify details in an attached written response.

39 10/20/2017 1:35 PM RFQ A2114499R1 ‐ Broward County IT Security and Compliance Serv Category 3 ‐ IT Audit Services

Verizon Business Network Services Inc. d/b/a Licensing Matrix Verizon Business Services 13. Has your firm, its principals, officers or predecessor organization(s) been debarred or suspended by any government entity within the last three years? If yes, specify details in an attached written response. No 14. Has your firm, its principals, officers or predecessor organization(s) ever been debarred or suspended by any government entity? If yes, specify details in an attached written response, including the reinstatement date, if granted.

No 15. Has your firm ever failed to complete any services and/or delivery of products during the last three (3) years? If yes, specify details in an attached written response.

No 16. Is your firm or any of its principals or officers currently principals or officers of another organization? If yes, specify details in an attached written response.

No 17. Have any voluntary or involuntary bankruptcy petitions been filed by or against your firm, its parent or subsidiaries or predecessor organizations during the last three years? If yes, specify details in an attached written response.

40 10/20/2017 1:35 PM RFQ A2114499R1 ‐ Broward County IT Security and Compliance Services Category 3 ‐ IT Audit Services

Prime: 3K Technologies LLC Subs: Managni Systems, Inc. ; Aujas Information Risk Prime: Carahsoft Technology Corp Licensing Matrix Services ATT Solution Provider: Trustwave Crowe Horwath LLP 18. Has your firm’s surety ever intervened to assist in the completion of a contract or No No No No have Performance and/or Payment Bond claims been made to your firm or its predecessor’s sureties during the last three years? If yes, specify details in an attached written response, including contact information for owner and surety.

19. Has your firm ever failed to complete any work awarded to you, services and/or No We are unaware of any work completion issues that would impair our ability to meet our obligations No Yes, Like all large professional service firms, Crowe is, from time to delivery of products during the last three (3) years? If yes, specify details in an under any contract. AT&T is a large company with an international presence and significant contractual time, subject to contract disputes or issues where contracts may be attached written response. relations. Given the size and scope of our business, terminated for a variety of reasons, including without limitation lack of we from time to time over our history have been involved in occasional alleged contract performance client funding, disputes over the scope of the work, or payment claims and legal actions. However, AT&T is a well‐capitalized company with assets in excess of any disputes. Through active management and communication with our outstanding claims or lawsuits. As such, we are unaware of any contact performance claim or legal clients, Crowe is usually successful in anticipating such areas and action that would preclude or impair our ability to meet our obligations or perform our duties under any working with the client to mitigate these issues. contract. We serve millions of customers around the globe, and we'll work hard to honor our promises.

20. Has your firm ever been terminated from a contract within the last three years? If No Except for material matters that AT&T discloses in filings with the Securities and Exchange Commission No Yes, Like all large professional service firms, Crowe is, from time to yes, or otherwise discloses in response to subpoenas or other valid court orders, AT&T is legally and time, subject to contract disputes or issues where contracts may be specify details in an attached written response. contractually prohibited from disclosing information to third parties about contractual matters. Also, terminated for a variety of reasons, including without limitation lack of due to the size and scale of AT&T’s operations, as a practical matter, AT&T cannot state with absolute client funding, disputes over the scope of the work, or payment certainty whether AT&T has defaulted under a contract. Notwithstanding the legal and practical disputes. Through active management and communication with our restrictions that limit AT&T’s ability to disclose specific contract performance issues, AT&T can assure clients, Crowe is usually successful in anticipating such areas and Customer that AT&T is capable of performing the services requested under this RFP and that AT&T has working with the client to mitigate these issues. no history or pattern of performance issues with other customers that would affect AT&T’s ability to perform the services requested by Customer. AT&T reiterates that AT&T is not aware of any circumstances involving performance under another contract which would materially and adversely impact AT&T’s ability to perform services for Customer. Moreover, AT&T is not aware of any circumstance when AT&T was not awarded a bid due to non‐performance concerns about AT&T by the entity sponsoring a particular procurement. AT&T is forced to qualify such assurances to the best of its knowledge due to the scale and scope of AT&T’s operations. AT&T will not be able to provide such assurances with absolute certainty with respect to every contract or bid opportunity in which AT&T has participated.

21. Living Wage solicitations only: N/A No N/A N/A

41 10/20/2017 1:35 PM RFQ A2114499R1 ‐ Broward County IT Security and Compliance Serv Category 3 ‐ IT Audit Services

Licensing Matrix Enterprise Risk Management, Inc. Focal Point Data Risk LLC Foresite MSP LLC Global Information Intelligence LLC 18. Has your firm’s surety ever intervened to assist in the completion of a contract or No No No No have Performance and/or Payment Bond claims been made to your firm or its predecessor’s sureties during the last three years? If yes, specify details in an attached written response, including contact information for owner and surety.

19. Has your firm ever failed to complete any work awarded to you, services and/or No No No No delivery of products during the last three (3) years? If yes, specify details in an attached written response.

20. Has your firm ever been terminated from a contract within the last three years? If No No No No yes, specify details in an attached written response.

21. Living Wage solicitations only: N/A N/A N/A

42 10/20/2017 1:35 PM RFQ A2114499R1 ‐ Broward County IT Security and Compliance Serv Category 3 ‐ IT Audit Services

Prime: Marcum LLP Licensing Matrix Sub: 24by7 Security MGT of America Consulting, LLC Plante & Moran, PLLC dba Plante Moran Presidio 18. Has your firm’s surety ever intervened to assist in the completion of a contract or No No No No have Performance and/or Payment Bond claims been made to your firm or its predecessor’s sureties during the last three years? If yes, specify details in an attached written response, including contact information for owner and surety.

19. Has your firm ever failed to complete any work awarded to you, services and/or Our firm enters in to Engagement letters with clients that allow for cessation No No No delivery of products during the last three (3) years? If yes, specify details in an of work and/or termination by either party in certain circumstances. attached written response.

20. Has your firm ever been terminated from a contract within the last three years? If Our firm enters in to Engagement letters with clients that allow for cessation No No – Plante Moran is not aware of any client terminating No yes, of work and/or termination by either party in certain circumstances. a contract involving the provision of information specify details in an attached written response. technology security and compliance services. As one of the country’s largest accounting and consulting firms with thousands of annual engagements, there likely have been instances during the last three years where clients receiving tax or accounting‐related services have elected to use other service providers for their particular needs. Plante Moran’s record of client service and satisfaction is best in class, with 99% of clients indicating they would recommend Plante Moran to others.

21. Living Wage solicitations only: N/A N/A

43 10/20/2017 1:35 PM RFQ A2114499R1 ‐ Broward County IT Security and Compliance Serv Category 3 ‐ IT Audit Services

Licensing Matrix RSM US LLP Securance LLC SeNet International Corporation SHI International Corp 18. Has your firm’s surety ever intervened to assist in the completion of a contract or No No No No have Performance and/or Payment Bond claims been made to your firm or its predecessor’s sureties during the last three years? If yes, specify details in an attached written response, including contact information for owner and surety.

20. Has your firm ever been terminated from a contract within the last three years? If No No No No yes, specify details in an attached written response.

21. Living Wage solicitations only: No No No

44 10/20/2017 1:35 PM RFQ A2114499R1 ‐ Broward County IT Security and Compliance Serv Category 3 ‐ IT Audit Services

Verizon Business Network Services Inc. d/b/a Licensing Matrix Verizon Business Services 18. Has your firm’s surety ever intervened to assist in the completion of a contract or have Performance and/or Payment Bond claims been made to your firm or its predecessor’s sureties during the last three years? If yes, specify details in an attached written response, including contact information for owner and surety. No 19. Has your firm ever failed to complete any work awarded to you, services and/or delivery of products during the last three (3) years? If yes, specify details in an attached written response.

No 20. Has your firm ever been terminated from a contract within the last three years? If yes, specify details in an attached written response.

No 21. Living Wage solicitations only: No

45 10/20/2017 1:35 PM RFQ A2114499R1 ‐ Broward County IT Security and Compliance Services Category 4 ‐ Security Penetration Testing

Prime: 3K Technologies LLC Subs: Managni Systems, Inc. ; Aujas Information Risk Licensing Matrix 1st Secure IT LLC Services ATT RESPONSIBILTY REQUIREMENTS Servers and Workers Located in the USA Attestation Form Provided ‐ PDF Pg. 120 Provided Provided / See PDF Pg. 569 AND Offensive Security Certified Professional Certification (OSCP) on staff Not Provided Not Provided Not Provided and proposed key team member Requirement Met Requirement Met Requirement Met OR GIAC Penetration Tester (GPEN) on staff and proposed key team Not Provided Provided Provided member Requirement Met Requirement Met Requirement Met OR Certified Ethical Hacker (CEH) on staff and proposed key team Provided Not Provided Not Provided member Requirement Met Requirement Met Requirement Met FORMS Vendor Questionnaire Form Provided Provided Provided

Provided Vendor Security Questionnaire Form Provided Provided

1 10/20/2017 1:35 PM RFQ A2114499R1 ‐ Broward County IT Security and Com Category 4 ‐ Security Penetration Testing

Prime: Carahsoft Technology Corp Licensing Matrix BreakPoint Labs Solution Provider: Trustwave Crowe Horwath LLP Enterprise Risk Management, Inc. RESPONSIBILTY REQUIREMENTS Servers and Workers Located in the USA Attestation Form Provided Provided ‐ See Page 47 Provided ‐ See PDF Pg. 9 Provided AND Offensive Security Certified Professional Certification (OSCP) on staff Not Provided Not Provided Provided Not Provided and proposed key team member Requirement Met Requirement Met Requirement Met Requirement Met OR GIAC Penetration Tester (GPEN) on staff and proposed key team Not Provided Provided Not Provided Not Provided member Requirement Met Requirement Met Requirement Met Requirement Met OR Certified Ethical Hacker (CEH) on staff and proposed key team Provided Provided Not Provided Provided member Requirement Met Requirement Met Requirement Met Requirement Met FORMS Vendor Questionnaire Form Provided Provided Provided Provided

Provided Provided Vendor Security Questionnaire Form Provided Provided

2 10/20/2017 1:35 PM RFQ A2114499R1 ‐ Broward County IT Security and Com Category 4 ‐ Security Penetration Testing

Prime: JohnsTek Inc. Licensing Matrix Focal Point Data Risk LLC Foresite MSP LLC Global Information Intelligence LLC Sub: IOMAXIS RESPONSIBILTY REQUIREMENTS Servers and Workers Located in the USA Attestation Form Provided Provided Provided Provided AND Offensive Security Certified Professional Certification (OSCP) on staff Not Provided Not Provided Not Provided Provided and proposed key team member Requirement Met Requirement Met Requirement Met Requirement Met OR GIAC Penetration Tester (GPEN) on staff and proposed key team Provided Not Provided Not Provided Not Provided member Requirement Met Requirement Met Requirement Met Requirement Met OR Certified Ethical Hacker (CEH) on staff and proposed key team Not Provided Provided Provided Provided member Requirement Met Requirement Met Requirement Met Requirement Met FORMS Vendor Questionnaire Form Provided Provided Provided Provided

Provided Provided Provided Vendor Security Questionnaire Form Provided

3 10/20/2017 1:35 PM RFQ A2114499R1 ‐ Broward County IT Security and Com Category 4 ‐ Security Penetration Testing

Prime: Marcum LLP Merchant Preservation Services, LLC d/b/a Licensing Matrix Sub: 24by7 Security CampusGuard MGT of America Consulting, LLC Nettitude, Inc. d/b/a Nettitude RESPONSIBILTY REQUIREMENTS Servers and Workers Located in the USA Attestation Form Provided Provided Provided ‐ See PDF Pg. 23 Provided ‐ See PDF Pg. 42 AND Offensive Security Certified Professional Certification (OSCP) on staff Not Provided Not Provided Not Provided Provided and proposed key team member Requirement Met Requirement Met Requirement Met Requirement Met OR GIAC Penetration Tester (GPEN) on staff and proposed key team Not Provided Not Provided Provided Not Provided member Requirement Met Requirement Met Requirement Met Requirement Met OR Certified Ethical Hacker (CEH) on staff and proposed key team Provided Provided Not Provided Not Provided member Requirement Met Requirement Met Requirement Met Requirement Met FORMS Vendor Questionnaire Form Provided Provided Provided Provided

Provided Provided Provided Provided Vendor Security Questionnaire Form

4 10/20/2017 1:35 PM RFQ A2114499R1 ‐ Broward County IT Security and Com Category 4 ‐ Security Penetration Testing

Licensing Matrix Optiv Security Plante & Moran, PLLC dba Plante Moran Presidio RSM US LLP RESPONSIBILTY REQUIREMENTS Servers and Workers Located in the USA Attestation Form Provided Provided Provided Provided AND Offensive Security Certified Professional Certification (OSCP) on staff Not Provided Not Provided Not Provided Not Provided and proposed key team member Requirement Met Requirement Met Requirement Met Requirement Met OR GIAC Penetration Tester (GPEN) on staff and proposed key team Provided Not Provided Provided Not Provided member Requirement Met Requirement Met Requirement Met Requirement Met OR Certified Ethical Hacker (CEH) on staff and proposed key team Provided Provided Provided Provided member Requirement Met Requirement Met Requirement Met Requirement Met FORMS Vendor Questionnaire Form Provided Provided Provided Provided

Provided Provided Provided Provided Vendor Security Questionnaire Form

5 10/20/2017 1:35 PM RFQ A2114499R1 ‐ Broward County IT Security and Com Category 4 ‐ Security Penetration Testing

Verizon Business Network Services Licensing Matrix SeNet International Corporation SHI International Corp Inc. d/b/a Verizon Business Services RESPONSIBILTY REQUIREMENTS Servers and Workers Located in the USA Attestation Form Provided Provided Provided AND Offensive Security Certified Professional Certification (OSCP) on staff Not Provided Not Provided Not Provided and proposed key team member Requirement Met Requirement Met Requirement Met OR GIAC Penetration Tester (GPEN) on staff and proposed key team Not Provided Provided Not Provided member Requirement Met Requirement Met Requirement Met OR Certified Ethical Hacker (CEH) on staff and proposed key team Provided Not Provided Provided member Requirement Met Requirement Met Requirement Met FORMS Vendor Questionnaire Form Provided Provided Provided

Provided Provided Provided Vendor Security Questionnaire Form

6 10/20/2017 1:35 PM RFQ A2114499R1 ‐ Broward County IT Security and Compliance Services Category 4 ‐ Security Penetration Testing

Prime: 3K Technologies LLC Subs: Managni Systems, Inc. ; Aujas Information Risk Licensing Matrix 1st Secure IT LLC Services ATT EVALUATION CRITERIA 1. Ability of Professional Personnel: a. Describe the qualifications and relevant experience of the Project See PDF Pg. 155 ‐ 156. Resumes ‐ See PDF Pgs. 162 ‐ 171. See file "Evaluation ‐ Cat 4" See PDF Pg. 521 ‐ 524 Manager and all key staff that are intended to be assigned to services Mark Akins, PCI QSA, CISSP, CISA, 24+ years experience Rajiv has extensive experience in Vulnerability and Penetration performed within this category. Include resumes for the Project Alberto Espana, CISM, PCI‐QSA, 30+ years experience testing. He is experienced in industry standard tools like Qualys, CONFIDENTIAL Manager and all key staff described. Orencio Cardenas, MCSA, MCSE, CISSP, 20+ years experiences Webking, Nessus, NMAP, ISIC‐TCPSIC, Codenomicon. he has done Alan Kakareka, CISSP, GSEC, CEH, LPT, 20+ years in IT; 13+ years in IT Security penetration testing and helped proactively remove the threats at Pgs 35: Abelardo Rodrigues, PCI QSA, CISSP, CISA, 24+ years experience different clients. Non‐Disclosure Statement "The information in this document is AT&T Corp. Confidential, and cannot be reproduced or redistributed in any way, shape, or form without prior written consent from AT&T Corp. © Copyright 2017 AT&T Corp. AT&T Corp., the AT&T Corp. logo, and all other trademarks, service marks, and designs are registered or unregistered trademarks of AT&T Corp. Intellectual Property and/or AT&T Corp. affiliated companies."

Pgs 36‐ 223: "AT&T Consulting Proprietary and Confidential Information"

Pgs 418‐568 AT&T Proprietary: The information contained herein is for use by authorized persons only and is not for general distribution.

b. List any other relevant Security and Compliance Industry See PDF Pg. 155 ‐ 156. See PDF Pgs. 162 ‐ 171. See file "Evaluation ‐ Cat 4" See PDF Pg. 521 ‐ 524 certifications that the Project Manager and key staff described may Mark Akins, PCI QSA, CISSP, CISA, 24+ years experience He has CEH certification. He has CCIE ‐ Routing and Switching have. Include copies of certificates, if applicable. Alberto Espana, CISM, PCI‐QSA, 30+ years experience (Written). CONFIDENTIAL Orencio Cardenas, MCSA, MCSE, CISSP, 20+ years experiences Alan Kakareka, CISSP, GSEC, CEH, LPT, 20+ years in IT; 13+ years in IT Security Pgs 35: Abelardo Rodrigues, PCI QSA, CISSP, CISA, 24+ years experience Non‐Disclosure Statement "The information in this document is AT&T Corp. Confidential, and cannot be reproduced or redistributed in any 1st Secure IT is an Active QSA Company and status can be looked up on the PCI council's way, shape, or form without prior written consent from AT&T Corp. © website. Copyright 2017 AT&T Corp. AT&T Corp., the AT&T Corp. logo, and all https://www.pcisecuritystandards.org/assessors_and_solutions/qualified_security_assessors other trademarks, service marks, and designs are registered or PCI QSA, CISSP, CISA, CEH unregistered trademarks of AT&T Corp. Intellectual Property and/or AT&T Corp. affiliated companies."

Pgs 36‐ 223: "AT&T Consulting Proprietary and Confidential Information"

Pgs 418‐568 AT&T Proprietary: The information contained herein is for use by authorized persons only and is not for general distribution.

7 10/20/2017 1:35 PM RFQ A2114499R1 ‐ Broward County IT Security and Com Category 4 ‐ Security Penetration Testing

Prime: Carahsoft Technology Corp Licensing Matrix BreakPoint Labs Solution Provider: Trustwave Crowe Horwath LLP Enterprise Risk Management, Inc. EVALUATION CRITERIA 1. Ability of Professional Personnel: a. Describe the qualifications and relevant experience of the Project See PDF Pgs. 22 ‐ 23, 25 ‐ 29. See PDF Pg. 29 See PDF Pgs. 89 ‐ 91 See Resumes PDF Pg. 99‐110; Certifications PDF Pgs. 111‐113 Manager and all key staff that are intended to be assigned to services Andrew McNicol, CTO, OSCE, OSCP, OSWP, GICSP, Trustwave's penetration testing services are delivered by SpiderLabs® Mike Del Giudice, Project Manager, CISSP, 16 years experience Esteban Orlando Farao, CISSP, CISA, CISO, CRISC, CEH, QSA, and performed within this category. Include resumes for the Project GCFA, GCIA, GCIH, GPEN, GREM, GSEC, GWAPT, GWEB, CISSP, CEH, Penetration Testing and Incident Response — an advanced security team within Trustwave focused on forensics, Ryan Reynolds, Technical Lead, OSCP, 9 years experience PCIP.PCI QSA, 20+ years experience Manager and all key staff described. Lucas Hudson, Senior Offensive Security Engineer, Vulnerability Enumeration and Exploitation; OSCE, OSCP, ethical hacking, application and network security testing. The team has Piotr Marszalik, Technical Lead, OSCP, OSCE, 6 years experience Christopher Sanchez, Information Security Consultant OSWP, GISCP, GCFA, GPEN, GWAPT, GWEB, CISSP, CEH performed hundreds of forensic investigations, ethical hacking Eric DePree, Project Team, OSCP, 3 years experience Animesh Srivastava, Information Security Consultant, Extensive Zachary Meyers, Senior Offensive Security Engineer, OSCP, CISSP, GPEN, GWAPT, GCIH, GICSP, CEH exercises and application security tests globally. Made up of some of Mitch Hennigan, Project Team, OSCP, Experience in Network experience competing regulatory compliance assessments the top information security professionals in the world, the team has Security Assessments and External/Internal Penetration assessments Srivathsav Gandrathi, CEH, Information Security Consultant, career experience Michael Raibick, Project Team, OSCP, Specializes in Information Extensive experience in Implementation of Secure Network ranging from Corporate Information Security to Security Research to Assurance and Computer Networking Protocols Federal and Local Law Enforcement. Members of SpiderLabs frequently Haslyn Martin, Information Security Consultant, Extensive speak at security conferences around the world. experience in implementation of Secure Network Protocols Noah Stahl, Infomration Security Consultant, Extensive experience in software testing and Digital Forensics

b. List any other relevant Security and Compliance Industry See PDF Pgs. 22 ‐ 23, 25 ‐ 29. See PDF Pg. 29 See PDF Pgs. 89 ‐ 91 See PDF Pg. 111 ‐ 113 certifications that the Project Manager and key staff described may Andrew McNicol, CTO, OSCE, OSCP, OSWP, GICSP, Please see the representative biographies embedded below, including Mike Del Giudice, Project Manager, CISSP, 16 years experience • Esteban Farao: CISSP, CISA, CISO, CRISC, CEH, PCI QSA, and PCIP have. Include copies of certificates, if applicable. GCFA, GCIA, GCIH, GPEN, GREM, GSEC, GWAPT, GWEB, CISSP, CEH, Penetration Testing and Incident Response the typical certifications held by the Ryan Reynolds, Technical Lead, OSCP, 9 years experience • Animesh Srivastava: CCFE Lucas Hudson, Senior Offensive Security Engineer, Vulnerability Enumeration and Exploitation; OSCE, OSCP, resources who may be assigned to your project. Piotr Marszalik, Technical Lead, OSCP, OSCE, 6 years experience • Srivathsav Gandrathi: CEH OSWP, GISCP, GCFA, GPEN, GWAPT, GWEB, CISSP, CEH Eric DePree, Project Team, OSCP, 3 years experience Copies of the Certification follow: Zachary Meyers, Senior Offensive Security Engineer, OSCP, CISSP, GPEN, GWAPT, GCIH, GICSP, CEH Mitch Hennigan, Project Team, OSCP, Experience in Network Esteban Farao: CISSP Security Assessments and External/Internal Penetration assessments Michael Raibick, Project Team, OSCP, Specializes in Information Assurance and Computer Networking

8 10/20/2017 1:35 PM RFQ A2114499R1 ‐ Broward County IT Security and Com Category 4 ‐ Security Penetration Testing

Prime: JohnsTek Inc. Licensing Matrix Focal Point Data Risk LLC Foresite MSP LLC Global Information Intelligence LLC Sub: IOMAXIS EVALUATION CRITERIA 1. Ability of Professional Personnel: a. Describe the qualifications and relevant experience of the Project See PDF Pgs. 157 ‐ 158 See Bios ‐ Jason L, Specialities: Compliance and Network Security, 20+ See PDF Pg. 78 See PDF Pgs. 47 ‐ 48 Manager and all key staff that are intended to be assigned to services Project Advisor – Andrew Cannata, Principal, CISSP, QSA, CISM, 25+ years experience, QSA PCI, PA QSA, PCIP PCI, SANS GIAC GSNA, GCIH, Principal and Senior INFORMATION TECHNOLOGY (IT) SECURITY AND Darnell Macapinlac, JohnsTek Program Manager and Prime Contract performed within this category. Include resumes for the Project years experience GPEN COMPLIANCE SERVICES Expert: Dr. Emmanuel Hooper, PhD, PhD, PhD Representative, 20 years experience, PMP, CompTIA Security +, ITIL V3, CISSP, Manager and all key staff described. Chris Sullo – Practice Lead, CISSP, RHCE, RHCT, 20+ years Thomas A, Specialities, Compliance and Network Security, 15+ years Information Security and Computing Sciences (Over 30 years of and CEH Peter Hefley – Senior Manager, GPEN, CISSP, GREM, CISA. Peter has a experience, QSA PCI, CISSP, HCISSP Professional Experience and 25 years of Research, Harvard and Yale Osvaldo Perez, Project Manager and Senior Cybersecurity Consultant, 12 broad base of John W, Compliance, Network Security, and Incident Response/Digital Alumnus, Summa Cum Laude, and Oxford Research, etc.) years experience, CISSP, CISA, C|EH, CPT, and Security+‐certified retired Army experience in systems administration, network security, information Forensics, QSA PCI, PA QSA, CISSP Global Information Intelligence LLC (100% Small Business, Minority, and Officer with 9 years of experience serving as Program Manager, Team Chief, warfare, and cryptography. Keith K, GRC, Security Architecture and Audit, 20+ years experience, Women Owned) Senior Trainer, and Quality Assurance Officer of the Army’s NSA‐certified and Steve Tornio – Senior Manager, OSCP, CISSP. Steve has been active CISSP By President, Dr. Emmanuel Hooper, PhD, PhD, PhD Computing Sciences USSTRATCOM‐accredited Cyber Red Team within the security Bradley A, Penetration Testing, 15+ years of experience, CISSP, OSCE, and Information Security Founder, Consortium for Emerging Pete Harris, Lead Offensive Security Engineer and Senior Penetration Tester, community for the past 20 years OSCP, CEH, SANS GIAC Technologies‐Harvard, Exemplary Models for 12 years experience, OSWP, OSCP, CISSP, CISA, GPEN, GWAPT, CEH and MCSA‐ Anthony Miller‐Rhodes – Senior Consultant. Anthony has several years Federal, State, Local, Counties, Cities, Private/Public Sectors, Academia certified professional with 12 years of experience in support of Army of security & Industry and Global computer and network security, defense, management and procurement experience involving penetration testing and software development of Category 4 – Security Penetration Testing: Matthew "Rudy" Benton, Senior Offensive Security Engineer and Senior offensive and defensive Provided intelligent and effective services within this category Penetration Tester, 12 years experience, OSCE, OSCP, CISSP, CISA, GCIH, CEH capabilities. including Security Penetration Testing Services. and Security+‐certified professional with 12 years of experience as an Army Eric Turner – Senior Consultant, OSCP. Eric is a Senior Consultant with Examples of specific activities includes activities but not be limited to officer leading Cyber Red Teams over four years of Internal Network Penetration Testing, External Network Penetration Brian Dillansnyder, Senior Offensive Security Developer and Senior penetration testing experience and as a general network.... Testing, Web Application Testing, Wireless Network Penetration Testing, Penetration Tester, OSCE, OSWP, OSCP, CISSP, CISA, and CEH certified Jeremy Archer – Senior Consultant, GCED, OSCP, CCNA, CISSP. Jeremy and Social Engineering Test Cases. professional with 8 years of experience as a Software engineer/developer has over 20 using .NET and 5 years of Java, 8 years of years of information technology and security experience,.... web development experience Rob Ditmer – Consultant, GPEN, CISSP. Rob has over six years of experience in information technology and security ...... b. List any other relevant Security and Compliance Industry See PDF Pgs. 157 ‐ 158 See Bios ‐ Jason L, Specialities: Compliance and Network Security, 20+ See PDF Pg. 78 See PDF Pgs. 47 ‐ 48 certifications that the Project Manager and key staff described may Project Advisor – Andrew Cannata, Principal, CISSP, QSA, CISM, 25+ years experience, QSA PCI, PA QSA, PCIP PCI, SANS GIAC GSNA, GCIH, Principal and Senior INFORMATION TECHNOLOGY (IT) SECURITY AND Darnell Macapinlac, JohnsTek Program Manager and Prime Contract have. Include copies of certificates, if applicable. years experience GPEN COMPLIANCE SERVICES Expert: Dr. Emmanuel Hooper, PhD, PhD, PhD Representative, 20 years experience, PMP, CompTIA Security +, ITIL V3, CISSP, Chris Sullo – Practice Lead, CISSP, RHCE, RHCT, 20+ years Thomas A, Specialities, Compliance and Network Security, 15+ years Information Security and Computing Sciences (Over 30 years of and CEH Peter Hefley – Senior Manager, GPEN, CISSP, GREM, CISA. Peter has a experience, QSA PCI, CISSP, HCISSP Professional Experience and 25 years of Research, Harvard and Yale Osvaldo Perez, Project Manager and Senior Cybersecurity Consultant, 12 broad base of John W, Compliance, Network Security, and Incident Response/Digital Alumnus, Summa Cum Laude, and Oxford Research, etc.) years experience, CISSP, CISA, C|EH, CPT, and Security+‐certified retired Army experience in systems administration, network security, information Forensics, QSA PCI, PA QSA, CISSP Global Information Intelligence LLC (100% Small Business, Minority, and Officer with 9 years of experience serving as Program Manager, Team Chief, warfare, and cryptography. Keith K, GRC, Security Architecture and Audit, 20+ years experience, Women Owned) Senior Trainer, and Quality Assurance Officer of the Army’s NSA‐certified and Steve Tornio – Senior Manager, OSCP, CISSP. Steve has been active CISSP By President, Dr. Emmanuel Hooper, PhD, PhD, PhD Computing Sciences USSTRATCOM‐accredited Cyber Red Team within the security Bradley A, Penetration Testing, 15+ years of experience, CISSP, OSCE, and Information Security Founder, Consortium for Emerging Pete Harris, Lead Offensive Security Engineer and Senior Penetration Tester, community for the past 20 years OSCP, CEH, SANS GIAC Technologies‐Harvard, Exemplary Models for 12 years experience, OSWP, OSCP, CISSP, CISA, GPEN, GWAPT, CEH and MCSA‐ Anthony Miller‐Rhodes – Senior Consultant. Anthony has several years Federal, State, Local, Counties, Cities, Private/Public Sectors, Academia certified professional with 12 years of experience in support of Army of security & Industry and Global computer and network security, defense, management and procurement experience involving penetration testing and software development of Category 4 – Security Penetration Testing: Matthew "Rudy" Benton, Senior Offensive Security Engineer and Senior offensive and defensive Provided intelligent and effective services within this category Penetration Tester, 12 years experience, OSCE, OSCP, CISSP, CISA, GCIH, CEH capabilities. including Security Penetration Testing Services. and Security+‐certified professional with 12 years of experience as an Army Eric Turner – Senior Consultant, OSCP. Eric is a Senior Consultant with Examples of specific activities includes activities but not be limited to officer leading Cyber Red Teams over four years of Internal Network Penetration Testing, External Network Penetration Brian Dillansnyder, Senior Offensive Security Developer and Senior penetration testing experience and as a general network.... Testing, Web Application Testing, Wireless Network Penetration Testing, Penetration Tester, OSCE, OSWP, OSCP, CISSP, CISA, and CEH certified Jeremy Archer – Senior Consultant, GCED, OSCP, CCNA, CISSP. Jeremy and Social Engineering Test Cases. professional with 8 years of experience as a Software engineer/developer has over 20 using .NET and 5 years of Java, 8 years of years of information technology and security experience,.... web development experience RbDit ClttGPEN CISSP Rbh i f

9 10/20/2017 1:35 PM RFQ A2114499R1 ‐ Broward County IT Security and Com Category 4 ‐ Security Penetration Testing

Prime: Marcum LLP Merchant Preservation Services, LLC d/b/a Licensing Matrix Sub: 24by7 Security CampusGuard MGT of America Consulting, LLC Nettitude, Inc. d/b/a Nettitude EVALUATION CRITERIA 1. Ability of Professional Personnel: a. Describe the qualifications and relevant experience of the Project See PDF Pg. 40 See PDF Pgs 512 ‐ 514. See PDF Pgs. 351 ‐ 355. See PDF Pg. 22. Manager and all key staff that are intended to be assigned to services For Marcum LLP’s proposed key staff, refer to profiles and certificates Tony Martinez, Project Manager, Project Management, Vulnerability Patrick Matthews, Security Consultant performed within this category. Include resumes for the Project available in Appendix A. Edward (Ed) Ko, Pen Test Manager, Multi Assessment, Physical Penetration Testing, Network Penetration Testing, Web IACRB – Certified Expert Penetration Tester Manager and all key staff described. Client Service and Engagement Partner: Campus PCI Experience, Information Privacy, Application Penetration Testing, Security Auditing, Secure Code Reviews, IACRB – Certified SCADA Security Architect Mark Agulnik, Partner, CPA, CISA, PCI‐QSA Network Analysis, Telecommunications, 12 Disaster Reovery/ Business Continuity Planning, Security Policy Design IACRB – Certified Computer Forensics Examiner Principal: years in security field; 16 years in experience Steve Porter, CISSP, GPEN, GWAPT, QSA, CEH, GICSP, GMOB, GCIH, Vulnerability Offensive Security Wireless Professional (OSWP) Heather Bearfield, Principal, CISA, CISM, CRISC, PCI‐QSA and responsibilities Assessment, Network Penetration Testing, PCI‐DSS Preparation & Remediation, Offensive Security Certified Professional (OSCP) Senior Manager (Project Lead): Chad Wheeler, ASV, Penetration Testing, Security Auditing, Database Security, Secure Code Reviews, Firewall Menachem Rothbart, Senior Security Consultant, 5+ years experience Jose Antigua, Senior Manager, CISA, ACDA, COBIT Vulnerability Scanning, Ethical Hacking, 8 years Administration, System Hardening and Patching, Disaster Recovery/Business Offensive Security Wireless Professional (OSWP) Senior Manager: experience in security related fields Continuity Planning & Design, Security Policy Design, Log Management Planning, Offensive Security Certified Professional (OSCP) Robert Coro, Senior Manager, CISA, CISM, PCI‐QSA Christopher Wallace, Penetration Testing, Design, Administration Offensive Security Certified Expert (OSCE) Vulnerability Scanning, 5 years experience in Henri St. Louis, CISSP, QSA, GCFE, OPST, Vulnerability Assessment, Network Milos Celic, Senior Consultant, 9 years experience security related field Penetration Testing, PCI‐DSS Preparation & Remediation, Security Auditing, Offensive Security Certified Professional (OSCP) Judi Seguy, CRM Manager, Project Manager, E‐ Database Security, Secure Code Reviews, System Hardening and Patching, Cisco Certified Network Associate (CCNA) commerce, PCI DSS compliance, General Disaster Recovery/Business Continuity Planning & Design, Security Policy Design Information Technology, 8 years experience in JJ Maria Giner, GPEN, Vulnerability Assessment, Network Penetration Testing, security related field in higher education and Web Application Penetration Testing information technology security

b. List any other relevant Security and Compliance Industry See PDF Pg. 40 Ed Ko, QSA, ASV, CISSP, CPISM/A See PDF Pgs. 351 ‐ 355. See PDF Pg. 22. certifications that the Project Manager and key staff described may For Marcum LLP’s proposed key staff, refer to profiles and certificates Chad Wheeler, QSA, ASV, CISSP, CPISM/A, Tony Martinez, Project Manager, Project Management, Vulnerability Patrick Matthews, Security Consultant have. Include copies of certificates, if applicable. available in Appendix A. OSCP, SSCP, CEH, CVE Assessment, Physical Penetration Testing, Network Penetration Testing, Web IACRB – Certified Expert Penetration Tester Client Service and Engagement Partner: Chris Wallace, OSCP Application Penetration Testing, Security Auditing, Secure Code Reviews, IACRB – Certified SCADA Security Architect Mark Agulnik, Partner, CPA, CISA, PCI‐QSA Disaster Reovery/ Business Continuity Planning, Security Policy Design IACRB – Certified Computer Forensics Examiner Principal: Steve Porter, CISSP, GPEN, GWAPT, QSA, CEH, GICSP, GMOB, GCIH, Vulnerability Offensive Security Wireless Professional (OSWP) Heather Bearfield, Principal, CISA, CISM, CRISC, PCI‐QSA Assessment, Network Penetration Testing, PCI‐DSS Preparation & Remediation, Offensive Security Certified Professional (OSCP) Senior Manager (Project Lead): Security Auditing, Database Security, Secure Code Reviews, Firewall Menachem Rothbart, Senior Security Consultant, 5+ years experience Jose Antigua, Senior Manager, CISA, ACDA, COBIT Administration, System Hardening and Patching, Disaster Recovery/Business Offensive Security Wireless Professional (OSWP) Senior Manager: Continuity Planning & Design, Security Policy Design, Log Management Planning, Offensive Security Certified Professional (OSCP) Robert Coro, Senior Manager, CISA, CISM, PCI‐QSA Design, Administration Offensive Security Certified Expert (OSCE) Henri St. Louis, CISSP, QSA, GCFE, OPST, Vulnerability Assessment, Network Milos Celic, Senior Consultant, 9 years experience Penetration Testing, PCI‐DSS Preparation & Remediation, Security Auditing, Offensive Security Certified Professional (OSCP) Database Security, Secure Code Reviews, System Hardening and Patching, Cisco Certified Network Associate (CCNA) Disaster Recovery/Business Continuity Planning & Design, Security Policy Design JJ Maria Giner, GPEN, Vulnerability Assessment, Network Penetration Testing, Web Application Penetration Testing

10 10/20/2017 1:35 PM RFQ A2114499R1 ‐ Broward County IT Security and Com Category 4 ‐ Security Penetration Testing

Licensing Matrix Optiv Security Plante & Moran, PLLC dba Plante Moran Presidio RSM US LLP EVALUATION CRITERIA 1. Ability of Professional Personnel: a. Describe the qualifications and relevant experience of the Project See PDF Pg. 235 See PDF Pgs. 37 ‐ 39 Resumes See PDF Pgs 75 ‐ 89. Andrew Weidenhamer, Director, National Secutiy Testing Lead, 15+ years Manager and all key staff that are intended to be assigned to services been trained in the processes and procedures for conducting these Joseph Olekask, CISSP, CRISC, Partner, 17+ years PDF Pg. 40 experience performed within this category. Include resumes for the Project assessments. experience The Presidio Project Managers are responsible for Martin Rubio, Manager, Security, Privacy and Risk Services, 18+ years Manager and all key staff described. The consultant resumes below are examples of the highly qualified Scott Petree, CPA, CISA, CFE, QSA, Principal, 17+ years managing all cyber security projects that include: Payment experience Optiv consultants that Broward can expect to work on this engagement. experience Card Industry Data Security Standard (PCI DSS), Health Ben Johnson, Senior, Security, Privacy, and Risk Services, 5 years experience Actual consultants will be determined based on availability at the time Saumil Shah, CISA, CEH, CCNA, Senior Manager, 8+ Insurance Portability and Accountability Act (HIPAA), IT William Martin, Senior, Security, Privacy and Risk Services, 6 years experience of proposal signature. Additional consultant biographies are available years experience Audit Services, Security Penetration testing, and Tyler Price, Associate, Security, Privacy and Risk Services, 3 years experience upon request. Andrea Selke, CISSP, Security+, Manager, 9+ years architecture consulting. Presidio’s project managers and Practice Manager – Dan Kottmann experience key staff have an extensive list of industry certifications that Dan Kottmann has a decade of professional experience in information Patrick Flanigan, CEH, Manager, 3+ years experience include: CISSP, CISA, CISM, CRISC, OSCP, GPEN, GWAPT, security focusing on vulnerability assessments, penetration testing and Shelby Mathers, Senior Consultant, Focus Area in attack G2700, CEH, ITIL Practitioner and ITIL (v3). In addition, consulting. Dan has conducted security assessments that include & penetration, vulnerability assessments, social Presidio has 1,600 engineers on the backend that provide components such as internal/external network and application engineering, wireless security, IT security audits and architecture design and implementation services. penetration testing, social engineering, wireless assessment and other network security assessments intrusion, and vulnerability assessments. In addition, Dan has executed Adam Cohen, Senior Consultant, 2+ years experience quarterly external scans for various clients based on the Payment Card Shabaz Khan, CEH, Consultant, experience in Industry (PCI) Data Security Standard. Dan also has performed web information security, control and IT audit application development using a number of common frameworks, Zachary Johnson, Consultant, Area of focus in technologies and languages. Lastly, Dan has acted as a primary resource penetration testing , vulnerability assessments, social for developing, executing and delivering advanced offerings and engineering, web application security testing, wireless engagements including breach simulations and endpoint security security testing, and IT security audits assessments......

b. List any other relevant Security and Compliance Industry See Pg. 236 See PDF Pgs. 37 ‐ 39 PDF Pg. 40 Andrew Weidenhamer, Offensive Security Certified Professional (OSCP), certifications that the Project Manager and key staff described may Certified Information Systems Security Professional (CISSP) Joseph Olekask, CISSP, CRISC, Partner, 17+ years Presidio brings Broward County our broad skill set and Certified information Systems Security Professional (CISSP), Certified have. Include copies of certificates, if applicable. Certified Information Security Manager (CISM) experience depth of experience. Our security engineering team is Information Systems Auditor (CISA), Certified Information Privacy Professional Offensive Security Certified Professional (OSCP) Scott Petree, CPA, CISA, CFE, QSA, Principal, 17+ years composed of Certified Information System Security (CIPP), Payment Application Qualified Security Assessor (PA‐QSA), Payment Offensive Security Certified Engineer (OSCE) experience Professionals (CISSPs), Certification and Accreditation Card Industry Qualified Security Assessor (PCI QSA), Information Organization Microsoft Certified Systems Engineer (MCSE) Saumil Shah, CISA, CEH, CCNA, Senior Manager, 8+ Professionals (CAPs), InfoSec Assessment Methodology for Standardization 27001 Provisional Auditor (ISO 27001) Cisco Certified Security Administrator (CCNA) years experience (IAM) professionals, Certified Ethical Hackers (CEHs), and Martin Rubio, National Security Agency ‐ InfoSec Assessment Methodology Cisco Certified Security Professional (CCSP) Andrea Selke, CISSP, Security+, Manager, 9+ years Certified Information Security Managers (CISMs). This (NSA IAM), Institute for Security Open Methodologies Open Source Security GIAC Web Application Penetration Tester (GWAPT) experience highly trained and experienced group has completed many Testing Methodology Manual Professional Security Analyst (ISECOM OPSA), GIAC Certified Forensic Analyst (GCFA) Patrick Flanigan, CEH, Manager, 3+ years experience Vulnerability Risk Assessment (VRA) and Security eSecurity Certified Professional Penetration Tester (eCPPT) GIAC Certified UNIX Security Administrator (GCUX) Shelby Mathers, Senior Consultant, Focus Area in attack Certification and Accreditation (C&A) projects, tests, Ben Johnson, Certified information Systems Security Professional (CISSP), GIAC Security Essentials Certification (GSEC) & penetration, vulnerability assessments, social evaluations, and related services. Exhibit 4 illustrates Global Information Assurance Certification Mobile Device Security Analyst engineering, wireless security, IT security audits and Presidio’s Security Certifications. Our security professionals (GIAC GMOB), Global Information Assurance Certification Web Application other network security assessments keep current with changes in the information security space Penetration Tester (GIAC GWAPT) Adam Cohen, Senior Consultant, 2+ years experience and are considered thought‐leaders in the market. Each William Martin, Offensive Security Certified Professional (OSCP) Shabaz Khan, CEH, Consultant, experience in security team member has extensive experience Tyler Price, Certified Ethical Hacker (CEH), Certified Penetration Tester (CPT) information security, control and IT audit performing VRA and C&A services for commercial, Zachary Johnson, Consultant, Area of focus in enterprise, and government clients and is well acquainted penetration testing , vulnerability assessments, social with applicable compliance regulations.Presidio other engineering, web application security testing, wireless relevant Security and Compliance Industry certifications not security testing, and IT security audits required in the RFQ include CRISC, QWAPT, G2700, ITIL Practitioner and ITIL (3)

11 10/20/2017 1:35 PM RFQ A2114499R1 ‐ Broward County IT Security and Com Category 4 ‐ Security Penetration Testing

Verizon Business Network Services Licensing Matrix SeNet International Corporation SHI International Corp Inc. d/b/a Verizon Business Services EVALUATION CRITERIA 1. Ability of Professional Personnel: j g a. Describe the qualifications and relevant experience of the Project See Pages 5 ‐ 10 The SHI Security Services team are all senior level Penetration Testing engagements is performed Manager and all key staff that are intended to be assigned to services Qualifications and Experience Security Professionals with each having 20+ years’ by three roles: performed within this category. Include resumes for the Project experience. Specific skill sets may vary but overall each • Engagement Manager – The Engagement Manager and all key staff described. has experience working with various industry security Manager is responsible for the overall frameworks and providing Security Assessments and quality and timeliness of the deliverables. The Penetration Testing. The team holds many different Engagement Manager will ensure that the Security related certifications however all have CISSP overall project schedule is met; that appropriate, certifications. skilled and knowledgeable resources are provided for each phase and task of the initiative. He will ensure that you are satisfied with the collaborative support provided by Verizon. • Project Manager – The Project Manager will be responsible for running the project, scheduling and conducting status meetings, facilitating data exchange, and serving as the primary point of contact for the engagement. • Expert Security Engineering Staff ‐ The Engagement Manager will be supported by Verizon’s staff of trained consultants and engineers. The staff assigned to the project will be based upon the actual project schedule and the knowledge required for accomplishing the scope of this engagement. Actual resumes will be provided upon contract award or down selection. b. List any other relevant Security and Compliance Industry See Pages 5 ‐ 10 MBA – Master of Business Administration Security relevant certifications of Verizon’s US‐ certifications that the Project Manager and key staff described may Qualifications and Experience CGEIT – Certified in Governance of Enterprise based Penetration Testing consulting staff include: have. Include copies of certificates, if applicable. Information Technology • Certified Information Systems Security ISSAP –Information Systems Security Architecture Professional [CISSP] Professional • EC‐Council: Certified Ethical Hacker [CEH] GIAC – Global Information Assurance Certification • Mile2: Certified Pen Testing Specialist [CPTS] o GPEN – GIAC Penetration Tester Certification • Certified Wireless Network Administrator o GCFA – GIAC Certified Forensic Analyst [CWNA] o GAWN – GIAC Auditing Wireless Networks • Cisco CCNA Certified CEH – Certified Ethical Hacker • Cisco CCSP (SECURE, CIDS) [CCSP] TCNA – Tenable Certified Nessus Auditor • SANS GREM PMP – Project Management Professional All Penetration Testing Project Managers have ITILv3 – Information Technology Infrastructure Library Project Management Professional (PMP) version 3 certifications.

12 10/20/2017 1:35 PM RFQ A2114499R1 ‐ Broward County IT Security and Compliance Services Category 4 ‐ Security Penetration Testing

Prime: 3K Technologies LLC Subs: Managni Systems, Inc. ; Aujas Information Risk Licensing Matrix 1st Secure IT LLC Services ATT 2. Project Approach: a. Describe the prime Vendor’s approach to performing similar work See PDF Pgs. 157 ‐ 159. See file "Evaluation ‐ Cat 4" See PDF Pg. 525 ‐ 541 in this Category. IMPLEMENTATION ROADMAP AND TIMING We are going to take a holistic approach to the project. First is to The Payment Card Industry Data Security Standards (PCI DSS) includes 12 Requirement understand the complete environment at Broward county, CONFIDENTIAL sections in which several sub‐requirements are within each main requirement. Overall, there including the network infrastructure, Linux machines, web are approximately 300+ individual requirements that must be met to be considered “PCI servers, Linux servers, application running and the complete Pgs 35: Certified”. The PCI DSS address all areas of operations to ensure the protection of cardholder infrastructure. We are going to lay down a comprehensive effort Non‐Disclosure Statement "The information in this document is AT&T data. Therefore, a significant effort is required by all departments within an organization to to get this started. Then, we will identify the right tools to start Corp. Confidential, and cannot be reproduced or redistributed in any way, establish and maintain a PCI DSS certified environment. Here’s a high level overview of the using it upon vendor acceptance. The goal is to lay down a phased shape, or form without prior written consent from AT&T Corp. © standard: 1st Secure IT has a repeatable and proven methodology for helping our clients approach to penetration testing, including the pre‐work as well as Copyright 2017 AT&T Corp. AT&T Corp., the AT&T Corp. logo, and all other achieve PCI DSS any precautions that needs to be taken so that the results are trademarks, service marks, and designs are registered or unregistered Compliance. On Page 10 of the PCI Data Security Standard it states “The first step of a PCI DSS accurate. trademarks of AT&T Corp. Intellectual Property and/or AT&T Corp. assessment is to accurately determine the scope of the review. At least annually and prior to affiliated the annual assessment, the assessed entity should confirm the accuracy of their PCI DSS scope companies." by identifying all locations and flows of cardholder data, and identify all systems that are connected to or, if compromised, could impact the Cardholder Data Environment (CDE) to Pgs 36‐ 223: ensure they are included in the PCI DSS scope.” To this end, our PCI Compliance "AT&T Consulting Proprietary and Confidential Information" Implementation Roadmap will start with a comprehensive PCI DSS scope review. After the CDE has been accurately defined, the next step is to work with our client to implement scope Pgs 418‐568 AT&T Proprietary: The information contained herein is for reduction use by authorized persons only and is not for general distribution. methods as necessary.....

b. Number of employees, coordination efforts, servers and workers 1st Secure IT LLC has 7 employees located at their headquarters in Ft. Lauderdale, FL. They See file "Evaluation ‐ Cat 4" located within USA maintain 10 servers in a FTL Hosting facility. Number of employees will be determined based on the CONFIDENTIAL infrastructure we have to maintain and cover for penetration testing. It will also depend on the timeframe required to complete Pgs 35: the project. Non‐Disclosure Statement "The information in this document is AT&T Corp. Confidential, and cannot be reproduced or redistributed in any way, shape, or form without prior written consent from AT&T Corp. © Copyright 2017 AT&T Corp. AT&T Corp., the AT&T Corp. logo, and all other trademarks, service marks, and designs are registered or unregistered trademarks of AT&T Corp. Intellectual Property and/or AT&T Corp. affiliated companies."

Pgs 36‐ 223: "AT&T Consulting Proprietary and Confidential Information"

Pgs 418‐568 AT&T Proprietary: The information contained herein is for use by authorized persons only and is not for general distribution.

13 10/20/2017 1:35 PM RFQ A2114499R1 ‐ Broward County IT Security and Com Category 4 ‐ Security Penetration Testing

Prime: Carahsoft Technology Corp Licensing Matrix BreakPoint Labs Solution Provider: Trustwave Crowe Horwath LLP Enterprise Risk Management, Inc. 2. Project Approach: a. Describe the prime Vendor’s approach to performing similar work See PDF Pgs. 11 ‐ 20. See PDF Pg. 30 See PDF Pgs. 92 ‐ 102 See PDF Pg. 114 ‐ 115 in this Category. Full External Perimeter Evaluation ‐ Our Approach Managed Security Testing (MST) service is a subscription based Security Penetration Testing a. Approach During an External Penetration Test, BreakPoint Labs will emulate the presence of an adversary trying to attack managed vulnerability scanning and penetration testing service. MST It is our understanding that it is the goal of the County is to engage a A review of the project’s objectives, scope, scheduled activities, the organization externally. BPL will evaluate all external helps identify vulnerabilities and findings that can lead to data firm for Security Penetration Testing Services, including Internal assumptions and or possible constraints will be reviewed with systems and services for the target organization utilizing the following methodology: compromise in Networks, Applications, and Databases, which helps Network Penetration Testing, External Network Penetration Testing, client key personnel and staff during a project kickoff meeting. 1. Scoping organizations measure and manage risk. Web Application Testing, Wireless Network Penetration Testing, and Client shall cooperate with ERM in the performance of ERM’s 2. Reconnaissance: Discovery The MST service consists of: Social Engineering Test Cases. To help the County achieve its goals, services. To comply with budgeted project estimates, ERM requires 3. Automated Testing: Enumeration Reconnaissance, which is the information gathering and discovery we have outlined the following approach. the timely, complete and accurate cooperation from the client. 4. Manual Testing process to understand the Client’s Target System(s) and the scope of Crowe’s Penetration Assessments can provide a unique perspective External/Internal Network Penetration Test 5. Reporting the required scanning and/or testing of those systems. into the security of an organization on multiple levels. Crowe’s The main objective of this assessment is to perform an 6. Remediation Support Scanning & testing, this helps identify potential vulnerabilities or approach is customized for each client and engagement providing external/internal network penetration test of the organization’s Key Objectives weak configurations of the Clients Target System(s), the confirmation value targeted toward your specific requirements. Flexibility is technical infrastructure. We will assess the overall network security Enumerate to the Broward County Board of County Commissioners’ external technology footprint and evaluate and evaluation of those vulnerabilities and the attempted exploitation derived from clearly understanding your goals for the engagement including the network perimeter devices residing on network the Internet facing services and current controls of, and extraction of data from, the Clients Target System(s). and tailoring our service to complement the business requirements. segments (DMZ and internal) and the Internet for potential to identify exploitable vulnerabilities. Attempt to leverage the vulnerabilities enumerated to gain elevated Reporting, is the provision of results of the Client Target System(s) Testing involves specialized Crowe Security and Privacy vulnerabilities that could expose critical organizational systems and privilege (root/administrative level access) to the Broward County Board of County Commissioners’ systems. scans and where relevant tests, as a completed report available professionals who are adept at using the same tools and techniques applications; customer information; organization information, and Enumerate any security concerns related to configuration of to the Broward County Board of County through the TrustKeeper Client Portal. as those leveraged by the hacking community. Thoroughly testing an financial assets. This assessment will be conducted combining the Commissioners’ DMZ, Internet facing services, Wireless, Email, Telecommunications, and DR environment.... organization for vulnerabilities includes testing both the technical tools and techniques used by malicious "hackers" with disciplined aspects of information security as well as the scientific procedures to provide unique insight into the state of human element... security in the information systems environment of the organization. The security assessment will provide the organization with a diagnosis of network vulnerabilities from an external and internal perspective....

b. Number of employees, coordination efforts, servers and workers See PDF Pgs. 11 ‐ 20. See PDF Pg. 31 See PDF Pgs. 92 ‐ 102 See PDF Pg. 115 located within USA Full External Perimeter Evaluation ‐ Our Approach Trustwave has a team of 100+ dedicated Penetration Testers. This is Security Penetration Testing ERM has approximately 30 full time employees. Of these During an External Penetration Test, BreakPoint Labs will emulate the presence of an adversary trying to attack one of the largest teams in the industry. Unlike most of our It is our understanding that it is the goal of the County is to engage a employees, 25 are located in the USA. Only the organization externally. BPL will evaluate all external competitors, our penetration testers are not general consultants. They firm for Security Penetration Testing Services, including Internal full time employees located in the USA will work in these systems and services for the target organization utilizing the following methodology: only work in their area– which means they only perform penetration Network Penetration Testing, External Network Penetration Testing, engagements. 1. Scoping testing within their specialization. With such Web Application Testing, Wireless Network Penetration Testing, and Regarding coordination efforts, Esteban Farao will be the Project 2. Reconnaissance: Discovery laser focus, they stay on top of the latest threats and attack vectors in a Social Engineering Test Cases. To help the County achieve its goals, Manager. He will lead a project kickoff 3. Automated Testing: Enumeration way that general consultants never could. All employees and servers we have outlined the following approach. meeting, send the information requirements, manage the project, 4. Manual Testing would be within the United States. Trustwave has over 900 total Crowe’s Penetration Assessments can provide a unique perspective communicate with the client 5. Reporting employees in the US. into the security of an organization on multiple levels. Crowe’s project team, lead project update calls and meeting as well as 6. Remediation Support approach is customized for each client and engagement providing delivery the final reports and Key Objectives value targeted toward your specific requirements. Flexibility is presentations. Enumerate to the Broward County Board of County Commissioners’ external technology footprint and evaluate derived from clearly understanding your goals for the engagement All of ERM’s severs are located at the ERM’s headquarters in Coral the Internet facing services and current controls and tailoring our service to complement the business requirements. Gables, Florida. to identify exploitable vulnerabilities. Attempt to leverage the vulnerabilities enumerated to gain elevated Testing involves specialized Crowe Security and Privacy privilege (root/administrative level access) to the Broward County Board of County Commissioners’ systems. professionals who are adept at using the same tools and techniques Enumerate any security concerns related to configuration of to the Broward County Board of County as those leveraged by the hacking community. Thoroughly testing an Commissioners’ DMZ, Internet facing services, Wireless, Email, Telecommunications, and DR environment.... organization for vulnerabilities includes testing both the technical aspects of information security as well as the human element...

14 10/20/2017 1:35 PM RFQ A2114499R1 ‐ Broward County IT Security and Com Category 4 ‐ Security Penetration Testing

Prime: JohnsTek Inc. Licensing Matrix Focal Point Data Risk LLC Foresite MSP LLC Global Information Intelligence LLC Sub: IOMAXIS 2. Project Approach: a. Describe the prime Vendor’s approach to performing similar work See PDF Pgs. 159 ‐ 164 See "Broward Security Services 2017" See PDF Pg.41 See PDF Pgs. 49 ‐ 56 in this Category. APPROACH Global Information Intelligence will apply its expert and proven JohnsTek Team’ approach to meeting the requirements outlined in the Focal Point’s Approach to Project Management methodology to provide BROWARD COUNTY with INFORMATION solicitation begins with the unique ability to tailor our level of support and Project Lead – Focal Point’s project lead will be responsible for the TECHNOLOGY (IT) SECURITY AND COMPLIANCE SERVICES using align it to the client’s request. Depending on the size and communication of progress updates as well as the management and Intelligent, Proactive and Robust and Resilient methods that include complexity of the applications and specific work to be performed, we identify coordination of all staff activities. proactive recommendations and remediation sample for design and the appropriate staff with the specific skillsets best suited for the technology Quality Assurance (QA) – Focal Point’s objective is to exceed Broward’s implementation operational effectiveness for INFORMATION being tested, and use that to determine the actual staff expectations. As such, Focal Point will employ a team‐based approach TECHNOLOGY (IT) SECURITY AND COMPLIANCE SERVICES: Network levels required to meet the scope and period of performance requirements of to this engagement. Our team managers assessment of BROWARD COUNTY Corporate Network and its Broward County for each task. will coordinate fieldwork and develop project deliverables, while our Operations Technology Network.... Figure 1 below illustrates JohnsTek Team’s approach to meeting Broward senior consultants and consultants perform project activities and County’s requirements. The approach is incorporated into a Technical gather data for our reports. Focal Point’s professionals Assessment Plan (TAP) specifically designed to satisfy the penetration testing are trained to continuously review the quality of service and objectives required by Broward County. The TAP will be broken down into production provided at each level. three (3) stages: Pre‐Engagement (Preparation), Engagement (Penetration As a result, prior to release to Broward, all reports and deliverables will Testing Activities), Post‐Engagement (Deliverables). The TAP also includes a undergo a stringent QA process. Once Focal Point has approved the detailed timeline that denotes milestones mapped to the outputs for each draft report internally, the draft report will be stage. The ROE is then generated and integrated as the final portion of the released to Broward for review. TAP, codifying JohnsTek Team’s boundaries, the scope and nature of the The following phases offer a high‐level illustration of the approach we engagement, and the specific activities will take on this engagement.... authorized and/or prohibited by Broward County.

b. Number of employees, coordination efforts, servers and workers See PDF Pgs. 159 ‐ 164 The consulting team has over 20 people across the US. Our servers are See PDF Pg.41 See PDF Pgs. 49 ‐ 56. located within USA APPROACH supported in SSAE18 Co‐Los Global Information Intelligence will apply its expert and proven JohnsTek Team’ approach to meeting the requirements outlined in the Focal Point’s Approach to Project Management methodology to provide BROWARD COUNTY with INFORMATION solicitation begins with the unique ability to tailor our level of support and Project Lead – Focal Point’s project lead will be responsible for the TECHNOLOGY (IT) SECURITY AND COMPLIANCE SERVICES using align it to the client’s request. Depending on the size and communication of progress updates as well as the management and Intelligent, Proactive and Robust and Resilient methods that include complexity of the applications and specific work to be performed, we identify coordination of all staff activities. proactive recommendations and remediation sample for design and the appropriate staff with the specific skillsets best suited for the technology Quality Assurance (QA) – Focal Point’s objective is to exceed Broward’s implementation operational effectiveness for INFORMATION being tested, and use that to determine the actual staff expectations. As such, Focal Point will employ a team‐based approach TECHNOLOGY (IT) SECURITY AND COMPLIANCE SERVICES: Network levels required to meet the scope and period of performance requirements of to this engagement. Our team managers assessment of BROWARD COUNTY Corporate Network and its Broward County for each task. Figure 1 below illustrates JohnsTek Team’s will coordinate fieldwork and develop project deliverables, while our Operations Technology Network.... approach to meeting Broward County’s requirements. The approach is senior consultants and consultants perform project activities and incorporated into a Technical Assessment Plan (TAP) specifically designed to gather data for our reports. Focal Point’s professionals satisfy the penetration testing objectives required by Broward County. The are trained to continuously review the quality of service and TAP will be broken down into three (3) stages: Pre‐Engagement (Preparation), production provided at each level. Engagement (Penetration Testing Activities), Post‐Engagement (Deliverables). As a result, prior to release to Broward, all reports and deliverables will The TAP also includes a detailed timeline that denotes milestones mapped to undergo a stringent QA process. Once Focal Point has approved the the outputs for each stage. The ROE is then generated and integrated as the draft report internally, the draft report will be final portion of the TAP, codifying JohnsTek Team’s boundaries, the scope and released to Broward for review. nature of the engagement, and the specific activities authorized and/or The following phases offer a high‐level illustration of the approach we prohibited by Broward County.... will take on this engagement....

15 10/20/2017 1:35 PM RFQ A2114499R1 ‐ Broward County IT Security and Com Category 4 ‐ Security Penetration Testing

Prime: Marcum LLP Merchant Preservation Services, LLC d/b/a Licensing Matrix Sub: 24by7 Security CampusGuard MGT of America Consulting, LLC Nettitude, Inc. d/b/a Nettitude 2. Project Approach: a. Describe the prime Vendor’s approach to performing similar work See PDF Pg. 41 See PDF Pg 515 ‐ 520. See PDF Pgs. 356 ‐ 358. See PDF Pgs. 23 ‐ 28. in this Category. Firm’s history Penetration testing involves simulating an We pride ourselves on our years of continuous business and these two NETWORK PENTRATION TESTING METHODOLOGY Marcum LLP is one of the largest independent public accounting and advisory actual attack on the customer’s network to test cornerstone tenants of our business: In‐Depth Understanding of State and Local One of the primary objectives of a penetration test is to identify risk services firms in the nation, with offices in major business markets throughout the effectiveness of an organization’s Government—MGT has worked almost exclusively presented by a given system, in a safe and effective manner. A penetration the U.S., Grand Cayman and China. investment in security defenses. This type of with the public sector. As a result, we understand the challenges and unique test is an attack on a computer system or infrastructure that looks for Headquartered in New York City, Marcum provides a full spectrum of testing helps to determine what a malicious issues inherent in the operations of state and local government programs and security weaknesses, potentially gaining access to the environment and traditional tax, accounting and assurance services; advisory, valuation and person may actually accomplish in a real world service delivery. Because many of our staff have worked in government, we have data. A penetration test can help determine whether a system is litigation support; and an extensive range of specialty and niche industry hacking effort. The goal of the penetration test a clear understanding of the state and local vulnerable to attack, if the defenses were sufficient, and practices. The Firm serves both privately held and publicly traded companies, is to ensure the best security posture for government structure, control agencies, budgetary processes, and political which defenses (if any) the test defeated. It is therefore of high importance as well as high net worth individuals, private equity and hedge funds, with a Broward County through the discovery of environment. Our Focus is on Business Understanding and Analysis—MGT to ensure that the engagement is designed and planned effectively..... focus on middle‐market companies and closely held family businesses. vulnerabilities that may affect the consistently focuses on identifying and implementing the most effective and Marcum is a member of the Marcum Group, an organization providing a confidentiality, integrity, and availability of the efficient methods for achieving operational objectives in all of our engagements. comprehensive array of professional services. institution’s data. Below, we address commonly No matter what the task, we “cut to the chase,” and work to provide the most asked questions viable business solutions in the shortest amount of time, at the lowest cost. We about PCI penetration tests. understand the importance of streamlining business processes and we know how to pinpoint the most efficient and effective methodologies for specific situations. Based on our previous work with the County and more than 40 years of experience in providing consulting services to federal, state, and local government clients, MGT knows that the success of any project is based upon the project management. Our project manager will work in tandem with the County’s designated project lead to drive the MGT project management principals and guidelines for the development of your customized solutions.

b. Number of employees, coordination efforts, servers and workers See PDF Pg. 45 See PDF Pg 520. Our firm of over 60 professionals has successfully managed more than 8,500 See PDF Pgs. 23 ‐ 28. located within USA Being a National firm with 29 offices and approximately 1,550 professionals, Merchant Preservation Services LLC, d/b/a client engagements nationally with a significant portion of MGT’s engagements NETWORK PENTRATION TESTING METHODOLOGY we serve as a strategic alternative to the much larger firms. The partners and CampusGuard, was established for the sole being repeat business, reflecting the firm’s commitment to achieving a high level One of the primary objectives of a penetration test is to identify risk managers with whom you will develop relationships, drive all major decisions; purpose of providing information security of customer satisfaction and ability to exceed the expectations of clients. Prior to presented by a given system, in a safe and effective manner. A penetration possessing both the appropriate resources and decision making authority. Our services for multi campus environments. We working with public sector entities as consultants, many of our staff worked in test is an attack on a computer system or infrastructure that looks for local firm approach provides hands‐on service and timely communication, deliver professional services in the areas government agencies as executives and managers. This insider's knowledge of security weaknesses, potentially gaining access to the environment and resulting in the County receiving the best of both worlds. Marcum has more of PCI DSS, Red Flags, FERPA, HIPAA, GLBA, and government structure and process gives MGT a competitive advantage and an data. A penetration test can help determine whether a system is than 20 professionals dedicated to providing IT Audit and Technology other areas regarding protecting personally ability to hit the ground running from the very start of a project. Our vulnerable to attack, if the defenses were sufficient, and Services.... identifiable information. CampusGuard was organization leverages leading project management solutions, and highly which defenses (if any) the test defeated. It is therefore of high importance founded in 2009 as an alternative for public qualified trained professionals throughout all aspects of our engagements in to ensure that the engagement is designed and planned effectively..... sector and education based sectors seeking a order to ensure the best customer experience at every stage. partner that has not only deep experience with information security, but understands the complexities of applying the standards into the culture that separates multi campus environments from all other areas of enterprise.

16 10/20/2017 1:35 PM RFQ A2114499R1 ‐ Broward County IT Security and Com Category 4 ‐ Security Penetration Testing

Licensing Matrix Optiv Security Plante & Moran, PLLC dba Plante Moran Presidio RSM US LLP 2. Project Approach: a. Describe the prime Vendor’s approach to performing similar work See PDF Pg. 236 See PDF Pgs. 39 ‐ 44. Pdf Pg. 40 in this Category. Comprehensive Perimeter and Internal Penetration Test The Pen Test will focus on simulating various threat The Presidio Cyber Security Penetration Testing is Optiv’s Comprehensive Penetration Test leverages an in‐depth scenarios. These threats range from external comprised of a group of subject matter experts with various methodology that uses commercial and customized nonknowledgeable “drive‐by” attacks, to targeted disciplines and backgrounds that span all domains related tools designed to ensure thorough analysis of the targets and attack authorized knowledgeable insiders. Using current threat to the cyber arena. Our expert knowledge provides us with See Pdf Pgs 48 ‐ 63 surface. Optiv begins with a discovery phase, intelligence, our cybersecurity specialists will work with the ability to act as the adversary’s advocate by The following section describes RSM’s approach in conducting similar work in using proprietary methods and open source tools to establish a the County to identify specific targets and implementing dynamic, multi‐faceted, and multi‐vectored this Category. comprehensive view of Broward County’s network, goals and launch controlled attacks from common attacks and knowledgeably role‐play the adversary, using a External Penetration Testing systems, and applications. Multiple automated scans, paralleled with footholds including: network perimeter, remote controlled, realistic, interactive process for defensive Penetration testing attempts to actively identify and exploit vulnerabilities on manual examination, are used to expose access, unauthenticated and authenticated internal purposes. the County’s network potential weaknesses that may exist within the network. Optiv will network access, enterprise applications, and physical The sole purpose of Presidio’s Cyber Security Penetration systems and devices. Externally, the penetration test attempts to identify and perform penetration testing on unauthenticated access.... Testing is to provide staged intrusions that will exercise exploit vulnerabilities on the web applications (and using authenticated application roles if defined in Broward County’s incident response capabilities, measure County’s publically facing systems and devices. These types of devices include the scoping assumptions), looking for organizational resilience (socially, physically, technically, but are not limited to: weaknesses such as those defined in the OWASP Top 10 Application and procedurally), and provide realistic attack scenarios • Web servers vulnerability categories that could lead to through the use of threat modeling techniques. If utilized • File Transfer Protocol (FTP) servers system compromise or sensitive information disclosure.... correctly, Penetration Testing will provide realistic training • VPN concentrators for incident response teams, improve decision making skills, • Mail servers increase efficiency and response times to real word Any critical finding discovered during the penetration testing phase will be incidents, increase security awareness among the immediately reported informally organization, demonstrate true business risk, and assess to the County’s technical staff and point‐of‐contact. At the end of the Broward County’s defense‐in‐depth strategy. assessment, all results of our testing activities will be reported to you in a formal report that documents our activities, findings and recommendations. b. Number of employees, coordination efforts, servers and workers See PDF Pg. 247 Plante Moran has over 2,000 employees and 500 servers PDF Pg. 42 Our security testing service line is staffed by approximately 50 qualified located within USA Optiv has approximately 55 employees dedicated to Security in the USA. Presidio has twenty‐three (23) people on our Cyber Security penetration testers spread across the United States. All such testers have Penetration Testing consulting practice with Consulting team, all whom are Presidio employees located baseline skillsets that include vulnerability scanning, manual validation of plans to increase the size of the staff in the next few years. All within the USA. The Presidio Cyber Security Project findings, network and operating system penetration testing, and wireless coordination efforts, servers, and workers are Managers coordinate all the resources on the Presidio penetration testing. located in the USA. team. The group is then further divided into specialties such as web application assessments, database assessments, ERP assessments, mobile app/device assessments, and social engineering. All coordination efforts provided to the County will be led by the penetration testing services project manager and tracked formally within RSM’s project management/tracking system. RSM conducts all external testing through their testing lab based out of Chicago. This lab has ~5 servers that have a myriad of both commercial and proprietary tools installed on them. For internal testing, RSM consultants have firm provided laptops using full disk encryption. RSM never stores any client sensitive data after the testing is complete other than the final deliverable which is stored on a single internal server hosted at RSM.

17 10/20/2017 1:35 PM RFQ A2114499R1 ‐ Broward County IT Security and Com Category 4 ‐ Security Penetration Testing

Verizon Business Network Services Licensing Matrix SeNet International Corporation SHI International Corp Inc. d/b/a Verizon Business Services 2. Project Approach: a. Describe the prime Vendor’s approach to performing similar work See Pages 21 ‐ 37. See Pages 12 ‐ 13. A Penetration testing service description is in this Category. SHI follows a tested and repeatable penetration testing embeded in document but unable to open. methodology designed to provide consistent technical results and ensure full coverage of the defined scope. Although our penetration testers are guided by the following methodologies, results or findings from a particular phase may guide a tester down a specific path that their experience indicates may be more productive; this is critical in many engagements which have limited levels of effort and permits SHI to provide the most value for resources applied.

b. Number of employees, coordination efforts, servers and workers See Pages 5 ‐ 10. 10 Senior Level Penetration Testing Consultants located within USA 5 Penetration Testing Project Managers 3 Penetration Testing Principal Consultants All servers needed to conduct the penetration test are physically located in the United States.

The SHI Security Services team has 6 active members with 2 openings. Additionally each assessment is assigned a Project Manager from a team of 8 PM’s. All SHI services teams are US based.

18 10/20/2017 1:35 PM RFQ A2114499R1 ‐ Broward County IT Security and Compliance Services Category 4 ‐ Security Penetration Testing

Prime: 3K Technologies LLC Subs: Managni Systems, Inc. ; Aujas Information Risk Licensing Matrix 1st Secure IT LLC Services ATT c. Describe vendor’s plan to meet key milestones and deadline dates See PDF Pgs. 158 ‐ 159. See file "Evaluation ‐ Cat 4" including communication plan. METHODOLOGY We will have a project manager to help engage in the discussions CONFIDENTIAL Our approach is to inform, assist and advise the assessed company each step of the way. We and monitor the project and coordinate all the activities and employ a proven project framework that will rapidly assess and document specific PCI‐DSS players during the project. Pgs 35: challenges. Recognizing that maximizing the time allocated for this engagement is critical, the Non‐Disclosure Statement "The information in this document is AT&T assessment framework is conducted through scheduled work and project management Corp. Confidential, and cannot be reproduced or redistributed in any way, sessions. The nine phases of our compliance methodology are: shape, or form without prior written consent from AT&T Corp. © Phase 1 ‐ Preliminary meeting/documentation request. This phase will review service Copyright 2017 AT&T Corp. AT&T Corp., the AT&T Corp. logo, and all other requirements and deliverables and it helps us to identify significant system information that trademarks, service marks, and designs are registered or unregistered the trademarks of AT&T Corp. Intellectual Property and/or AT&T Corp. 1st Secure IT Auditor will need to collect and analyze. affiliated Phase 2 – Review and Assess documentation. Determine primary audit focus and general companies." CDE scope. Phase 3 ‐ Discovery (interview, data discovery, Service Provider Identification) during this Pgs 36‐ 223: phase we will collect data and examine all existing business processes that involve cardholder "AT&T Consulting Proprietary and Confidential Information" data, interview key personnel, review and analyze cardholder dataflow and network topology and Pgs 418‐568 AT&T Proprietary: The information contained herein is for gather an inventory of all components that process, transmit or store cardholder data. The use by authorized persons only and is not for general distribution. following chart defines the characteristics of cardholder data (CHD) and Sensitive Authentication Data (SAD): Since the CDE consists of all systems and functions that store, process and/or transmit cardholder data, it’s important to understand the elements of data that is permitted to be stored. The PCI DSS permits the storage of the PAN, Cardholder Name, Service Code, and Expiration Date. However, the PAN must be stored in an unreadable format.

19 10/20/2017 1:35 PM RFQ A2114499R1 ‐ Broward County IT Security and Com Category 4 ‐ Security Penetration Testing

Prime: Carahsoft Technology Corp Licensing Matrix BreakPoint Labs Solution Provider: Trustwave Crowe Horwath LLP Enterprise Risk Management, Inc. c. Describe vendor’s plan to meet key milestones and deadline dates See PDF Pgs. 11 ‐ 20. See PDF Pg. 31 See PDF Pg. 131 ‐ 132 See PDF Pg. 115 including communication plan. Full External Perimeter Evaluation ‐ Our Approach For Security Testing Services, all tests/scans are scheduled by you, the Security Penetration Testing ERM Project Manager will develop a Project Plan which details all During an External Penetration Test, BreakPoint Labs will emulate the presence of an adversary trying to attack customer, who has ultimate control as to when tests get done. It is our understanding that it is the goal of the County is to engage a key milestones and deadline dates. the organization externally. BPL will evaluate all external Penetration tests under our Managed Security Testing (MST) solution firm for Security Penetration Testing Services, including Internal ERM Project Manager will work with the client to adjust based on systems and services for the target organization utilizing the following methodology: has a two Network Penetration Testing, External Network Penetration Testing, client needs. The Communication 1. Scoping (2) week lead time. Web Application Testing, Wireless Network Penetration Testing, and Plan will be discussed and agreed to during the kick‐off call. ERM’s 2. Reconnaissance: Discovery Social Engineering Test Cases. To help the County achieve its goals, communication plans typically 3. Automated Testing: Enumeration we have outlined the following approach. include weekly status updates as well as updates based on key 4. Manual Testing Crowe’s Penetration Assessments can provide a unique perspective milestones and deadlines. 5. Reporting into the security of an organization on multiple levels. Crowe’s 6. Remediation Support approach is customized for each client and engagement providing Key Objectives value targeted toward your specific requirements. Flexibility is Enumerate to the Broward County Board of County Commissioners’ external technology footprint and evaluate derived from clearly understanding your goals for the engagement the Internet facing services and current controls and tailoring our service to complement the business requirements. to identify exploitable vulnerabilities. Attempt to leverage the vulnerabilities enumerated to gain elevated Testing involves specialized Crowe Security and Privacy privilege (root/administrative level access) to the Broward County Board of County Commissioners’ systems. professionals who are adept at using the same tools and techniques Enumerate any security concerns related to configuration of to the Broward County Board of County as those leveraged by the hacking community. Thoroughly testing an Commissioners’ DMZ, Internet facing services, Wireless, Email, Telecommunications, and DR environment.... organization for vulnerabilities includes testing both the technical aspects of information security as well as the human element...

20 10/20/2017 1:35 PM RFQ A2114499R1 ‐ Broward County IT Security and Com Category 4 ‐ Security Penetration Testing

Prime: JohnsTek Inc. Licensing Matrix Focal Point Data Risk LLC Foresite MSP LLC Global Information Intelligence LLC Sub: IOMAXIS c. Describe vendor’s plan to meet key milestones and deadline dates See PDF Pgs. 159 ‐ 164 Deadlines are based objectives, current gaps, and risk based findings of See PDF Pg.41 See PDF Pgs. 57 ‐ 59 including communication plan. APPROACH gaps. Phased approach to compliance can be reviewed in Broward Global Information Intelligence will apply its expert and proven JohnsTek Team is a privately‐owned (no outside investors), zero‐debt, U.S Focal Point’s Approach to Project Management Security Services 2017. All foresite services are customized to address methodology to provide BROWARD COUNTY with INFORMATION cybersecurity and engineering company that maintains a TS Facility Clearance; Project Lead – Focal Point’s project lead will be responsible for the client specific needs and can changed based on scope, level or not‐in‐ TECHNOLOGY (IT) SECURITY AND COMPLIANCE SERVICES using additionally, 100% of our 135 employees are US citizens with approximately communication of progress updates as well as the management and place findings and budget. Intelligent, Proactive and Robust and Resilient methods that include 80% cleared to the TS level, with many of those briefed for access to Sensitive coordination of all staff activities. proactive recommendations and remediation sample for design and Compartmented Information (SCI). Our cadre of cleared professionals are Quality Assurance (QA) – Focal Point’s objective is to exceed Broward’s implementation operational effectiveness for INFORMATION currently doing the same work described in the Broward County solicitation expectations. As such, Focal Point will employ a team‐based approach TECHNOLOGY (IT) SECURITY AND COMPLIANCE SERVICES: Network for multiple clients in the Department of Defense (DoD), Department of to this engagement. Our team managers assessment of BROWARD COUNTY Corporate Network and its Homeland Security (DHS), Intelligence Community (IC), Law Enforcement will coordinate fieldwork and develop project deliverables, while our Operations Technology Network.... Agencies (LEA), U.S. Federal Government and Commercial clients. All of our senior consultants and consultants perform project activities and infrastructure, to include gather data for our reports. Focal Point’s professionals our servers, are located within the United States. We have the necessary are trained to continuously review the quality of service and experience, accounting, organizational and operational controls to be an production provided at each level. effective partner for Broward County. JohnsTek Team was founded in 2006 as As a result, prior to release to Broward, all reports and deliverables will a technology engineering company focused on the Research and undergo a stringent QA process. Once Focal Point has approved the Development (R&D) of secure solutions. We are an International Organization draft report internally, the draft report will be for Standardization (ISO) 9001:2015 certified and Capability Maturity Model released to Broward for review. Integration for Development (CMMI‐DEV) Level 2 assessed Veteran‐Owned The following phases offer a high‐level illustration of the approach we Small Business (VOSB) providing critical defensive and offensive cybersecurity will take on this engagement.... support to our clients.

21 10/20/2017 1:35 PM RFQ A2114499R1 ‐ Broward County IT Security and Com Category 4 ‐ Security Penetration Testing

Prime: Marcum LLP Merchant Preservation Services, LLC d/b/a Licensing Matrix Sub: 24by7 Security CampusGuard MGT of America Consulting, LLC Nettitude, Inc. d/b/a Nettitude c. Describe vendor’s plan to meet key milestones and deadline dates See PDF Pg. 45 See PDF Pg 520 ‐ 521. See PDF Pgs. 358 ‐ 360 See PDF Pgs. 23 ‐ 28. including communication plan. Effective Project Management is a key focus at Marcum. As a large audit, tax Many of our milestones and communication As we have already done with other projects for Broward County, MGT will NETWORK PENTRATION TESTING METHODOLOGY and consulting firm, the ability to provide services to clients on schedule and coordination will come from a dedicated ensure accountability, compliance, and implementation of the services provided. One of the primary objectives of a penetration test is to identify risk within a set budget is priority. Our techniques include best practices from the resource to Broward County. Our Penetration We will adhere to all applicable federal and presented by a given system, in a safe and effective manner. A penetration Project Management Body of Knowledge (PMBOK) and go from the Planning Testers are paired up with one of state policies, procedures, and regulations. MGT will ensure accountability, test is an attack on a computer system or infrastructure that looks for to the Reporting phase, going through quality assurance checks. Below is an CampusGuard’s Customer Relationship compliance, and implementation of the services provided to the County. We will security weaknesses, potentially gaining access to the environment and overview of the milestones we will use throughout this engagement. We plan Managers who will work with the Penetration adhere to all applicable federal and state policies, procedures, and regulations. data. A penetration test can help determine whether a system is to communicate each of our findings upon the completion of each milestone. Tester and County directly to establish goals MGT's Project Manager will have primary responsibility for the supervision of all vulnerable to attack, if the defenses were sufficient, and As we meet with your key personnel, we will work with management to lay and milestones. This project operations and project administration and will ensure all deliverables which defenses (if any) the test defeated. It is therefore of high importance out specific deadline dates for each milestone that take into consideration the communication is continuous until the project meet the standards of quality set forth by the County. Our Project Manager is to ensure that the engagement is designed and planned effectively..... needs of your professionals whose time will be required.... is deemed completed by the County. Plans will responsible for the day‐to‐day activities of all design and technical key be set by the CampusGuard team and those staff. deemed appropriate from the County in a project “kickoff” call and key milestones will be set at that time. From there, continuous communication will be had by the CampusGuard and Broward County teams on a time basis the County is most comfortable with. This can include weekly conference calls, summary emails or other methods the County may prefer.

22 10/20/2017 1:35 PM RFQ A2114499R1 ‐ Broward County IT Security and Com Category 4 ‐ Security Penetration Testing

Licensing Matrix Optiv Security Plante & Moran, PLLC dba Plante Moran Presidio RSM US LLP c. Describe vendor’s plan to meet key milestones and deadline dates See PDF Pg. 247 ‐ 248 Frequent communication, guided by a “no surprises” PDF Pg. 42 ‐ 44 RSM’s management approach can be expressed in one simple phrase: “no including communication plan. Optiv uses standard Project Management practices to manage key philosophy is the key to a successful project. In Presidio would develop a project plan with all defined surprises.” First, we will work with the County to establish a communication milestones and deadline dates. this way, expectations can be effectively managed and project milestones which includes weekly protocol and approach that you prefer, and we will use these channels and Project Management problems can either be avoided entirely, or status meetings to track the project overall progress. tools to share information on the engagement. Once the communications plan Overview addressed early on to minimize wasted effort and keep Escalation methodology follows. has been created, RSM will create a timeline and milestones project schedule Optiv will conduct status meetings, which may include updates on the project on schedule. Prior to formally and track those milestones to completion on a weekly basis. We will work project status and issues identified and kicking off the project, we will work with the County to with you and management to keep you informed of our progress throughout addressed (such as schedule, deliverables, project quality, and team develop a communications plan for the project. the engagement with periodic formal and informal status reports and interaction). In addition, Optiv will provide We will identify project stakeholders, and for each: meetings as appropriate. Continuous communication helps ensure that the immediate notification of any issues requiring Broward County Office of What they will need to know throughout the project County and the RSM team are in agreement on, and informed about every IT’s attention. Optiv expects that any issues (e.g., status updates, risk and issues) aspect of an engagement. Our team will work closely with County identified will be resolved promptly to avoid impact to the project When and how frequently they will want management to establish clear, open lines of timelines. communication (e.g., weekly, monthly) communication via face‐to‐face meetings, phone calls, and/or regular Optiv Project Coordination Activities How communications will be delivered (e.g., status electronic or hard‐copy communications to keep you informed of progress and The following list details Optiv's Project Coordination activities for this updates reports, meetings, phone calls) issues. In the event that RSM identifies that a particular engagement is behind project: Who will be responsible for the communication schedule, this issue will be formally communicated to the client to discuss the Facilitation of the project kick‐off meeting We will maintain this communication plan on a shared issues and possible solutions to get back on track. Similarly, if observations or Project budget reporting and Change Order management (if needed) collaboration site throughout the project to risk areas are identified during an engagement, we will be on hand to provide Coordination of Optiv personnel logistics ensure regular communication and ongoing recommendations for remediation and collaboration. provide support to management in the enhancement of current processes.

23 10/20/2017 1:35 PM RFQ A2114499R1 ‐ Broward County IT Security and Com Category 4 ‐ Security Penetration Testing

Verizon Business Network Services Licensing Matrix SeNet International Corporation SHI International Corp Inc. d/b/a Verizon Business Services c. Describe vendor’s plan to meet key milestones and deadline dates See Pages 59 ‐ 62. Once an assessment is assigned to a Sr. Solutions See Pages 53 ‐ 55. including communication plan. Architect, they are dedicated to the project ensuring The overall Verizon engagement management and their availability to complete all project related task and delivery approach consists of the following steps. milestones as agreed in the SOW and/or project kickoff meeting. Schedules are managed closely to ensure overlap in projects is minimal and allow all milestones to be met and assessments to be completed on time. All SHI assessments have an assigned PM who document and track all milestones and significant events for a particular project. The PM will work with all key stakeholders involved to ensure all communications are managed effectively to meet all customer expectations. Email is used for daily communication with secure solutions being utilized for all confidential documentation.

24 10/20/2017 1:35 PM RFQ A2114499R1 ‐ Broward County IT Security and Compliance Services Category 4 ‐ Security Penetration Testing

Prime: 3K Technologies LLC Subs: Managni Systems, Inc. ; Aujas Information Risk Licensing Matrix 1st Secure IT LLC Services ATT 3. Past Performance: a. Describe prime Vendor’s experience on projects of similar nature See Reference Verification Form PDF Pg. 126, 130, 131. See file "Evaluation ‐ Cat 4" and scope, along with evidence of satisfactory completion, both on See PDF Pg. 159 We have extensive experience in doing projects of similar nature CONFIDENTIAL time and within budget, for the past five years. Provide a minimum of 1st Secure IT has been a Qualified Security Assessor Company since 2010 and has performed and scope. We have consistently performed these tasks with high three projects with references, preferably government agencies (i.e. has performed hundreds of PCI DSS audit. 1st Secure IT, LLC is a Payment Card Industry quality and within the time limits proposed at the beginning of Pgs 35: state, local) of similar size and structure and proven experience and Qualified Security the project. Non‐Disclosure Statement "The information in this document is AT&T skillset in evaluation a mixed credit card environment of web Assessor Company (PCI‐QSA) certified and authorized to perform PCI DSS and PCI PIN audits it Corp. Confidential, and cannot be reproduced or redistributed in any applications, point of sale (POS), and IVR systems. the United States and Latin America. We are headquartered in Coral Springs, FL and focus on way, shape, or form without prior written consent from AT&T Corp. © Vendor should provide references for similar work performed to compliance services Copyright 2017 AT&T Corp. AT&T Corp., the AT&T Corp. logo, and all show evidence of qualifications and previous experience. Refer to and solutions related to regulations such as PCI, HIPAA, EI3PA, and SOC2. We specialize in and other trademarks, service marks, and designs are registered or Vendor Reference Verification Form and submit as instructed. Only are focused on delivering industry standards compliance and fraud prevention services. unregistered trademarks of AT&T Corp. Intellectual Property and/or provide references for non‐Broward County Board of County SAMPLE LIST OF CLIENTS AT&T Corp. affiliated Commissioners’ contracts. For Broward County contracts, the County 1st Secure IT, LLC has done well over 100 Reports of Compliance (ROC) in the last 12 months. companies." will review performance evaluations in its database for vendors with The following previous or current contracts with the County. The County considers is a sample set of clients for whom 1st Secure IT, LLC has performed compliance/security Pgs 36‐ 223: references and performance evaluations in the evaluation of engagements: "AT&T Consulting Proprietary and Confidential Information" Vendor’s past performance. Sample clients in USA 1. Luihn Foods ‐ (Refer to Vendor Reference Verification Form) Pgs 418‐568 AT&T Proprietary: The information contained herein is for 2. FPN ‐ (Refer to Vendor Reference Verification Form) use by authorized persons only and is not for general distribution. 3. Sedano’s Supermarket ‐ (Refer to Vendor Reference Verification Form) 4. Great Health Works 5. Softheon,Inc Amwest Venture Corp 6. Apartment Owners Association of California, Inc. 7. Bagshaw Enterprises 8. BKK Management Co (Yakima) 9. Burger Florida Group 10. Century Fast Foods, Inc. b. Provide evidence of similar work related to services identified See Reference Verification Form PDF Pg. 126, 130, 131. See file "Evaluation ‐ Cat 4" similar work related to services identified in this Category, including See PDF Pg. 159 We performed Penetration testing for different clients. We CONFIDENTIAL sample executive summaries and reports 1st Secure IT has been a Qualified Security Assessor Company since 2010 and has performed generated Penetration testing reports that helped companies to has performed hundreds of PCI DSS audit. 1st Secure IT, LLC is a Payment Card Industry take remediation steps. Pgs 35: Qualified Security Non‐Disclosure Statement "The information in this document is AT&T Assessor Company (PCI‐QSA) certified and authorized to perform PCI DSS and PCI PIN audits it Corp. Confidential, and cannot be reproduced or redistributed in any way, the United States and Latin America. We are headquartered in Coral Springs, FL and focus on shape, or form without prior written consent from AT&T Corp. © compliance services Copyright 2017 AT&T Corp. AT&T Corp., the AT&T Corp. logo, and all other and solutions related to regulations such as PCI, HIPAA, EI3PA, and SOC2. We specialize in and trademarks, service marks, and designs are registered or unregistered are focused on delivering industry standards compliance and fraud prevention services. trademarks of AT&T Corp. Intellectual Property and/or AT&T Corp. SAMPLE LIST OF CLIENTS affiliated 1st Secure IT, LLC has done well over 100 Reports of Compliance (ROC) in the last 12 months. companies." The following is a sample set of clients for whom 1st Secure IT, LLC has performed compliance/security Pgs 36‐ 223: engagements: "AT&T Consulting Proprietary and Confidential Information" Sample clients in USA 1. Luihn Foods ‐ (Refer to Vendor Reference Verification Form) Pgs 418‐568 AT&T Proprietary: The information contained herein is for 2. FPN ‐ (Refer to Vendor Reference Verification Form) use by authorized persons only and is not for general distribution. 3. Sedano’s Supermarket ‐ (Refer to Vendor Reference Verification Form) 4. Great Health Works 5. Softheon,Inc Amwest Venture Corp 6. Apartment Owners Association of California, Inc. 7. Bagshaw Enterprises 8. BKK Management Co (Yakima) 9. Burger Florida Group 10. Century Fast Foods, Inc.

25 10/20/2017 1:35 PM RFQ A2114499R1 ‐ Broward County IT Security and Com Category 4 ‐ Security Penetration Testing

Prime: Carahsoft Technology Corp Licensing Matrix BreakPoint Labs Solution Provider: Trustwave Crowe Horwath LLP Enterprise Risk Management, Inc. 3. Past Performance: a. Describe prime Vendor’s experience on projects of similar nature See Reference Verification Forms (3) PDF Pgs. 31 ‐ 35. See PDF PG. 31 See PDF Pgs. 103 ‐ 106 (3) Reference Verification Forms included. ‐ See PDF Pgs. 115 ‐ 118 and scope, along with evidence of satisfactory completion, both on See PDF Pg. 7 Trustwave completed approximately 4000 penetration tests in 2016. Past Performance a. ERM’s Experience time and within budget, for the past five years. Provide a minimum of Over the past years BPL security engineers have performed hundreds of security assessments. BPLs security That means that our average penetration tester performs 40 or more Crowe’s cybersecurity team conducts over 200 penetration ERM has completed over 5,000 Penetration Test projects. All of our three projects with references, preferably government agencies (i.e. engineers have helped organizations identify exploitable vulnerabilities that would have had a large business tests each year – compared to the 3‐10 yearly tests consultants perform assessments annually, including both internal and external projects have been completed on time and within budget. state, local) of similar size and structure and proven experience and impact if compromised. Below are highlights of some of the ways BPL security engineers have improved the at most firms. penetration testing. Quality work, based upon strong competency As requested, below are three references for projects of similar size skillset in evaluation a mixed credit card environment of web security posture and directed towards our client’s needs, is the core element of and structure. applications, point of sale (POS), and IVR systems. of its customers: creating value for our clients. Quality service involves prompt and 1. CSID Vendor should provide references for similar work performed to ● Idenﬁed a crical SQL Injecon (SQLi) vulnerability in an Internet‐facing applicaon that when exploited efficient service delivery and effective communications with clients. 2. State of New Hampshire show evidence of qualifications and previous experience. Refer to allowed an adversary to access all the clear‐text usernames and passwords for the entire commercial company. Business relationships involve gaining trust and respect by listening 3. Tecnicard Vendor Reference Verification Form and submit as instructed. Only ● Discovered custom vulnerabilies in DoD research and educaonal organizaons that would have allowed for a to our client’s needs and developing a comprehensive provide references for non‐Broward County Board of County complete compromise of the organization. understanding of their business and vision for the future before Commissioners’ contracts. For Broward County contracts, the County ● Enumerated several unknown vulnerabilies in commercial applicaons in use by DoD organizaons and providing advice. We have delivered high value to our clients for will review performance evaluations in its database for vendors with followed a responsible disclosure process to communicate findings with the vendors. decades and we feel that we are well‐suited to help Broward previous or current contracts with the County. The County considers ● Helped DoD research and educaonal organizaons idenfy emerging high‐impact vulnerabilies (Shellshock, County.... references and performance evaluations in the evaluation of Heartbleed, etc.) by developing custom tools for use in Vendor’s past performance. their environment prior to release of checks in commercial scanning tools. ● Discovered a crical SMTP injecon vulnerability for a DoD organizaon that would have allowed for an aacker to send E‐mails as anyone in the organization......

b. Provide evidence of similar work related to services identified See Reference Verification Forms (3) PDF Pgs. 31 ‐ 35. See PDF PG. 31 Past Performance See PDF Pg. 119 ‐ 121 similar work related to services identified in this Category, including See PDF Pg. 7 Please see addendum for Client References. Crowe’s cybersecurity team conducts over 200 penetration Sample outline of client report. sample executive summaries and reports Over the past years BPL security engineers have performed hundreds of security assessments. BPLs security assessments annually, including both internal and external engineers have helped organizations identify exploitable vulnerabilities that would have had a large business penetration testing. Quality work, based upon strong competency impact if compromised. Below are highlights of some of the ways BPL security engineers have improved the and directed towards our client’s needs, is the core element of security posture creating value for our clients. Quality service involves prompt and of its customers: efficient service delivery and effective communications with clients. ● Idenﬁed a crical SQL Injecon (SQLi) vulnerability in an Internet‐facing applicaon that when exploited Business relationships involve gaining trust and respect by listening allowed an adversary to access all the clear‐text usernames and passwords for the entire commercial company. to our client’s needs and developing a comprehensive ● Discovered custom vulnerabilies in DoD research and educaonal organizaons that would have allowed for a understanding of their business and vision for the future before complete compromise of the organization. providing advice. We have delivered high value to our clients for ● Enumerated several unknown vulnerabilies in commercial applicaons in use by DoD organizaons and decades and we feel that we are well‐suited to help Broward followed a responsible disclosure process to communicate findings with the vendors. County.... ● Helped DoD research and educaonal organizaons idenfy emerging high‐impact vulnerabilies (Shellshock, Heartbleed, etc.) by developing custom tools for use in their environment prior to release of checks in commercial scanning tools. ● Discovered a crical SMTP injecon vulnerability for a DoD organizaon that would have allowed for an aacker to send E‐mails as anyone in the organization......

26 10/20/2017 1:35 PM RFQ A2114499R1 ‐ Broward County IT Security and Com Category 4 ‐ Security Penetration Testing

Prime: JohnsTek Inc. Licensing Matrix Focal Point Data Risk LLC Foresite MSP LLC Global Information Intelligence LLC Sub: IOMAXIS 3. Past Performance: a. Describe prime Vendor’s experience on projects of similar nature See PDF Pgs. 165 ‐ 167 See References. See References. Reference Verification Forms included. See PDF Pgs. 67 ‐68, 94 and scope, along with evidence of satisfactory completion, both on Focal Point has been providing information security advisory services, Foresite supplies services to forture 500 companies within the US and See PDF Pgs. 59 ‐ time and within budget, for the past five years. Provide a minimum of including vulnerability address specific needs based on a phased approach. The approach Director, Operational Test & Evaluation (DOT&E) three projects with references, preferably government agencies (i.e. assessments, penetration testing, infrastructure analyses, and technical starts with a gap assessment to determin actual scope followed by Point of Contact: John Burns state, local) of similar size and structure and proven experience and security assessments, findings and observations, recommendations for remediation then a Phone Number and Email Address: 571‐372‐3887; [email protected] skillset in evaluation a mixed credit card environment of web for over 12 years. We have developed and evaluated the information road map plan to address all aspects of the overall objectives. Contract Period of Performance: 12/17/2015 – 12/16/2017 applications, point of sale (POS), and IVR systems. technology departments of Description of Similar Work: Vendor should provide references for similar work performed to many leading organizations. IOMAXIS SMEs apply their collective knowledge, skills, and experience to show evidence of qualifications and previous experience. Refer to Over the past five years, we’ve delivered hundreds of successful support DOT&E’s Congressionallymandated Cybersecurity Assessment Vendor Reference Verification Form and submit as instructed. Only penetration testing projects for Program (CAP), providing operational Red Team subject matter expertise, provide references for non‐Broward County Board of County both private organizations and government entities. On average, we operator augmentation, data collection & analysis, and other expert‐level Commissioners’ contracts. For Broward County contracts, the County complete around 100 consulting services to multiple facets of their mission...... will review performance evaluations in its database for vendors with penetration testing projects annually, and can provide these services to Alliance Technology Group previous or current contracts with the County. The County considers several clients Point of Contact: Jason Sherbert references and performance evaluations in the evaluation of concurrently. Phone Number and Email Address: 443‐561‐0525; jason.sherbert@alliance‐ Vendor’s past performance. Our excellence in penetration testing is evidenced by the long‐lasting it.com relationships we maintain Contract Period of Performance: 11/04/2016 – 11/05/2017 with our clients, who continue to rely on us year after year to find and IOMAXIS conducted a penetration test to evaluate the overall security posture remediate the of the clients’ externally‐facing system(s), application(s), and service(s), vulnerabilities in their networks.... including their networking and security architecture. The objective was to gain unauthorized access to any of the internal architecture.

b. Provide evidence of similar work related to services identified See PDF Pgs. 165 ‐ 167 similar to that of pci, security testing specific requirements are address See PDF Pgs. 318 ‐ 322 Reference Verification Forms included. See PDF Pgs. 67 ‐68, 94 similar work related to services identified in this Category, including Focal Point has been providing information security advisory services, on a custimized bases, actual phased approach can be seen in the See Sample Reports. See PDF Pgs. 59 ‐ sample executive summaries and reports including vulnerability Broward Security Services 2017 under PCI DSS managed services Director, Operational Test & Evaluation (DOT&E) assessments, penetration testing, infrastructure analyses, and technical Point of Contact: John Burns security assessments, Phone Number and Email Address: 571‐372‐3887; [email protected] for over 12 years. We have developed and evaluated the information Contract Period of Performance: 12/17/2015 – 12/16/2017 technology departments of Description of Similar Work: many leading organizations. IOMAXIS SMEs apply their collective knowledge, skills, and experience to Over the past five years, we’ve delivered hundreds of successful support DOT&E’s Congressionallymandated Cybersecurity Assessment penetration testing projects for Program (CAP), providing operational Red Team subject matter expertise, both private organizations and government entities. On average, we operator augmentation, data collection & analysis, and other expert‐level complete around 100 consulting services to multiple facets of their mission...... penetration testing projects annually, and can provide these services to Alliance Technology Group several clients Point of Contact: Jason Sherbert concurrently. Phone Number and Email Address: 443‐561‐0525; jason.sherbert@alliance‐ Our excellence in penetration testing is evidenced by the long‐lasting it.com relationships we maintain Contract Period of Performance: 11/04/2016 – 11/05/2017 with our clients, who continue to rely on us year after year to find and IOMAXIS conducted a penetration test to evaluate the overall security posture remediate the of the clients’ externally‐facing system(s), application(s), and service(s), vulnerabilities in their networks.... including their networking and security architecture. The objective was to gain unauthorized access to any of the internal architecture.

27 10/20/2017 1:35 PM RFQ A2114499R1 ‐ Broward County IT Security and Com Category 4 ‐ Security Penetration Testing

Prime: Marcum LLP Merchant Preservation Services, LLC d/b/a Licensing Matrix Sub: 24by7 Security CampusGuard MGT of America Consulting, LLC Nettitude, Inc. d/b/a Nettitude 3. Past Performance: a. Describe prime Vendor’s experience on projects of similar nature See PDF Pg. 46 Reference Verification Forms included Pg. 524 ‐ See Reference Verification Forms PDF Pgs. 363 ‐ 365 See PDF Pgs. 23 ‐ 28. and scope, along with evidence of satisfactory completion, both on See attached Vendor Reference Forms for: 529. See PDF Pg. 362. NETWORK PENTRATION TESTING METHODOLOGY time and within budget, for the past five years. Provide a minimum of City of Coconut Creek See PDF Pg 522. With a focus on organizational goals first, MGT provides business‐driven One of the primary objectives of a penetration test is to identify risk three projects with references, preferably government agencies (i.e. City of Boca Raton CampusGuard’s Pen Testing Team has worked information security services keeping our clients’ interests at the forefront of our presented by a given system, in a safe and effective manner. A penetration state, local) of similar size and structure and proven experience and City of Hollywood in the most dynamic environments throughout engagements ensuring we deliver the most efficient solution. MGT’s core cyber test is an attack on a computer system or infrastructure that looks for skillset in evaluation a mixed credit card environment of web their careers and have brought that experience security capabilities include: security risk assessments...... security weaknesses, potentially gaining access to the environment and applications, point of sale (POS), and IVR systems. to CampusGuard with them. All of (ISC)2: ON‐DEMAND PENETRATION TESTING SERVICES data. A penetration test can help determine whether a system is Vendor should provide references for similar work performed to CampusGuard’s clients operate in multi campus (ISC)2, the largest information security association in the world, selected us as vulnerable to attack, if the defenses were sufficient, and show evidence of qualifications and previous experience. Refer to environments, this includes Higher Education, their key penetration testing partner to test multi‐year rollout of enterprise which defenses (if any) the test defeated. It is therefore of high importance Vendor Reference Verification Form and submit as instructed. Only Local and County Government and the resort applications as well as infrastructure upgrades. This engagement is ongoing and to ensure that the engagement is designed and planned effectively..... provide references for non‐Broward County Board of County industry. Due to the nature of these networks, thus far, we have successfully tested several of their website back end Commissioners’ contracts. For Broward County contracts, the County their environment is far more complicated to applications, their learning management system, and will soon be completing an will review performance evaluations in its database for vendors with protect and has greater exposure for unethical infrastructure test..... previous or current contracts with the County. The County considers hackers. As you will find through our CITY OF ROSEVILLE: EXTERNAL AND INTERNAL PENETRATION TEST AND WIFI references and performance evaluations in the evaluation of references, CampusGuard is native to these ACCESS Vendor’s past performance. environments and operates in them every day. POINT TEST Our Penetration Testing team works to provide The City of Roseville selected us to perform a full test on their external and results based off of a predetermined scope of internal IPs as well as their wireless access points. This was part of their yearly work and deliver those results to our clients on PCI effort. We were able to successfully deliver on all aspects of the engagement time and within budget. Our CRM assists our while focusing on transfer of knowledge in order to help the security team with Pen Testing Team with our goals and keep on‐going operations as much as possible. within the timelines for completion. VITAL RECORDS CONTROL COMPANIES: WEB APPLICATION PENETRATION TESTING Vital Records Control Companies (VRCC) selected us to do a full penetration test of their custom electronic medical records application. We successfully executed the engagement and provided all the necessary insight into addressing any and all vulnerabilities that came about..... b. Provide evidence of similar work related to services identified See PDF Pg. 46 See PDF Pgs. 374 ‐ 432. See PDF Pg. 28 ‐ 31. similar work related to services identified in this Category, including See attached sample report for Security Penetration Testing. Included in Appendix are four sample executive summaries and reports for: Nettitude has provided Broward County with a case study of a previous sample executive summaries and reports Mobile App Pen Test penetration test. Network Layer Case Study 1: SharePoint Testing Web Application Client Requirement Wireless Security A long term client, a high profile FTSE 100 company, requested a penetration test of one of their critical applications which was built on Sharepoint. The data assets held by the Sharepoint application were of critical importance to the company; the testing was primarily requested to ensure that no authorised access could be gained to the data, the backend database, and to ensure that there were no weak configurations that could lead to data compromise. Nettitude Engagement & Delivery The average engagement size for Sharepoint applications has been five days of testing and a day of report writing. The average SharePoint application tests conducted have followed our Web Application testing methodology covering all aspects of the OWASP Top 10....

28 10/20/2017 1:35 PM RFQ A2114499R1 ‐ Broward County IT Security and Com Category 4 ‐ Security Penetration Testing

Licensing Matrix Optiv Security Plante & Moran, PLLC dba Plante Moran Presidio RSM US LLP 3. Past Performance: a. Describe prime Vendor’s experience on projects of similar nature See PDF Pg. 248 Reference Verification Forms included. ‐ See PDF Pgs. 73 Reference Verification Forms included. See PDF Pgs 187 ‐ 191 and scope, along with evidence of satisfactory completion, both on The security, privacy and business concerns of our clients‐both current ‐ 76 PDF Pg. 44 time and within budget, for the past five years. Provide a minimum of and past‐are of the highest priority. Presidio provides the following three references for which Brevard County, Florida three projects with references, preferably government agencies (i.e. As such, we must respectfully decline to provide specific contact names we have provided similar solutions to October 2014 ‐ Ongoing state, local) of similar size and structure and proven experience and and details for potential Category 4 – Security Penetration Testing: RSM has performed enterprise internal, external and wireless penetration skillset in evaluation a mixed credit card environment of web references at this stage. However, a number of our clients from recent Virginia Credit Union tests as well as web application security testing…. applications, point of sale (POS), and IVR systems. engagements would be willing to Inteva Products Manager Prince William County, Virginia Vendor should provide references for similar work performed to entertain an informal conversation with their peers to discuss their use Dayton’s Children Hospital March 2014 ‐ August 2014 show evidence of qualifications and previous experience. Refer to of the products and services they Presidio uploads these customer references on the required RSM conducted internal and database testing along with web application Vendor Reference Verification Form and submit as instructed. Only were provided which we can help facilitate at the appropriate time. Vendor Verification Form, in a penetration testing for PWC. provide references for non‐Broward County Board of County separate file. City of Sacramento Commissioners’ contracts. For Broward County contracts, the County April 2013 ‐ Ongoing will review performance evaluations in its database for vendors with RSM has performed enterprise internal external and application penetration previous or current contracts with the County. The County considers tests for the City of Sacramento... references and performance evaluations in the evaluation of Cubic Corporatoin and Transportation Systems Vendor’s past performance. May 2014 ‐ Ongoing RSM has performed enterprise internal and external penetration tests as well as web application security testing.... District of Columbia Water & Sewer Authority October 2015 ‐ January 2016 RSM conducted a myriad of security testing engagements for DC Water including internal, external and wireless penetration testing....

b. Provide evidence of similar work related to services identified See PDF Pg. 248 Reference Verification Forms included. ‐ See PDF Pgs. 73 Reference Verification Forms included. Due to the sensitivity of the results of the work completed for our clients, similar work related to services identified in this Category, including Please see the provided sample deliverables (attached separately). ‐ 77 PDF Pg. 44 results of our engagements, or final reports will not be provided as evidence sample executive summaries and reports Examples ‐ See PDF Pgs. 45 Presidio provides the following three references for which for proof of completion. If the County desires, we are prepared to provide we have provided similar solutions to example templates used as part of our reporting process to help ensure you Category 4 – Security Penetration Testing: are comfortable with the final work products we are accustomed to delivering. Virginia Credit Union Inteva Products Manager Dayton’s Children Hospital Presidio uploads these customer references on the required Vendor Verification Form, in a separate file.

29 10/20/2017 1:35 PM RFQ A2114499R1 ‐ Broward County IT Security and Com Category 4 ‐ Security Penetration Testing

Verizon Business Network Services Licensing Matrix SeNet International Corporation SHI International Corp Inc. d/b/a Verizon Business Services 3. Past Performance: a. Describe prime Vendor’s experience on projects of similar nature See Pages 10 ‐20 Penetration testing results vary greatly however it is Verizon’s US testing team has conducted over and scope, along with evidence of satisfactory completion, both on References ‐ pdf pgs 100 ‐ 108 typical to find, but not limited to, exposed websites 1000 penetration testing projects in the past five time and within budget, for the past five years. Provide a minimum of providing detailed information, remote access points years. Verizon has highly relevant customers who three projects with references, preferably government agencies (i.e. only requiring a password for access, outdated can provide information on the work we have state, local) of similar size and structure and proven experience and protocols and operating systems, easily identifiable staff done and the quality of our relationship with their skillset in evaluation a mixed credit card environment of web with privileged access, lack of current patches or organizations. Due to the number of requests applications, point of sale (POS), and IVR systems. updates, improperly configured devices and lack of Verizon receives for recommendations from these Vendor should provide references for similar work performed to employee training in response to malicious activities. customers, it is our policy to provide contact show evidence of qualifications and previous experience. Refer to SHI understands the importance of quality references; information only when we are under serious Vendor Reference Verification Form and submit as instructed. Only however for services such as those being requested by consideration for a contract award. provide references for non‐Broward County Board of County the County, most customers feel the information In addition, Verizon’s corporate nondisclosure Commissioners’ contracts. For Broward County contracts, the County associated with these services is confidential. SHI has policies – combined with the sensitive nature of will review performance evaluations in its database for vendors with included a list of a few customers that we have provided our customers’ business – require that certain previous or current contracts with the County. The County considers similar services as requested in this RFP. If needed, we agreements be in place before we can release references and performance evaluations in the evaluation of agree to help coordinate a call between our customers sensitive customer data. In order to protect the Vendor’s past performance. and Broward County to discuss their experience with interests and confidentiality of our customers, and SHI. Please note that customers may not wish to discuss at the request of our customers, we prefer to specifics of their project due to the sensitive nature. facilitate references calls and/or visits at a Gold’s Gym, Anthony (Tony) Wilkins, Director of IT mutually convenient time for all. Infrastructure and Telecom Tampa General Hospital, Jason Powell, Chief Information Security Officer City of San Marcos, Lenora Newson, IT Infrastructure Manager

b. Provide evidence of similar work related to services identified See Pages 10 ‐20. SHI has attached sample reports with our submission. As a highly respected authority on Security and similar work related to services identified in this Category, including Compliance and one of the most trusted voicesin sample executive summaries and reports the security community, we truly appreciate your challenges, put payment security in the context of your industry‐specific regulations and standards, and make recommendations not just in terms of IT change, but business process transformation, too. These principles are embodied in our annual Data Breach Investigations Report, now in its tenth edition, report, which uses data and insights drawn directly from assessments we have conducted for global enterprises across a variety of industries. View the report at http://www.verizonenterprise.com/verizoninsight s‐ lab/dbir/2017/#report.

30 10/20/2017 1:35 PM RFQ A2114499R1 ‐ Broward County IT Security and Compliance Services Category 4 ‐ Security Penetration Testing

Prime: 3K Technologies LLC Subs: Managni Systems, Inc. ; Aujas Information Risk Licensing Matrix 1st Secure IT LLC Services ATT 4. Workload of the Firm: List all completed and active projects that Vendor has managed See PDF Pgs. 160 ‐ 161. See file "Evaluation ‐ Cat 4" See PDF Pgs. 543 ‐ 544 within the past five years. In addition, list all projected projects that 1st Secure IT, LLC is a QSA company for the PCI SSC. Our core competencies are within the PCI We have recently completed projects with Counsyl, Creditshop. Vendor will be working on in the near future. Projected projects will and We have sufficient capacity to take on new projects and we are CONFIDENTIAL be defined as a project(s) that Vendor is awarded a contract but the Penetration Testing arena. Over 90% of our revenue derives from direct PCI related work. PCI very confident that you will be pleased with our services. Notice to Proceed has not been issued. Identify any projects that related Pgs 35: Vendor worked on concurrently. Describe Vendor’s approach in work includes: Non‐Disclosure Statement "The information in this document is AT&T managing these projects. Were there or will there be any challenges PCI DSS Scoping Reviews Corp. Confidential, and cannot be reproduced or redistributed in any way, for any of the listed projects? If so, describe how Vendor dealt or will PCI DSS Reports on Compliance shape, or form without prior written consent from AT&T Corp. © deal with the projects’ challenges. PCI Self‐Assessment Questionnaire assistance Copyright 2017 AT&T Corp. AT&T Corp., the AT&T Corp. logo, and all other Penetration Testing – for PCI Compliance trademarks, service marks, and designs are registered or unregistered IT Security Consultation Projects for PCI Compliance trademarks of AT&T Corp. Intellectual Property and/or AT&T Corp. Approximately, 10% of our revenue is generated from projects outside of PCI, but are affiliated synergistic to IT companies." Security. These projects include: Fraud Prevention Consultation Pgs 36‐ 223: Visa Global Risk Assessments "AT&T Consulting Proprietary and Confidential Information" PIN Security Non‐PCI related Penetration Testing Pgs 418‐568 AT&T Proprietary: The information contained herein is for General IT Security Consulting..... use by authorized persons only and is not for general distribution.

VENDOR QUESTIONNAIRE FORM Verify that these questions are the same as in the advertised solicitation: 1. Legal business name. 1ST SECURE IT LLC 3K Technologies LLC AT&T Corp

2. Doing Business As/ Fictitious Name (if applicable): N/A

3. Federal Employer I.D. Number. 27‐1776302 02‐0604148 13‐4924710 4. Dun & Bradstreet Number. (If applicable). N/A 113018282 00‐698‐0080 5. Website address (if applicable). https://www.1stsecureit.com/en/ www.3ktechnologies.com www.att.com 6. Principal place of business. 6810 Lyons Technology Circle, Suite 190 1114 Cadillac Ct, Milpitas, CA 95035 One AT&T Way, Bedminster, NJ 07921 Coconut Creek, FL 33073 7. Office Location for this project. 6810 Lyons Technology Circle, Suite 190, Coconut Creek, FL 33073 1114 Cadillac Ct, Milpitas, CA 95035 2002 NW 64th St., Ft. Lauderdale, FL 33309

8. Telephone/Fax Number: Telephone no.:(954) 613‐0515 Fax no.:(866) 735‐3369 Telephone no.:4087165901 Telephone no.:305‐913‐3887 Fax no.: Fax no.:4088842420 9. Type of Business LLC LLC Corporation; New York 10. List Florida Registration Number. L10000009297 M09000002854 845822

31 10/20/2017 1:35 PM RFQ A2114499R1 ‐ Broward County IT Security and Com Category 4 ‐ Security Penetration Testing

Prime: Carahsoft Technology Corp Licensing Matrix BreakPoint Labs Solution Provider: Trustwave Crowe Horwath LLP Enterprise Risk Management, Inc. 4. Workload of the Firm: List all completed and active projects that Vendor has managed BreakPoint Labs (BPL) manages multiple security assessments at any given time in support of several customers. See PDF Pg. 32 See PDF Pg. 107 See PDF Pg. 122 within the past five years. In addition, list all projected projects that BPL assessment teams are broken into three (3) main categories: Application Security, Network Security, and As a private firm, we do not go into specific details, but we can say we Over the past 5 years, Crowe has had over 16,000 clients, of which ERM has completed over 600 Penetration Testing projects during Vendor will be working on in the near future. Projected projects will Compliance. BPL’s assessment teams work to manage these assessments based on individual skillsets. The BPL do about 4000 pen tests a year and about 850 RoCs ‐ but also have the over 1,200 were government clients. Crowe currently has 871 the past 5 years and estimates it will be working on approximately be defined as a project(s) that Vendor is awarded a contract but the Application Security Assessment team manages day to day application security assessments for a large scale DoD most QSAs and Pen Testers than any other competitor – over 100 in government clients, with 32 in the Florida area. 50 per month during the remainder of 2017. Notice to Proceed has not been issued. Identify any projects that organization and several commercial organizations. This team provides support to other BPL assessment teams to each case. We are busy, but have sufficient resources to cover all of our Crowe is well positioned to provide quality service to Broward ERM is able to manage several projects simultaneously based on Vendor worked on concurrently. Describe Vendor’s approach in ensure that applicable expertise is leveraged during other engagements. The BPL Network Security Assessment engagements. County in a timely fashion. Crowe has a sophisticated Centralized our efficient project management approach. We have not managing these projects. Were there or will there be any challenges Team focuses on performing full scope penetration tests for a large scale DoD organization (Red Team Resource Management function that is responsible for ensuring that experienced any challenges to complete these projects, nor do we for any of the listed projects? If so, describe how Vendor dealt or will Engagements) and supports numerous other commercial companies by conducting annual and recurring Broward County’s needs are met with the experienced and trained expect to experience challenges completed projects for the client. deal with the projects’ challenges. penetration tests. The Compliance Assessment team provides risk and vulnerability assessments focused on staff from our local offices, and if needed, from across our firm. We a. Past Five Years various compliance standards and requirements (PCI, HIPAA, RMF, etc.) for DoD and commercial customers. realize that resource management is a crucial element to • Banking & Financial Services (100) All of BPL’s assessment teams work together to ensure the right service is provided at the highest quality. Many consistently providing top quality service to Broward County, and all • Credit Card Processing (100) customers know they need an assessment, but are unsure of how to plan and execute, define goals, or even what of our clients. • Education (25) is possible. BPL’s assessment teams have extensive experience working with clients who are somewhat new to • Local, City, State Government (50) security assessments and provide extra guidance and information throughout the process to ensure our customers • Federal Government (25) are informed and getting the most return on investment. • Hospitality (25) BreakPoint Labs manages concurrent projects with an established approach by defining each project’s goals, • Insurance (100) deadlines and measurables that must be met. Clearly documenting and defining the project dates and deliverables • Retail (25) amongst the team for each customer has led to a successful outcome for BreakPoint Labs efforts prior and to date. • Technology (50) BPL’s penetration testing team services have the flexibility to work multiple projects with a remote access • Other (100) approach to testing and/or an onsite presence when necessary for the accomplish mission. One of the challenges .... with these projects is a lack of communication and/or clearly defined scope before any testing has begun. BreakPoint Labs has established an internal document and process to better aid this challenge to clearly define the project’s scope, rules of engagement and overall expected outcome. In addition, BPL adapts best practices from industry standards such as the Project Management Body of Knowledge (PMBOK) and the ISO Standard on Project Management.

VENDOR QUESTIONNAIRE FORM Verify that these questions are the same as in the advertised solicitation: 1. Legal business name. Break Point Labs Carahsoft Technology Corporation Crowe Horwath LLP Enterprise Risk Management, Inc.

2. Doing Business As/ Fictitious Name (if applicable): Break Point Labs Not applicable

3. Federal Employer I.D. Number. 47‐4581296 522189693 35‐0921680 65‐0827427 4. Dun & Bradstreet Number. (If applicable). 07‐79914189 08‐8365767 787324008 610144201 5. Website address (if applicable). https://breakpoint‐labs.com/ www.carahsoft.com www.crowehorwath.com www.emrisk.com 6. Principal place of business. 8116 Arlington Blvd #255 1860 Michael Faraday Drive, Suite 100 225 West Wacker Drive, Suite 2600 800 S. Douglas Road, Suite 940 North Tower, Coral Gables, FL 33134 Falls Church, VA 22042 Reston, VA 20190 Chicago, Illinois 60606‐1224 7. Office Location for this project. 1860 Michael Faraday Drive, Suite 100 401 East Las Olas Boulevard, Suite 1100 800 S. Douglas Road, Suite 940 North Tower, Coral Gables, FL Reston, VA 20190 Fort Lauderdale, Florida 33301‐4230 33134

8. Telephone/Fax Number: 1‐844‐442‐5632 Telephone no.:703.871.8500 Fax no.:703.871.8505 Telephone no.:954.202.8600 Fax no.:954.202.8639 Telephone no.:305‐447‐6750 Fax no.:305‐447‐6752

9. Type of Business LLC Corporation; Maryland Limited Liability Partnership Corporation; Florida 10. List Florida Registration Number. GP0800003826

32 10/20/2017 1:35 PM RFQ A2114499R1 ‐ Broward County IT Security and Com Category 4 ‐ Security Penetration Testing

Prime: JohnsTek Inc. Licensing Matrix Focal Point Data Risk LLC Foresite MSP LLC Global Information Intelligence LLC Sub: IOMAXIS 4. Workload of the Firm: List all completed and active projects that Vendor has managed See PDF Pg. 168 Foresite has over 600 active projects and current has a client base of See PDF Pg.41 See PDF Pg. 64 ‐ 66 within the past five years. In addition, list all projected projects that As mentioned previously, Focal Point completes around 100 over 2000 companies. Foresite has over 8 million US dollars currently Global Information Intelligence will apply its expert and proven The Quality Management approach utilized by JohnsTek Team provides Vendor will be working on in the near future. Projected projects will penetration testing engagements annually, and has the resources to in the 6 month sales pipe. The request can certainly be discussed but methodology to provide BROWARD COUNTY with INFORMATION quality control measures across the entire company, managing our workload be defined as a project(s) that Vendor is awarded a contract but the serve several clients concurrently. Over the last five years, would not seem logical to address at the level you are requesting. TECHNOLOGY (IT) SECURITY AND COMPLIANCE SERVICES using holistically and ensuring out ability to develop, restructure, Notice to Proceed has not been issued. Identify any projects that our penetration testing team has completed more than 500 security Intelligent, Proactive and Robust and Resilient methods that include rebalance, transform, and sustain the requirements of our various client’s and Vendor worked on concurrently. Describe Vendor’s approach in testing projects for hundreds of different clients. We complete all of proactive recommendations and remediation sample for design and contracts. managing these projects. Were there or will there be any challenges our projects concurrently with other projects, so implementation operational effectiveness for INFORMATION We apply the “Plan‐Do‐Check‐Act” (PDCA) methodology tool as the basis for for any of the listed projects? If so, describe how Vendor dealt or will the added workload that this project presents is not an issue for our TECHNOLOGY (IT) SECURITY AND COMPLIANCE SERVICES: Network our Quality Control process, to define, implement and control actions and deal with the projects’ challenges. firm. assessment of BROWARD COUNTY Corporate Network and its improvements as depicted in the Figure below... As of now, we currently have several penetration testing projects Operations Technology Network.... slated to begin later this summer and into the fall, but we do not anticipate any challenges for these projects, and we do not anticipate these other projects limiting us from providing the County with the highest level of service.....

VENDOR QUESTIONNAIRE FORM Verify that these questions are the same as in the advertised solicitation: 1. Legal business name. Focal Point Data Risk, LLC Foresite MSP LLC Global Information Intelligence LLC JohnsTek, Inc

2. Doing Business As/ Fictitious Name (if applicable):

3. Federal Employer I.D. Number. 61‐1805201 38‐3916369 273548900 20‐0352589 4. Dun & Bradstreet Number. (If applicable). 08‐0541660 07‐8744163 142428510 5. Website address (if applicable). www.focal‐point.com www.foresite.com www.globalinfointel.com www.johnstek.com 6. Principal place of business. 201 E Kennedy Blvd, Suite 1750 E Windsor Ct 6860 North Dallas Parkway, Suite 200,Plano, TX 75024 45 Almeria Ave, Coral Gables, FL 33134 Tampa, FL 33602 7. Office Location for this project. We will utilize both our Tampa location and our Broward New York 6861 North Dallas Parkway, Suite 200,Plano, TX 75024 45 Almeria Ave, Coral Gables, FL 33134 County location for this project. Our Broward County address is 1601 Sawgrass Corp. Pkwy., Suite 130, Sunrise, FL 33323 8. Telephone/Fax Number: Telephone no.:(813) 402‐1208 Fax no.:813‐436‐5283 800‐940‐4699 Telephone no.:4082509045 Fax no.:N/A Telephone no.:786.375.9020 Fax no.:305.675.8373

9. Type of Business LLC LLC Corp; DE ‐ LLC Corporation, S Corp 10. List Florida Registration Number. M16000008367 P03000120232

33 10/20/2017 1:35 PM RFQ A2114499R1 ‐ Broward County IT Security and Com Category 4 ‐ Security Penetration Testing

Prime: Marcum LLP Merchant Preservation Services, LLC d/b/a Licensing Matrix Sub: 24by7 Security CampusGuard MGT of America Consulting, LLC Nettitude, Inc. d/b/a Nettitude 4. Workload of the Firm: List all completed and active projects that Vendor has managed See PDF Pg. 47 See PDF Pg 523. See PDF Pgs. 367 ‐ 373. See PDF Pg. 28 ‐ 31. within the past five years. In addition, list all projected projects that 1. City of Coconut Creek With over 90 penetration testing engagements MGT has completed projects for the County, including: Nettitude has provided Broward County with a case study of a previous Vendor will be working on in the near future. Projected projects will 2. City of Boca Raton completed between 2012 and today, Disparity Study of County Government (2000). penetration test. be defined as a project(s) that Vendor is awarded a contract but the 3. City of Hollywood CampusGuard is well versed in managing Cost Allocation Plans (2009, 2010, 2011, 2014, 2015, 2016). Case Study 1: SharePoint Testing Notice to Proceed has not been issued. Identify any projects that Identify any projects that Vendor worked on concurrently. penetration testing projects for multi campus Comprehensive Review of the Sheriff’s Office Department of Detention (2009). Client Requirement Vendor worked on concurrently. Describe Vendor’s approach in No projects were worked on concurrently. environments. Listed in section 3 is a sample of Comprehensive Analysis of the Libraries Division (2010). A long term client, a high profile FTSE 100 company, requested a managing these projects. Were there or will there be any challenges Describe Vendor’s approach in managing these projects. engagements CampusGuard has performed Being a national company, MGT has completed many projects within the past penetration test of one of their critical applications which was built on for any of the listed projects? If so, describe how Vendor dealt or will Effective Project Management is a key focus at Marcum. As a large audit, tax since 2012, if more projects are needed to help five years. Therefore, Sharepoint. The data assets held by the Sharepoint application were of deal with the projects’ challenges. and consulting firm, the ability to provide services to clients on schedule and identify the capabilities that CampusGuard can instead of providing a list of the over 2,200 projects the firm has completed or is critical importance to the company; the testing was primarily requested to within a set budget is priority. Our techniques include best practices from the provide, they will be made available. Actively currently conducting, ensure that no authorised Project Management Body of Knowledge (PMBOK) and go from the Planning CampusGuard is working on projects with Iowa we are providing a list of clients served (presented in alphabetical order by access could be gained to the data, the backend database, and to ensure to the Reporting phase, going through quality assurance checks. Below is an State (Internal), Bowling Green State University state). that there were no weak overview of the milestones we will use throughout this engagement. We plan (External and Internal), and Resolvity (External configurations that could lead to data compromise. to communicate each of our findings upon the completion of each milestone. and Internal). At this time, Boar’s Head Resort, Nettitude Engagement & Delivery As we meet with your key personnel, we will work with management to lay North Carolina State University and Virginia The average engagement size for Sharepoint applications has been five out specific deadline dates for each milestone that take into consideration the Alcohol Beverage Control are scheduled days of testing and a day of report writing. The average SharePoint needs of your projects for the months of August and application tests conducted have followed our Web Application testing professionals whose time will be required..... September. methodology covering all aspects of the OWASP Top 10....

VENDOR QUESTIONNAIRE FORM Verify that these questions are the same as in the advertised solicitation: 1. Legal business name. 5820 Solutions, LLC MGT of America Consulting, LLC Netitude, Inc. Marcum LLP 2. Doing Business As/ Fictitious Name (if applicable): CampusGuard Netitude

3. Federal Employer I.D. Number. 111986323 203756873 81‐0890071 36‐4694227 4. Dun & Bradstreet Number. (If applicable). 968051180 134960447 02‐096‐7659 968240825 5. Website address (if applicable). www.marcumllp.com www.campusguard.com www.mgtconsulting.com www.Nettitude.com 6. Principal place of business. 451 East Las Olas Boulevard, Ninth Floor 121 S.13th Street, STE 201 3800 Esplanade Way, Suite 210 85 Broad Street, New York NY 10004 Fort Lauderdale, FL 33301 Lincoln NE 68508 Tallahassee, FL 32311 7. Office Location for this project. 121 S.13th Street, STE 201 Tallahassee, FL 85 Broad Street, New York NY 10004 Lincoln NE 68508 451 East Las Olas Boulevard, Ninth Floor Fort Lauderdale, FL 33301 8. Telephone/Fax Number: 419‐873‐7016 Fax no.:972‐867‐4861 Telephone no.:850.386.3191 Fax no.:850.385.4501 Telephone no.:646‐795‐1881 Fax no.: 954‐320‐8000 Fax no.:954‐320‐8001 9. Type of Business Limited Partnership Limited Liability Company ‐ LLC LLC Corporation; S 10. List Florida Registration Number. LLP090003311 L15000199435

34 10/20/2017 1:35 PM RFQ A2114499R1 ‐ Broward County IT Security and Com Category 4 ‐ Security Penetration Testing

Licensing Matrix Optiv Security Plante & Moran, PLLC dba Plante Moran Presidio RSM US LLP 4. Workload of the Firm: List all completed and active projects that Vendor has managed See PDF Pg. 248 ‐ 249 See PDF Pgs. 47 ‐ 50 PDF Pg. 45 RSM maintains confidentiality agreements with many of our clients. For this within the past five years. In addition, list all projected projects that Optiv has the largest dedicated commercial attack and penetration Our team of 40+ cybersecurity consultants has The Presidio Cyber team averages 70 concurrent projects at reason, we cannot name them in proposals or marketing collateral without Vendor will be working on in the near future. Projected projects will team in the world. We performed more than completed projects for hundreds of organizations over any one time. Our project managers ensure that we have express permission. However, in the Past Performance section on the prior be defined as a project(s) that Vendor is awarded a contract but the 600 engagements per year that total 73,000 hours of penetration the past five years. In addition, our team uses multiple resources allocated for the projects. Our project sizes range page, we provide references from clients who can discuss our work with them Notice to Proceed has not been issued. Identify any projects that testing. Optiv’s team of over 50 dedicated pen firm wide project management tools to assist with from $8,000 to $1.6M. We monitor and manage the on issues relevant to your operations. If we are engaged by the County, you Vendor worked on concurrently. Describe Vendor’s approach in testers, average 600+ hours per consultant for training, mentoring and working with dozens of clients each week. Should an workload monthly and make decisions on whether we need will be a priority for our firm and to each member of your engagement team. managing these projects. Were there or will there be any challenges research annually. Our Attack and Pen unexpected conflict occur while working to add additional security consultants to the team. Presidio Our workload fluctuates based on a number of factors, including timing and for any of the listed projects? If so, describe how Vendor dealt or will team is 100% dedicated to penetration testing and is backed by more with the County, the County will be given priority as would assign a project manager and key members upon currently pending engagements. Regardless, our firm has excelled at deal with the projects’ challenges. than 2000 Optiv engineers that can provide necessary. The following is an example list of award of the contract. We would require two‐weeks to get managing its human resources so that our workload never surpasses the assistance and context across the full spectrum of security concerns. In governmental clients that Plante Moran has conducted the team in place. Presidio’s project manager would create ability of our assigned teams to devote the time and attention necessary to addition to performing tests with opensource tools, Optiv leverages Information Technology Security and Audit a project plan that clearly outlines the project timelines add value to our clients’ organizations. Our ability to manage our workload is more than 50 custom developed and proprietary tools... engagements within the last five years:.... and responsibilities for Presidio and Broward County. evidenced by relatively low turnover rates and is supported by clients’ Presidio would schedule weekly meetings with Broward opinions of our service. The engagement team along with County County to track the overall progress of the project. We will management will design a plan that will ensure expectations are met along provide Broward County weekly updates so project status is with responsive and timely delivery of services as required by the County. The communicated. Presidio requests Broward County to engagement in‐charge and staff will be solely dedicated to the County from identify a project sponsor that our project manager would start to finish for the audit. We believe this to be a team effort so that all team work directly with. members understand their roles, expectations, deliverables, and timelines. RSM has the bench strength of our eight Florida offices and our national public sector practice that we can draw upon to ensure that the County is served to the best of our ability. Our public sector team works diligently to ensure our client engagements are scheduled such that our client’s timelines are considered and target dates are met. We do not anticipate any scenario under which we will have difficulty completing the requested work.

VENDOR QUESTIONNAIRE FORM Verify that these questions are the same as in the advertised solicitation: 1. Legal business name. Optiv Security Plante & Moran, PLLC Presidio RSM US LLP

2. Doing Business As/ Fictitious Name (if applicable): Optiv, Optiv Security Plante Moran

3. Federal Employer I.D. Number. 43‐1806449 381357951 58‐1667655 FEIN‐42‐0714325 4. Dun & Bradstreet Number. (If applicable). 01‐946‐6684 004913299 15‐405‐0959 73482424 5. Website address (if applicable). optiv.com plantmoran.com www.presidio.com www.rsmus.com 6. Principal place of business. 1125 17th St., Suite 1700 27400 Northwestern Hwy 12120 Sunset HIlls Rd, Sutie 202 100 NE Third Ave, Suite, Fort Lauderdale, FL 33301 Denver, CO 80202‐2032 Southield, MI 48037 Reston, Va 20190 7. Office Location for this project. N/A Southfield, MI 3250 W. Commercial Blvd Fort Lauderdale Fort Lauderdale, Fl 33309

8. Telephone/Fax Number: Telephone no.:(303) 298‐0600 Fax no.:(303) 298‐0868 Tel:248‐223‐3428 Fax no.:248‐603‐5997 305‐606‐2835 954‐462‐6351

9. Type of Business Corporation; Delaware Limited Partnership LLC Limited Partnership 10. List Florida Registration Number. M11000002358 L15000111335 ADP004384

35 10/20/2017 1:35 PM RFQ A2114499R1 ‐ Broward County IT Security and Com Category 4 ‐ Security Penetration Testing

Verizon Business Network Services Licensing Matrix SeNet International Corporation SHI International Corp Inc. d/b/a Verizon Business Services 4. Workload of the Firm: List all completed and active projects that Vendor has managed See Pages 10 ‐20. Due to the sensitivity and type of services, SHI cannot Verizon is continuously working multiple projects within the past five years. In addition, list all projected projects that provide this information as it relates to other projects concurrently and has the people, process and Vendor will be working on in the near future. Projected projects will and customers either completed or in the future. SHI technology to ensure all active projects are be defined as a project(s) that Vendor is awarded a contract but the would be happy to meet with Broward County discuss meeting the milestones defined on the project Notice to Proceed has not been issued. Identify any projects that our approach and any challenges we may have scope. We do not anticipate any challenges; Vendor worked on concurrently. Describe Vendor’s approach in experienced on similar projects. SHI believes in however, should issues arise we have a managing these projects. Were there or will there be any challenges transparency and any time we come upon a challenge welldefined process for identifying the root cause for any of the listed projects? If so, describe how Vendor dealt or will with a project we work with the customer to let them and developing a remediation plan. deal with the projects’ challenges. know the issues and possible solutions. SHI has a clearly defined escalation path so if a challenge arises the proper people can be engaged to assist. In addition as one of the top provider of IT solutions, SHI has built solid relationships with IT manufacturers and has a network of partners to work with should any challenges encountered required additional products or resources.

VENDOR QUESTIONNAIRE FORM Verify that these questions are the same as in the advertised solicitation: 1. Legal business name. SHI International Corp Verizon Business Network Services Inc. on behalf SeNet International Corporation of MCI Communications Services Inc. 2. Doing Business As/ Fictitious Name (if applicable): d/b/a/ Verizon Business Services (Verizon Business or Verizon) 3. Federal Employer I.D. Number. 54‐1902349 22‐3009648 13‐2745892 4. Dun & Bradstreet Number. (If applicable). 07‐9941139 61‐142‐9481 556565836 5. Website address (if applicable). www.senet‐int.com www.shi.com www.verizonenterprise.com 6. Principal place of business. 290 Davidson Ave Somerset, New Jersey 08873 OneVerizon Way, Basking Ridge NJ 07920 3040 Williams Drive, Suite 510, Fairfax, VA 22031 7. Office Location for this project. 290 Davidson Ave Somerset, New Jersey 08873 Tampa, FL

3040 Williams Drive, Suite 510, Fairfax, VA 22031 8. Telephone/Fax Number: 800‐477‐6479 no.:(813) 520‐9786 Fax no.:813‐978‐6751 Telephone no.:(703) 206‐9383 Fax no.:(703) 206‐9666 9. Type of Business Corporation; Virginia Corporation; New Jersey Corporation; Delaware 10. List Florida Registration Number. F‐01000004066 829591

36 10/20/2017 1:35 PM RFQ A2114499R1 ‐ Broward County IT Security and Compliance Services Category 4 ‐ Security Penetration Testing

Prime: 3K Technologies LLC Subs: Managni Systems, Inc. ; Aujas Information Risk Licensing Matrix 1st Secure IT LLC Services ATT 11. List name and title of each principal, owner, officer and major a) Dewsnap, Stephen a) Krishna K Chittabathini a. Thadeus Arroyo, President and CEO AT&T, 208 S. Akard St., Dallas, TX shareholder. b) Espana, Alberto b) Sireesha Chittabathini 75202 c) Akins, Mark b. Anne Chow, President‐Integrator Solutions, AT&T, 208 S. Akard St., d) Rodrigues, Abelardo Suite 3514, Dallas, TX 75202 e) Finizio, Stephen c. Frank Jules, President ‐ Global Business AT&T, 208 S. Akard St., Suite f) Dewsnap, Edward 3509, Dallas, TX 75202 d. Cathy Martine‐Dolecki, President ‐ Natl Bus AT&T, 1 AT&T Way, Bedminster, NJ 07921 e. Delores McCarty, Assistant Secretary AT&T, 675 W Peachtree St, NW, Atlanta, GA 30308 f. George B. Goeke, CFO and Treasurer AT&T, 208 S. Akard St., Suite 1824, Dallas, TX 75202 AT&T is a publicly held corporation. No single person owns more than 10% of the company. It is an independent, publicly traded telecommunications services provider. The names and titles of the AT&T Inc. officers are • Randall Stephenson—Chairman and Chief Executive Officer (CEO) • William Blase—Senior Executive Vice President, Human Resources • James Cicconi—Senior Executive Vice President, External and Legislative Affairs • Ralph de la Vega—President and Chief Executive Officer (CEO), AT&T Mobile and Business Solutions • John Donovan—Senior Executive Vice President, AT&T Technology and Operations and Corporate Strategy • Jose Gutierrez—Senior Vice President, Executive Operations • David Huntley—Chief Compliance Officer 12. Authorized contacts for your firm. Name: STEPHEN M DEWSNAP Name: Krishna K Chittaathini Name: Dwayne Stafford d d lbl k ff Title: Managing Partner Title: CEO Title: Strategic Account Lead E‐mail: [email protected] E‐mail: [email protected] E‐mail: [email protected] Telephone No.: 866‐735‐3369 x110 Telephone No.: 4087165901 Telephone No.: 786‐479‐4113 Name: MARK AKINS Name: Murali Gomatam Name: Esther Martin Title: Managing Partner Title: President Title: Strategic Account Lead E‐mail: [email protected] E‐mail: [email protected] E‐mail: [email protected] Telephone No.: 866‐735‐3369 x120 Telephone No.: 4087165907 Telephone No.: 305‐582‐9541

13. Has your firm, its principals, officers or predecessor No No No organization(s) been debarred or suspended by any government entity within the last three years? If yes, specify details in an attached written response. 14. Has your firm, its principals, officers or predecessor No No No organization(s) ever been debarred or suspended by any government entity? If yes, specify details in an attached written response, including the reinstatement date, if granted.

37 10/20/2017 1:35 PM RFQ A2114499R1 ‐ Broward County IT Security and Com Category 4 ‐ Security Penetration Testing

Prime: Carahsoft Technology Corp Licensing Matrix BreakPoint Labs Solution Provider: Trustwave Crowe Horwath LLP Enterprise Risk Management, Inc. 11. List name and title of each principal, owner, officer and major a) Thomas George, CEO a) Craig P. Abod ‐ President a) James Powers, CEO a) Silka Gonzalez ‐ President shareholder. b) William Glodek, President b) Robert Moore ‐ Vice President b) Joseph Santucci, COO b) Michelle Miller ‐ COO c) Andrew McNicol, CTO c) Jillian Szczepanek ‐ Controller c) Todd Welu, CFO c) Esteban Farao ‐ Director of Consulting Services d) Jennifer Taha ‐ Proposals Director d) Crowe Horwath LLP is a limited liability partnership with more than 275 partners/principals. If required, we will provide a complete listing of the partner/principals. The names and titles of the firm's leadership is available at www.crowehorwath.com/leadership.

12. Authorized contacts for your firm. Name: Zachary Meyers Name: Aaron Giannini Name: Craig Sullivan Name: Silka Gonzalez Title: Security Engineer Title: Account Representative Title: Partner Title: President E‐mail: Zmeyers@breakpoint‐labs.com E‐mail: [email protected] E‐mail: [email protected] E‐mail: [email protected] Telephone No.: Telephone No.: 703.889.9848 Telephone No.: 574.236.7618 Telephone No.: 305‐447‐6750 Name: Shane Garhart Name: Jennifer Taha Name: Michelle Miller Title: Business Development Title: Proposals Director Title: COO E‐mail: sgarhart@breakpoint‐labs E‐mail: [email protected] E‐mail: [email protected] Telephone No.: 301‐3516713 Telephone No.: 703.871.8556 Telephone No.: 305‐447‐6750

13. Has your firm, its principals, officers or predecessor No No No No organization(s) been debarred or suspended by any government entity within the last three years? If yes, specify details in an attached written response. 14. Has your firm, its principals, officers or predecessor No No No No organization(s) ever been debarred or suspended by any government entity? If yes, specify details in an attached written response, including the reinstatement date, if granted.

38 10/20/2017 1:35 PM RFQ A2114499R1 ‐ Broward County IT Security and Com Category 4 ‐ Security Penetration Testing

Prime: JohnsTek Inc. Licensing Matrix Focal Point Data Risk LLC Foresite MSP LLC Global Information Intelligence LLC Sub: IOMAXIS 11. List name and title of each principal, owner, officer and major a) Andrew Cannata ‐ Principal, Cyber Security Robin Mano ‐ CEO a) DR. EMMANUEL HOOPER, PHD, PHD, PHD, Harvard Yale Alumni, Scott A Johnston shareholder. b) Christie Verscharen ‐ Principal, PCI and Risk Services George Farris ‐ Board Member President c) Eric Dieterich ‐ Principal, Data Privacy David Cohen ‐ Board Member b) Theresa Marie Hooper, BA (Harvard),Senior Executive Gary Fish ‐ Board Member

12. Authorized contacts for your firm. Name: Andrew Cannata Jason Leduc Name: DR. EMMANUEL HOOPER, PHD, PHD, PHD Name: Scott A Johnston Title: Principal, Cyber Security VP Cyber Security Services Title: President Title: President E‐mail: acannata@focal‐point.com [email protected] E‐mail: [email protected] E‐mail: [email protected] Telephone No.: (813) 731‐9074 732‐674‐0871 Telephone No.: 408‐250‐9045 Telephone No.: 786.375.9020 Name: Eric Dieterich Name: Theresa M. Hooper Title: Principal, Data Privacy John Lavelle Title: Senior Executive E‐mail: edieterich@focal‐point.com Controller E‐mail: [email protected] Telephone No.: (786) 390‐1490 [email protected] Telephone No.: 714‐331‐1173 800‐940‐4699 ext 227 13. Has your firm, its principals, officers or predecessor No No No No organization(s) been debarred or suspended by any government entity within the last three years? If yes, specify details in an attached written response. 14. Has your firm, its principals, officers or predecessor No No No No organization(s) ever been debarred or suspended by any government entity? If yes, specify details in an attached written response, including the reinstatement date, if granted.

39 10/20/2017 1:35 PM RFQ A2114499R1 ‐ Broward County IT Security and Com Category 4 ‐ Security Penetration Testing

Prime: Marcum LLP Merchant Preservation Services, LLC d/b/a Licensing Matrix Sub: 24by7 Security CampusGuard MGT of America Consulting, LLC Nettitude, Inc. d/b/a Nettitude 11. List name and title of each principal, owner, officer and major a) Michael Balter, Regional Managing Partner a) Harvey Gannon ‐ CEO a) A. Trey Traviesa, Chairman & CEO a) Rowland Johnson shareholder. b) Mark Agulnik, Partner b) Ronald E. King ‐ President b) Fred Seamon, Executive Vice President b) Ben Densham c) David Appel, Partner c) Brad Burgess, Executive Vice President c) Martin Watts d) Shaun Blogg, Partner d) Mitchell Titley e) Ilyssa Blum, Partner f) Marc Breslow, Partner g) Michael Curto, Partner h) Adam Firestein, Partner i) Michael Futterman, Partner j) John Gabriel, Partner k) Cecelia Garber, Partner l) Kim Lamplough, Partner m) Michele Lipson, Partner n) Michael Novak, Partner Marcum LLP is managed by more than 140 partners around the country. Below is a list of partners from our local Florida offices. A complete list of partners around the country is available at www.marcumllp.com/people‐ search.

12. Authorized contacts for your firm. Name: Mark Agulnik Name: Andy Grant Name: A. Trey Traviesa Name: Miles Corn Title: Partner Title: Director, National Business Development Title: Chairman & CEO Title: Head of Bid Management E‐mail: [email protected] E‐mail: [email protected] E‐mail: [email protected] E‐mail: [email protected] Telephone No.: 954‐320‐8000, Ext. 38013 Telephone No.: 419‐873‐7016 Telephone No.: 850.386.3191 Telephone No.: 646‐795‐1881 Name: Jose Antigua Name: Ron King Name: Fred Seamon Name: Karen Bolton Title: Senior Manager Title: President Title: Executive Vice President Title: EVP & Leader North America E‐mail: [email protected] E‐mail: [email protected] E‐mail: [email protected] E‐mail: [email protected] Telephone No.: 954‐320‐800, 38054 Telephone No.: 972‐964‐8884 Telephone No.: 850.386.3191 Telephone No.: 646‐795‐1898

40 10/20/2017 1:35 PM RFQ A2114499R1 ‐ Broward County IT Security and Com Category 4 ‐ Security Penetration Testing

Licensing Matrix Optiv Security Plante & Moran, PLLC dba Plante Moran Presidio RSM US LLP 11. List name and title of each principal, owner, officer and major a) Dan Burns ‐ CEO a) James Proppe, Managing Partner Regarding principals, owners, etc., not applicable. Presidio shareholder. b) David Roshak ‐ CFO b) Dnnis Graham, Group Managing Partner is a publicly owned company. c) Nate Brady ‐ CAO c) Frank Audia, CIO d) Veena Bricker ‐ CHRO d) Beth Bialy, Government Industry Group Leader

12. Authorized contacts for your firm. Name: Doug Hart Name: Raj Patel Name: Jill Finkelstein Jason Alexander Title: Client Manager Title: Partner Title: Business Development Manager Principal E‐mail: [email protected] E‐mail: [email protected] E‐mail: [email protected] 786‐239‐4279 Telephone No.: 305‐972‐8137 Telephone No.: 248‐223‐3428 Telephone No.: 305‐606‐2835 Name: Michael Mangra Name: Scott Eiler Name: Ralph Gentile Title: Solutions Architects Title: Partner Title: Sales Lead E‐mail: [email protected] E‐mail: [email protected] E‐mail: [email protected] Telephone No.: 561‐670‐1536 Telephone No.: 248‐223‐3447 Telephone No.: 954‐817‐0690

41 10/20/2017 1:35 PM RFQ A2114499R1 ‐ Broward County IT Security and Com Category 4 ‐ Security Penetration Testing

Verizon Business Network Services Licensing Matrix SeNet International Corporation SHI International Corp Inc. d/b/a Verizon Business Services 11. List name and title of each principal, owner, officer and major a) Anatoly Kozushin, President Thai Lee please see: shareholder. b) Ilan Katz, CEO Koguan Leo http://www.verizon.com/about/investors/corpora c) Gus Fritschie, Chief Technology Officer te‐governance MCI Communications Services Inc. d) Steve Davis, COO (100% Shareholder)

12. Authorized contacts for your firm. Name: Meghan Flisakowski Name: Frank Parra Name: Anatoly Kozushin Title: Public Program Manager Title: Sr. Client Executive Title: President E‐mail: [email protected] E‐mail: [email protected] E‐mail: toly.kozushin@senet‐int.com Telephone No.: 5125174088 Telephone No.: (813) 520‐9786 Telephone No.: (703) 206‐9383 Name: Natalie Castagno Name: Ilan Katz Title: Director Response Team Title: CEO E‐mail: [email protected] E‐mail: Ilan.Katz@senet‐int.com Telephone No.: 732‐868‐5902 Telephone No.: (703) 206‐9383 13. Has your firm, its principals, officers or predecessor No No No organization(s) been debarred or suspended by any government entity within the last three years? If yes, specify details in an attached written response. 14. Has your firm, its principals, officers or predecessor No No No organization(s) ever been debarred or suspended by any government entity? If yes, specify details in an attached written response, including the reinstatement date, if granted.

42 10/20/2017 1:35 PM RFQ A2114499R1 ‐ Broward County IT Security and Compliance Services Category 4 ‐ Security Penetration Testing

Prime: 3K Technologies LLC Subs: Managni Systems, Inc. ; Aujas Information Risk Licensing Matrix 1st Secure IT LLC Services ATT 15. Has your firm ever failed to complete any services and/or delivery No No We are unaware of any work completion issues that would impair our of products during ability to meet our obligations under any contract. AT&T is a large the last three (3) years? If yes, specify details in an attached written company with an international presence and significant contractual response. relations. Given the size and scope of our business, we from time to time over our history have been involved in occasional alleged contract performance claims and legal actions. However, AT&T is a well‐capitalized company with assets in excess of any outstanding claims or lawsuits. As such, we are unaware of any contact performance claim or legal action that would preclude or impair our ability to meet our obligations or perform our duties under any contract. We serve millions of customers around the globe, and we'll work hard to honor our promises.

16. Is your firm or any of its principals or officers currently principals Yes. No Yes or officers of another organization? If yes, specify details in an Dewsnap, Stephen attached written response. • Microliance, LLC – Partner • Interlink Commerce, LLC – Partner Espana, Alberto • Payment Power, Inc. Finizio, Stephen • Advantage Networking ‐ Owner • Advantage Web Consulting ‐ Owner • Tend Skin Store ‐ Partner Dewsnap, Edward • Microliance, LLC – Partner • Interlink Commerce, LLC ‐ Partner

17. Have any voluntary or involuntary bankruptcy petitions been filed No No No by or against your firm, its parent or subsidiaries or predecessor organizations during the last three years? If yes, specify details in an attached written response. 18. Has your firm’s surety ever intervened to assist in the completion No No No of a contract or have Performance and/or Payment Bond claims been made to your firm or its predecessor’s sureties during the last three years? If yes, specify details in an attached written response, including contact information for owner and surety.

43 10/20/2017 1:35 PM RFQ A2114499R1 ‐ Broward County IT Security and Com Category 4 ‐ Security Penetration Testing

Prime: Carahsoft Technology Corp Licensing Matrix BreakPoint Labs Solution Provider: Trustwave Crowe Horwath LLP Enterprise Risk Management, Inc. 15. Has your firm ever failed to complete any services and/or delivery No Yes, Like all large professional service firms, Crowe is, from time to No of products during time, subject to contract disputes or issues where contracts may be the last three (3) years? If yes, specify details in an attached written terminated for a variety of reasons, including without limitation lack response. of client funding, disputes over the scope of the work, or payment disputes. Through active management and communication with our clients, Crowe is usually successful in anticipating such areas and working with the client to mitigate these issues.

16. Is your firm or any of its principals or officers currently principals No No No No or officers of another organization? If yes, specify details in an attached written response.

17. Have any voluntary or involuntary bankruptcy petitions been filed No No No by or against your firm, its parent or subsidiaries or predecessor organizations during the last three years? If yes, specify details in an attached written response. 18. Has your firm’s surety ever intervened to assist in the completion No No No No of a contract or have Performance and/or Payment Bond claims been made to your firm or its predecessor’s sureties during the last three years? If yes, specify details in an attached written response, including contact information for owner and surety.

44 10/20/2017 1:35 PM RFQ A2114499R1 ‐ Broward County IT Security and Com Category 4 ‐ Security Penetration Testing

Prime: JohnsTek Inc. Licensing Matrix Focal Point Data Risk LLC Foresite MSP LLC Global Information Intelligence LLC Sub: IOMAXIS 15. Has your firm ever failed to complete any services and/or delivery No No No No of products during the last three (3) years? If yes, specify details in an attached written response.

16. Is your firm or any of its principals or officers currently principals No Principal invests in multiple businesses No No or officers of another organization? If yes, specify details in an attached written response.

17. Have any voluntary or involuntary bankruptcy petitions been filed No No No No by or against your firm, its parent or subsidiaries or predecessor organizations during the last three years? If yes, specify details in an attached written response. 18. Has your firm’s surety ever intervened to assist in the completion No No No No of a contract or have Performance and/or Payment Bond claims been made to your firm or its predecessor’s sureties during the last three years? If yes, specify details in an attached written response, including contact information for owner and surety.

45 10/20/2017 1:35 PM RFQ A2114499R1 ‐ Broward County IT Security and Com Category 4 ‐ Security Penetration Testing

Prime: Marcum LLP Merchant Preservation Services, LLC d/b/a Licensing Matrix Sub: 24by7 Security CampusGuard MGT of America Consulting, LLC Nettitude, Inc. d/b/a Nettitude 15. Has your firm ever failed to complete any services and/or delivery No No No No of products during the last three (3) years? If yes, specify details in an attached written response.

p// p / / gp 16. Is your firm or any of its principals or officers currently principals Marcum Group is an organization providing a comprehensive range of No Yes. Principal is CEO of MGT of America Consulting, LLC and Strategos Public No or officers of another organization? If yes, specify details in an professional services spanning accounting and advisory, technology solutions, Affairs, LLC, both wholly owned subsidiaries of MGT of America, LLC. attached written response. wealth management and executive and professional recruiting. MARCUM LLP Marcum LLP is one of the largest independent public accounting and advisory services firms in the nation, with offices in major business markets throughout the U.S., Grand Cayman and China. MARCUM FINANCIAL SERVICES Marcum Financial Services was founded in late 2009 by combining the expertise of several professionals and firms with extensive investment, financial and business experiences. MARCUM SEARCH Marcum Search LLC offers professional recruiting services. Our recruiters recognize the importance of working closely with companies and prospective candidates to ensure the perfect match. MARCUM TECHNOLOGY Marcum Technology LLC is a full‐service integrated solutions vendor (ISV) specializing in data storage, disaster recovery, network infrastructure, IT staffing and managed services. MARCUM BERNSTEIN & PINCHUK Marcum Bernstein & Pinchuk is an independent public accounting firm. We provide a full range of audit and assurance, tax and transaction advisory services for clients in a variety of industries. MARCUM RBK (IRELAND) LIMITED Marcum RBK is a service center for current and future hedge fund and private equity fund clients of the Marcum Alternative Investment Group.

46 10/20/2017 1:35 PM RFQ A2114499R1 ‐ Broward County IT Security and Com Category 4 ‐ Security Penetration Testing

Licensing Matrix Optiv Security Plante & Moran, PLLC dba Plante Moran Presidio RSM US LLP 15. Has your firm ever failed to complete any services and/or delivery No of products during the last three (3) years? If yes, specify details in an attached written response.

16. Is your firm or any of its principals or officers currently principals No No No No or officers of another organization? If yes, specify details in an attached written response.

17. Have any voluntary or involuntary bankruptcy petitions been filed by or against your firm, its parent or subsidiaries or predecessor organizations during the last three years? If yes, specify details in an attached written response. 18. Has your firm’s surety ever intervened to assist in the completion No No No No of a contract or have Performance and/or Payment Bond claims been made to your firm or its predecessor’s sureties during the last three years? If yes, specify details in an attached written response, including contact information for owner and surety.

47 10/20/2017 1:35 PM RFQ A2114499R1 ‐ Broward County IT Security and Com Category 4 ‐ Security Penetration Testing

Verizon Business Network Services Licensing Matrix SeNet International Corporation SHI International Corp Inc. d/b/a Verizon Business Services 15. Has your firm ever failed to complete any services and/or delivery No No No of products during the last three (3) years? If yes, specify details in an attached written response.

16. Is your firm or any of its principals or officers currently principals No No No or officers of another organization? If yes, specify details in an attached written response.

48 10/20/2017 1:35 PM RFQ A2114499R1 ‐ Broward County IT Security and Compliance Services Category 4 ‐ Security Penetration Testing

Prime: 3K Technologies LLC Subs: Managni Systems, Inc. ; Aujas Information Risk Licensing Matrix 1st Secure IT LLC Services ATT 19. Has your firm ever failed to complete any work awarded to you, No No We are unaware of any work completion issues that would impair our services and/or ability to meet our obligations under any contract. AT&T is a large delivery of products during the last three (3) years? If yes, specify company with an international presence and significant contractual details in an relations. Given the size and scope of our business, attached written response. we from time to time over our history have been involved in occasional alleged contract performance claims and legal actions. However, AT&T is a well‐capitalized company with assets in excess of any outstanding claims or lawsuits. As such, we are unaware of any contact performance claim or legal action that would preclude or impair our ability to meet our obligations or perform our duties under any contract. We serve millions of customers around the globe, and we'll work hard to honor our promises.

20. Has your firm ever been terminated from a contract within the No Except for material matters that AT&T discloses in filings with the last three years? If yes, specify details in an attached written Securities and Exchange Commission or otherwise discloses in response to response. subpoenas or other valid court orders, AT&T is legally and contractually prohibited from disclosing information to third parties about contractual matters. Also, due to the size and scale of AT&T’s operations, as a practical matter, AT&T cannot state with absolute certainty whether AT&T has defaulted under a contract. Notwithstanding the legal and practical restrictions that limit AT&T’s ability to disclose specific contract performance issues, AT&T can assure Customer that AT&T is capable of performing the services requested under this RFP and that AT&T has no history or pattern of performance issues with other customers that would affect AT&T’s ability to perform the services requested by Customer. AT&T reiterates that AT&T is not aware of any circumstances involving performance under another contract which would materially and adversely impact AT&T’s ability to perform services for Customer. Moreover, AT&T is not aware of any circumstance when AT&T was not awarded a bid due to non‐performance concerns about AT&T by the entity sponsoring a particular procurement. AT&T is forced to qualify such assurances to the best of its knowledge due to the scale and scope of AT&T’s operations. AT&T will not be able to provide such assurances with absolute certainty with respect to every contract or bid opportunity in which AT&T has participated.

21. Living Wage solicitations only: N/A N/A No

49 10/20/2017 1:35 PM RFQ A2114499R1 ‐ Broward County IT Security and Com Category 4 ‐ Security Penetration Testing

Prime: Carahsoft Technology Corp Licensing Matrix BreakPoint Labs Solution Provider: Trustwave Crowe Horwath LLP Enterprise Risk Management, Inc. 19. Has your firm ever failed to complete any work awarded to you, No No Yes, Like all large professional service firms, Crowe is, from time to No services and/or time, subject to contract disputes or issues where contracts may be delivery of products during the last three (3) years? If yes, specify terminated for a variety of reasons, including without limitation lack details in an of client funding, disputes over the scope of the work, or payment attached written response. disputes. Through active management and communication with our clients, Crowe is usually successful in anticipating such areas and working with the client to mitigate these issues.

20. Has your firm ever been terminated from a contract within the No No Yes, Like all large professional service firms, Crowe is, from time to No last three years? If yes, specify details in an attached written time, subject to contract disputes or issues where contracts may be response. terminated for a variety of reasons, including without limitation lack of client funding, disputes over the scope of the work, or payment disputes. Through active management and communication with our clients, Crowe is usually successful in anticipating such areas and working with the client to mitigate these issues.

21. Living Wage solicitations only: N/A N/A

50 10/20/2017 1:35 PM RFQ A2114499R1 ‐ Broward County IT Security and Com Category 4 ‐ Security Penetration Testing

Prime: JohnsTek Inc. Licensing Matrix Focal Point Data Risk LLC Foresite MSP LLC Global Information Intelligence LLC Sub: IOMAXIS 19. Has your firm ever failed to complete any work awarded to you, No No No No services and/or delivery of products during the last three (3) years? If yes, specify details in an attached written response.

20. Has your firm ever been terminated from a contract within the No No No No last three years? If yes, specify details in an attached written response.

21. Living Wage solicitations only: N/A N/A N/A N/A

51 10/20/2017 1:35 PM RFQ A2114499R1 ‐ Broward County IT Security and Com Category 4 ‐ Security Penetration Testing

Prime: Marcum LLP Merchant Preservation Services, LLC d/b/a Licensing Matrix Sub: 24by7 Security CampusGuard MGT of America Consulting, LLC Nettitude, Inc. d/b/a Nettitude 19. Has your firm ever failed to complete any work awarded to you, Our firm enters in to Engagement letters with clients that allow for cessation No No No services and/or of work and/or termination by either party in certain circumstances. delivery of products during the last three (3) years? If yes, specify details in an attached written response.

20. Has your firm ever been terminated from a contract within the Our firm enters in to Engagement letters with clients that allow for cessation No No No last three years? If yes, specify details in an attached written of work and/or termination by either party in certain circumstances. response.

21. Living Wage solicitations only: N/A N/A N/A N/A

52 10/20/2017 1:35 PM RFQ A2114499R1 ‐ Broward County IT Security and Com Category 4 ‐ Security Penetration Testing

Licensing Matrix Optiv Security Plante & Moran, PLLC dba Plante Moran Presidio RSM US LLP 19. Has your firm ever failed to complete any work awarded to you, No No No No services and/or delivery of products during the last three (3) years? If yes, specify details in an attached written response.

20. Has your firm ever been terminated from a contract within the No No – Plante Moran is not aware of any client No No last three years? If yes, specify details in an attached written terminating a contract involving the provision of response. information technology security and compliance services. As one of the country’s largest accounting and consulting firms with thousands of annual engagements, there likely have been instances during the last three years where clients receiving tax or accounting‐related services have elected to use other service providers for their particular needs. Plante Moran’s record of client service and satisfaction is best in class, with 99% of clients indicating they would recommend Plante Moran to others.

21. Living Wage solicitations only:

53 10/20/2017 1:35 PM RFQ A2114499R1 ‐ Broward County IT Security and Com Category 4 ‐ Security Penetration Testing

Verizon Business Network Services Licensing Matrix SeNet International Corporation SHI International Corp Inc. d/b/a Verizon Business Services 19. Has your firm ever failed to complete any work awarded to you, No No No services and/or delivery of products during the last three (3) years? If yes, specify details in an attached written response.

20. Has your firm ever been terminated from a contract within the No No No last three years? If yes, specify details in an attached written response.

21. Living Wage solicitations only: No No No

54 10/20/2017 1:35 PM RFQ A2114499R1 ‐ Broward County IT Security and Compliance Services Category 5 ‐ Security Incident Response

Prime: Carahsoft Technology Corp Licensing Matrix ATT Solution Provider: Trustwave Crowe Horwath LLP RESPONSIBILTY REQUIREMENTS Servers and Workers Located in the USA Attestation Form Provided / See PDF Pg. 569 Provided ‐ See Page 47 Provided ‐ See PDF Pg. 9 AND 1. GIAC Certified Incident Handler (GCIH) on staff and proposed key team member Not Provided Provided Provided Requirement Met Requirement Met Requirement Met OR EnCase Certified Examiner (EnCe) on staff and proposed key team member Provided Not Provided Not Provided Requirement Met Requirement Met Requirement Met OR Not Provided Not Provided Not Provided Forensic Toolkit (FTK) on staff and proposed key team member Requirement Met Requirement Met Requirement Met FORMS Vendor Questionnaire Form Provided Provided Provided

Provided Vendor Security Questionnaire Form Provided Provided

1 10/20/2017 1:36 PM RFQ A2114499R1 ‐ Broward County IT Security and Compliance Services Category 5 ‐ Security Incident Response

Licensing Matrix Enterprise Risk Management, Inc. Foresite MSP LLC Global Information Intelligence LLC RESPONSIBILTY REQUIREMENTS Servers and Workers Located in the USA Attestation Form Provided Provided Provided AND 1. GIAC Certified Incident Handler (GCIH) on staff and proposed key team member Not Provided Provided Provided Requirement Met Requirement Met Requirement Met OR EnCase Certified Examiner (EnCe) on staff and proposed key team member Provided Not Provided Not Provided Requirement Met Requirement Met Requirement Met OR Not Provided Not Provided Not Provided Forensic Toolkit (FTK) on staff and proposed key team member Requirement Met Requirement Met Requirement Met FORMS Vendor Questionnaire Form Provided Provided Provided

Provided Provided Vendor Security Questionnaire Form Provided

2 10/20/2017 1:36 PM RFQ A2114499R1 ‐ Broward County IT Security and Compliance Services Category 5 ‐ Security Incident Response

Licensing Matrix MGT of America Consulting, LLC Nettitude, Inc. d/b/a Nettitude Optiv Security RESPONSIBILTY REQUIREMENTS Servers and Workers Located in the USA Attestation Form Provided ‐ See PDF Pg. 23 Provided ‐ See PDF Pg. 42 Provided AND 1. GIAC Certified Incident Handler (GCIH) on staff and proposed key team member Provided Provided Provided Requirement Met Requirement Met Requirement Met OR EnCase Certified Examiner (EnCe) on staff and proposed key team member Not Provided Not Provided Provided Requirement Met Requirement Met Requirement Met OR Not Provided Not Provided Not Provided Forensic Toolkit (FTK) on staff and proposed key team member Requirement Met Requirement Met Requirement Met FORMS Vendor Questionnaire Form Provided Provided Provided

Provided Provided Provided Vendor Security Questionnaire Form

3 10/20/2017 1:36 PM RFQ A2114499R1 ‐ Broward County IT Security and Compliance Services Category 5 ‐ Security Incident Response

Licensing Matrix Plante & Moran, PLLC dba Plante Moran RSM US LLP SeNet International Corporation RESPONSIBILTY REQUIREMENTS Servers and Workers Located in the USA Attestation Form Provided Provided Provided AND 1. GIAC Certified Incident Handler (GCIH) on staff and proposed key team member Not Provided Not Provided Not Provided Requirement Not Met Requirement Not Met OR EnCase Certified Examiner (EnCe) on staff and proposed key team member Not Provided Provided Not Provided Requirement Not Met Requirement Met Requirement Not Met OR Not Provided Not Provided Not Provided Forensic Toolkit (FTK) on staff and proposed key team member Requirement Not Met Requirement Not Met FORMS Vendor Questionnaire Form Provided Provided Provided

Provided Provided Provided Vendor Security Questionnaire Form

4 10/20/2017 1:36 PM RFQ A2114499R1 ‐ Broward County IT Security and Compliance Services Category 5 ‐ Security Incident Response

Verizon Business Network Services Inc. d/b/a Verizon Licensing Matrix Business Services RESPONSIBILTY REQUIREMENTS Servers and Workers Located in the USA Attestation Form Provided AND 1. GIAC Certified Incident Handler (GCIH) on staff and proposed key team member Provided Requirement Met OR EnCase Certified Examiner (EnCe) on staff and proposed key team member Not Provided Requirement Met OR Not Provided Forensic Toolkit (FTK) on staff and proposed key team member Requirement Met FORMS Vendor Questionnaire Form Provided

Provided Vendor Security Questionnaire Form

5 10/20/2017 1:36 PM Category 5 ‐ Security Incident Response

Prime: Carahsoft Technology Corp Licensing Matrix ATT Solution Provider: Trustwave Crowe Horwath LLP EVALUATION CRITERIA 1. Ability of Professional Personnel: a. Describe the qualifications and relevant experience of the Project Manager and all key staff See PDF Pgs. 546 ‐ 547. See PDF Pg. 33 See Resumes ‐ PDF Pgs. 138 ‐ 144 that are intended to be assigned to services performed within this category. Include resumes for Having responded to more than 2,000 data security incidents, performed thousands of Tim Bryan, CPA, CFF, CITP, CISA, EnCE, Partner, 15+ years experience the Project Manager and all key staff described. CONFIDENTIAL network penetration tests and carried‐out hundreds of application security tests, Aaron Reyes, EnCE, CSx, MCTS, MCP, Senior Manager, 10+ years experience Trustwave SpiderLabs, and by extension its clients, stays apprised of the latest threats and David McKnight, CISSP, Senior Manager, 19+ years experience Pgs 35: methods of data compromise. Kiel Murray, Senior Manager, 7+ years experience Non‐Disclosure Statement "The information in this We've worked cases involving the theft of Payment Card Industry (PCI) data, electronic document is AT&T Corp. Confidential, and cannot be protected health information (ePHI), personally identifiable information (PII), industry reproduced or redistributed in any way, shape, or form trade secrets, sensitive corporate information, classified data and other types of protected without prior written consent from AT&T Corp. © assets. Organizations large and small select Trustwave SpiderLabs to augment their team Copyright 2017 AT&T Corp. AT&T Corp., the AT&T Corp. through our incident response and readiness expertise. This includes: logo, and all other trademarks, service marks, and designs Free consultation to assess your business environment, risk and needs are registered or unregistered trademarks of AT&T Corp. Integrated security technologies through a single source Intellectual Property and/or AT&T Corp. affiliated 24x7x365 support and dedicated security and compliance analysts companies." Access to our cloud‐based management portal "Follow the Threat" global Security Operations Centers Pgs 36‐ 223: $100,000 Breach Protection Program "AT&T Consulting Proprietary and Confidential Information"

Pgs 418‐568 AT&T Proprietary: The information contained herein is for use by authorized persons only and is not for general distribution.

b. List any other relevant Security and Compliance Industry certifications that the Project See PDF Pgs. 546 ‐ 547. See PDF Pg. 33 See Resumes ‐ PDF Pgs. 138 ‐ 144 Manager and key staff described may have. Include copies of certificates, if applicable. Please see the representative biographies embedded below, including the typical Tim Bryan, CPA, CFF, CITP, CISA, EnCE, Partner, 15+ years experience CONFIDENTIAL certifications held by the resources who may be assigned to your project. Aaron Reyes, EnCE, CSx, MCTS, MCP, Senior Manager, 10+ years experience David McKnight, CISSP, Senior Manager, 19+ years experience Pgs 35: Kiel Murray, Senior Manager, 7+ years experience Non‐Disclosure Statement "The information in this document is AT&T Corp. Confidential, and cannot be reproduced or redistributed in any way, shape, or form without prior written consent from AT&T Corp. © Copyright 2017 AT&T Corp. AT&T Corp., the AT&T Corp. logo, and all other trademarks, service marks, and designs are registered or unregistered trademarks of AT&T Corp. Intellectual Property and/or AT&T Corp. affiliated companies."

Pgs 36‐ 223: "AT&T Consulting Proprietary and Confidential Information"

Pgs 418‐568 AT&T Proprietary: The information contained herein is for use by authorized persons only and is not for general distribution.

6 10/20/2017 1:36 PM Category 5 ‐ Security Incident Response

Licensing Matrix Enterprise Risk Management, Inc. Foresite MSP LLC Global Information Intelligence LLC EVALUATION CRITERIA 1. Ability of Professional Personnel: a. Describe the qualifications and relevant experience of the Project Manager and all key staff See Resumes PDF Pg. 129‐135; Certifications PDF See Bios ‐ Jason L, Specialities: Compliance and Network See PDF Pg. 78 ‐ 79 that are intended to be assigned to services performed within this category. Include resumes for Pgs. 136‐139 Security, 20+ years experience, QSA PCI, PA QSA, PCIP PCI, Principal and Senior INFORMATION TECHNOLOGY (IT) SECURITY AND the Project Manager and all key staff described. Esteban Orlando Farao, CISSP, CISA, CISO, CRISC, SANS GIAC GSNA, GCIH, GPEN COMPLIANCE SERVICES Expert: Dr. Emmanuel Hooper, PhD, PhD, PhD CEH, QSA, and PCIP.PCI QSA, 20+ years experience Thomas A, Specialities, Compliance and Network Security, 15+ Information Security and Computing Sciences (Over 30 years of Maria Rogers, CEH, CFE, Information Security years experience, QSA PCI, CISSP, HCISSP Professional Experience and 25 years of Research, Harvard and Yale Consultant, Extensive experience in software testing John W, Compliance, Network Security, and Incident Alumnus, Summa Cum Laude, and Oxford Research, etc.) and Digital Forensics Response/Digital Forensics, QSA PCI, PA QSA, CISSP Global Information Intelligence LLC (100% Small Business, Minority, and Haslyn Martin, Information Security Consultant, Keith K, GRC, Security Architecture and Audit, 20+ years Women Owned) Extensive experience in implementation of Secure experience, CISSP By President, Dr. Emmanuel Hooper, PhD, PhD, PhD Computing Sciences Network Protocols Bradley A, Penetration Testing, 15+ years of experience, CISSP, and Information Security Founder, Consortium for Emerging OSCE, OSCP, CEH, SANS GIAC Technologies‐Harvard, Exemplary Models for Federal, State, Local, Counties, Cities, Private/Public Sectors, Academia & Industry and Global Category 5 – Security Incident Response Applied proven expertise and experience to apply intelligent, proactive and robust methodology to provide the following services category: Provided intelligent and effective services within this category including Security Architecture Design, Security Incident Response, Policy Review and Digital Forensics.

b. List any other relevant Security and Compliance Industry certifications that the Project See PDF Pgs. 136‐139 See Bios ‐ Jason L, Specialities: Compliance and Network See PDF Pg. 78 ‐ 79 Manager and key staff described may have. Include copies of certificates, if applicable. • Esteban Farao: CISSP, CISA, CISO, CRISC, CEH, PCI Security, 20+ years experience, QSA PCI, PA QSA, PCIP PCI, Principal and Senior INFORMATION TECHNOLOGY (IT) SECURITY AND QSA, and PCIP SANS GIAC GSNA, GCIH, GPEN COMPLIANCE SERVICES Expert: Dr. Emmanuel Hooper, PhD, PhD, PhD • Maria Rogers: CEH Thomas A, Specialities, Compliance and Network Security, 15+ Information Security and Computing Sciences (Over 30 years of Copies of the Certification follow: years experience, QSA PCI, CISSP, HCISSP Professional Experience and 25 years of Research, Harvard and Yale Esteban Farao: CISSP John W, Compliance, Network Security, and Incident Alumnus, Summa Cum Laude, and Oxford Research, etc.) Response/Digital Forensics, QSA PCI, PA QSA, CISSP Global Information Intelligence LLC (100% Small Business, Minority, and Keith K, GRC, Security Architecture and Audit, 20+ years Women Owned) experience, CISSP By President, Dr. Emmanuel Hooper, PhD, PhD, PhD Computing Sciences Bradley A, Penetration Testing, 15+ years of experience, CISSP, and Information Security Founder, Consortium for Emerging OSCE, OSCP, CEH, SANS GIAC Technologies‐Harvard, Exemplary Models for Federal, State, Local, Counties, Cities, Private/Public Sectors, Academia & Industry and Global Category 5 – Security Incident Response Applied proven expertise and experience to apply intelligent, proactive and robust methodology to provide the following services category: Provided intelligent and effective services within this category including Security Architecture Design, Security Incident Response, Policy Review and Digital Forensics.

7 10/20/2017 1:36 PM Category 5 ‐ Security Incident Response

Licensing Matrix MGT of America Consulting, LLC Nettitude, Inc. d/b/a Nettitude Optiv Security EVALUATION CRITERIA 1. Ability of Professional Personnel: a. Describe the qualifications and relevant experience of the Project Manager and all key staff See PDF Pgs. 435 ‐ 439. See PDF Pg. 35. See PDF Pg. 249 that are intended to be assigned to services performed within this category. Include resumes for Tony Martinez, Project Manager, Project Management, Vulnerability Assessment, Physical Adrian Shaw, Senior Incident Response Consultant, Certified Incident Project Manager – Erik Schmidt the Project Manager and all key staff described. Penetration Testing, Network Penetration Testing, Web Application Penetration Testing, Response (CRIA), CISSP, CEH, CHFI, and Erik Schmidt has over twenty years of experience with information assurance, Security Auditing, Secure Code Reviews, Disaster Reovery/ Business Continuity Planning, LPI. forensics, and incident management. Mr. Schmidt’s exposure to cyber security Security Policy Design Jules Pagna Disso, Head of Research and Development, 15+ years traverses across multiple industries including federal law enforcement, government, Steve Porter, CISSP, GPEN, GWAPT, QSA, CEH, GICSP, GMOB, GCIH, Vulnerability experience, PhD in Intrusion Detection Systems healthcare, financial, manufacturing, retail, and entertainment. He is experienced in Assessment, Network Penetration Testing, PCI‐DSS Preparation & Remediation, Security performing strategic consulting including: incident response, information risk Auditing, Database Security, Secure Code Reviews, Firewall Administration, System management, security strategy, network defense methodology, policy development, Hardening and Patching, Disaster Recovery/Business Continuity Planning & Design, Security controls assessment, gap analysis, business impact analysis, Policy Design, Log Management Planning, Design, Administration SME testimonies, and best practices assessment. As an expert in computer security, Henri St. Louis, CISSP, QSA, GCFE, OPST, Vulnerability Assessment, Network Penetration Erik assists clients in efficiently responding to incidents, achieving better security Testing, PCI‐DSS Preparation & Remediation, Security Auditing, Database Security, Secure awareness, and managing threats effectively and in a timely manner. Code Reviews, System Hardening and Patching, Disaster Recovery/Business Continuity Staff Member – Robert Reed Planning & Design, Security Policy Design Robert Reed is a seasoned investigator with 20 years of law enforcement experience. JJ Maria Giner, GPEN, Vulnerability Assessment, Network Penetration Testing, Web He has investigated incidents ranging from simple traffic investigations to criminal Application Penetration Testing homicides. In the pursuance of these investigations, he has conducted or participated in surveillance and/or undercover operations. He leveraged this knowledge of the computer forensics field to develop and operate the first ASCLD (American Society of Crime Lab Directors) accredited computer forensic program in the State of Arizona. In the course of his career, Mr. Reed has investigated numerous crimes involving computers, computer systems, or digital evidence. He has been the affiant on countless search warrant applications, and participated in the service and execution of many warrants including those involving digital evidence. He has testified in hundreds of criminal, civil, and administrative hearings. Staff Member – Michael Doran Michael Doran is a certified computer examiner with over four years of digital forensics experience coupled with nine and half years...... b. List any other relevant Security and Compliance Industry certifications that the Project See PDF Pgs. 435 ‐ 439. See PDF Pg. 35. See PDF Pg. 249 ‐ 250 Manager and key staff described may have. Include copies of certificates, if applicable. Tony Martinez, Project Manager, Project Management, Vulnerability Assessment, Physical Adrian Shaw, Senior Incident Response Consultant, Certified Incident Certifications for Robert Reed Penetration Testing, Network Penetration Testing, Web Application Penetration Testing, Response (CRIA), CISSP, CEH, CHFI, and • GCFA Security Auditing, Secure Code Reviews, Disaster Reovery/ Business Continuity Planning, LPI. • CEH Security Policy Design Jules Pagna Disso, Head of Research and Development, 15+ years • CHFI Steve Porter, CISSP, GPEN, GWAPT, QSA, CEH, GICSP, GMOB, GCIH, Vulnerability experience, PhD in Intrusion Detection Systems • U.S. Treasury BCERT and ACERT Assessment, Network Penetration Testing, PCI‐DSS Preparation & Remediation, Security • Certified EC Council Instructor (CEI) Auditing, Database Security, Secure Code Reviews, Firewall Administration, System Certification for Michael Doran Hardening and Patching, Disaster Recovery/Business Continuity Planning & Design, Security • CFCE Policy Design, Log Management Planning, Design, Administration • ACE Henri St. Louis, CISSP, QSA, GCFE, OPST, Vulnerability Assessment, Network Penetration • CCE Testing, PCI‐DSS Preparation & Remediation, Security Auditing, Database Security, Secure • EC‐Council C|HFI Code Reviews, System Hardening and Patching, Disaster Recovery/Business Continuity • EC‐Council C|EH Planning & Design, Security Policy Design JJ Maria Giner, GPEN, Vulnerability Assessment, Network Penetration Testing, Web Application Penetration Testing

8 10/20/2017 1:36 PM Category 5 ‐ Security Incident Response

Licensing Matrix Plante & Moran, PLLC dba Plante Moran RSM US LLP SeNet International Corporation EVALUATION CRITERIA 1. Ability of Professional Personnel: a. Describe the qualifications and relevant experience of the Project Manager and all key staff See PDF Pgs. 51 ‐ 52. Sean Renshaw, Director, National Lead, Digital Forensics and Incident See Pages 5 ‐ 10 that are intended to be assigned to services performed within this category. Include resumes for Michelle D. McHale‐Adams, CPA/CFF, CFE, Partner, 20+ years experience Response, 28+ years experience Qualifications and Experience the Project Manager and all key staff described. Eric Conforti, CPA, CFE, Senior Manager, Specializes in performing forensic Tom Luka, Manager, Security, Privacy and Risk Services investigations, data analytics, and internal control analyses Luke Emrich, Manager, Security, Privacy and Risk Services, 5+ years Amanda Fletcher, CPA, CFE, Manager, Experience in expense reviews, asset experience misappropriation investigations, internal control assessments and insurance claims Kyle Sutton, CPA, CFE, Senior Consultant, Emphasis in not‐for‐profit and healthcare industries

b. List any other relevant Security and Compliance Industry certifications that the Project See PDF Pgs. 51 ‐ 52. Sean Renshaw, Certified Fraud Examiner (CFE), EnCase Certified See Pages 5 ‐ 10 Manager and key staff described may have. Include copies of certificates, if applicable. Michelle D. McHale‐Adams, CPA/CFF, CFE, Partner, 20+ years experience Examiner (EnCE), Certified Computer Examiner (CCE), Certified Qualifications and Experience Eric Conforti, CPA, CFE, Senior Manager, Specializes in performing forensic Blacklight Examiner (CBE), Digital Forensics Certified Practitioner investigations, data analytics, and internal control analyses (DFCP‐Founders), Seized Computer Evidence Recovery Specialist Amanda Fletcher, CPA, CFE, Manager, Experience in expense reviews, asset (SCERS) misappropriation investigations, internal control assessments and insurance claims Tom Luka, EnCase Certified Examiner (EnCE) Kyle Sutton, CPA, CFE, Senior Consultant, Emphasis in not‐for‐profit and healthcare Luke Emrich, EnCase Certified Examiner (EnCE), Certified Ethical industries Hacker (CEH), Global Information Assurance Certification (GIAC) Certified Forensic Analyst (GFCA)

9 10/20/2017 1:36 PM Category 5 ‐ Security Incident Response

Verizon Business Network Services Inc. d/b/a Verizon Licensing Matrix Business Services EVALUATION CRITERIA 1. Ability of Professional Personnel: a. Describe the qualifications and relevant experience of the Project Manager and all key staff See Pages 64 ‐ 66. that are intended to be assigned to services performed within this category. Include resumes for Verizon sets the benchmark in the digital forensics, computer incident the Project Manager and all key staff described. response, electronic discovery, and IT investigative arenas, providing both public and private sector organizations with leading services and support. Over the past ten years, Verizon has been retained to investigate many of the world's largest, most publicly visible and damaging data breaches on record, affording the team a rare perspective into global cyber crime related trends. This critical investigator's perspective is a core component of the team's service offerings: enabling fast identification of data breach sources, and helping Customer Short move more quickly toward incident containment, while limiting the extent of informational losses. Team personnel hail from a combination of military, law enforcement, and IT technical backgrounds, affording Customer Short direct access to a wealth of highly specialized investigative experience and expertise. Our technical experts are well versed in criminal and civil investigative requirements and have extensive experience providing in‐court testimony in both expert and fact witness capacities. These experts are located throughout the Americas, Europe/Middle East, and Asia‐Pacific, providing Customer Short leading evidentiary direction,digital forensics expertise, and general IT investigative know‐how when and where it is needed most.

b. List any other relevant Security and Compliance Industry certifications that the Project As well as a leading global Qualified Security Assessor (QSA), Payment Manager and key staff described may have. Include copies of certificates, if applicable. ApplicationQualified Security Assessor (PA‐QSA), and Qualified Security Assessor Point‐to‐Point Encryption (P2PE) company, we are one of few qualified PCI Forensic Investigators (PFI) for Visa and MasterCard. Our assessors are highly experienced, often industry thought‐leaders and maintain an array of security industry certifications including the Certified Information Systems Security Professional (CISSP), Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM), and Certified Ethical Hacker (CEH).

10 10/20/2017 1:36 PM Category 5 ‐ Security Incident Response

Prime: Carahsoft Technology Corp Licensing Matrix ATT Solution Provider: Trustwave Crowe Horwath LLP 2. Project Approach: a. Describe the prime Vendor’s approach to performing similar work in this Category. See PDF Pgs. 547 ‐ 550. See PDF Pg. 33 ‐ 35 See PDF Pg. 131 ‐ 132 Trustwave's Forensics practice provides clients with a highly technical investigation into a Security Architecture Design and Security Incident Response Policy Review CONFIDENTIAL system or network compromise... These following steps represent the actions Crowe will execute in order to Payment card compromise investigations must be carried out by a qualified PCI Forensic deliver the Security Architecture Design and Security Incident Response Policy Pgs 35: Investigator (PFI) company. Trustwave is certified to conduct PFI engagements in all Review Non‐Disclosure Statement "The information in this regions around the globe. services.... document is AT&T Corp. Confidential, and cannot be We offer a number of forensics and incident response services, including the following: reproduced or redistributed in any way, shape, or form Incident Response Planning without prior written consent from AT&T Corp. © Copyright Incident Response Investigation 2017 AT&T Corp. AT&T Corp., the AT&T Corp. logo, and all PCI Forensic Investigation (PFI) other trademarks, service marks, and designs are registered Pre‐paid IR (Retainer) or unregistered trademarks of AT&T Corp. Intellectual Pre‐paid PFI (Retainer) Property and/or AT&T Corp. affiliated Forensic Data Acquisition companies." We identify accessible, recoverable and relevant data to locate and index all computer‐ and user‐generated evidence up to and including the recovery of content from non‐ Pgs 36‐ 223: functioning storage devices. Forensic data can be gathered from physical devices, logical "AT&T Consulting Proprietary and Confidential Information" volumes, memory, volatile data and network traffic. Trustwave SpiderLabs handles all data in accordance with proper digital evidence handling Pgs 418‐568 AT&T Proprietary: The information contained procedures to ensure evidence admissibility in court.... herein is for use by authorized persons only and is not for general distribution.

b. Number of employees, coordination efforts, servers and workers located within USA See PDF Pgs. 551. See PDF Pg. 35 See PDF Pg. 131 ‐ 132 All employees and servers would be within the United States. Trustwave has over 900 total Security Architecture Design and Security Incident Response Policy Review CONFIDENTIAL employees in the US. These following steps represent the actions Crowe will execute in order to deliver the Security Architecture Design and Security Incident Response Policy Pgs 35: Review Non‐Disclosure Statement "The information in this services.... document is AT&T Corp. Confidential, and cannot be reproduced or redistributed in any way, shape, or form without prior written consent from AT&T Corp. © Copyright 2017 AT&T Corp. AT&T Corp., the AT&T Corp. logo, and all other trademarks, service marks, and designs are registered or unregistered trademarks of AT&T Corp. Intellectual Property and/or AT&T Corp. affiliated companies."

Pgs 36‐ 223: "AT&T Consulting Proprietary and Confidential Information"

Pgs 418‐568 AT&T Proprietary: The information contained

11 10/20/2017 1:36 PM Category 5 ‐ Security Incident Response

Licensing Matrix Enterprise Risk Management, Inc. Foresite MSP LLC Global Information Intelligence LLC 2. Project Approach: a. Describe the prime Vendor’s approach to performing similar work in this Category. See PDF Pgs. 140 See "Broward Security Services 2017" See PDF PG. 79 a. Approach Category 6 – Public Safety Network and Systems Audit Services Security Incident Response Review and Testing Provided intelligent and effective services within this category ERM will review the client organization’s incident including Public Safety Network /Systems Audit and Review Services. response program/plan utilizing NIST SP 800‐61 Examples of specific activities includes but not be limited to evaluation guidelines, industry best practices, and ERM’s of IT General and Application controls, IT Governance, Security Strategy comprehensive experience in incident response and Systems, General Public Safety Network Topology, Connections to planning and mitigation. When reviewing the External Parties, Inbound and Outbound Remote Access, IT Security incident response program/plan, ERM will draw Policies and Procedures, External Network Penetration Testing, Network upon its experience of working with a vast variety of Device Security (i.e. switches, routers, firewalls, wireless access points) industry verticals to ensure that an all‐inclusive – Firmware and Patching Standards, Endpoint Devices (Servers, approach is utilized when drafting the program/plan. workstations) – Patching and Antivirus checks, Physical Security, ERM will perform a thorough review of the Data/Configuration Backup and Disaster Recovery, Network program/plan, associated Management, Vendor/Contractor Access Management, System policies, checklists, calling trees, and procedures to Administration/Privileged Access Management, and Network ensure that they are robust and capable of Documentation Creation and Maintenance. All services were relevant to protecting the organization in the event of an Network and Systems Audit Services within the Public Safety Industry. incident. ERM will also conduct incident response testing and war games to gauge the effectiveness of the organization’s incident response capabilities.

b. Number of employees, coordination efforts, servers and workers located within USA See PDF Pg. 141 The consulting team has over 20 people across the US. Our See PDF PG. 42 ERM has approximately 30 full time employees. Of servers are supported in SSAE18 Co‐Los Global Information Intelligence will apply its expert and proven these employees, 25 are located in the USA. Only methodology to provide BROWARD COUNTY with INFORMATION full time employees located in the USA will work in TECHNOLOGY (IT) SECURITY AND COMPLIANCE SERVICES using these engagements. Intelligent, Proactive and Robust and Resilient methods that include Regarding coordination efforts, Esteban Farao will proactive recommendations and remediation sample for design and be the Project Manager. He will lead a project implementation operational effectiveness for INFORMATION kickoff meeting, send the information requirements, TECHNOLOGY (IT) SECURITY AND COMPLIANCE SERVICES: Network manage the project, communicate with the client assessment of BROWARD COUNTY Corporate Network and its project team, lead project update calls and meeting Operations Technology Network.... as well as delivery the final reports and presentations. All of ERM’s severs are located at the ERM’s headquarters in Coral Gables, Florida.

12 10/20/2017 1:36 PM Category 5 ‐ Security Incident Response

Licensing Matrix MGT of America Consulting, LLC Nettitude, Inc. d/b/a Nettitude Optiv Security 2. Project Approach: a. Describe the prime Vendor’s approach to performing similar work in this Category. See PDF Pgs. 440 ‐ 442. See PDF Pg. 35 ‐ 38. See PDF Pg. 250 We pride ourselves on our years of continuous business and these two cornerstone tenants This is a high level overview of the system for responding to and Incident Response Readiness Assessment of our managing Incident Response services with Nettitude. It is based The assessment leverages an IMF designed by the Optiv Enterprise Incident business: around a number of fundamental concepts and industry standards Management Team. The framework aligns with multiple industry‐accepted standards In‐Depth Understanding of State and Local Government—MGT has worked almost including SANS, Critical Infrastructure guidelines and the CREST and is ideally suited to provide structure and organization for exclusively with the public sector. As a result, we understand the challenges and unique Incident Response Maturity model. incident response endeavors (see appendix for more information). The framework issues inherent in the operations of state and local government programs and service Our services mirror the 3 phases of these models: addresses various areas of the Incident Management process, including: delivery. Because many of our staff have worked in government, we have a clear 1. Prepare (Strategic Plans and Risk Analysis) Review current policies, procedures, personnel, and training understanding of the state and local government structure, control agencies, budgetary 2. Respond (Management of Events and Incidents) Review network design, infrastructure, threat identification mechanisms, and processes, and political environment. Our Focus is on Business Understanding and 3. Follow up (Adapt and Learn).... security/investigative technologies and devices Analysis—MGT consistently focuses on identifying Analyze results of recent vulnerability scans to determine what gaps exist on the and implementing the most effective and efficient methods for achieving operational devices and the network objectives in all of our engagements. No matter what the task, we “cut to the chase,” and Identify, through conversations with key stakeholders, where sensitive data is kept work to provide [e.g., Cardholder Data the most viable business solutions in the shortest amount of time, at the lowest cost. We (CHD), Social Security Numbers (SSNs), Credit Card Numbers (CCNs), Personally understand the importance of streamlining business processes and we know how to Identifiable Information pinpoint (PII), Intellectual Property (IP)], how it moves through the organization, and the risk of the most efficient and effective methodologies for specific situations. Based on our compromise previous work with the County and more than 40 years of experience in providing Create awareness of probable attack or loss vector(s) from internal and external consulting services to federal, state, and local government clients, MGT knows that the breaches, whether success of any project is based upon the project management. Our project manager will deliberate or accidental work in tandem with the Review formal and repeatable procedures to handle probable types of breaches or County’s designated project lead to drive the MGT project management principals and compromises guidelines for the Ensure proper communication channels are outlined and followed in the event of a development of your customized solutions. breach including references to internal operational hierarchy and legal counsel.... b. Number of employees, coordination efforts, servers and workers located within USA See PDF Pg. 440 ‐ 441. See PDF Pg. 35 ‐ 38. See PDF Pg. 252 Our firm of over 60 professionals has successfully managed more than 8,500 client This is a high level overview of the system for responding to and Optiv has approximately fifteen employees dedicated to the Enterprise Incident engagements nationally with a significant portion of MGT’s engagements being repeat managing Incident Response services with Nettitude. It is based Management consulting practice with plans to increase the size of the staff in the next business, reflecting the firm’s commitment to achieving a high level of customer around a number of fundamental concepts and industry standards few years. All coordination efforts, servers, and workers are located in the USA. satisfaction and ability to exceed the expectations of clients. Prior to working with public including SANS, Critical Infrastructure guidelines and the CREST sector entities as consultants, many of our staff worked in government agencies as Incident Response Maturity model. executives and managers. This insider's knowledge of government structure and process Our services mirror the 3 phases of these models: gives MGT a competitive advantage and an ability to hit the ground running from the very 1. Prepare (Strategic Plans and Risk Analysis) start of a project.See Our firm of over 60 professionals has successfully managed more than 2. Respond (Management of Events and Incidents) 8,500 client engagements nationally with a significant portion of MGT’s engagements being 3. Follow up (Adapt and Learn).... repeat business, reflecting the firm’s commitment to achieving a high level of customer satisfaction and ability to exceed the expectations of clients. Prior to working with public sector entities as consultants, many of our staff worked in government agencies as executives and managers. This insider's knowledge of government structure and process gives MGT a competitive advantage and an ability to hit the ground running from the very start of a project.

13 10/20/2017 1:36 PM Category 5 ‐ Security Incident Response

Licensing Matrix Plante & Moran, PLLC dba Plante Moran RSM US LLP SeNet International Corporation 2. Project Approach: a. Describe the prime Vendor’s approach to performing similar work in this Category. See PDF Pg. 52 See PDF Pgs 73 ‐ 78 See Pages 56 ‐ 59. STEP 1 – PLANNING AND REVIEW Phase 1: Incident response program assessment ‐ Policy Review, We will work with you and those designated by you to gather appropriate Security Architecture information prior to coming to your location and/or working remotely. Phase 2: Incident response exercise ‐ Policy Review STEP 2 –FIELDWORK, DATA TESTING AND DETAILED TESTING Phase 3: Incident response support ‐ Security Incident Response and We will perform select data testing, as applicable, prior to arriving onsite. Our Digital Forensics fieldwork involves detailed testing of the transactions identified from our data testing as well as those identified based upon our understanding of the alleged schemes. If necessary, we may interview key personnel whose duties correspond to the areas of focus. In these interviews, our approach is non‐confrontational andopen. Previous clients having remarked that the process was noninvasive and caused little‐to‐no disruption. STEP 3 – PREPARATION OF DRAFT DELIVERABLES At this phase, we will prepare draft deliverables, which will outline the results from Steps 1 and 2. Based upon our findings, our forensic report will be drafted to address specific needs . This may include the report being submitted with the proof of loss and/or submitted as evidence of loss. STEP 4 – FINALIZATION OF REPORT Upon your review and approval, we will finalize our report.

b. Number of employees, coordination efforts, servers and workers located within USA Plante Moran has over 2,000 employees and 500 servers in the USA. RSM’s core DFIR team is composed of ten practitioners located in See Pages 5 ‐ 10 strategic locations throughout the United States. In addition, the DFIR Qualifications and Experience team can leverage over 100 additional RSM client facing technology personnel in other practice areas. Our primary DFIR lab is located in Chicago, with an additional lab in Iowa as a backup or supplemental facility.

14 10/20/2017 1:36 PM Category 5 ‐ Security Incident Response

Verizon Business Network Services Inc. d/b/a Verizon Licensing Matrix Business Services 2. Project Approach: a. Describe the prime Vendor’s approach to performing similar work in this Category. See Pages 67 ‐ 69. Cyber attacks happen on a daily basis—and inevitably, security incidents occur. To successfully manage incidents, it’s critical for you to know where to look for indicators of compromise and how to handle them. Quickly identifying and reacting with an appropriate response strategy can help lessen the potential impact of an incident. Intelligence‐driven strategies speed up effective responses to compromises and breaches, strengthening your overall security plan. Our RISK (Research, Investigations, Solutions, Knowledge) Team has broad expertise creating effective security practices and is well known for authoring our annual Data Breach Investigations Report. The team actively gathers data from security incidents, correlates this information to provide alerts, analysis, and recommendations, and turns it into actionable risk management solutions that can help protect your entire organization.

b. Number of employees, coordination efforts, servers and workers located within USA Verizon operates a global QSA practice with over 70 assessors providing consistent delivery of high quality Security services around the world. 16 QSA are located in the USA.

15 10/20/2017 1:36 PM Category 5 ‐ Security Incident Response

Prime: Carahsoft Technology Corp Licensing Matrix ATT Solution Provider: Trustwave Crowe Horwath LLP c. Describe vendor’s plan to meet key milestones and deadline dates including communication See PDF Pg. 35 See PDF Pg. 131 ‐ 132 plan. CONFIDENTIAL Please see the project management plan below as a representative sample of the type of Security Architecture Design and Security Incident Response Policy Review project plan we typically follow. These following steps represent the actions Crowe will execute in order to Pgs 35: Project Management deliver the Security Architecture Design and Security Incident Response Policy Non‐Disclosure Statement "The information in this Trustwave has a formal procedure for the project organization and governance as well as Review document is AT&T Corp. Confidential, and cannot be adherence to the timelines. Project timelines will be established between Trustwave and services.... reproduced or redistributed in any way, shape, or form Client upon project kick‐off. Project progress, needs and deadlines will be provided to without prior written consent from AT&T Corp. © Copyright Client through the CVS manager portal that is described 2017 AT&T Corp. AT&T Corp., the AT&T Corp. logo, and all further below in this section. other trademarks, service marks, and designs are registered or unregistered trademarks of AT&T Corp. Intellectual Property and/or AT&T Corp. affiliated companies."

Pgs 36‐ 223: "AT&T Consulting Proprietary and Confidential Information"

Pgs 418‐568 AT&T Proprietary: The information contained herein is for use by authorized persons only and is not for general distribution.

3. Past Performance: a. Describe prime Vendor’s experience on projects of similar nature and scope, along with See PDF Pg. 552 See PDF Pg. 37 See PDF Pgs. 134 ‐ 135 evidence of satisfactory completion, both on time and within budget, for the past five years. Please see addendum for Client References. We have completed and submitted the Vendor Reference Verification Form as Provide a minimum of three projects with references, preferably government agencies (i.e. state, CONFIDENTIAL requested. local) of similar size and structure and proven experience and skillset in evaluation a mixed credit card environment of web applications, Point of Sale (POS), and Interactive Voice Response (IVR) Pgs 35: Systems. Vendor should provide references for similar work performed to show evidence of Non‐Disclosure Statement "The information in this qualifications and previous experience. Refer to Vendor Reference Verification Form and submit document is AT&T Corp. Confidential, and cannot be as instructed. Only provide references for non‐Broward County Board of County Commissioners’ reproduced or redistributed in any way, shape, or form contracts. For Broward County contracts, the County will review performance evaluations in its without prior written consent from AT&T Corp. © Copyright database for vendors with previous or current contracts with the County. The County considers 2017 AT&T Corp. AT&T Corp., the AT&T Corp. logo, and all references and performance evaluations in the evaluation of Vendor’s past pertted with other trademarks, service marks, and designs are registered or unregistered trademarks of AT&T Corp. Intellectual Property and/or AT&T Corp. affiliated companies."

Pgs 36‐ 223: "AT&T Consulting Proprietary and Confidential Information"

Pgs 418‐568 AT&T Proprietary: The information contained herein is for use by authorized persons only and is not for general distribution.

16 10/20/2017 1:36 PM Category 5 ‐ Security Incident Response

Licensing Matrix Enterprise Risk Management, Inc. Foresite MSP LLC Global Information Intelligence LLC c. Describe vendor’s plan to meet key milestones and deadline dates including communication See PDF Pg. 141 Deadlines are based objectives, current gaps, and risk based See PDF PG. 42 plan. ERM Project Manager will develop a Project Plan findings of gaps. Phased approach to compliance can be Global Information Intelligence will apply its expert and proven which details all key milestones and deadline dates. reviewed in Broward Security Services 2017. All foresite methodology to provide BROWARD COUNTY with INFORMATION ERM Project Manager will work with the client to services are customized to address client specific needs and TECHNOLOGY (IT) SECURITY AND COMPLIANCE SERVICES using adjust based on client needs. The Communication can changed based on scope, level or not‐in‐place findings and Intelligent, Proactive and Robust and Resilient methods that include Plan will be discussed and agreed to during the kick‐ budget. proactive recommendations and remediation sample for design and off call. ERM’s communication plans typically implementation operational effectiveness for INFORMATION include weekly status updates as well as updates TECHNOLOGY (IT) SECURITY AND COMPLIANCE SERVICES: Network based on key milestones and deadlines. assessment of BROWARD COUNTY Corporate Network and its Operations Technology Network....

3. Past Performance: a. Describe prime Vendor’s experience on projects of similar nature and scope, along with (3) Reference Verification Forms included for this See References. See References. evidence of satisfactory completion, both on time and within budget, for the past five years. Category ‐ See PDF Pgs. 141 ‐ 144 Foresite supplies services to forture 500 companies within the Provide a minimum of three projects with references, preferably government agencies (i.e. state, a. ERM’s Experience US and address specific needs based on a phased approach. local) of similar size and structure and proven experience and skillset in evaluation a mixed credit ERM has completed approximately 400 Incident The approach starts with a gap assessment to determin actual card environment of web applications, Point of Sale (POS), and Interactive Voice Response (IVR) Response projects. All of our projects have been scope followed by findings and observations, Systems. Vendor should provide references for similar work performed to show evidence of completed on time and within budget. recommendations for remediation then a road map plan to qualifications and previous experience. Refer to Vendor Reference Verification Form and submit As requested, below are three references for address all aspects of the overall objectives. as instructed. Only provide references for non‐Broward County Board of County Commissioners’ projects of similar size and structure. contracts. For Broward County contracts, the County will review performance evaluations in its 1. Barry University database for vendors with previous or current contracts with the County. The County considers 2. Ryder System references and performance evaluations in the evaluation of Vendor’s past perour staff 3. Banco Santander

17 10/20/2017 1:36 PM Category 5 ‐ Security Incident Response

Licensing Matrix MGT of America Consulting, LLC Nettitude, Inc. d/b/a Nettitude Optiv Security c. Describe vendor’s plan to meet key milestones and deadline dates including communication See PDF Pgs. 441 ‐ 442. See PDF Pg. 35 ‐ 38. See PDF Pg. 252 ‐ 253 plan. As we have already done with other projects for Broward County, MGT will ensure This is a high level overview of the system for responding to and Optiv uses standard Project Management practices to manage key milestones and accountability, compliance, and implementation of the services provided. We will adhere tomanaging Incident Response services with Nettitude. It is based deadline dates. all applicable federal and around a number of fundamental concepts and industry standards Project Management state policies, procedures, and regulations. MGT's Project Manager will have primary including SANS, Critical Infrastructure guidelines and the CREST Overview responsibility for the supervision of all project operations and project administration and Incident Response Maturity model. Optiv will conduct status meetings, which may include updates on project status and will ensure all deliverables meet the standards of quality set forth by the County. Our Our services mirror the 3 phases of these models: issues identified and Project Manager is responsible for the day‐to‐day activities of all design and technical key 1. Prepare (Strategic Plans and Risk Analysis) addressed (such as schedule, deliverables, project quality, and team interaction). In staff. In concert with the County’s Project Lead, MGT’s Project Manager will facilitate 2. Respond (Management of Events and Incidents) addition, Optiv will provide implementation of the 3. Follow up (Adapt and Learn).... immediate notification of any issues requiring Broward County Office of IT’s attention. main components of the project, including the installation, configuration, initiation, pilot, Optiv expects that any issues acceptance identified will be resolved promptly to avoid impact to the project timelines. system, and the training of end users as well as generating progress reports on all project Optiv Project Coordination Activities activities. The following list details Optiv's Project Coordination activities for this project: Other major responsibilities will include: Facilitation of the project kick‐off meeting Scheduling of project activities. Project budget reporting and Change Order management (if needed) Financial management. Coordination of Optiv personnel logistics General tasks related to contract administration. Optiv communications and project notifications, including weekly status reports Serving as the primary point of contact for County inquiries or requests for project outlining project status, updates...... issues noted, and issues addressed as they relate to schedule, Deliverables, project quality, and team interaction (as applicable)....

3. Past Performance: a. Describe prime Vendor’s experience on projects of similar nature and scope, along with See PDF Pgs. 443. See References. See PDF Pg. 254 evidence of satisfactory completion, both on time and within budget, for the past five years. See Reference Verification Forms on PDF Pgs. 444‐446 The security, privacy and business concerns of our clients‐both current and past‐are of Provide a minimum of three projects with references, preferably government agencies (i.e. state, EXPERIENCE ON SIMILAR PROJECTS the highest priority. local) of similar size and structure and proven experience and skillset in evaluation a mixed credit With a focus on organizational goals first, MGT provides business‐driven information As such, we must respectfully decline to provide specific contact names and details for card environment of web applications, Point of Sale (POS), and Interactive Voice Response (IVR) security services keeping our clients’ interests at the forefront of our engagements potential references at this stage. However, a number of our clients from recent Systems. Vendor should provide references for similar work performed to show evidence of ensuring we deliver the most efficient solution. engagements would be willing to entertain an informal conversation with their peers qualifications and previous experience. Refer to Vendor Reference Verification Form and submit MGT’s core cyber security capabilities include: security risk assessments, full range of to discuss their use of the products and services they as instructed. Only provide references for non‐Broward County Board of County Commissioners’ penetration testing services, physical penetration testing, secure application development, were provided which we can help facilitate at the appropriate time. contracts. For Broward County contracts, the County will review performance evaluations in its compliance engagements, training and awareness, policy and procedure development, database for vendors with previous or current contracts with the County. The County considers among others. references and performance evaluations in the evaluation of Vendor’s past perour staff Having completed vulnerability assessments, full security risk assessments (including NIST, ISO, HIPAA, etc.), and physical penetration tests for both private and public organizations, along with a team with 18+ years of experience in the field, we believe to have the optimal mix to help the County enhance their overall security posture. Provided below are projects similar to those requested for Category 5 of the County’s RFP, conducted within the past five years. SEIBERT INSURANCE AGENCY: INFORMATION SECURITY PROGRAM As part of their information security program, we developed a framework for their incident response plan giving them the tools to not only be ready in case of an incident, but also evolve their plan as their security program continues to get optimized. HARRY LEVINE INSURANCE: INFORMATION SECURITY PROGRAM Similar to Seibert Insurance agency, we developed a framework for their incident response plan as part of their information security program giving them the tools to not only be ready in case of an incident,

18 10/20/2017 1:36 PM Category 5 ‐ Security Incident Response

Licensing Matrix Plante & Moran, PLLC dba Plante Moran RSM US LLP SeNet International Corporation c. Describe vendor’s plan to meet key milestones and deadline dates including communication See PDF Pgs 52‐53 See Pdf pgs 78 ‐ 79 plan. Given the urgency usually surrounding a breach/fraud, our team is quick to RSM’s management approach can be expressed in one simple phrase: respond, assessing the “no surprises.” First, we will work situation and implementing an action plan with the approval of the client. Given with the County to establish a communication protocol and approach the unknowns that can that you prefer, and we will use these channels and tools to share exist in these situations, we provide the client with weekly updates to include: We information on the engagement. Once the communications plan has will provide weekly been created, RSM will create a timeline and milestones project updates to include: a brief description of services performed, findings, fees incurredschedule and track those milestones to completion on a weekly basis. to date and We will work with you and management to keep you informed of our estimated fees and work plan for the subsequent week. Upon receipt each week, progress throughout the engagement with periodic formal and management can informal status reports and meetings as appropriate. Continuous decide if PM should proceed or halt analysis. Should circumstances become communication helps ensure that the County and the RSM team are available that may impact in agreement on, and informed about every aspect of an our estimate of fees, we will immediately review these with you and agree on a engagement. Our team will work closely with County management to mutually agreeable establish clear, open lines of solution. communication via face‐to‐face meetings, phone calls, and/or regular Frequent communication, guided by a “no surprises” philosophy is the key to a electronic or hard‐copy communications to keep you informed of successful project. In progress and issues. In the event that RSM identifies that a particular this way, expectations can be effectively managed and problems can either be engagement is behind schedule, it will be formally communicated to avoided entirely, or the client to discuss the issues and possible solutions to get back on addressed early on to minimize wasted effort and keep the project on schedule. track.

See Pages 59 ‐ 62. 3. Past Performance: a. Describe prime Vendor’s experience on projects of similar nature and scope, along with Reference Verification Forms not included for Category 5 ‐ States "Confidential" See References on PDF Pgs See Pages 10 ‐20 evidence of satisfactory completion, both on time and within budget, for the past five years. See PDF Pg. 53 Lee County Electric Cooperative References ‐ pdf pgs 100 ‐ 108 Provide a minimum of three projects with references, preferably government agencies (i.e. state, We have forensic experience with multiple governmental entities in the last five September 2016 ‐ December 2016 local) of similar size and structure and proven experience and skillset in evaluation a mixed credit years. To The objective of this review was to determine if changes applied to card environment of web applications, Point of Sale (POS), and Interactive Voice Response (IVR) demonstrate our vast capabilities, the following outlines several examples: LCEC's flagship systemes were documented, tested and approved Systems. Vendor should provide references for similar work performed to show evidence of Chicago Transit Authority, IL prior to implementation to production... qualifications and previous experience. Refer to Vendor Reference Verification Form and submit Performed internal audits of their Point‐of‐Sale system District of Water & Sewer Authority (DC Water) as instructed. Only provide references for non‐Broward County Board of County Commissioners’ implementation (Ventra), Supply Chain Management, Payroll October 2015 ‐ January 2016 contracts. For Broward County contracts, the County will review performance evaluations in its Forensic Audit and Transit Operator Performance System RSM conducted a myriad of security testing engagements for DC database for vendors with previous or current contracts with the County. The County considers (TOPS) system implementation Water including internal, external, references and performance evaluations in the evaluation of Vendor’s past perour staff Project Timeline: May 2013 – December 2015 and wireless penetration testing. Capital Area Transportation Authority McDonald Hopkins We were engaged to provide forensic investigative services due to IRS notifications Multiple projects over several years. of non‐payment of payroll taxes. Our team uncovered numerous issues, including RSM has worked with McDonald Hopkins on a number of incident emails that outlined the staff that knew of the issues, which led to the ultimate response investigations over the findings. years. Genesee Intermediate School District We were engaged to investigate an alleged embezzlement. The ISD’s Superintendent suspected the Assistant Superintendent of inappropriate activity. We performed analytical tests, conducted interviews, used data mining techniques, and searched emails using key words.

19 10/20/2017 1:36 PM Category 5 ‐ Security Incident Response

Verizon Business Network Services Inc. d/b/a Verizon Licensing Matrix Business Services c. Describe vendor’s plan to meet key milestones and deadline dates including communication Pages 69 ‐ 72. plan. While breaches and security compromises can come in many forms, they all demand fast action. When there is a clear incident or even a threat thereof, you have a team of investigators and experts at your disposal, at the ready, and just a phone call away.

3. Past Performance: a. Describe prime Vendor’s experience on projects of similar nature and scope, along with See Pages 72 ‐ 73. evidence of satisfactory completion, both on time and within budget, for the past five years. We have helped the following organizations—and we can help you too. Provide a minimum of three projects with references, preferably government agencies (i.e. state, A large financial services company with headquarters in New York has local) of similar size and structure and proven experience and skillset in evaluation a mixed credit leveraged our Professional Services on breach reduction and to card environment of web applications, Point of Sale (POS), and Interactive Voice Response (IVR) investigate potential breaches that were fortunately stopped before Systems. Vendor should provide references for similar work performed to show evidence of they become serious incidents; qualifications and previous experience. Refer to Vendor Reference Verification Form and submit A global law firm took advantage of tabletop exercises, mock incident as instructed. Only provide references for non‐Broward County Board of County Commissioners’ testing and policy contracts. For Broward County contracts, the County will review performance evaluations in its and procedure review as they established a formal security program; database for vendors with previous or current contracts with the County. The County considers A large retailer with more than 600 stores around the world uses references and performance evaluations in the evaluation of Vendor’s past perour staff Rapid Response Retainer as an insurance policy to protect payment card data, Protected Health Information (PHI) and Personally Identifiable Information (PII) of its customers; A large restaurant chain with thousands of locations around the globe needed security experts to supplement its staff to mitigate risks associated with handling and storing its customers’ credit card information.

20 10/20/2017 1:36 PM Category 5 ‐ Security Incident Response

Prime: Carahsoft Technology Corp Licensing Matrix ATT Solution Provider: Trustwave Crowe Horwath LLP b. Provide evidence of similar work related to services identified in this Category, including See PDF Pg. 552 See PDF Pg. 37 See PDF Pgs. 134 ‐ 135 sample executive summaries and reports Please see addendum for Sample Reports. We have completed and submitted the Vendor Reference Verification Form as CONFIDENTIAL requested.

Pgs 35: Non‐Disclosure Statement "The information in this document is AT&T Corp. Confidential, and cannot be reproduced or redistributed in any way, shape, or form without prior written consent from AT&T Corp. © Copyright 2017 AT&T Corp. AT&T Corp., the AT&T Corp. logo, and all other trademarks, service marks, and designs are registered or unregistered trademarks of AT&T Corp. Intellectual Property and/or AT&T Corp. affiliated companies."

Pgs 36‐ 223: "AT&T Consulting Proprietary and Confidential Information"

Pgs 418‐568 AT&T Proprietary: The information contained herein is for use by authorized persons only and is not for general distribution.

21 10/20/2017 1:36 PM Category 5 ‐ Security Incident Response

Licensing Matrix Enterprise Risk Management, Inc. Foresite MSP LLC Global Information Intelligence LLC b. Provide evidence of similar work related to services identified in this Category, including See PDF Pgs. 145 ‐ 147 similar to that of pci, IR specific requirements are address on a See PDF Pgs. 323 ‐ 352 sample executive summaries and reports Sample outline of client report. custimized bases, actual phased approach can be seen in the See Sample Reports. Broward Security Services 2017 under PCI DSS managed services

22 10/20/2017 1:36 PM Category 5 ‐ Security Incident Response

Licensing Matrix MGT of America Consulting, LLC Nettitude, Inc. d/b/a Nettitude Optiv Security b. Provide evidence of similar work related to services identified in this Category, including See Sample Incident Response Framework in Appendix on PDF Pgs. 456 ‐ 468. See References. See PDF Pg. 254 sample executive summaries and reports Please see the provided sample deliverables.

23 10/20/2017 1:36 PM Category 5 ‐ Security Incident Response

Licensing Matrix Plante & Moran, PLLC dba Plante Moran RSM US LLP SeNet International Corporation b. Provide evidence of similar work related to services identified in this Category, including See PDF Pg 54 Due to the sensitivity of the results of the work completed for our See Pages 10 ‐20. sample executive summaries and reports Due to the confidential and legal nature of many of our projects, we are typically clients, results of our engagements or engaged by clients’ attorneys to maintain attorney work product protection and, final reports will not be provided as evidence for proof of completion. therefore, we are not authorized to release If the County desires, we are the names of those clients, including governmental clients, to whom we provided prepared to provide example templates used as part of our reporting forensic services. However, to provide additional on‐point examples, we offer the process to help ensure you are following: comfortable with the final work products we are accustomed to We were engaged by a City to perform forensic investigative services. The City delivering. was made aware that the Michigan State Police was investigating several of its police officers for the misuse of drug forfeiture funds. We performed interviews and analyzed numerous financial records to assist the City in preparing an insurance claim while waiting for the criminal trials to occur. Our efforts resulted in the City recovering the full amount their insurance policy allowed, in addition to identifying supplemental evidence which assisted the Michigan State Police in strengthening their criminal investigation. We were engaged by an organization to perform forensic investigative services. The organization’s internal investigation identified a forgery scheme, whereby the Controller altered the payee information on the physical check to differ from the payee listed in the accounting system. We were hired to assist the organization compile an independent proof of loss for insurance purposes, in addition to assisting them with restitution hearing, if needed. Our analysis included comparing check images to the accounting system to identify checks with discrepancies and, further, researching the payees to determine if they were related to the Controller. We also reviewed the Controller’s email activity, which resulted in our discovery of additional schemes performed by the Controller. In total, we quantified $435,000 in losses and the case is currently pending in the criminal court.

24 10/20/2017 1:36 PM Category 5 ‐ Security Incident Response

Verizon Business Network Services Inc. d/b/a Verizon Licensing Matrix Business Services b. Provide evidence of similar work related to services identified in this Category, including See Pages 73 ‐74. sample executive summaries and reports The Verizon RISK Team performs cyber investigations for hundreds of commercial enterprises and government agencies annually across the globe. In 2016, we were retained to investigate more than 550 cybersecurity incidents occurring in over 40 countries. In 2008, the results of our field investigations were the genesis of the first Data Breach Investigations Report (DBIR), an annual publication that dissects real‐world data breaches with the goal of enlightening the public about the nature of the threat actors behind the attacks, the methods they use, including the data they seek, and the victims they target.

25 10/20/2017 1:36 PM Category 5 ‐ Security Incident Response

Prime: Carahsoft Technology Corp Licensing Matrix ATT Solution Provider: Trustwave Crowe Horwath LLP 4. Workload of the Firm: List all completed and active projects that Vendor has managed within the past five years. In See PDF Pg. 553 ‐ 554 See PDF Pg. 37 See PDF Pg. 136 addition, list all projected projects that Vendor will be working on in the near future. Projected As a private firm, we do not go into specific details, but we can say we do about 4000 pen Over the past 5 years, Crowe has had over 16,000 clients, of which over 1,200 projects will be defined as a project(s) that Vendor is awarded a contract but the Notice to CONFIDENTIAL tests a year and about 850 RoCs ‐ but also have the most QSAs and Pen Testers than any were government clients. Crowe currently has 871 government clients, with 32 Proceed has not been issued. Identify any projects that Vendor worked on concurrently. Describe other competitor – over 100 in each case. We are busy, but have sufficient resources to in the Florida area. Crowe is well positioned to provide quality service to Vendor’s approach in managing these projects. Were there or will there be any challenges for any Pgs 35: cover all of our engagements. Broward County in a timely fashion. Crowe has a of the listed projects? If so, describe how Vendor dealt or will deal with the projects’ challenges. Non‐Disclosure Statement "The information in this sophisticated Centralized Resource Management function that is responsible for document is AT&T Corp. Confidential, and cannot be ensuring that Broward County’s needs are met with the experienced and trained reproduced or redistributed in any way, shape, or form staff from our local offices, and if needed, without prior written consent from AT&T Corp. © Copyright from across our firm. We realize that resource management is a crucial element 2017 AT&T Corp. AT&T Corp., the AT&T Corp. logo, and all to consistently providing top quality service to Broward County, and all of our other trademarks, service marks, and designs are registered clients. or unregistered trademarks of AT&T Corp. Intellectual Property and/or AT&T Corp. affiliated companies."

Pgs 36‐ 223: "AT&T Consulting Proprietary and Confidential Information"

Pgs 418‐568 AT&T Proprietary: The information contained herein is for use by authorized persons only and is not for general distribution.

VENDOR QUESTIONNAIRE FORM Verify that these questions are the same as in the advertised solicitation: 1. Legal business name. AT&T Corp Carahsoft Technology Corporation Crowe Horwath LLP

2. Doing Business As/ Fictitious Name (if applicable): Not applicable

3. Federal Employer I.D. Number. 13‐4924710 522189693 35‐0921680 4. Dun & Bradstreet Number. (If applicable). 00‐698‐0080 08‐8365767 787324008 5. Website address (if applicable). www.att.com www.carahsoft.com www.crowehorwath.com 6. Principal place of business. One AT&T Way, Bedminster, NJ 07921 1860 Michael Faraday Drive, Suite 100 225 West Wacker Drive, Suite 2600 Reston, VA 20190 Chicago, Illinois 60606‐1224 7. Office Location for this project. 2002 NW 64th St., Ft. Lauderdale, FL 33309 1860 Michael Faraday Drive, Suite 100 401 East Las Olas Boulevard, Suite 1100 Reston, VA 20190 Fort Lauderdale, Florida 33301‐4230

8. Telephone/Fax Number: Telephone no.:305‐913‐3887 Fax no.: Telephone no.:703.871.8500 Fax no.:703.871.8505 Telephone no.:954.202.8600 Fax no.:954.202.8639

9. Type of Business Corporation; New York Corporation; Maryland Limited Liability Partnership 10. List Florida Registration Number. 845822 GP0800003826

26 10/20/2017 1:36 PM Category 5 ‐ Security Incident Response

Licensing Matrix Enterprise Risk Management, Inc. Foresite MSP LLC Global Information Intelligence LLC 4. Workload of the Firm: List all completed and active projects that Vendor has managed within the past five years. In See PDF Pg. 147 Foresite has over 600 active projects and current has a client See PDF PG. 42 addition, list all projected projects that Vendor will be working on in the near future. Projected ERM has completed 25 Security Incident Response & base of over 2000 companies. Foresite has over 8 million US Global Information Intelligence will apply its expert and proven projects will be defined as a project(s) that Vendor is awarded a contract but the Notice to Digital Forensic projects during the past 5 years dollars currently in the 6 month sales pipe. The request can methodology to provide BROWARD COUNTY with INFORMATION Proceed has not been issued. Identify any projects that Vendor worked on concurrently. Describe and estimates it will be working on 1 per month for certainly be discussed but would not seem logical to address TECHNOLOGY (IT) SECURITY AND COMPLIANCE SERVICES using Vendor’s approach in managing these projects. Were there or will there be any challenges for any the remainder of 2017. at the level you are requesting. Intelligent, Proactive and Robust and Resilient methods that include of the listed projects? If so, describe how Vendor dealt or will deal with the projects’ challenges. ERM is able to manage several project proactive recommendations and remediation sample for design and simultaneously based on our efficient project implementation operational effectiveness for INFORMATION management approach. We have not experienced TECHNOLOGY (IT) SECURITY AND COMPLIANCE SERVICES: Network any challenges to complete these projects, nor do assessment of BROWARD COUNTY Corporate Network and its we expect to experience challenges completed Operations Technology Network.... projects for the client. a. Past Five Years 1. Education (5) 2. Banking & Financial Services (10) 3. Transportation (3) 4. Hospitality (2) 5. Other (5) b. Near Future ERM will complete Security Incident Response services for a wide range of clients.

VENDOR QUESTIONNAIRE FORM Verify that these questions are the same as in the advertised solicitation: 1. Legal business name. Enterprise Risk Management, Inc. Foresite MSP LLC Global Information Intelligence LLC

2. Doing Business As/ Fictitious Name (if applicable):

3. Federal Employer I.D. Number. 65‐0827427 38‐3916369 273548900 4. Dun & Bradstreet Number. (If applicable). 610144201 07‐8744163 5. Website address (if applicable). www.emrisk.com www.foresite.com www.globalinfointel.com 6. Principal place of business. 800 S. Douglas Road, Suite 940 North Tower, Coral E Windsor Ct 6860 North Dallas Parkway, Suite 200,Plano, TX 75024 Gables, FL 33134 7. Office Location for this project. 800 S. Douglas Road, Suite 940 North Tower, Coral New York 6861 North Dallas Parkway, Suite 200,Plano, TX 75024 Gables, FL 33134 8. Telephone/Fax Number: Telephone no.:305‐447‐6750 Fax no.:305‐447‐6752 800‐940‐4699 Telephone no.:4082509045 Fax no.:N/A

9. Type of Business Corporation; Florida LLC Corp; DE ‐ LLC 10. List Florida Registration Number.

27 10/20/2017 1:36 PM Category 5 ‐ Security Incident Response

Licensing Matrix MGT of America Consulting, LLC Nettitude, Inc. d/b/a Nettitude Optiv Security 4. Workload of the Firm: List all completed and active projects that Vendor has managed within the past five years. In See PDF Pgs. 448 ‐ 454. See References. See PDF Pg. 254 addition, list all projected projects that Vendor will be working on in the near future. Projected MGT has completed projects for the County, including: The security, privacy and business concerns of our clients‐both current and past‐are of projects will be defined as a project(s) that Vendor is awarded a contract but the Notice to Disparity Study of County Government (2000). the highest priority. Proceed has not been issued. Identify any projects that Vendor worked on concurrently. Describe Cost Allocation Plans (2009, 2010, 2011, 2014, 2015, 2016). As such, we must respectfully decline to provide specific a list of all completed and Vendor’s approach in managing these projects. Were there or will there be any challenges for any Comprehensive Review of the Sheriff’s Office Department of Detention (2009). active projects at this of the listed projects? If so, describe how Vendor dealt or will deal with the projects’ challenges. Comprehensive Analysis of the Libraries Division (2010). stage. Being a national company, MGT has completed many projects within the past five years. Optiv utilizes standard project management practices and dedicated resources to Therefore, manage progress and instead of providing a list of the over 2,200 projects the firm has completed or is currently communications on all Incident Response projects. We are able to identify potential conducting, issues early in the we are providing a list of clients served (presented in alphabetical order by state). project and address those quickly through communications with the client and adjusting resources as needed.

VENDOR QUESTIONNAIRE FORM Verify that these questions are the same as in the advertised solicitation: 1. Legal business name. MGT of America Consulting, LLC Netitude, Inc. Optiv Security

2. Doing Business As/ Fictitious Name (if applicable): Netitude Optiv, Optiv Security

3. Federal Employer I.D. Number. 81‐0890071 36‐4694227 43‐1806449 4. Dun & Bradstreet Number. (If applicable). 02‐096‐7659 968240825 01‐946‐6684 5. Website address (if applicable). www.mgtconsulting.com www.Nettitude.com optiv.com 6. Principal place of business. 3800 Esplanade Way, Suite 210 85 Broad Street, New York NY 10004 1125 17th St., Suite 1700 Tallahassee, FL 32311 Denver, CO 80202‐2032 7. Office Location for this project. Tallahassee, FL 85 Broad Street, New York NY 10004 N/A

8. Telephone/Fax Number: Telephone no.:850.386.3191 Fax no.:850.385.4501 Telephone no.:646‐795‐1881 Fax no.: Telephone no.:(303) 298‐0600 Fax no.:(303) 298‐0868

9. Type of Business LLC Corporation; S Corporation; Delaware 10. List Florida Registration Number. L15000199435

28 10/20/2017 1:36 PM Category 5 ‐ Security Incident Response

Licensing Matrix Plante & Moran, PLLC dba Plante Moran RSM US LLP SeNet International Corporation 4. Workload of the Firm: List all completed and active projects that Vendor has managed within the past five years. In Our forensic accounting team works on approximately 100 engagements per year. See Pdf Pg 84 See Pages 10 ‐20. addition, list all projected projects that Vendor will be working on in the near future. Projected Due to the confidential and legal nature of many of our projects, we are typically As previously noted, RSM’s DFIR matters are extremely sensitive and projects will be defined as a project(s) that Vendor is awarded a contract but the Notice to engaged by clients’ attorneys to maintain attorney work product protection and, we are not able to list the matters/clients. However, we have Proceed has not been issued. Identify any projects that Vendor worked on concurrently. Describe therefore, we are not authorized to release the names provided several references who can speak to our work performance. Vendor’s approach in managing these projects. Were there or will there be any challenges for any of those clients, including governmental clients, to whom we provided forensic In addition, the following will summarize the number of DFIR cases of the listed projects? If so, describe how Vendor dealt or will deal with the projects’ challenges. services. performed in the past 5 years. • 2017: 101 matters* (year to date – estimated 184 based on monthly average) • 2016: 153 matters • 2015: 65 matters • 2014: 32 matters • 2013: 15 matters At any given time RSM is conducting 10‐15 DFIR investigations simultaneously. Given the nature of DFIR investigations, there tends to be a natural ebb and flow in the work plan, so we are able to balance the needs of multiple matters at once. If we are engaged by the County, you will be a priority for our firm and to each member of your engagement team. Our workload fluctuates based on a number of factors, including timing and currently pending engagements. Regardless, our firm has excelled at managing its human resources so that our workload never surpasses the ability of our assigned teams to devote the time and attention necessary to add value to our clients’ organizations. Our ability to manage our workload is evidenced by relatively low turnover rates and is supported by clients’ opinions of our service.

VENDOR QUESTIONNAIRE FORM Verify that these questions are the same as in the advertised solicitation: 1. Legal business name. Plante & Moran, PLLC RSM US LLP SeNet International Corporation

2. Doing Business As/ Fictitious Name (if applicable): Plante Moran

3. Federal Employer I.D. Number. 381357951 FEIN‐42‐0714325 54‐1902349 4. Dun & Bradstreet Number. (If applicable). 004913299 73482424 07‐9941139 5. Website address (if applicable). plantmoran.com www.rsmus.com www.senet‐int.com 6. Principal place of business. 27400 Northwestern Hwy 100 NE Third Ave, Suite, Fort Lauderdale, FL 33301 3040 Williams Drive, Suite 510, Fairfax, VA 22031 Southield, MI 48037 7. Office Location for this project. Southfield, MI Fort Lauderdale 3040 Williams Drive, Suite 510, Fairfax, VA 22031

8. Telephone/Fax Number: Tel:248‐223‐3428 Fax no.:248‐603‐5997 954‐462‐6351 Telephone no.:(703) 206‐9383 Fax no.:(703) 206‐9666

9. Type of Business Limited Partnership Limited Partnership Corporation; Virginia 10. List Florida Registration Number. M11000002358 ADP004384

29 10/20/2017 1:36 PM Category 5 ‐ Security Incident Response

Verizon Business Network Services Inc. d/b/a Verizon Licensing Matrix Business Services 4. Workload of the Firm: List all completed and active projects that Vendor has managed within the past five years. In See Page 14. addition, list all projected projects that Vendor will be working on in the near future. Projected In any given year, Verizon handles approximately 400 – 500 cases projects will be defined as a project(s) that Vendor is awarded a contract but the Notice to involving the theft of consumer, personally identifiable information, Proceed has not been issued. Identify any projects that Vendor worked on concurrently. Describe and other forms of highly sensitive data. Verizon handles as many as Vendor’s approach in managing these projects. Were there or will there be any challenges for any one‐third of all publicly visible data breach investigations throughout of the listed projects? If so, describe how Vendor dealt or will deal with the projects’ challenges. the world, and to date, nine of the world’s eleven largest known data compromises. Verizon RISK team personnel are located in numerous countries in all regions of the globe. Additional Verizon personnel, including experienced incident responders, risk intelligence analysts, forensic lab support personnel, and other security professionals may be leveraged globally to assist in customer security emergencies under the Rapid Response Retainer. Verizon maintains several core forensic lab facilities with secure evidence storage capabilities around the world.

7. Office Location for this project. Tampa, FL

8. Telephone/Fax Number: no.:(813) 520‐9786 Fax no.:813‐978‐6751

9. Type of Business Corporation; Delaware 10. List Florida Registration Number. 829591

30 10/20/2017 1:36 PM Category 5 ‐ Security Incident Response

Prime: Carahsoft Technology Corp Licensing Matrix ATT Solution Provider: Trustwave Crowe Horwath LLP 11. List name and title of each principal, owner, officer and major shareholder. a. Thadeus Arroyo, President and CEO AT&T, 208 S. Akard a) Craig P. Abod ‐ President a) James Powers, CEO St., Dallas, TX 75202 b) Robert Moore ‐ Vice President b) Joseph Santucci, COO b. Anne Chow, President‐Integrator Solutions, AT&T, 208 S. c) Jillian Szczepanek ‐ Controller c) Todd Welu, CFO Akard St., Suite 3514, Dallas, TX 75202 d) Jennifer Taha ‐ Proposals Director d) Crowe Horwath LLP is a limited liability partnership with more than 275 c. Frank Jules, President ‐ Global Business AT&T, 208 S. Akard partners/principals. If required, we will provide a complete listing of the St., Suite 3509, Dallas, TX 75202 partner/principals. The names and titles of the firm's leadership is available at d. Cathy Martine‐Dolecki, President ‐ Natl Bus AT&T, 1 AT&T www.crowehorwath.com/leadership. Way, Bedminster, NJ 07921 e. Delores McCarty, Assistant Secretary AT&T, 675 W Peachtree St, NW, Atlanta, GA 30308 f. George B. Goeke, CFO and Treasurer AT&T, 208 S. Akard St., Suite 1824, Dallas, TX 75202 AT&T is a publicly held corporation. No single person owns more than 10% of the company. It is an independent, publicly traded telecommunications services provider. The names and titles of the AT&T Inc. officers are • Randall Stephenson—Chairman and Chief Executive Officer (CEO) • William Blase—Senior Executive Vice President, Human Resources • James Cicconi—Senior Executive Vice President, External and Legislative Affairs • Ralph de la Vega—President and Chief Executive Officer (CEO), AT&T Mobile and Business Solutions • John Donovan—Senior Executive Vice President, AT&T Technology and 12. Authorized contacts for your firm. Name: Dwayned Stafford Name: Aaron Giannini Name: Craig Sullivan Title: Strategic Account Lead Title: Account Representative Title: Partner E‐mail: [email protected] E‐mail: [email protected] E‐mail: [email protected] Telephone No.: 786‐479‐4113 Telephone No.: 703.889.9848 Telephone No.: 574.236.7618 Name: Esther Martin Name: Jennifer Taha Title: Strategic Account Lead Title: Proposals Director E‐mail: [email protected] E‐mail: [email protected] Telephone No.: 305‐582‐9541 Telephone No.: 703.871.8556

13. Has your firm, its principals, officers or predecessor organization(s) been debarred or No No No suspended by any government entity within the last three years? If yes, specify details in an attached written response.

14. Has your firm, its principals, officers or predecessor organization(s) ever been No No No debarred or suspended by any government entity? If yes, specify details in an attached written response, including the reinstatement date, if granted. 15. Has your firm ever failed to complete any services and/or delivery of products during We are unaware of any work completion issues that would No Yes, Like all large professional service firms, Crowe is, from time to time, subject the last three (3) years? If yes, specify details in an attached written response. impair our ability to meet our obligations under any to contract disputes or issues where contracts may be terminated for a variety contract. AT&T is a large company with an international of reasons, including without limitation lack of client funding, disputes over the presence and significant contractual relations. Given the size scope of the work, or payment disputes. Through active management and and scope of our business, we from time to time over our communication with our clients, Crowe is usually successful in anticipating such history have been involved in occasional alleged contract areas and working with the client to mitigate these issues. performance claims and legal actions. However, AT&T is a well‐capitalized company with assets in excess of any outstanding claims or lawsuits. As such, we are unaware of any contact performance claim or legal action that would preclude or impair our ability to meet our obligations or perform our duties under any contract. We serve millions of customers around the globe, and we'll work hard to honor our promises.

31 10/20/2017 1:36 PM Category 5 ‐ Security Incident Response

Licensing Matrix Enterprise Risk Management, Inc. Foresite MSP LLC Global Information Intelligence LLC 11. List name and title of each principal, owner, officer and major shareholder. a) Silka Gonzalez ‐ President Robin Mano ‐ CEO a) DR. EMMANUEL HOOPER, PHD, PHD, PHD, Harvard Yale Alumni, b) Michelle Miller ‐ COO George Farris ‐ Board Member President c) Esteban Farao ‐ Director of Consulting Services David Cohen ‐ Board Member b) Theresa Marie Hooper, BA (Harvard),Senior Executive Gary Fish ‐ Board Member

12. Authorized contacts for your firm. Name: Silka Gonzalez Jason Leduc Name: DR. EMMANUEL HOOPER, PHD, PHD, PHD Title: President VP Cyber Security Services Title: President E‐mail: [email protected] [email protected] E‐mail: [email protected] Telephone No.: 305‐447‐6750 732‐674‐0871 Telephone No.: 408‐250‐9045 Name: Michelle Miller Name: Theresa M. Hooper Title: COO John Lavelle Title: Senior Executive E‐mail: [email protected] Controller E‐mail: [email protected] Telephone No.: 305‐447‐6750 [email protected] Telephone No.: 714‐331‐1173 800‐940‐4699 ext 227 13. Has your firm, its principals, officers or predecessor organization(s) been debarred or No No No suspended by any government entity within the last three years? If yes, specify details in an attached written response.

32 10/20/2017 1:36 PM Category 5 ‐ Security Incident Response

Licensing Matrix MGT of America Consulting, LLC Nettitude, Inc. d/b/a Nettitude Optiv Security 11. List name and title of each principal, owner, officer and major shareholder. a) A. Trey Traviesa, Chairman & CEO a) Rowland Johnson a) Dan Burns ‐ CEO b) Fred Seamon, Executive Vice President b) Ben Densham b) David Roshak ‐ CFO c) Brad Burgess, Executive Vice President c) Martin Watts c) Nate Brady ‐ CAO d) Mitchell Titley d) Veena Bricker ‐ CHRO

12. Authorized contacts for your firm. Name: A. Trey Traviesa Name: Miles Corn Name: Doug Hart Title: Chairman & CEO Title: Head of Bid Management Title: Client Manager E‐mail: [email protected] E‐mail: [email protected] E‐mail: [email protected] Telephone No.: 850.386.3191 Telephone No.: 646‐795‐1881 Telephone No.: 305‐972‐8137 Name: Fred Seamon Name: Karen Bolton Name: Michael Mangra Title: Executive Vice President Title: EVP & Leader North America Title: Solutions Architects E‐mail: [email protected] E‐mail: [email protected] E‐mail: [email protected] Telephone No.: 850.386.3191 Telephone No.: 646‐795‐1898 Telephone No.: 561‐670‐1536

33 10/20/2017 1:36 PM Category 5 ‐ Security Incident Response

Licensing Matrix Plante & Moran, PLLC dba Plante Moran RSM US LLP SeNet International Corporation 11. List name and title of each principal, owner, officer and major shareholder. a) James Proppe, Managing Partner a) Anatoly Kozushin, President b) Dnnis Graham, Group Managing Partner b) Ilan Katz, CEO c) Frank Audia, CIO c) Gus Fritschie, Chief Technology Officer d) Beth Bialy, Government Industry Group Leader d) Steve Davis, COO

12. Authorized contacts for your firm. Name: Raj Patel Jason Alexander Name: Anatoly Kozushin Title: Partner Principal Title: President E‐mail: [email protected] 786‐239‐4279 E‐mail: toly.kozushin@senet‐int.com Telephone No.: 248‐223‐3428 Telephone No.: (703) 206‐9383 Name: Scott Eiler Name: Ilan Katz Title: Partner Title: CEO E‐mail: [email protected] E‐mail: Ilan.Katz@senet‐int.com Telephone No.: 248‐223‐3447 Telephone No.: (703) 206‐9383

34 10/20/2017 1:36 PM Category 5 ‐ Security Incident Response

Verizon Business Network Services Inc. d/b/a Verizon Licensing Matrix Business Services 11. List name and title of each principal, owner, officer and major shareholder. please see: http://www.verizon.com/about/investors/corporate‐ governance MCI Communications Services Inc. (100% Shareholder)

12. Authorized contacts for your firm. Name: Frank Parra Title: Sr. Client Executive E‐mail: [email protected] Telephone No.: (813) 520‐9786

13. Has your firm, its principals, officers or predecessor organization(s) been debarred or No suspended by any government entity within the last three years? If yes, specify details in an attached written response.

14. Has your firm, its principals, officers or predecessor organization(s) ever been No debarred or suspended by any government entity? If yes, specify details in an attached written response, including the reinstatement date, if granted. 15. Has your firm ever failed to complete any services and/or delivery of products during No the last three (3) years? If yes, specify details in an attached written response.

35 10/20/2017 1:36 PM Category 5 ‐ Security Incident Response

Prime: Carahsoft Technology Corp Licensing Matrix ATT Solution Provider: Trustwave Crowe Horwath LLP 16. Is your firm or any of its principals or officers currently principals or officers of another Yes No No organization? If yes, specify details in an attached written response. 17. Have any voluntary or involuntary bankruptcy petitions been filed by or against your firm, its No No No parent or subsidiaries or predecessor organizations during the last three years? If yes, specify details in an attached written response. 18. Has your firm’s surety ever intervened to assist in the completion of a contract or have No No No Performance and/or Payment Bond claims been made to your firm or its predecessor’s sureties during the last three years? If yes, specify details in an attached written response, including contact information for owner and surety.

19. Has your firm ever failed to complete any work awarded to you, services and/or We are unaware of any work completion issues that would No Yes, Like all large professional service firms, Crowe is, from time to time, subject delivery of products during the last three (3) years? If yes, specify details in an impair our ability to meet our obligations under any to contract disputes or issues where contracts may be terminated for a variety attached written response. contract. AT&T is a large company with an international of reasons, including without limitation lack of client funding, disputes over the presence and significant contractual relations. Given the size scope of the work, or payment disputes. Through active management and and scope of our business, communication with our clients, Crowe is usually successful in anticipating such we from time to time over our history have been involved in areas and working with the client to mitigate these issues. occasional alleged contract performance claims and legal actions. However, AT&T is a well‐capitalized company with assets in excess of any outstanding claims or lawsuits. As such, we are unaware of any contact performance claim or legal action that would preclude or impair our ability to meet our obligations or perform our duties under any contract. We serve millions of customers around the globe, and we'll work hard to honor our promises.

20. Has your firm ever been terminated from a contract within the last three years? If yes, Except for material matters that AT&T discloses in filings No Yes, Like all large professional service firms, Crowe is, from time to time, subject specify details in an attached written response. with the Securities and Exchange Commission or otherwise to contract disputes or issues where contracts may be terminated for a variety discloses in response to subpoenas or other valid court of reasons, including without limitation lack of client funding, disputes over the orders, AT&T is legally and contractually prohibited from scope of the work, or payment disputes. Through active management and disclosing information to third parties about contractual communication with our clients, Crowe is usually successful in anticipating such matters. Also, due to the size and scale of AT&T’s areas and working with the client to mitigate these issues. operations, as a practical matter, AT&T cannot state with absolute certainty whether AT&T has defaulted under a contract. Notwithstanding the legal and practical restrictions that limit AT&T’s ability to disclose specific contract performance issues, AT&T can assure Customer that AT&T is capable of performing the services requested under this RFP and that AT&T has no history or pattern of performance issues with other customers that would affect AT&T’s ability to perform the services requested by Customer. AT&T reiterates that AT&T is not aware of any circumstances involving performance under another contract which would materially and adversely impact AT&T’s ability to perform services for Customer. Moreover, AT&T is not aware of any circumstance when AT&T was not awarded a bid due to non‐ performance concerns about AT&T by the entity sponsoring a particular procurement. AT&T is forced to qualify such assurances to the best of its knowledge due to the scale and scope of AT&T’s operations. AT&T will not be able to provide such assurances with absolute certainty with respect to every contract or bid opportunity in which AT&T has participated. 21. Living Wage solicitations only: No N/A N/A

36 10/20/2017 1:36 PM Category 5 ‐ Security Incident Response

Licensing Matrix Enterprise Risk Management, Inc. Foresite MSP LLC Global Information Intelligence LLC 16. Is your firm or any of its principals or officers currently principals or officers of another No Principal invests in multiple businesses No organization? If yes, specify details in an attached written response. 17. Have any voluntary or involuntary bankruptcy petitions been filed by or against your firm, its No No No parent or subsidiaries or predecessor organizations during the last three years? If yes, specify details in an attached written response. 18. Has your firm’s surety ever intervened to assist in the completion of a contract or have No No No Performance and/or Payment Bond claims been made to your firm or its predecessor’s sureties during the last three years? If yes, specify details in an attached written response, including contact information for owner and surety.

19. Has your firm ever failed to complete any work awarded to you, services and/or No No No delivery of products during the last three (3) years? If yes, specify details in an attached written response.

20. Has your firm ever been terminated from a contract within the last three years? If yes, No No No specify details in an attached written response.

21. Living Wage solicitations only: N/A N/A

37 10/20/2017 1:36 PM Category 5 ‐ Security Incident Response

Licensing Matrix MGT of America Consulting, LLC Nettitude, Inc. d/b/a Nettitude Optiv Security 16. Is your firm or any of its principals or officers currently principals or officers of another Yes. Principal is CEO of MGT of America Consulting, LLC and Strategos Public Affairs, LLC, No No organization? If yes, specify details in an attached written response. both wholly owned subsidiaries of MGT of America, LLC. 17. Have any voluntary or involuntary bankruptcy petitions been filed by or against your firm, its No No parent or subsidiaries or predecessor organizations during the last three years? If yes, specify details in an attached written response. 18. Has your firm’s surety ever intervened to assist in the completion of a contract or have No No No Performance and/or Payment Bond claims been made to your firm or its predecessor’s sureties during the last three years? If yes, specify details in an attached written response, including contact information for owner and surety.

20. Has your firm ever been terminated from a contract within the last three years? If yes, No No No specify details in an attached written response.

21. Living Wage solicitations only: N/A N/A

38 10/20/2017 1:36 PM Category 5 ‐ Security Incident Response

Licensing Matrix Plante & Moran, PLLC dba Plante Moran RSM US LLP SeNet International Corporation 16. Is your firm or any of its principals or officers currently principals or officers of another No No No organization? If yes, specify details in an attached written response. 17. Have any voluntary or involuntary bankruptcy petitions been filed by or against your firm, its No No parent or subsidiaries or predecessor organizations during the last three years? If yes, specify details in an attached written response. 18. Has your firm’s surety ever intervened to assist in the completion of a contract or have No No No Performance and/or Payment Bond claims been made to your firm or its predecessor’s sureties during the last three years? If yes, specify details in an attached written response, including contact information for owner and surety.

20. Has your firm ever been terminated from a contract within the last three years? If yes, No – Plante Moran is not aware of any client terminating a contract involving the No No specify details in an attached written response. provision of information technology security and compliance services. As one of the country’s largest accounting and consulting firms with thousands of annual engagements, there likely have been instances during the last three years where clients receiving tax or accounting‐related services have elected to use other service providers for their particular needs. Plante Moran’s record of client service and satisfaction is best in class, with 99% of clients indicating they would recommend Plante Moran to others.

21. Living Wage solicitations only: No

39 10/20/2017 1:36 PM Category 5 ‐ Security Incident Response

Verizon Business Network Services Inc. d/b/a Verizon Licensing Matrix Business Services 16. Is your firm or any of its principals or officers currently principals or officers of another No organization? If yes, specify details in an attached written response. 17. Have any voluntary or involuntary bankruptcy petitions been filed by or against your firm, its No parent or subsidiaries or predecessor organizations during the last three years? If yes, specify details in an attached written response. 18. Has your firm’s surety ever intervened to assist in the completion of a contract or have No Performance and/or Payment Bond claims been made to your firm or its predecessor’s sureties during the last three years? If yes, specify details in an attached written response, including contact information for owner and surety.

19. Has your firm ever failed to complete any work awarded to you, services and/or No delivery of products during the last three (3) years? If yes, specify details in an attached written response.

20. Has your firm ever been terminated from a contract within the last three years? If yes, No specify details in an attached written response.

21. Living Wage solicitations only: No

40 10/20/2017 1:36 PM RFQ A2114499R1 ‐ Broward County IT Security and Compliance Services Category 6 ‐ Public Safety Network and Systems Audit Services

Prime: Carahsoft Technology Corp Licensing Matrix Solution Provider: Trustwave Focal Point Data Risk LLC RESPONSIBILTY REQUIREMENTS Servers and Workers Located in the USA Attestation Form Provided ‐ See Page 47 Provided AND 1. Offensive Security Certified Professional Certification Not Provided Not Provided Requirement Met Requirement Met OR Provided Provided Certified Information Systems Security Professional (CISSP) Requirement Met Requirement Met OR Not Provided Provided Certified Information Systems Auditor (CISA) Requirement Met Requirement Met AND 2. Contractor must complete and submit the following attestation form affirming their understanding and acceptance of additional requirements pertaining to the Public Safety Provided ‐ See Page 45 Provided ‐ See PDF Pg. 4 Network and Systems Audit Services: ‐ Category 6 ‐ Public Safety Network and Systems Audit Services Attestation Form FORMS Vendor Questionnaire Form Provided Provided

Provided Provided Vendor Security Questionnaire Form

1 10/20/2017 1:37 PM RFQ A2114499R1 ‐ Broward County IT Security and Category 6 ‐ Public Safety Network and Systems A

Prime: JohnsTek Inc. Licensing Matrix Global Information Intelligence LLC Sub: IOMAXIS RESPONSIBILTY REQUIREMENTS Servers and Workers Located in the USA Attestation Form Provided Provided AND 1. Offensive Security Certified Professional Certification Not Provided Provided Requirement Met Requirement Met OR Provided Provided Certified Information Systems Security Professional (CISSP) Requirement Met Requirement Met OR Provided Provided Certified Information Systems Auditor (CISA) Requirement Met Requirement Met AND 2. Contractor must complete and submit the following attestation form affirming their understanding and acceptance of additional requirements pertaining to the Public Safety Provided Provided ‐ PDF Pg. 23 Network and Systems Audit Services: ‐ Category 6 ‐ Public Safety Network and Systems Audit Services Attestation Form FORMS Vendor Questionnaire Form Provided Provided

Provided Provided Vendor Security Questionnaire Form

2 10/20/2017 1:37 PM RFQ A2114499R1 ‐ Broward County IT Security and Category 6 ‐ Public Safety Network and Systems A

Licensing Matrix Securance LLC SHI International Corp RESPONSIBILTY REQUIREMENTS Servers and Workers Located in the USA Attestation Form Provided Provided AND 1. Offensive Security Certified Professional Certification Not Provided Not Provided Requirement Met Requirement Met OR Provided Provided Certified Information Systems Security Professional (CISSP) Requirement Met Requirement Met OR Provided Not Provided Certified Information Systems Auditor (CISA) Requirement Met Requirement Met AND 2. Contractor must complete and submit the following attestation form affirming their understanding and acceptance of additional requirements pertaining to the Public Safety Provided Provided Network and Systems Audit Services: ‐ Category 6 ‐ Public Safety Network and Systems Audit Services Attestation Form FORMS Vendor Questionnaire Form Provided Provided

Provided Provided Vendor Security Questionnaire Form

3 10/20/2017 1:37 PM RFQ A2114499R1 ‐ Broward County IT Security and Compliance Services Category 6 ‐ Public Safety Network and Systems Audit Services

Prime: Carahsoft Technology Corp Licensing Matrix Solution Provider: Trustwave Focal Point Data Risk LLC EVALUATION CRITERIA 1. Ability of Professional Personnel: a. Describe the qualifications and relevant experience of the See PDF Pg. 38 See PDF Pg. 199 ‐ 201 Project Manager and all key staff that are intended to be Trustwave's testing services are delivered by SpiderLabs® — an advanced security team Larry Burke, Principal, CPA, CITP, CGMA, HITRUST CCSFP.... assigned to services performed within this category. Include within Trustwavefocused on forensics, ethical hacking, application and network security Franchesca Sanabria – Principal, CIPP/US, CISA, HITRUST CCSFP. Franchesca is a resumes for the Project Manager and all key staff described. testing. The team has performed Principal at Focal Point in the National Data Privacy Practice. She has over 12 years of hundreds of forensic investigations, ethical hacking exercises and application security experience in governance, risk and compliance... tests globally. Derek Parks – Director, CISSP, CBCP, CISA, QSA. Derek has a significant amount of The broad experience of the team extends beyond regular corporate information experience delivering and managing IT risk assessments, PCI audit and gap technology enrvironement assessments, disaster recovery and business continuity assessments, IT governance to various operational technology environments including: policy creation, and internal audit engagements with a focus on IT controls.... Industrial Control Systems ...... Smart Grid Building Management Systems Telecommunications Infrastructure Embedded Systems and Hardware

4 10/20/2017 1:37 PM RFQ A2114499R1 ‐ Broward County IT Security and Category 6 ‐ Public Safety Network and Systems A

Prime: JohnsTek Inc. Licensing Matrix Global Information Intelligence LLC Sub: IOMAXIS EVALUATION CRITERIA 1. Ability of Professional Personnel: a. Describe the qualifications and relevant experience of the See PDF Pg. 79 See PDF Pgs. 27 ‐ 31 Project Manager and all key staff that are intended to be Principal and Senior INFORMATION TECHNOLOGY (IT) SECURITY AND COMPLIANCE SERVICES Scott Johnston, Program Manager and Contracts Manager, 30 years experience assigned to services performed within this category. Include Expert: Dr. Emmanuel Hooper, PhD, PhD, PhD Information Security and Computing Sciences Darnell Macapinlac, Project Manager and Key Rep, 20 years experience, PMP, CompTIA resumes for the Project Manager and all key staff described. (Over 30 years of Professional Experience and 25 years of Research, Harvard and Yale Security +, ITIL V3, CISSP, and CEH Alumnus, Summa Cum Laude, and Oxford Research, etc.) Gilbert Garcia, Corporate Cybersecurity Program Manager, 25 years experience Global Information Intelligence LLC (100% Small Business, Minority, and Women Owned) Evin Colman, First Responder/Public Safety Functional Expert, 24 years experience By President, Dr. Emmanuel Hooper, PhD, PhD, PhD Computing Sciences and Information Security Founder, Consortium for Emerging Technologies‐Harvard, Exemplary Models for Federal, State, Local, Counties, Cities, Private/Public Sectors, Academia & Industry and Global Category 6 – Public Safety Network and Systems Audit Services Provided intelligent and effective services within this category including Public Safety Network /Systems Audit and Review Services. Examples of specific activities includes but not be limited to evaluation of IT General and Application controls, IT Governance, Security Strategy and Systems, General Public Safety Network Topology, Connections to External Parties, Inbound and Outbound Remote Access, IT Security Policies and Procedures, External Network Penetration Testing, Network Device Security (i.e. switches, routers, firewalls, wireless access points) – Firmware and Patching Standards, Endpoint Devices (Servers, workstations) – Patching and Antivirus checks, Physical Security, Data/Configuration Backup and Disaster Recovery, Network Management, Vendor/Contractor Access Management, System Administration/Privileged Access Management, and Network Documentation Creation and Maintenance. All services were relevant to Network and Systems Audit Services within the Public Safety Industry.

5 10/20/2017 1:37 PM RFQ A2114499R1 ‐ Broward County IT Security and Category 6 ‐ Public Safety Network and Systems A

Licensing Matrix Securance LLC SHI International Corp EVALUATION CRITERIA 1. Ability of Professional Personnel: a. Describe the qualifications and relevant experience of the Paul Ashe, President and Engagement Manager, CPA, CISA, CISSP, 15+ years The SHI Security Services team are all senior level Security Project Manager and all key staff that are intended to be experience Professionals with each having 20+ years’ experience working in assigned to services performed within this category. Include Chris Bunn, Practice Director and Senior IT Security Consultant, CISA, CHP, 30+ years public and private sector. Specific skill sets may vary but overall resumes for the Project Manager and all key staff described. experience each has experience working with various industry security Chris Cook, Senior IT Security Consultant, CISSP, CISA, 20+ years experience frameworks, including Criminal Justice Information Systems Chris Thomas, Senior IT Security Consultant, CompTIA Security+, CompTIA (CJIS) Policy. The team holds many different Security related Network+, 10+ years experience certifications however all have CISSP certifications.

6 10/20/2017 1:37 PM RFQ A2114499R1 ‐ Broward County IT Security and Compliance Services Category 6 ‐ Public Safety Network and Systems Audit Services

Prime: Carahsoft Technology Corp Licensing Matrix Solution Provider: Trustwave Focal Point Data Risk LLC b. List any other relevant Security and Compliance Industry See PDF Pg. 38 See PDF Pg. 199 ‐ 201 certifications that the Project Manager and key staff described Please see the representative biographies embedded below, including the typical Larry Burke, Principal, CPA, CITP, CGMA, HITRUST CCSFP.... may have. Include copies of certificates, if applicable. certifications held by the resources who may be assigned to your project. Franchesca Sanabria – Principal, CIPP/US, CISA, HITRUST CCSFP. Franchesca is a Principal at Focal Point in the National Data Privacy Practice. She has over 12 years of experience in governance, risk and compliance... Derek Parks – Director, CISSP, CBCP, CISA, QSA. Derek has a significant amount of experience delivering and managing IT risk assessments, PCI audit and gap assessments, disaster recovery and business continuity assessments, IT governance policy creation, and internal audit engagements with a focus on IT controls......

7 10/20/2017 1:37 PM RFQ A2114499R1 ‐ Broward County IT Security and Category 6 ‐ Public Safety Network and Systems A

Prime: JohnsTek Inc. Licensing Matrix Global Information Intelligence LLC Sub: IOMAXIS b. List any other relevant Security and Compliance Industry See PDF Pg. 79 See PDF Pgs. 31 ‐ 38 certifications that the Project Manager and key staff described Principal and Senior INFORMATION TECHNOLOGY (IT) SECURITY AND COMPLIANCE SERVICES JohnsTek takes an “intelligence‐based” approach when performing cybersecurity to may have. Include copies of certificates, if applicable. Expert: Dr. Emmanuel Hooper, PhD, PhD, PhD Information Security and Computing Sciences Public Safety Industry customers. Our unique approach is a holistic view which considers (Over 30 years of Professional Experience and 25 years of Research, Harvard and Yale all areas of influence on the client enterprise and accounts for all levels of needs and Alumnus, Summa Cum Laude, and Oxford Research, etc.) vulnerabilities when conducting trade studies, corporate strategy development, risk Global Information Intelligence LLC (100% Small Business, Minority, and Women Owned) assessments, information systems development and systems integration. This approach is By President, Dr. Emmanuel Hooper, PhD, PhD, PhD Computing Sciences and Information derived from the NIST Framework of Cybersecurity Framework, and expands beyond the Security Founder, Consortium for Emerging Technologies‐Harvard, Exemplary Models for NIST to include a risk based assessment of external threats, internal threats and Federal, State, Local, Counties, Cities, Private/Public Sectors, Academia & Industry and Global ubiquitous influences on the enterprise or system vulnerabilities. Additionally, we bring in Category 6 – Public Safety Network and Systems Audit Services proven analytical techniques and data collection, analysis and monitoring processes and Provided intelligent and effective services within this category including Public Safety systems to secure our clients. Network /Systems Audit and Review Services. Examples of specific activities includes but not be limited to evaluation of IT General and Application controls, IT Governance, Security Strategy and Systems, General Public Safety Network Topology, Connections to External Parties, Inbound and Outbound Remote Access, IT Security Policies and Procedures, External Network Penetration Testing, Network Device Security (i.e. switches, routers, firewalls, wireless access points) – Firmware and Patching Standards, Endpoint Devices (Servers, workstations) – Patching and Antivirus checks, Physical Security, Data/Configuration Backup and Disaster Recovery, Network Management, Vendor/Contractor Access Management, System Administration/Privileged Access Management, and Network Documentation Creation and Maintenance. All services were relevant to Network and Systems Audit Services within the Public Safety Industry.

8 10/20/2017 1:37 PM RFQ A2114499R1 ‐ Broward County IT Security and Category 6 ‐ Public Safety Network and Systems A

Licensing Matrix Securance LLC SHI International Corp b. List any other relevant Security and Compliance Industry Paul Ashe, President and Engagement Manager, CPA, CISA, CISSP MBA – Master of Business Administration certifications that the Project Manager and key staff described Chris Bunn, Practice Director and Senior IT Security Consultant, CISA, CHP CGEIT – Certified in Governance of Enterprise Information may have. Include copies of certificates, if applicable. Chris Cook, Senior IT Security Consultant, CISSP, CISA Technology Chris Thomas, Senior IT Security Consultant, CompTIA Security+, CompTIA Network+ ISSAP –Information Systems Security Architecture Professional GIAC – Global Information Assurance Certification o GPEN – GIAC Penetration Tester Certification o GCFA – GIAC Certified Forensic Analyst o GAWN – GIAC Auditing Wireless Networks CEH – Certified Ethical Hacker TCNA – Tenable Certified Nessus Auditor PMP – Project Management Professional ITILv3 – Information Technology Infrastructure Library version 3

9 10/20/2017 1:37 PM RFQ A2114499R1 ‐ Broward County IT Security and Compliance Services Category 6 ‐ Public Safety Network and Systems Audit Services

Prime: Carahsoft Technology Corp Licensing Matrix Solution Provider: Trustwave Focal Point Data Risk LLC 2. Project Approach: a. Describe the prime Vendor’s approach to performing similar See PDF Pg. 39 ‐ 40 See PDF Pg. 202 ‐ 206 work in this Category. ICS/Smart Grid Security Assessment When providing co‐sourced services, our approach is to follow the client’s Approach methodology while leveraging the foundational elements of the Focal Point Advanced Metering Infrastructure and Smart Grids offer many benefits to energy methodology to provide the highest level of customer service. Focal Point uses a providers and their customers however the interconnectedness of key systems required collaborative but disciplined approach to executing audit projects. We will ensure that in Smart Grid environments presents expanded attack surface that increases the risk of there is proper planning, timely communication to the Internal Audit team prior to the security vulnerability in the system. start of audit fieldwork, complete and accurate workpapers, validated findings, and SpiderLabs Smart Grid penetration tests are designed to effectively assess the security relevant and practical recommendations to correct deficiencies. risks facing these systems while minimizing the risk of system disruption. We will take a risk‐based approach to performing a review of the information Methodology technology risks, related general controls, technical and network safeguards, The approach to testing Smart Grids builds on the standard ICS/SCADA penetration test information technology processes, and oversight activities in connection with these methodology (see above) but is expanded to include elements unique to Smart Grid areas in accordance with applicable regulatory guidance and internal audit standards. systems: As appropriate, we will also reference or utilize relevant guidance such as COBIT, the Remote metring systems National Institute of Standards and Technology (NIST), ISO27000, and ITIL.... Remote billing systems Demand/response energy systems Remote connect/disconnect systems Payment systems Consumer face systems and applications (see Section A for our detailed application testing methodology). Physical smart grid devices (see below for our detailed hardware assessment methodology)....

10 10/20/2017 1:37 PM RFQ A2114499R1 ‐ Broward County IT Security and Category 6 ‐ Public Safety Network and Systems A

Prime: JohnsTek Inc. Licensing Matrix Global Information Intelligence LLC Sub: IOMAXIS 2. Project Approach: a. Describe the prime Vendor’s approach to performing similar See PDF PG. 43 See PDF Pgs. 31 ‐ 38. work in this Category. Global Information Intelligence will apply its expert and proven methodology to provide JohnsTek takes an “intelligence‐based” approach when performing cybersecurity to BROWARD COUNTY with INFORMATION TECHNOLOGY (IT) SECURITY AND COMPLIANCE Public Safety Industry customers. Our unique approach is a holistic view which considers SERVICES using Intelligent, Proactive and Robust and Resilient methods that include proactive all areas of influence on the client enterprise and accounts for all levels of needs and recommendations and remediation sample for design and implementation operational vulnerabilities when conducting trade studies, corporate strategy development, risk effectiveness for INFORMATION TECHNOLOGY (IT) SECURITY AND COMPLIANCE SERVICES: assessments, information systems development and systems integration. This approach is Category 6 – Public Safety Network and Systems Audit Services derived from the NIST Framework of Cybersecurity Framework, and expands beyond the Services within this category shall include Public Safety Network /Systems Audit and Review NIST to include a risk based assessment of external threats, internal threats and Services. Examples of specific activities may include but not be limited to evaluation of IT ubiquitous influences on the enterprise or system vulnerabilities. Additionally, we bring in General and Application controls, IT Governance, Security Strategy and Systems, General proven analytical techniques and data collection, analysis and monitoring processes and Public Safety Network Topology, Connections to External Parties, Inbound and Outbound systems to secure our clients. The NIST Cybersecurity Framework seeks to assist public Remote Access, IT Security Policies and Procedures, External Network Penetration Testing, and private organizations to strive for maturity of their Risk Profile. The profiles are Network Device Security (i.e. switches, routers, firewalls, wireless access points).... defined by four tiers: Tier 1 Partial Risk Management is adhoc, and awareness is limited Tier 2 Risk Informed There are Risk Management programs in place, but are not well known throughout the enterprise. Tier 3 Repeatable Formal policies exist and Risk Management programs are more mature Tier 4 Adaptive Risk Management processes and programs are based on lessons learned and embedded within the corporate culture. We provide value to our clients through partnering with the client corporate team to design, build and integrate the ‘best of breed’ practices and technology solutions that ensure our clients get the most appropriate tailored solution based on comprehensive analysis of business processes, procedures and data, ensuring the most economical investment in technology that result in the greatest impact....

11 10/20/2017 1:37 PM RFQ A2114499R1 ‐ Broward County IT Security and Category 6 ‐ Public Safety Network and Systems A

Licensing Matrix Securance LLC SHI International Corp 2. Project Approach: a. Describe the prime Vendor’s approach to performing similar See Audit Approach Pages PDF 137 ‐ 138. Initially a kick off call will be scheduled to review the scope, work in this Category. Each project we undertake will follow this standard methodology. While we are tasks, contacts, communications plan and logistics required to flexible in modifying our approach and methodology, we do so only in the best complete the project. Requested documentation (Policies, interest of our clients and their internal control initiatives. Process and Procedures, network diagrams) are reviewed and an External Security Vulnerability Scan is completed prior to onsite activities. Onsite activities will consist of staff interviews, internal network scans, live network data capture analysis, device security configurations and physical site visits. All information gathered is reviewed for analysis and alignment with CJIS policy and security best practices with results and finding provided in a detailed report with findings and remediation recommendations.

12 10/20/2017 1:37 PM RFQ A2114499R1 ‐ Broward County IT Security and Compliance Services Category 6 ‐ Public Safety Network and Systems Audit Services

Prime: Carahsoft Technology Corp Licensing Matrix Solution Provider: Trustwave Focal Point Data Risk LLC b. Number of employees, coordination efforts, servers and See PDF Pg. 40 See PDF Pg. 202 ‐ 206 workers located within USA Trustwave has a team of 100+ dedicated Penetration Testers. This is one of the largest When providing co‐sourced services, our approach is to follow the client’s teams in the industry. Unlike most of our competitors, our penetration testers are not methodology while leveraging the foundational elements of the Focal Point general consultants. They only methodology to provide the highest level of customer service. Focal Point uses a work in their area– which means they only perform penetration testing within their collaborative but disciplined approach to executing audit projects. We will ensure that specialization. With such laser focus, they stay on top of the latest threats and attack there is proper planning, timely communication to the Internal Audit team prior to the vectors in a way that general consultants never could. Trustwave also has a team of start of audit fieldwork, complete and accurate workpapers, validated findings, and more than 100 Qualified Security Assessors (QSAs) around the world, providing a variety relevant and practical recommendations to correct deficiencies. of security risk assessments, often working in conjunction with our SpiderLabs We will take a risk‐based approach to performing a review of the information team. technology risks, related general controls, technical and network safeguards, information technology processes, and oversight activities in connection with these areas in accordance with applicable regulatory guidance and internal audit standards. As appropriate, we will also reference or utilize relevant guidance such as COBIT, the National Institute of Standards and Technology (NIST), ISO27000, and ITIL....

c. Describe vendor’s plan to meet key milestones and deadline See PDF Pg. 41 ‐ 43 See PDF Pg. 202 ‐ 206 dates including communication plan. Please see the project management plan below as a representative sample of the type When providing co‐sourced services, our approach is to follow the client’s of project plan we typically follow. methodology while leveraging the foundational elements of the Focal Point Project Management methodology to provide the highest level of customer service. Focal Point uses a Trustwave has a formal procedure for the project organization and governance as well collaborative but disciplined approach to executing audit projects. We will ensure that as adherence to the timelines. Project timelines will be established between Trustwave there is proper planning, timely communication to the Internal Audit team prior to the and Client upon project kick‐off. Project start of audit fieldwork, complete and accurate workpapers, validated findings, and progress, needs and deadlines will be provided to Client through the CVS manager relevant and practical recommendations to correct deficiencies. portal that is described further below in this section. We will take a risk‐based approach to performing a review of the information Project Resources technology risks, related general controls, technical and network safeguards, Trustwave’s Managing Consultant information technology processes, and oversight activities in connection with these Trustwave will assign a Managing Consultant to oversee all assessment activities and areas in accordance with applicable regulatory guidance and internal audit standards. serve as the primary contact for the length of the Agreement. The Managing Consultant As appropriate, we will also reference or utilize relevant guidance such as COBIT, the will coordinate and schedule activities National Institute of Standards and Technology (NIST), ISO27000, and ITIL.... and resources with Client and ensure the quality of all Trustwave deliverables.

3. Past Performance:

13 10/20/2017 1:37 PM RFQ A2114499R1 ‐ Broward County IT Security and Category 6 ‐ Public Safety Network and Systems A

Prime: JohnsTek Inc. Licensing Matrix Global Information Intelligence LLC Sub: IOMAXIS b. Number of employees, coordination efforts, servers and See PDF PG. 43 See PDF Pgs. 34 ‐ 35 workers located within USA Global Information Intelligence will apply its expert and proven methodology to provide The JohnsTek Team has put into place the organization, procedures and systems required BROWARD COUNTY with INFORMATION TECHNOLOGY (IT) SECURITY AND COMPLIANCE to define and deploy the right level of expertise for SERVICES using Intelligent, Proactive and Robust and Resilient methods that include proactive each Purchase Order or contingency presented to us during the life of this contract. Our recommendations and remediation sample for design and implementation operational Project Team will be well equipped for the task, and the effectiveness for INFORMATION TECHNOLOGY (IT) SECURITY AND COMPLIANCE SERVICES: corporate staff, including the staffs of the contract team members, stand ready and Category 6 – Public Safety Network and Systems Audit Services available to provide quality services and superb coordination to deliver success to each Services within this category shall include Public Safety Network /Systems Audit and Review and every Purchase Order! The JohnsTek Team Management Plan provides the Services. Examples of specific activities may include but not be limited to evaluation of IT organizational structure, leadership, and tools necessary to produce innovative, common General and Application controls, IT Governance, Security Strategy and Systems, General sense order proposals coupled with responsive delivery that are on time and within Public Safety Network Topology, Connections to External Parties, Inbound and Outbound budget... Remote Access, IT Security Policies and Procedures, External Network Penetration Testing, Network Device Security (i.e. switches, routers, firewalls, wireless access points)....

c. Describe vendor’s plan to meet key milestones and deadline See PDF PG. 43 See PDF Pgs. 36 ‐ 37 dates including communication plan. Global Information Intelligence will apply its expert and proven methodology to provide Having been identified during the RFP response, as Task Orders are awarded the Project BROWARD COUNTY with INFORMATION TECHNOLOGY (IT) SECURITY AND COMPLIANCE Management Team will organize to implement the task. The Contract Management Team SERVICES using Intelligent, Proactive and Robust and Resilient methods that include proactive develops the initial contract Management Plan, to include milestones, travel and key recommendations and remediation sample for design and implementation operational meetings. This information is compiled into a Project Schedule and presented to the effectiveness for INFORMATION TECHNOLOGY (IT) SECURITY AND COMPLIANCE SERVICES: Government for Category 6 – Public Safety Network and Systems Audit Services approval. Schedules are a key element of project management, status reporting and Services within this category shall include Public Safety Network /Systems Audit and Review expectations. Scheduling items will be maintained within the SKIF, and made available to Services. Examples of specific activities may include but not be limited to evaluation of IT the Key Stakeholders of each Task Order. The Contract Management Team review General and Application controls, IT Governance, Security Strategy and Systems, General schedules with the Project Management Teams daily, and discrepancies, risks, and issues Public Safety Network Topology, Connections to External Parties, Inbound and Outbound that affect changes to the schedule will be resolved immediately..... Remote Access, IT Security Policies and Procedures, External Network Penetration Testing, Network Device Security (i.e. switches, routers, firewalls, wireless access points)....

3. Past Performance:

14 10/20/2017 1:37 PM RFQ A2114499R1 ‐ Broward County IT Security and Category 6 ‐ Public Safety Network and Systems A

Licensing Matrix Securance LLC SHI International Corp b. Number of employees, coordination efforts, servers and See Audit Approach Pages PDF 137 ‐ 138. The SHI Security Services team has 6 active members with 2 workers located within USA Each project we undertake will follow this standard methodology. While we are openings. Additionally each assessment is assigned a Project flexible in modifying our approach and methodology, we do so only in the best Manager from a team of 8 PM’s. All SHI services teams are US interest of our clients and their internal control initiatives. based.

c. Describe vendor’s plan to meet key milestones and deadline See Project Management Approach Page PDF 139 ‐ 141 No response. dates including communication plan. Each project we undertake will follow this standard accountability model. 1) Engagement Manager…. 2) Senior IT Security Consultants…. 3) Independent Reviewer….. 4) Broward County's Project Manager….. 5) Status Reports.....

3. Past Performance:

15 10/20/2017 1:37 PM RFQ A2114499R1 ‐ Broward County IT Security and Compliance Services Category 6 ‐ Public Safety Network and Systems Audit Services

Prime: Carahsoft Technology Corp Licensing Matrix Solution Provider: Trustwave Focal Point Data Risk LLC a. Describe prime Vendor’s experience on projects of similar See PDF Pg. 43 See PDF Pg. 207 ‐ 211 nature and scope, along with evidence of satisfactory Please see Addendum for Client References. Since its inception in 2005, Focal Point has provided IT Audits for hundreds of clients completion, both on time and within budget, for the past five over thousands of different engagements. In our continued success, we’ve expanded years within the Public Safety Industry. Provide a minimum of our team to meet new demands with the highest of standards, cultivating both a three projects with references, preferably government agencies seasoned workforce and expertly refined methodologies to deliver cost‐effective, (i.e. state, local) of similar size and structure and proven industry‐recognized risk management experience and skillset. solutions. Vendor should provide references for similar work performed to We’ve had the pleasure of evaluating, developing, and strengthening the information show evidence of qualifications and previous experience within technology postures of leading organizations across every industry, including the Public Safety Industry. Refer to Vendor Reference government organizations. As a result of this experience, our professionals have an Verification Form and submit as instructed. Only provide expert‐level understanding of the IT challenges that these organizations face. Our references for non‐ Broward County Board of County excellence in IT audit engagements is evidenced Commissioners’ contracts. For Broward County contracts, the by the long‐lasting relationship we’ve cultivated with our clients, who return to us County will review performance evaluations in its database for year after year for ITGC and application controls testing..... vendors with previous or current contracts with the County. The County considers references and performance evaluations in the evaluation of Vendor’s past performance.

16 10/20/2017 1:37 PM RFQ A2114499R1 ‐ Broward County IT Security and Category 6 ‐ Public Safety Network and Systems A

Prime: JohnsTek Inc. Licensing Matrix Global Information Intelligence LLC Sub: IOMAXIS a. Describe prime Vendor’s experience on projects of similar See References Reference Verification Forms included. See PDF Pgs. 87 ‐93 nature and scope, along with evidence of satisfactory See PDF Pgs. 38 ‐ 41 completion, both on time and within budget, for the past five 4.1 Contract: International Law Enforcement, Aviation IT, Panama, years within the Public Safety Industry. Provide a minimum of Peru (October 2015‐Present) three projects with references, preferably government agencies Solutions provided: (i.e. state, local) of similar size and structure and proven • Provide support services to aid the organization in providing Information Technology experience and skillset. and Information Assurance efforts Research and identify protected vehicle to meet Vendor should provide references for similar work performed to speciation’s for the Ministry of Anti‐ Drugs show evidence of qualifications and previous experience within • Provide project management, project oversight and technical services for system the Public Safety Industry. Refer to Vendor Reference problem resolution, system upgrades, system monitoring, operating system patches, Verification Form and submit as instructed. Only provide system security management, system administration support, firewall maintenance, references for non‐ Broward County Board of County information assurance,desktop support and configuration management. Commissioners’ contracts. For Broward County contracts, the Reference: County will review performance evaluations in its database for Name: Mr. Anthony Pesquera, vendors with previous or current contracts with the County. The Title: Government Task Monitor County considers references and performance evaluations in the (305) 517‐7644 evaluation of Vendor’s past performance. 4.2 Contract: Emergency Operations Center Implementation, Nejapa , El Salvador (May 2015) Solutions provided: • Design and implement a Regional Emergency Operations Center (24/7;365) and Disaster Relief Warehouse for the Secretary for National Emergencies in the Government of El Salvador. • Design and install of command and control systems, data management, and information sharing and communication technologies....

17 10/20/2017 1:37 PM RFQ A2114499R1 ‐ Broward County IT Security and Category 6 ‐ Public Safety Network and Systems A

Licensing Matrix Securance LLC SHI International Corp a. Describe prime Vendor’s experience on projects of similar CONFIDENTIAL SHI Security Services is very flexible in scoping a Security nature and scope, along with evidence of satisfactory Assessment with requirements focused on HIPAA, PCI, CJIS or completion, both on time and within budget, for the past five References remain confidential. other Security frameworks such as SANS CIS Controls. It is our years within the Public Safety Industry. Provide a minimum of experience most local government agencies have requirements three projects with references, preferably government agencies for all these areas with systems and data overlapping within (i.e. state, local) of similar size and structure and proven departments. By scoping an assessment to include two or more experience and skillset. of these regulatory requirements we are able to minimize time Vendor should provide references for similar work performed to and cost and greatly increase the value of the assessment. (Our show evidence of qualifications and previous experience within PCI Assessments are for Self‐Assessment or Gap analysis only as the Public Safety Industry. Refer to Vendor Reference we do not staff a QSA). SHI understands the importance of Verification Form and submit as instructed. Only provide quality references; however for services such as those being references for non‐ Broward County Board of County requested by the County, most customers feel the information Commissioners’ contracts. For Broward County contracts, the associated with these services is confidential. SHI has included a County will review performance evaluations in its database for list of a few customers that we have provided similar services as vendors with previous or current contracts with the County. The requested in this RFP. If needed, we agree to help coordinate a County considers references and performance evaluations in the call between our customers and Broward County to discuss their evaluation of Vendor’s past performance. experience with SHI. Please note that customers may not wish to discuss specifics of their project due to the sensitive nature. Gold’s Gym, Anthony (Tony) Wilkins, Director of IT Infrastructure and Telecom Tampa General Hospital, Jason Powell, Chief Information Security Officer City of San Marcos, Lenora Newson, IT Infrastructure Manager

18 10/20/2017 1:37 PM RFQ A2114499R1 ‐ Broward County IT Security and Compliance Services Category 6 ‐ Public Safety Network and Systems Audit Services

Prime: Carahsoft Technology Corp Licensing Matrix Solution Provider: Trustwave Focal Point Data Risk LLC b. Provide evidence of similar work related to services See PDF Pg. 43 See PDF Pg. 207 ‐ 211 identified in this Category, including sample executive Please see Addendum for Sample Reports. Since its inception in 2005, Focal Point has provided IT Audits for hundreds of clients summaries and reports. over thousands of different engagements. In our continued success, we’ve expanded our team to meet new demands with the highest of standards, cultivating both a seasoned workforce and expertly refined methodologies to deliver cost‐effective, industry‐recognized risk management solutions. We’ve had the pleasure of evaluating, developing, and strengthening the information technology postures of leading organizations across every industry, including government organizations. As a result of this experience, our professionals have an expert‐level understanding of the IT challenges that these organizations face. Our excellence in IT audit engagements is evidenced by the long‐lasting relationship we’ve cultivated with our clients, who return to us year after year for ITGC and application controls testing.....

19 10/20/2017 1:37 PM RFQ A2114499R1 ‐ Broward County IT Security and Category 6 ‐ Public Safety Network and Systems A

Prime: JohnsTek Inc. Licensing Matrix Global Information Intelligence LLC Sub: IOMAXIS b. Provide evidence of similar work related to services See PDF Pgs. 353 ‐ 407 See PDF Pgs. 87 ‐93 identified in this Category, including sample executive See Sample Reports. See PDF Pgs. 38 ‐ 41 summaries and reports. 4.1 Contract: International Law Enforcement, Aviation IT, Panama, Peru (October 2015‐Present) Solutions provided: • Provide support services to aid the organization in providing Information Technology and Information Assurance efforts Research and identify protected vehicle to meet speciation’s for the Ministry of Anti‐ Drugs • Provide project management, project oversight and technical services for system problem resolution, system upgrades, system monitoring, operating system patches, system security management, system administration support, firewall maintenance, information assurance,desktop support and configuration management. Reference: Name: Mr. Anthony Pesquera, Title: Government Task Monitor (305) 517‐7644 4.2 Contract: Emergency Operations Center Implementation, Nejapa , El Salvador (May 2015) Solutions provided: • Design and implement a Regional Emergency Operations Center (24/7;365) and Disaster Relief Warehouse for the Secretary for National Emergencies in the Government of El Salvador. • Design and install of command and control systems, data management, and information sharing and communication technologies....

20 10/20/2017 1:37 PM RFQ A2114499R1 ‐ Broward County IT Security and Category 6 ‐ Public Safety Network and Systems A

Licensing Matrix Securance LLC SHI International Corp b. Provide evidence of similar work related to services CONFIDENTIAL SHI has attached sample reports with our submission. identified in this Category, including sample executive summaries and reports. References remain confidential.

21 10/20/2017 1:37 PM RFQ A2114499R1 ‐ Broward County IT Security and Compliance Services Category 6 ‐ Public Safety Network and Systems Audit Services

Prime: Carahsoft Technology Corp Licensing Matrix Solution Provider: Trustwave Focal Point Data Risk LLC 4. Workload of the Firm: See PDF Pg. 43 See PDF Pg. 212 List all completed and active projects that Vendor has managed As a private firm, we do not go into specific details, but we can say we do about 4000 Focal Point has completed over 3,000 audit projects over its 12 years of providing IT within the past five years within the Public Safety Industry. In pen tests a year and about 850 RoCs ‐ but also have the most QSAs and Pen Testers than audit and cyber security services. Over the last five years, our audit teams have addition, list all projected projects that Vendor will be working any other competitor – over 100 in completed hundreds of IT and financial audits. Our South Florida office, who will be on in the near future. Projected projects will be defined as a each case. We are busy, but have sufficient resources to cover all of our engagements. the audit team responsible for Broward, typically completes around 70 projects project(s) that Vendor is awarded a contract but the Notice to annually. We complete all of our projects concurrently with other projects, so the Proceed has not been issued. Identify any projects that Vendor added workload that this project presents is not an issue worked on concurrently. Describe Vendor’s approach in for our firm. managing these projects. Were there or will there be any As of now, our South Florida audit team has projects slated to begin later this summer challenges for any of the listed projects? If so, describe how and into the fall and currently has 25 ongoing projects ranging from internal audit to Vendor dealt or will deal with the projects’ challenges. SOX and ITGC testing. We do not anticipate these other projects limiting us from providing the County with the highest level of service. While we are always engaged in performing multiple projects at once, we believe in the importance of personalized attention for each of our clients. The County will have direct communication lines to Focal Point Principals and project managers, who will ensure that our talented team of resources meets your needs and exceeds your expectations.

VENDOR QUESTIONNAIRE FORM Verify that these questions are the same as in the advertised solicitation: 1. Legal business name. Carahsoft Technology Corporation Focal Point Data Risk, LLC 2. Doing Business As/ Fictitious Name (if applicable): 3. Federal Employer I.D. Number. 522189693 61‐1805201 4. Dun & Bradstreet Number. (If applicable). 08‐8365767 08‐0541660 5. Website address (if applicable). www.carahsoft.com www.focal‐point.com 6. Principal place of business. 1860 Michael Faraday Drive, Suite 100 201 E Kennedy Blvd, Suite 1750 Reston, VA 20190 Tampa, FL 33602 7. Office Location for this project. 1860 Michael Faraday Drive, Suite 100 We will utilize both our Tampa location and our Broward Reston, VA 20190 County location for this project. Our Broward County address is 1601 Sawgrass Corp. Pkwy., Suite 130, Sunrise, FL 33323

22 10/20/2017 1:37 PM RFQ A2114499R1 ‐ Broward County IT Security and Category 6 ‐ Public Safety Network and Systems A

Prime: JohnsTek Inc. Licensing Matrix Global Information Intelligence LLC Sub: IOMAXIS 4. Workload of the Firm: See PDF Pg. 43 See PDF Pgs. 41 ‐ 42 List all completed and active projects that Vendor has managed Global Information Intelligence will apply its expert and proven methodology to provide We have been providing services on Federal Contracts since 2011, and will continue to within the past five years within the Public Safety Industry. In BROWARD COUNTY with INFORMATION TECHNOLOGY (IT) SECURITY AND COMPLIANCE perform into the foreseeable future. We are currently a Prime Contractor on the addition, list all projected projects that Vendor will be working SERVICES using Intelligent, Proactive and Robust and Resilient methods that include proactive Department of Defense Humanitarian Assistance Planning contract for US Southern on in the near future. Projected projects will be defined as a recommendations and remediation sample for design and implementation operational Command since October 2013; we project(s) that Vendor is awarded a contract but the Notice to effectiveness for INFORMATION TECHNOLOGY (IT) SECURITY AND COMPLIANCE SERVICES: are currently a subcontractor on the Department of State International Narcotics and Law Proceed has not been issued. Identify any projects that Vendor Category 6 – Public Safety Network and Systems Audit Services Services within this category Enforcement (INL/A) contract; we are a subcontractor on the DHS Intelligence and worked on concurrently. Describe Vendor’s approach in shall include Public Safety Network /Systems Audit and Review Services. Examples of specific Counterintelligence Analysis and Training and Tradecraft Support (ICATTS) contract since managing these projects. Were there or will there be any activities may include but not be limited to evaluation of IT General and Application controls, November 2012; we are a recipient of the General Services Administration Contract, challenges for any of the listed projects? If so, describe how IT Governance, Security Strategy and Systems, General Public Safety Network Topology, Schedule Vendor dealt or will deal with the projects’ challenges. Connections to External Parties, Inbound and Outbound Remote Access.... 70; and we recently won the South Carolina Information Security and Privacy Service contract...

VENDOR QUESTIONNAIRE FORM Verify that these questions are the same as in the advertised solicitation: 1. Legal business name. Global Information Intelligence LLC JohnsTek, Inc 2. Doing Business As/ Fictitious Name (if applicable): 3. Federal Employer I.D. Number. 273548900 20‐0352589 4. Dun & Bradstreet Number. (If applicable). 07‐8744163 142428510 5. Website address (if applicable). www.globalinfointel.com www.johnstek.com 6. Principal place of business. 6860 North Dallas Parkway, Suite 200,Plano, TX 75024 45 Almeria Ave, Coral Gables, FL 33134

7. Office Location for this project. 6861 North Dallas Parkway, Suite 200,Plano, TX 75024 45 Almeria Ave, Coral Gables, FL 33134

23 10/20/2017 1:37 PM RFQ A2114499R1 ‐ Broward County IT Security and Category 6 ‐ Public Safety Network and Systems A

Licensing Matrix Securance LLC SHI International Corp 4. Workload of the Firm: We are currently engaged on a number of client projects. We attempt to keep our Due to the sensitivity and type of services, SHI cannot provide List all completed and active projects that Vendor has managed workload commensurate with our staff. However, we believe the best way to this information as it relates to other projects and customers within the past five years within the Public Safety Industry. In measure our ability to complete task orders on time is through discussion with our either completed or in the future. SHI would be happy to meet addition, list all projected projects that Vendor will be working current clients (see client references on previous page). We guarantee that we will: with Broward County discuss our approach and any challenges on in the near future. Projected projects will be defined as a Properly staff each project with employees that are qualified and technical experts; we may have experienced on similar projects. SHI believes in project(s) that Vendor is awarded a contract but the Notice to Begin all task orders on time; transparency and any time we come upon a challenge with a Proceed has not been issued. Identify any projects that Vendor Complete them within budget, within the required time frame; and project we work with the customer to let them know the issues worked on concurrently. Describe Vendor’s approach in Deliver a draft report within one (1) week of fieldwork completion. and possible solutions. SHI has a clearly defined escalation path managing these projects. Were there or will there be any Due to confidential nature of our work, we are not permitted to provide a complete so if a challenge arises the proper people can be engaged to challenges for any of the listed projects? If so, describe how list of similar projects. assist. In addition as one of the top provider of IT solutions, SHI Vendor dealt or will deal with the projects’ challenges. However, we guarantee that Securance is experienced with networks of your size has built solid relationships with IT manufacturers and has a and complexity. We have provided a sampling of our related experience of network of partners to work with should any challenges governmental agencies on page 41. encountered required additional products or resources.

VENDOR QUESTIONNAIRE FORM Verify that these questions are the same as in the advertised solicitation: 1. Legal business name. Securance LLC SHI International Corp 2. Doing Business As/ Fictitious Name (if applicable): 3. Federal Employer I.D. Number. 03‐0392503 22‐3009648 4. Dun & Bradstreet Number. (If applicable). 04‐1637542 61‐142‐9481 5. Website address (if applicable). http://www.securanceconsulting.com www.shi.com 6. Principal place of business. 6922 West Linebaugh Avenue, Suite 101, Tampa, FL 33625 290 Davidson Ave Somerset, New Jersey 08873

7. Office Location for this project. 6923 West Linebaugh Avenue, Suite 101, Tampa, FL 33625 290 Davidson Ave Somerset, New Jersey 08873

24 10/20/2017 1:37 PM RFQ A2114499R1 ‐ Broward County IT Security and Compliance Services Category 6 ‐ Public Safety Network and Systems Audit Services

Prime: Carahsoft Technology Corp Licensing Matrix Solution Provider: Trustwave Focal Point Data Risk LLC 8. Telephone/Fax Number: Telephone no.:703.871.8500 Fax no.:703.871.8505 Telephone no.:(813) 402‐1208 Fax no.:813‐436‐5283 9. Type of Business Corporation; Maryland LLC 10. List Florida Registration Number. M16000008367 11. List name and title of each principal, owner, officer and a) Craig P. Abod ‐ President a) Andrew Cannata ‐ Principal, Cyber Security major shareholder. b) Robert Moore ‐ Vice President b) Christie Verscharen ‐ Principal, PCI and Risk Services c) Jillian Szczepanek ‐ Controller c) Eric Dieterich ‐ Principal, Data Privacy d) Jennifer Taha ‐ Proposals Director 12. Authorized contacts for your firm. Name: Aaron Giannini Name: Andrew Cannata Title: Account Representative Title: Principal, Cyber Security E‐mail: [email protected] E‐mail: acannata@focal‐point.com Telephone No.: 703.889.9848 Telephone No.: (813) 731‐9074 Name: Jennifer Taha Name: Eric Dieterich Title: Proposals Director Title: Principal, Data Privacy E‐mail: [email protected] E‐mail: edieterich@focal‐point.com Telephone No.: 703.871.8556 Telephone No.: (786) 390‐1490 13. Has your firm, its principals, officers or predecessor No No organization(s) been debarred or suspended by any government entity within the last three years? If yes, specify details in an attached written response. 14. Has your firm, its principals, officers or predecessor No No organization(s) ever been debarred or suspended by any government entity? If yes, specify details in an attached written response, including the reinstatement date, if granted.

15. Has your firm ever failed to complete any services and/or No No delivery of products during the last three (3) years? If yes, specify details in an attached written response. 16. Is your firm or any of its principals or officers currently No No principals or officers of another organization? If yes, specify details in an attached written response. 17. Have any voluntary or involuntary bankruptcy petitions been No No filed by or against your firm, its parent or subsidiaries or predecessor organizations during the last three years? If yes, specify details in an attached written response.

25 10/20/2017 1:37 PM RFQ A2114499R1 ‐ Broward County IT Security and Category 6 ‐ Public Safety Network and Systems A

Prime: JohnsTek Inc. Licensing Matrix Global Information Intelligence LLC Sub: IOMAXIS 8. Telephone/Fax Number: Telephone no.:4082509045 Fax no.:N/A Telephone no.:786.375.9020 Fax no.:305.675.8373 9. Type of Business Corp; DE ‐ LLC Corporation, S Corp 10. List Florida Registration Number. P03000120232 11. List name and title of each principal, owner, officer and a) DR. EMMANUEL HOOPER, PHD, PHD, PHD, Harvard Yale Alumni, President Scott A Johnston major shareholder. b) Theresa Marie Hooper, BA (Harvard),Senior Executive

12. Authorized contacts for your firm. Name: DR. EMMANUEL HOOPER, PHD, PHD, PHD Name: Scott A Johnston Title: President Title: President E‐mail: [email protected] E‐mail: [email protected] Telephone No.: 408‐250‐9045 Telephone No.: 786.375.9020 Name: Theresa M. Hooper Title: Senior Executive E‐mail: [email protected] Telephone No.: 714‐331‐1173 13. Has your firm, its principals, officers or predecessor No No organization(s) been debarred or suspended by any government entity within the last three years? If yes, specify details in an attached written response. 14. Has your firm, its principals, officers or predecessor No No organization(s) ever been debarred or suspended by any government entity? If yes, specify details in an attached written response, including the reinstatement date, if granted.

26 10/20/2017 1:37 PM RFQ A2114499R1 ‐ Broward County IT Security and Category 6 ‐ Public Safety Network and Systems A

Licensing Matrix Securance LLC SHI International Corp 8. Telephone/Fax Number: Telephone no.:877‐578‐0215 Fax no.:813‐960‐4946 800‐477‐6479 9. Type of Business LLC Corporation; New Jersey 10. List Florida Registration Number. L02000005108 F‐01000004066 11. List name and title of each principal, owner, officer and Paul Ashe Thai Lee major shareholder. Koguan Leo

12. Authorized contacts for your firm. Name: Paul Ashe Name: Meghan Flisakowski Title: President Title: Public Program Manager E‐mail: [email protected] E‐mail: [email protected] Telephone No.: 877‐578‐0215 Telephone No.: 5125174088 Name: Gillian Tedeschi Name: Natalie Castagno Title: Director of Marketing Title: Director Response Team E‐mail: [email protected] E‐mail: [email protected] Telephone No.: 877‐578‐0215 Telephone No.: 732‐868‐5902 13. Has your firm, its principals, officers or predecessor No No organization(s) been debarred or suspended by any government entity within the last three years? If yes, specify details in an attached written response. 14. Has your firm, its principals, officers or predecessor No No organization(s) ever been debarred or suspended by any government entity? If yes, specify details in an attached written response, including the reinstatement date, if granted.

27 10/20/2017 1:37 PM RFQ A2114499R1 ‐ Broward County IT Security and Compliance Services Category 6 ‐ Public Safety Network and Systems Audit Services

Prime: Carahsoft Technology Corp Licensing Matrix Solution Provider: Trustwave Focal Point Data Risk LLC 18. Has your firm’s surety ever intervened to assist in the No No completion of a contract or have Performance and/or Payment Bond claims been made to your firm or its predecessor’s sureties during the last three years? If yes, specify details in an attached written response, including contact information for owner and surety.

19. Has your firm ever failed to complete any work awarded to No No you, services and/or 20. Has your firm ever been terminated from a contract within No No the last three years? If yes, specify details in an attached written response.

21. Living Wage solicitations only: N/A N/A

28 10/20/2017 1:37 PM RFQ A2114499R1 ‐ Broward County IT Security and Category 6 ‐ Public Safety Network and Systems A

Prime: JohnsTek Inc. Licensing Matrix Global Information Intelligence LLC Sub: IOMAXIS 18. Has your firm’s surety ever intervened to assist in the No No completion of a contract or have Performance and/or Payment Bond claims been made to your firm or its predecessor’s sureties during the last three years? If yes, specify details in an attached written response, including contact information for owner and surety.

21. Living Wage solicitations only: N/A N/A

29 10/20/2017 1:37 PM RFQ A2114499R1 ‐ Broward County IT Security and Category 6 ‐ Public Safety Network and Systems A

Licensing Matrix Securance LLC SHI International Corp 18. Has your firm’s surety ever intervened to assist in the No No completion of a contract or have Performance and/or Payment Bond claims been made to your firm or its predecessor’s sureties during the last three years? If yes, specify details in an attached written response, including contact information for owner and surety.

21. Living Wage solicitations only: No No

30 10/20/2017 1:37 PM