EnrollHostel Privileged and Confidential Page 1 of 65
DAN GRIBBLE
SOURCETEKIT | 365, Suite 20, Healey Rd, Bolton, ON L7E 5C1
Response to RFP – Peel Region
Enterprise Risk and Audit
Services
KIND ATTN:XXX
Confidentiality Agreement
This document is confidential and may not be copied without the permission of EnrollHostel.
This document contains information proprietary to EnrollHostel. Transmittal, receipt or possession of this
document does not express license or imply rights to use, sell, and design, develop or have developed products
or services from this information. No reproduction, publication or disclosure of this information in whole or in
part, electronic or otherwise, shall be made without prior written authorization from a signing office of
EnrollHostel. Authorized transfer of this document from the custody and control of EnrollHostel constitutes
a loan for limited purposes, and this document must be returned to EnrollHostel upon request, and in all events
upon the conclusion of the loan.
Copyright 2018 EnrollHostel
To:
Jason Edgmon
Senior Director of IT Infrastructure & Operations
Pharmaceutical Research and Manufacturers of America
jedgmon@School.org
Dear Jason,
EnrollHostel thanks Pharmaceutical Research and Manufacturers of America (School) for providing the
opportunity to respond to this RFP for the provisioning of one single team that combines IT, Network and
Security operations for their Network & IT infrastructure.
Value is found in knowledge. EnrollHostel is renowned for its expertise in Asset Management, and
Infrastructure management through its state-of-the-art NOC and SOC. A Professional Services’ company
specializing in large-scale urban infrastructure engagements, EnrollHostel lends its expertise to leading Value-
added re-sellers and construction companies from the design phase through final testing throughout hospitals
in North America. EnrollHostel understands that engineering and technical prowess within its organization is
of prime importance at a time when our society demands data to be integrated, automated and secured. Our
Managed IT Services’ offering is something we’re intimately familiar with and have deployed numerous times
over the last year in environments comparable to your prescribed size and scope.
EnrollHostel’s Managed IT solution services ensure that our clients’ applications are managed and operated on
a 24x7 basis, ensuring both security and high performance. Our services allow clients to benefit from scalable
project operations and cross-functional/discipline-knowledge sharing between teams, enabling EnrollHostel to
provide best in class Managed IT services.
The advantage of a partnership with EnrollHostel will ensure that this experience and qualification is leveraged
to:
• Mitigate transitional risk
• Provide best in class quality services at significantly lower costs
• Quickly construct a team of experienced and knowledgeable personnel for onsite-offshore based delivery,
thereby assuring excellence in operations
EnrollHostel follows a managed service approach, based on ITIL best practices, that provides for a set of process
frameworks and flexible governance models that transform support services; improving productivity, achieving
higher operational efficiency and increasing cost predictability.
Adopting a multi-phased approach from transition to continual improvement, the managed service model
provides:
• Scalability and resource efficiency
• Less client involvement in routine operational tasks
• Predictability in delivery through experience and understanding of application environment
• Resource utilization and shift work load balancing
• Service Level Agreement (SLA) driven metrics
• Total quality management through well-defined processes and ITIL best practices
EnrollHostel understands School’s key objective to partner with an MSP that can demonstrate how their value-
added services will provide critical helpdesk, security, network engineering, business continuity, and disaster
recovery capabilities in a cost-effective manner while providing superior customer service to our users in a
24x7x365 environment.
In partnering with EnrollHostel over other “large” IT Consulting Firms, School will benefit by leveraging our:
• Proven past performances of successfully deploying end-to-end managed IT services to many similar scale
organizations
• 10+ years of proven experience in collaboration, security and Infrastructure management
• Agile and dynamic business model that quickly adapts to customer needs and environment
Value proposition: Lower cost; maximize process efficiency
• Process oriented, result driven methodology focused on maximizing business value
Value proposition: Process standardization and consolidation
• Thought leadership and unparalleled technology “know-how”
Value proposition: Lower cost; maximize process efficiency; fast and safe technology
implementation
• Focused on customer satisfaction
Value proposition: Maximize process efficiency; enable customers to do more
• High priority on Quality and Operational Excellence
Value proposition: Maximize brand value; increase revenue.
Best Regards
Dan Gribble
VP-Sales, EnrollHostel
dgribble@EnrollHostel.com
(412) 418 3159
TABLE OF CONTENTS
1 PART I – GENERAL INFORMATION
1.1 EXECUTIVE SUMMARY
1.2 SCOPE OF SERVICES
1.3 EXCEPTIONS TO RFP REQUIREMENTS
2 PART II – DESCRIPTION OF SERVICES
2.1 AUDITING/ASSESSING IT SERVICES COMPLIANCE
2.1.1 COMPLIANCE AUDIT/ASSESSMENT METHODOLOGY
2.1.2 RISK What has Changed?
2.1.3 RISK Governance Framework.
2.1.4
2.1.5 EnrollHostel Audit Knowledge Repository
2.1.6 Audit Plan
2.1.7 Compliance Dashboards
2.1.8 VULNERABILITY TESTING
2.2 EXECUTION PLAN
2.2.1 SERVICE DELIVERY APPROACH
2.2.2 INCEPTION
2.2.3 KNOWLEDGE TRANSFER
2.2.4 STEADY STATE OPERATIONS
2.2.5 AUDIT STRATEGY
2.3 ACCOUNT MANAGEMENT & TECHNOLOGY TEAM STRUCTURE
2.3.1 AUDIT ACCOUNT MANAGEMENT
2.3.2 PROJECT TEAM STRUCTURE
2.3.2.1 TEAM STRUCTURE
2.3.2.2 TEAM ROLES & RESPONSIBILITIES
3 PART III – REFERENCES & ENROLLHOSTEL CAPABILITIES
3.1 CASE STUDIES
3.1.1 CASE STUDY 1
3.1.2 CASE STUDY 2
3.1.3 CASE STUDY 3
3.2 ENROLLHOSTEL | CAPABILITY
3.2.1 PROGRAM GOVERNANCE
3.2.2 CONTINUAL SERVICE IMPROVEMENT (CSI)
3.2.3 KNOWLEDGE MANAGEMENT
3.2.4 TEAM COMPETENCY AND SKILLS ENHANCEMENTS
3.3 ENROLLHOSTEL | PROJECT MANAGEMENT PROCESS
3.3.1 REPORTING METRICS
3.3.2 ESCALATION HANDLING
3.3.3 COMMUNICATION PLAN
3.3.4 RISK MANAGEMENT PLAN
3.3.5 CHANGE MANAGEMENT PROCEDURE
3.4 ENROLLHOSTEL | COMPLIMENTARY VALUE ADDED SERVICES
3.5 ENROLLHOSTEL | DIFFERENTIATORS
3.5.1 CYBERSECURITY SERVICES
3.5.1.1 Penetration Testing
3.5.1.2 Corporate Trainings - Cybersecurity
3.5.1.3 Email Security and Office 365 Integration
3.5.1.4 Cyber-Forensics
3.5.1.5 Social Engineering
3.5.2 SECURITY ASSESSMENT AND COMPLIANCE
3.5.3 SECURITY OPERATIONS CENTER
4 PART IV – PROJECT COST
4.1 FIXED PRICE
4.2 RATE CARD FOR ADDITIONAL WORK
4.2.1 ADDITIONAL INITIATIVES
4.3 ASSUMPTIONS
4.3.1 USER COUNT AND DEMOGRAPHIC
4.3.2 ON-PREMISE & HOSTED ENVIRONMENT
4.3.2.1 Desktops/Laptops
4.3.2.2 On-Premise Network
4.3.2.3 Hosted Cloud Environment
4.3.2.4 Legacy Business Applications
4.3.2.5 Third Party Vendors
1 PART I – GENERAL INFORMATION
1.1 EXECUTIVE SUMMARY
EnrollHostel is pleased to provide this proposal for Assessing/Auditing Compliance to RISK for School student
from Spain [Europe]. EnrollHostel understands the importance of these services School provides to Students.
EnrollHostel brings to this engagement a significant advantage to the Education Sector, in terms of technology
expertise, security, operations architecture, strategy and advisory skills, process maturity and a consistent and
reliable track record providing operational and infrastructure support across multiple technologies.
EnrollHostel also proposes the advantages it brings on board as compared to other MSPs.
1.2 SCOPE OF SERVICES
EnrollHostel understands that School is looking for the following RISK compliance services.
Below is EnrollHostel’s compliance to the scope of services detailed by School in their RFP document:
Our proposed solution has been detailed in the Section: PART II – DESCRIPTION OF SERVICES
SNo Stages
1 To Identify Risks
2 To Evaluate Risks
3 To Treat (Manage/Action) Risks
4 To Monitor (Review) Risks
5 To Report on Risks
6 To View/Update Validation Rules
Risk Management PRINCIPLES
Risk Management should:
1 create value – resources expended to mitigate risk should be less than the consequence of inaction
2 be an integral part of organizational processes
3 be part of decision making
4 explicitly address uncertainty and assumptions
5 be systematic, structured and timely
6 be based on the best available information
7 be tailorable
8 take human and cultural factors into account
9 be transparent and inclusive
10 be dynamic, iterative and responsive to change
11 facilitate continual improvement and enhancement of the organization
12 be continually or periodically re-assessed
Risk Management BENEFITS
1 Increase the likelihood of achieving objectives;
2 Encourage proactive management;
3 Be aware of the need to identify and treat risk throughout the organization;
4 Improve the identification of opportunities and threats;
5 Achieve compatible risk management practices between organisations and nations;
6 Comply with relevant legal and regulatory requirements and international norms;
7 Improve governance;
8 Improve stakeholder confidence and trust;
9 Establish a reliable basis for decision making and planning;
10 Improve controls;
11 Effectively allocate and use resources for risk treatment;
12 Improve operational effectiveness and efficiency;
13 Enhance health & safety performance and environmental protection;
14 Improve loss prevention and incident management;
15 Minimize losses;
16 Improve organizational learning; and
17 Improve organizational resilience.
Risk Assessment & Management Plan
Stage / Stage2 / # / Work Needs to be done

Stage: Development of Risk Framework
Stage2: Communicate and Consult
1 (38) Has the board and executive expressed their support for a risk management programme?
2 (39) Has the risk committee (or equivalent) and the board reviewed and approved the risk policy/strategy?
Stage2: Establish the Context
3 (1) Have you identified a person who will be responsible for implementing risk management?
4 Does the risk manager, or equivalent, have reasonable access to staff and management across the organisation?
5 (2) Have you defined categories of risk relevant to your organisation and industry?
6 Do your risk categories reflect all operational risk areas of the business as well as more strategic risk categories?
7 (3) Is there a clear organisational strategy (or objectives) articulated for the organisation?
8 (4) Have you defined and agreed a likelihood scale to assess the potential for the risk to occur throughout the organisation?
9 (5) Have you defined and agreed a consequence scale to help assess risk impacts across the organisation?
10 (6,7) Does the organisation's consequence scale describe both financial and non-financial impacts?
11 (8) Does the risk Management framework consider the effectiveness of controls or risk treatments?
12 (9) Is there an agreed template or format for recording risks and risk treatment information (a risk register)?
13 (10) Has a risk policy been defined?
14 (11) Does the organisation have a documented risk management strategy?
15 Do job descriptions of key stakeholders include responsibilities for risk management?
16 (12) Is a formal project management methodology used to manage projects?
17 Is a mechanism in place to identify, assess, record and monitor risks on projects?
18 Has the organisation agreed what types and levels of risk are unacceptable?
19 Is there an agreed format/template for reporting on risk?
20 (13) Is there a process and/or template where new risks can be recorded by the executive and staff?

Stage: Implementation of Risk Framework
Stage2: Communicate and Consult
21 Is risk management or awareness training provided to all staff?
22 Does the risk manager (or equivalent) have access to the CEO, board and Audit/Risk Committee when required?
23 (14) Do staff know that they have a right and responsibility to assist in risk identification and escalation?
24 Do staff know who to report/escalate risks to?
25 (15) Do managers or supervisors know that they are responsible for managing risk in their area/s of responsibility?
26 (16) Have the executive and the board provided guidance on what information they would like to see in risk reports?
27 Is there agreement on when and how often risk reports will be produced?
28 Have the recipients of risk reports been identified and agreed?
29 (17) Can different risk reports be produced to meet different needs of stakeholder groups?
30 (18) Has responsibility for managing/treating specific risks been assigned and communicated to those responsible?
31 Are staff encouraged or incentivised to report risk or suggest risk reduction strategies?
Stage2: Risk Assessment
32 Has a risk brainstorming workshop (or workshops) been conducted?
33 (19) Have you considered the history of events and incidents in your organisation during the risk assessment process?
34 Has research been performed to understand common risks in the industry?
35 (20) Has the executive and board considered risks relating to the achievement of key organisational goals and objectives?
36 Are risks identified during compliance reviews/audits always added to the risk register?
37 (21) Have existing controls been identified for risks during the risk assessment process?
38 (22) Has the perceived effectiveness of controls been assessed by a person who understands the risk and the controls in place?
39 Has the risk register been updated in the last year?
40 Is the risk register updated throughout the year to reflect changes in risk and emerging risks?
Stage2: Treat Risks
41 Does the risk register record the job title of the person responsible for overseeing the risk treatment and monitoring process (the 'risk owner' or 'risk champion')?
42 (23) Have you identified possible actions/treatment plans that could help to reduce the risk level?
43 (24) Have the benefits of a treatment approach been compared to the potential cost of the risk to determine the appropriateness of the treatment strategy?
44 (25) Have risk treatment or action plans been documented and approved for important risks?
45 Have due dates/completion dates been agreed for risk treatment actions and plans?
46 (26) Is there a clear understanding of who will oversee the risk treatment selection and execution process?
47 (27,28) Have key risk indicators (KRIs) been defined and agreed for key risks/risk areas?
48 Are the organisation's physical assets appropriately insured?
49 (29) Is a business continuity plan (BCP) in place for critical organisational functions/processes?

Stage: Monitoring & Review of Risk Framework
Stage2: Monitor and Review
50 (30) Does your risk process follow the steps described in the AS/NZS:4360 2004 Standard?
51 (31) Does the Internal Audit function or equivalent review risk management processes?
52 Is an Internal Audit function/process in place?
53 (32) Do your internal auditors focus their time and effort on the most critical risks recorded in the risk register?
54 (33) Does the organisation track changes in risk levels over time in order to understand trends/changes in risk levels?
55 (34) Has the risk policy been reviewed and approved in the last year?
56 (35) Has the board and/or risk management committee (or equivalent) made an attestation in the annual report in accordance with the Government Risk Management Framework (if applicable)?
57 (36) Is the risk process integrated with other organisational planning processes - for example is risk considered during the strategic planning, budgeting and audit planning processes?
Suggested 3 tiers of escalated support:
Support Tier / Description
Tier 1: All support incidents begin in Tier 1, where the initial trouble ticket is created. The issue is identified and clearly documented, and basic hardware/software troubleshooting is initiated. At this stage engineers are also using the existing knowledge base to investigate and try to the best of their ability to resolve the issue.
Tier 2: All support incidents that cannot be resolved with Tier 1 Support are escalated to Tier 2, where more complex support on hardware/software issues can be provided by more experienced Engineers.
Tier 3: Support incidents that cannot be resolved by Tier 2 Support are escalated to Tier 3, where support is provided by the most qualified and experienced engineers, who have the ability to collaborate with 3rd Party (Vendor) Support Engineers to resolve the most complex issues.
1.3 EXCEPTIONS TO RFP REQUIREMENTS
None.
2 PART II – DESCRIPTION OF SERVICES
2.1 AUDITING/ASSESSING IT SERVICES COMPLIANCE
2.1.1 COMPLIANCE AUDIT/ASSESSMENT METHODOLOGY
EnrollHostel’s GRAYBIE managed services platform provides a single pane of access and visibility for all the network
devices and security issues backed by our 24/7/365 monitoring by our certified and highly experienced engineers.
GRAYBIE connects to any IT data source or monitoring system to collect and collate data on various IT systems and
applications. GRAYBIE’s Core Rule Engine is leveraged to apply custom rules applicable to the business, gaining
insight into how the IT systems are performing within the business. Business critical application performance,
underlying IT infrastructure performance and service delivery within the organization's IT support system can all be
correlated to give a meaningful insight into the IT environment health.
GRAYBIE not only enables operational excellence through quick resolution but also helps in saving operational
costs through descriptive, prescriptive, and predictive insights for calculating the magnitude, risk, and time of the
issue at hand, in real time, thereby enabling the teams to escalate it to the management at the right moment.
A few real-time capabilities of GRAYBIE:
• Security threat correlation and incident analysis
• Custom correlation rule creation
• Device fault management
• High-touch service delivery
• Third-party log analysis to meet compliance requirements
• Configuration and engineering support
2.1.2 Risk Management Stages
SNo Stages
1 To Identify Risks
2 To Evaluate Risks
3 To Treat (Manage/Action) Risks
4 To Monitor (Review) Risks
5 To Report on Risks
6 To View/Update Validation Rules
2.1.3 Risk Management Process
2.1.4 Risk Management Principles
Risk Management PRINCIPLES
Risk Management should:
1 create value – resources expended to mitigate risk should be less than the consequence of inaction
2 be an integral part of organizational processes
3 be part of decision making
4 explicitly address uncertainty and assumptions
5 be systematic, structured and timely
6 be based on the best available information
7 be tailorable
8 take human and cultural factors into account
9 be transparent and inclusive
10 be dynamic, iterative and responsive to change
11 facilitate continual improvement and enhancement of the organization
12 be continually or periodically re-assessed
2.1.5 Risk Management Audit Benefits
Risk Management BENEFITS
1 Increase the likelihood of achieving objectives;
2 Encourage proactive management;
3 Be aware of the need to identify and treat risk throughout the organization;
4 Improve the identification of opportunities and threats;
5 Achieve compatible risk management practices between organisations and nations;
6 Comply with relevant legal and regulatory requirements and international norms;
7 Improve governance;
8 Improve stakeholder confidence and trust;
9 Establish a reliable basis for decision making and planning;
10 Improve controls;
11 Effectively allocate and use resources for risk treatment;
12 Improve operational effectiveness and efficiency;
13 Enhance health & safety performance and environmental protection;
14 Improve loss prevention and incident management;
15 Minimize losses;
16 Improve organizational learning; and
17 Improve organizational resilience.
2.1.6 RISK Governance Framework.
2.1.7 EnrollHostel Audit Knowledge Repository
EnrollHostel’s 24x7x365 Network Operations Centre (NOC) provides real-time data from over 1,700 services,
applications and processes in use across our clients’ infrastructure networks. Alarms raised from within our cloud
services alert our security and technical analysts, so that potential problems are detected and resolved before they
become service-affecting for your business operations.
Our state-of-the-art NOC enables quick risk detection, security patch deployment, backup and endpoint management
for your servers, desktops and portable devices.
2.1.8 Risk Assessment Management Audit Plan
Stage Stage2 # Checklist Item
Stage: Development of Risk Framework
Stage2: Communicate and Consult
1 Have the board and executive expressed their support for a risk management programme?
2 Have the risk committee (or equivalent) and the board reviewed and approved the risk policy/strategy?
Stage2: Establish the Context
3 Have you identified a person who will be responsible for implementing risk management?
4 Does the risk manager, or equivalent, have reasonable access to staff and management across the organisation?
5 Have you defined categories of risk relevant to your organisation and industry?
6 Do your risk categories reflect all operational risk areas of the business as well as more strategic risk categories?
7 Is there a clear organisational strategy (or objectives) articulated for the organisation?
8 Have you defined and agreed a likelihood scale to assess the potential for the risk to occur throughout the organisation?
9 Have you defined and agreed a consequence scale to help assess risk impacts across the organisation?
10 Does the organisation's consequence scale describe both financial and non-financial impacts?
11 Does the risk management framework consider the effectiveness of controls or risk treatments?
12 Is there an agreed template or format for recording risks and risk treatment information (a risk register)?
13 Has a risk policy been defined?
14 Does the organisation have a documented risk management strategy?
15 Do job descriptions of key stakeholders include responsibilities for risk management?
16 Is a formal project management methodology used to manage projects?
17 Is a mechanism in place to identify, assess, record and monitor risks on projects?
18 Has the organisation agreed what types and levels of risk are unacceptable?
19 Is there an agreed format/template for reporting on risk?
20 Is there a process and/or template where new risks can be recorded by the executive and staff?
Stage: Implementation of Risk Framework
Stage2: Communicate and Consult
21 Is risk management or awareness training provided to all staff?
22 Does the risk manager (or equivalent) have access to the CEO, board and Audit/Risk Committee when required?
23 Do staff know that they have a right and responsibility to assist in risk identification and escalation?
24 Do staff know who to report/escalate risks to?
25 Do managers or supervisors know that they are responsible for managing risk in their area/s of responsibility?
26 Have the executive and the board provided guidance on what information they would like to see in risk reports?
27 Is there agreement on when and how often risk reports will be produced?
28 Have the recipients of risk reports been identified and agreed?
29 Can different risk reports be produced to meet different needs of stakeholder groups?
30 Has responsibility for managing/treating specific risks been assigned and communicated to those responsible?
31 Are staff encouraged or incentivised to report risk or suggest risk reduction strategies?
Stage2: Risk Assessment
32 Has a risk brainstorming workshop (or workshops) been conducted?
33 Have you considered the history of events and incidents in your organisation during the risk assessment process?
34 Has research been performed to understand common risks in the industry?
35 Have the executive and board considered risks relating to the achievement of key organisational goals and objectives?
36 Are risks identified during compliance reviews/audits always added to the risk register?
37 Have existing controls been identified for risks during the risk assessment process?
38 Has the perceived effectiveness of controls been assessed by a person who understands the risk and the controls in place?
39 Has the risk register been updated in the last year?
40 Is the risk register updated throughout the year to reflect changes in risk and emerging risks?
Stage2: Treat Risks
41 Does the risk register record the job title of the person responsible for overseeing the risk treatment and monitoring process (the 'risk owner' or 'risk champion')?
42 Have you identified possible actions/treatment plans that could help to reduce the risk level?
43 Have the benefits of a treatment approach been compared to the potential cost of the risk to determine the appropriateness of the treatment strategy?
44 Have risk treatment or action plans been documented and approved for important risks?
45 Have due dates/completion dates been agreed for risk treatment actions and plans?
46 Is there a clear understanding of who will oversee the risk treatment selection and execution process?
47 Have key risk indicators (KRIs) been defined and agreed for key risks/risk areas?
48 Are the organisation's physical assets appropriately insured?
49 Is a business continuity plan (BCP) in place for critical organisational functions/processes?
Stage: Monitoring & Review of Risk Framework
Stage2: Monitor and Review
50 Does your risk process follow the steps described in the AS/NZS 4360:2004 Standard?
51 Does the Internal Audit function or equivalent review risk management processes?
52 Is an Internal Audit function/process in place?
53 Do your internal auditors focus their time and effort on the most critical risks recorded in the risk register?
54 Does the organisation track changes in risk levels over time in order to understand trends/changes in risk levels?
55 Has the risk policy been reviewed and approved in the last year?
56 Has the board and/or risk management committee (or equivalent) made an attestation in the annual report in accordance with the Victorian Government Risk Management Framework (if applicable)?
57 Is the risk process integrated with other organisational planning processes - for example is risk considered during the strategic planning, budgeting and audit planning processes?
2.1.9 Compliance Dashboards
The compliance team provides real-time data visibility for monitoring as per the following dashboards:
Fig: NOC Main Dashboard
Fig: Threat Activity report
Fig: Types of report dashboard
Fig: Devices dashboard
Fig: Device Executive summary
Fig: Device executive summary - 2
Fig: Device executive summary - 3
2.1.10 VULNERABILITY TESTING
A vulnerability assessment/evaluation is a procedure used to recognize and assign severity levels to as many security defects as possible in a given time period. This procedure may include automated and manual techniques with varying degrees of rigor and an emphasis on comprehensive coverage. Using a risk-based approach, vulnerability assessments may target different layers of technology, the most common being host-, network-, and application-layer assessments.
Conducting vulnerability assessments enables organizations to identify vulnerabilities in their software and supporting infrastructure before a compromise can happen. A vulnerability can be defined in two ways:
• A bug in code or a flaw in software design that can be exploited to cause harm. Exploitation may occur via an authenticated or unauthenticated attacker.
• A gap in security procedures or a weakness in internal controls that, when exploited, results in a security breach.
Our dedicated team at EnrollHostel provides vulnerability assessments that are intended to yield a ranked or prioritized list of a system's vulnerabilities for different kinds of threats. We will use these assessments to learn about security risks and to help in identifying and prioritizing potential issues. By understanding their vulnerabilities, we can plan fixes and patches for those vulnerabilities for incorporation into their risk management system.
The view of a vulnerability may vary, depending on the system assessed. For instance, a utility system, such as power and water, may prioritize vulnerabilities to things that could disrupt services or damage facilities, such as natural disasters, tampering and terrorist attacks. However, an information system (IS), like a website with databases, may require an assessment of its vulnerability to hackers and other types of cyberattack. Then again, a data center may require an assessment of both physical and virtual vulnerabilities since it requires security for its physical facility and cyber presence. This is where we pitch in to provide the best of services and line up the possible cases and assessments you need.
2.2 EXECUTION PLAN
2.2.1 SERVICE DELIVERY APPROACH
EnrollHostel is of the opinion that governance is multifaceted with its organizational structure, customer engagement, relationship models, processes and metrics. When the business and operational environment is complex there is a greater need for robust governance, as without it there is increased risk of shared service and vendor partnership value leakage.
1. Communicate and Consult
2. Establish the context
3. Plan Risk Assessment [Risk identification, Risk Analysis, Risk Evaluation]
4. Risk Treatment
5. Monitor and Review
6. Operate
7. Conform to Standard
Business succeeds when IT runs better and quicker with reduced cost. Our Operations & Support Services is based on an ITIL-driven service management framework which, coupled with state-of-the-art tooling and processes, helps IT organizations cut cost, reduce risk and drive down IT cost. Our mission is to reduce the incident trend, targeting zero count, and to ensure availability and reliability of applications to meet the service level commitment for each application. We proactively monitor user experience, business metrics, critical components and processes to analyze and fix incidents before end-users are impacted or experience any delay, and thus ensure business critical apps perform at peak efficiency and availability without any downtime.
The diagram below illustrates our approach to building an effective and high-performing support/operations service.
2.2.2 INCEPTION
A team comprising the service delivery managers from EnrollHostel and School will be set up for detailed planning/resource assignment and scope finalization. The team would schedule, prioritize and monitor the tasks, as well as provide status reports. The tasks associated with this phase are highlighted below:
Activities | Teams Involved: EnrollHostel Team, School Team(s), Existing Vendor Team(s)
Identify Processes: Standard Process Flow Charts | ✓ ✓ ✓
Identify existing Documentation and Knowledgebase | ✓ ✓ ✓
Team Ramp-up | ✓
2.2.3 KNOWLEDGE TRANSFER
During this phase, the EnrollHostel support team will gain and share the knowledge about the environment and infrastructure to be supported. Existing School and vendor teams will also be involved, as required.
Activities | Teams Involved: ENROLLHOSTEL Team, School Team(s), Existing Vendor Team(s)
Study Processes: Standard Process Flow Charts | ✓ ✓ ✓
Reporting / Interfaces (If any changes) / Access | ✓ ✓ ✓
Environment / System Landscape / Architecture / Database / Servers / Hosting | ✓ ✓ ✓
Study Documentation and Knowledge Base | ✓ ✓ ✓
Issue / Back Log for last 3 months and last quarter of previous year (for year-end issues) | ✓ ✓ ✓
Detailed Roles and Responsibilities | ✓ ✓
The EnrollHostel Knowledge Transfer model promotes:
• Preparing SOPs and other documents (e.g. architectural details of environment, workflow diagrams etc.)
• Maintaining strong known issues databases
• Capture of knowledge through collaboration both by explicit (interviewing and observation process; ticket-by-ticket analysis) and implicit (discussion forums, blogs, error database and reusable components repository) means.
• Ensure acquired knowledge is easily retrievable.
• Knowledge sharing across multiple and disparate ENROLLHOSTEL resources
• Reduction of information overload/capture through replication best practices.
2.2.4 STEADY STATE OPERATIONS
EnrollHostel’s team will commence steady-state operations with full SLA compliance. SLA performance against targets would be measured and reported to SCHOOL.
All the handover from current vendor team(s) will be considered complete, and they can be disengaged from the project at the start of Steady-State Operations.
2.2.5 AUDIT STRATEGY
Effective implementation of the Audit strategy leverages the best practices of IT Service Management (ITSM) concepts. The main focus for IT Audit and compliance is to execute the business requirements defined at the Service Delivery to the business. The diagram below illustrates the various components of an ITSM approach.
The important components of ITSM for having a Network-First strategy are as per below:
Access Management
Implementation of security policies defined by Information Security Management. The implementation should include physical barriers to systems such as VLAN separation, firewalling, and access to storage and applications.
Change Management
Establish a process for controlling the life cycle of all changes while minimizing disruption to operations. Test and review all changes that are candidates for automation vs. mechanized.
Service Asset and Configuration Management
Establish a process for maintaining information on assets, components, and infrastructure needed to provide services. Information on assets should contain past and current states and future-state forecasts for the demand portfolio.
Release & Deployment Management
Establish a predictable and homogenized release and deployment process to protect the production environment. Ensure during capacity planning that hardware and VM specifications are pre-defined and tested prior to the deployment cycle. Utilize VM component templates approved for production such as VM images and Gold images.
Knowledge Management
Establish a knowledge management process for gathering, analyzing, storing and sharing knowledge within the IT organization.
Incident & Problem Management
Establish a process for resolving events that are impacting services in the virtualized environment as soon as possible with minimal disruption. Identify and resolve root causes of incidents that have occurred as well as identify and prevent or minimize the impact of incidents that may re-occur.
Request Fulfillment
Management of all service requests while utilizing best practices for managing requests. All service requests will be documented in the service catalog and will include an SLA on when the request will be completed.
Systems Administration
Regularly perform systems administration tasks and mature towards automation and scripting skills.
2.3 ACCOUNT MANAGEMENT & TECHNOLOGY TEAM STRUCTURE
2.3.1 AUDIT ACCOUNT MANAGEMENT
Despite having multiple Centers of Excellence, practices and being driven by Industry’s Standards and Best Practices, EnrollHostel firmly believes in and promotes a Client Centric model where each engagement is tailored explicitly around the client’s needs and business drivers.
To this extent, it has created the Client Solutions group, which provides a dedicated Account Manager and Solution Specialists who actively interact with all the stakeholders within each client’s organization not only to understand the business needs and requirements but also to align the proper services and resources that will ensure maximum benefits to the client. Additionally, these two entities indirectly validate the quality of the delivery and provide feedback and inputs to the Global Delivery Organization.
2.3.2 PROJECT TEAM STRUCTURE
2.3.2.1 TEAM STRUCTURE
[Organization chart; box labels as extracted: Director Audit Committee; IT Audit Team; IT Audit Team; Legal; IT Compliance Team; IT Audit Manager; Chief Audit Executive; IT Audit Manager; Lead Auditor; Internal Auditors Department 1; Internal Auditors Department 2]
2.3.2.2 TEAM ROLES & RESPONSIBILITIES
Role | Description
Data Subject | A living natural person – they have rights and RISK refers to them
Data Controller | Specifies how RISK is to be manipulated
Data Processor | Manipulates the RISK on behalf of the Data Controller
DPO | Data Protection Officer: A person charged with protecting RISK and helping an organisation to meet the RISK compliance requirements
Supervisory Authority (SA) | A national body who enforces the RISK in EU member states.
EDPB | European Data Protection Board: The coordinating layer who provides consistency between SAs
Third Country | A country outside of the EU
Third Party | An individual linked in some way to the Data Subject or any company or organisation to whom data is sent
Role | Responsibilities
Delivery Manager (Audit)
• Reviewing and understanding the responsibilities of each party under this SOW.
• Working with School team to accomplish the tasks outlined in this SOW.
• Maintaining regular communications with the School team on engagement progress.
• Assisting in the resolution of deviations from the scope/plan that may impact deliverables, schedules and/or costs.
• Provide management update of the project team deliverables program governance metrics and report on engagement health to School stakeholders.
• Ensure that the engagement remains healthy and tasks outlined within the SOW are executed to the client’s satisfaction.
Senior Auditors
• Coordinate/manage end to end support and operations related activities and prioritize user requests and problems according to severity and existing workload.
• Optimize effort with embedded best practices that accelerate time to value
• Manage project team deliverables/quality issues/SLAs.
• Ensure all outages are communicated and addressed within the stipulated timeframe.
• Manage the shift schedule and availability of resources
• Support operational tools
• Manage proper delegation of support tasks among all support team members.
• Provide clarification about new and existing processes
• Assist School managers in all project related tasks, including ticket management.
• Maintain and update documentation.
• Follow defined guidelines and processes and ensure the other team members also follow them.
• Plan and participate in Service Improvement and Value-addition activities
• Plan cross-training initiatives within the team
Junior Auditors
• Work on support and operations related activities/tasks/tickets – primarily on Network Operations/activities
• Optimize effort with embedded best practices that accelerate time to market
• Guide other team members on best practices and technology enhancements
• Plan and participate in Service Improvement and Value-addition activities
• Define and enhance support processes
• Provide necessary advisory services to SCHOOL
• Provide on-call support on weekends/US holidays
Lead Auditor RISK
• Work on support and operations related activities/tasks/tickets – primarily on IT Operations/activities
• Maintain constant communication with customers and SCHOOL stakeholders, especially with the onsite leads.
• Prioritization of user requests and problems, with lead/manager, according to severity and existing work load
• Coordinate with other SCHOOL teams for issue resolution
• Support operational tools
• Perform RCAs
• Follow guidelines of defined support processes.
3 PART III – REFERENCES & ENROLLHOSTEL CAPABILITIES
3.1 CASE STUDIES
Some of the salient projects that EnrollHostel has done in the past include the following (additional details have been provided as Case Studies in the proposal document in ANNEXURE I)
Customer* | Services | Details
Leading Government | RISK Consulting | RISK assessment, RISK Gap Analysis, RISK internal audit, RISK external audit, DPIA (Data protection impact assessment)
Leading global Insurance Regulator | Risk Controls consulting | Risk Law based audit/assessment, Assigning DPO Role/team, Risk Gap Analysis, Risk internal audit, Risk law external audit.
Leading multi-national Bank | Risk Law consulting | RISK assessment, Risk Law based audit/assessment, Risk Gap Analysis, Risk internal audit, Risk law based external audit
*Due to contractual obligations, we are not permitted to explicitly name the organization for which these services were provided.
Some of the key tasks that EnrollHostel teams have been involved in projects with Managed Operations/Support included:
a) Risk Audit/assessment, RISK processing lawfully.
b) GAP Analysis to Reach for RISK compliance
c) Risk by design
d) Data Protection Impact assessment
e) Appointing and building Data Protection Officer Team.
f) Remedies, liability, & penalties
g) Provisions relating to specific processing situations
h) Delegated acts and implementing acts
3.1.1 CASE STUDY 1
Name and Address: Leading Government in EMEA Region
Contracting Activity: RISK Audit
Contract Type: Fixed Price
Description of Services
*Due to contractual obligations, we are not permitted to explicitly name the organization for which these services were provided.
The Challenges
• Client wanted to Assess its Risk based on new Risk law.
• Risk Audit/assessment, RISK processing lawfully.
• GAP Analysis to Reach for RISK compliance
• Risk by design
• Data Protection Impact assessment
• Appointing and building Data Protection Officer Team.
• Remedies, liability, & penalties
• Provisions relating to specific processing situations
• Delegated acts and implementing acts
Solution
The enterprise leveraged Server Operations and Crisis Management teams. Team also worked closely with the other dependent team for any changes and upgrades to the production web applications.
• Risk Audit/assessment, RISK processing lawfully.
• GAP Analysis to Reach for RISK compliance
• Risk by design
• Data Protection Impact assessment
• Appointing and building Data Protection Officer Team.
• Remedies, liability, & penalties
• Provisions relating to specific processing situations
• Delegated acts and implementing acts
Benefits Delivered
• Risk Audit/assessment, RISK processing lawfully.
• GAP Analysis to Reach for RISK compliance
• Risk by design
• Data Protection Impact assessment
• Appointing and building Data Protection Officer Team.
• Remedies, liability, & penalties
• Provisions relating to specific processing situations
• Delegated acts and implementing acts
3.1.2 CASE STUDY 2
Name and Address: Leading media and entertainment company in US*
Contracting Activity: 24 x 7 Infra-support
Contract Type: Fixed Price
Description of Services
*Due to contractual obligations, we are not permitted to explicitly name the organization for which these services were provided.
The Challenges
The IT team of the Insurance company is responsible for provisioning and managing the entire enterprise IT infrastructure across multiple locations. The primary objective was to fix the Risk aspect with respect to providing legally and regulatory compliant and competitive IT elements. This automation would enable higher compliance to Risk and help the IT team and customer in managing day-to-day operations more effectively. The IT team had a challenge in terms of managing IT across distributed locations and the huge impact of smooth IT operations on business services.
Solution
The Risk assessment was done and the solution was deployed centrally at the IT operations center to proactively monitor the network, systems, applications and database infrastructure and notify users if there is any Risk issue.
The solution deployed is used to monitor the Risk aspect for regulatory and legal compliance of the critical network devices. The service level committed by the service provider is verified using the availability service level report available from the NOC solution service.
The solution was deployed for monitoring multiple key performance indicators of various elements including:
• Routers, switches -> Availability, response times, CPU utilization and memory utilization, custom SNMP expressions-based performance metrics
• MPLS links -> availability, response times and utilization
• Servers -> Resource utilization by CPU, Memory, Disk, Bandwidth, etc.
• Databases -> table space utilization, log file utilization, deadlocks and query response times
• Applications -> service availability
• Web Services -> availability
Benefits Delivered
• Risk by design service was deployed to centralize incoming service requests to various departments.
• A streamlined service request, routing, tracking, escalation, resolution and closure has brought about accountability within each department.
• The automated routing and SLA monitoring capabilities have reduced issue closure times and have improved end user satisfaction.
• The NOC solution deployed has helped the IT staff to provide better service response, quick resolution of end user reported issues with flexible workflow-based automation and has enabled higher customer satisfaction across organization.
3.1.3 CASE STUDY 3
Name and Address: Leading media and entertainment company in US*
Contracting Activity: 24 x 7 Infra-support
Contract Type: Fixed Price
Description of Services
*Due to contractual obligations, we are not permitted to explicitly name the organization for which these services were provided.
The Challenges
The IT infrastructure company is distributed across 10 locations. There are about 100 critical network elements including routers, switches, links etc. The IT operations run on 20+ critical Windows 2000 and 2003 servers. There are about 15+ mission critical applications that run on a variety of Microsoft SQL and proprietary databases. These applications also include web based middleware and other web services based applications.
The few objectives for IT Infrastructure monitoring include the following:
• Proactive auditing/assessment of networks, systems, applications, databases, IT services infrastructure for availability and performance
• Determine root cause, fix problems quickly and ensure mission critical applications are healthy and available for end users conflicting with RISK.
• Enhance end user perception of IT services by ensuring Risk protection resolution to end user issues. Ensure that the IT team is accountable in closing end user reported issues on time with higher user satisfaction.
• Audit Risk of hosts, applications, locations, departments including hourly, weekly, monthly usage trends
• Plan so that future Risk needs, like Risk by design, are met in advance and maintain the competitive edge
Solution
• The Risk by design solution was deployed to monitor core IT services like messaging services, ERP services and EIP services. The team uses the NOC tool to ensure availability of these services to the branches is proactively monitored and accounted for
• Real time dashboards and historical reports were made available as part of a built-in web based portal and are used by the IT team to examine and optimize resource compliance.
• The non-invasive, agentless monitoring capability of Compliance was deployed to help the IT team with easy and faster deployment for monitoring across local and remote servers, databases, applications
• Flexible notification and escalation capabilities of Compliance were used for proactive monitoring of faults and performance breaches. This helped the IT engineers to fix issues before they are reported by end users.
Benefits Delivered
• The Compliance Assessment and analysis helped to audit and better manage applications compliance across locations, departments
• Better manage compliance for RISK assessment, Risk Law based audit/assessment, Risk Gap Analysis, Risk internal audit, Risk law based external audit
• Better Risk Compliance for application, link availability and performance
• Quick response time & resolution resulting in customer delight
3.2 ENROLLHOSTEL | CAPABILITY
EnrollHostel is founded on a strong foundation of architecture, process, and a Risk-based approach to technology solutions. Our professionals consistently use these fundamental principles coupled with out-of-the-box thinking to deliver creative and robust solutions that meet our clients’ stated as well as unanticipated needs. This approach allows us to deliver solutions that combine our expertise around development, support and testing using a continuous integration approach with industry leading products in various functional domains. Our core competency is the ability to quickly understand the client’s business needs and deliver an elegant and robust, yet cost-effective solution.
Over the past 10 years, customers have engaged EnrollHostel for solutions and services across a wide variety of technologies. EnrollHostel has constantly innovated and kept abreast of new and emerging technologies in IT infrastructure, Security & Internet of Things, amongst others.
3.2.1 PROGRAM GOVERNANCE
EnrollHostel has a well-defined program governance process, which closely monitors customer satisfaction, service levels and quality. Periodic reviews are conducted to ensure that services are being delivered to exceed customer expectation and seek feedback.
• Monthly business review is conducted to review service levels, process compliance, issues to be escalated, targets and improvements for next month.
• Quarterly executive briefings present an opportunity to discuss past performance, recommendations and focus areas for the future.
3.2.2 CONTINUAL SERVICE IMPROVEMENT (CSI)
EnrollHostel continually institutes processes and methodology that meet requirements and also allow for needs that adjust based on the client’s changing business dynamics. To achieve our objective of providing best in class services, our project teams adhere to a continual improvement framework based on ITIL best practices. The team will continually identify areas of improvement and provide recommendations on:
• Deploying and enhancing continuous integration frameworks for code deployment and automated deployment
• Build IT automation for important processes, such as automatic deployment and operations, automatic ticket creation based on monitoring alert, integration of monitoring tools
• Proactively monitor, identify trends, address situations and propose solutions in order to restore and resolve critical issues in a timely fashion
• Use ITIL techniques to improve the processes used.
• Proactively work closely with client teams and third-party development for operational readiness and hand off of new development and applications
3.2.3 KNOWLEDGE MANAGEMENT
The EnrollHostel Knowledge Management approach promotes:
• Capture of knowledge through collaboration both by explicit (interviewing and observation process; case-by-case analysis) and implicit (discussion forums, blogs, error database and reusable components repository) means.
• Organize the acquired knowledge so that it is easily retrievable.
• Share and distribute knowledge through wiki documentation, run-books, standard operating procedures etc.
• Use and reuse knowledge for operational efficiency, improvement, automation
3.2.4 TEAM COMPETENCY AND SKILLS ENHANCEMENTS
To be at the forefront of the ever-changing IT trends in business, it is imperative for any organization to constantly update and reinvent itself. EnrollHostel aims to achieve this through a strategic skill enhancement program that involves every employee. Industry trend analysts identify key areas of skill enhancement, keeping in view our core competencies and goals.
EnrollHostel continually strives to augment its team competency and skills considering the change in client processes, technology, tools, and domain knowledge, and encourages and facilitates across-the-board technical certification programs. Along with acquiring formal technical certification, it also empowers employees with enhanced skills and knowledge. We sponsor these certifications and proactively arrange formal sessions between industry experts and our professionals. Some of the areas where our project teams get training from internal and external trainers are soft skills, technical training on disruptive and emerging technologies, team management, leadership etc.
3.3 ENROLLHOSTEL | PROJECT MANAGEMENT PROCESS
EnrollHostel ensures that all projects undertaken by its team are being governed and managed effectively, meeting the customer expectations.
Below are the key project monitoring & control processes that will be followed to track the progress of the project delivery. Some of these may be tailored based on specific plans during project execution.
• Track project planned activities against the actual and update critical dependencies in schedule accordingly with the revised planned dates
• Status Reporting of ongoing project activities & implement corrective actions based on the comments received from different stakeholder
• Internal team meetings
• Project customer meeting
• Monthly business reviews
• Track the estimates for reviewing the planned vs. actual effort throughout the project lifecycle
• Monitor Risks associated with cost, resource and schedule aspects and perform ongoing risk identification and management in conjunction with client stakeholders.
• Review any changes to the allocated requirements according to change management process
• Collect measurement data for the project regularly throughout the project life cycle in data collection plan on a monthly basis. This is done for the purpose of analysis & plan the preventive and corrective actions
• SLA Monitoring & Tracking
3.3.1 REPORTING METRICS
Below is a list of typical metrics that EnrollHostel team would produce during the course of thisproject.
These metrics can be tailored in discussion with School at the time of project initiation.
Service Desk Support Reports
 Daily – ticket report, Pending & Closed ticket reports.
 Weekly – ticket trend report, ticket analysis report.
 Monthly – ticket analysis report, ticket trend report, uptime reports, backup and restore report,
RCA, escalated ticket report
Incident Management
 Number of repeated Incidents, with known resolution methods
 Number of Incidents resolved remotely by the support teams
 Number of escalations for Incidents not resolved in the agreed resolution time
 Average time for resolving an incident
 Percentage of Incidents resolved by L2 without L3 involvement
 Rate of incidents resolved during solution times agreed in SLA
Problem Management
 Number of problems logged
 Average time for resolving problems
 Number of problems where the underlying root cause is not known at a particular time
 Number of reported incidents linked to the same problem after problem identification
 Average time between first occurrence of an incident and identification of the underlying root cause
 Average work effort for resolving problems
Service Level Management
 Number of services covered by SLAs
 Number of Services where SLAs are backed up by corresponding OLAs/ UCs
 Number of monitored Services/ SLAs, where weak-spots and counter-measures are reported
 Number of Services/ SLAs which are regularly reviewed
 Number of Services/ SLAs where the agreed service levels are fulfilled
 Number of issues in the service provision, which are identified and addressed in an improvement
plan
Availability Management
 Availability of applications relative to the availability agreed in SLAs and OLAs
 Number of service interruptions
 Average duration of service interruptions
 Percentage of applications components under availability monitoring
 Number of implemented measures with the objective of increasing availability
Security Management
 Number of preventive security measures which were implemented in response to identified
security threats
 Duration from the identification of a security threat to the implementation of a suitable counter
measure
 Number of identified security incidents, classified by severity category
 Number of security incidents causing service interruption or reduced availability
 Number of security tests and trainings carried out
 Number of identified shortcomings in security mechanisms which were identified during tests
3.3.2 ESCALATION HANDLING
EnrollHostel expects that all queries & issues related to successful execution of the project would be
discussed and resolved via various meetings as per the Communication Plan. However, there may be
instances where either School or EnrollHostel management encounters or foresees any issues that need
direct and prompt attention of the other side’s management.
3.3.3 COMMUNICATION PLAN
Meeting Type/Purpose | Frequency | Participants (EnrollHostel) | Participants (School)
Project Discussion/Issue Resolution | Need basis | Technical Lead; Other team members (optional) | Project Manager; IT SPOC
Project Status Review | Weekly | Service Delivery Manager; Technical Lead | Project Manager
Steering Committee Review | Monthly | Engagement Manager; Technical Lead; Service Delivery Manager | Project Manager; Project Champion
3.3.4 RISK MANAGEMENT PLAN
EnrollHostel proposes to use the industry-standard FMEA (Failure Mode and Effects Analysis) tool for managing
risks. FMEA aids in the analysis of potential failures, problems or defects within a system using a classification
by the severity and likelihood of the failures. Using the FMEA analysis, the project team can plan for
appropriate mitigation & contingency strategies.
3.3.5 CHANGE MANAGEMENT PROCEDURE
EnrollHostel understands that a project often requires changes during execution, and hence proposes a
robust change management procedure. EnrollHostel proposes that a Change Management Board be
established that has authority to approve, partially approve or reject any change request. The Board
would comprise:
ENROLLHOSTEL
 Service Delivery Manager
 Engagement Manager
School
 Project Manager
 Project Champion
 Sourcing (optional)
Fig: Risk management process (FMEA): Risk Identification via FMEA; Develop Mitigation & Contingency Plan; Periodic Risk Review; Address major risks; Update FMEA
Trigger for Change
 Scope
 Requirements
 Tools & Technology
 Schedule Adjustments
Impact Analysis
• Schedule
• Effort
• Cost
• Artifacts and Deliverables
Submission of formal Change
Request (CR)
Discussion & Approval of CR by
Change Management Board
Updated CR
Implementation of CR
• Contract
• Project plan
• Artifacts & Deliverables
3.4 ENROLLHOSTEL | COMPLIMENTARY VALUE ADDED SERVICES
EnrollHostel’s decade-old expertise in managing network infrastructure brings many advantages
compared to other IT managed service providers.
Since we always strive for bringing the best possible robustness to our clients’ networks, we will be
bringing the following as complimentary services:
- Complimentary Anti-virus software license for all end-point devices along with maintenance
- Complimentary Penetration Testing to test the robustness of the installed network
3.5 ENROLLHOSTEL | DIFFERENTIATORS | Services
EnrollHostel is one of those rare organisations that possesses not only leading IT infrastructure
management professionals but also a global group of cybersecurity professionals.
With security clearances of the highest order (US Fed clearance), our professionals have led many
“Incident Response teams” carrying out “Forensics” for networks that have been breached.
3.5.1 CYBERSECURITY SERVICES
In today’s information economy, data can be your organization’s most valuable asset, but with the rise of
mobile technology, cloud computing, and exponentially growing volume of digital information, keeping
that data secure also becomes one of your greatest challenges.
No one is immune to data loss incidents, and no one is better equipped than EnrollHostel to help you
identify and close gaps that put your organization’s cyber security at risk. Information security issues —
such as data breaches or employee misconduct — are a constant worry for C-suite leaders as well as for
front-line managers in your organization. Cybersecurity challenges put sensitive data at risk and can cost
your company time, revenue and resources.
EnrollHostel offers extensive cybersecurity strategy and services that can be applied to meet your unique
requirements, whether they be related to a system, an architecture, a network, policy establishment or
process implementation and improvement. We work with organizations at various stages of their cyber
security strategy development and cyber security program implementation.
3.5.1.1 RISK Services
A penetration test (pen-test) is a procedure to assess the security of an IT infrastructure by safely
attempting to exploit its vulnerabilities. These vulnerabilities may exist in operating systems,
services and application flaws, improper configurations or risky
end-user behavior. Such assessments are also useful in validating the effectiveness of defensive
mechanisms and end-user adherence to security policies.
EnrollHostel’s team of leading pen-testers tests the effectiveness of the organization's security.
This is accomplished by emulating the behaviors and techniques of likely attackers in the most realistic
way possible.
3.5.1.2 Corporate Trainings Risk/Security Awareness
Risk/security awareness is the knowledge and attitude members of an organization have with respect
to the protection of the physical, and especially informational, assets of that organization. Many
organizations require formal security awareness training for all workers when they join the
organization and periodically thereafter, usually every year.
EnrollHostel commits to providing this training and practice to all its employees and clients and letting
them know about the possible outcomes thereafter.
Being “security aware” means one understands that there is the potential for some people to deliberately
or accidentally steal, damage, or misuse the data that is stored within an organization's computer
systems and throughout the organization. Therefore, it is prudent to support the assets of the
institution (information, physical, and personal) by trying to prevent that from happening.
The focus of Security Awareness here at EnrollHostel is to achieve a long-term shift in the
attitude of employees towards security, while promoting a cultural and behavioral change within an
organization. Security policies ought to be seen as key enablers for the organization, not as a
series of rules restricting the efficient working of your business. We provide Security
Awareness training to our new employees and keep them up to date with these principles.
3.5.1.3 Email Risk & Security with Office 365 Integration
Email is the most important business communication tool—and simultaneously, the leading threat vector
for cyber-attacks. In fact, according to the Cisco Midyear Cybersecurity Report, attackers turn to email as
the primary vector for spreading ransomware and other malware.
Mass spam campaigns are no longer your only email security concern. Attackers scour social media sites
to find information on their intended victims and then create sophisticated and highly targeted
ransomware, business email compromise (BEC), and phishing campaigns.
EnrollHostel’s Email Security enables secure email use and protects the leading attack vector with multiple
layers of protection using Cisco’s Email Security.
Gain a robust layer of defense against ransomware, business email compromise, phishing, and more for
the Office 365 solution.
It helps protect your network from threats in incoming email while helping prevent the loss of business-
sensitive data in outgoing mail.
Benefits
 Block more threats with comprehensive threat intelligence from Cisco Talos, one of the largest
commercial threat intelligence teams in the world, comprised of world-class researchers, analysts
and engineers.
 Combat ransomware hidden in attachments that evade initial detection with Cisco Advanced
Malware Protection (AMP).
 Stop BEC and phishing attacks with superior URL intelligence and forged-email detection
 Protect sensitive content in outgoing emails with data loss prevention (DLP) and easy-to-use email
encryption, all in one solution.
 Gain maximum deployment flexibility with a cloud, virtual, on-premises, or hybrid deployment or
move to the cloud in phases.
3.5.1.4 Cyber-Forensics
Our Forensics and Investigation solutions provide an attack’s context, infrastructure-wide visibility,
codified expertise, rich intelligence, and insights gained from front-line experience responding to the
world’s most impactful threats. They empower your infrastructure with everything you require to rapidly
detect, triage, investigate, and minimize the impact of attacks.
As one of the very few organizations whose cybersecurity professionals hold top-level security clearances (US
Fed security clearance), we give our clients the highest level of confidence in security
incident analysis and forensics.
3.5.1.5 Social Risk Test Engineering
Social engineering is mandatory to counter the social engineers, hackers who exploit the one weakness
that is found in each and every organization: human psychology. Using a variety of media, including
phone calls and social media, these attackers trick people into offering them access to sensitive
information.
These are the common types of social engineering attacks:
 Phishing: These attacks can include scenarios like the aforementioned, but may
also be more targeted. Spear phishing attacks are more refined and can include customized
emails or targeted advertisements that require more research on the attacker's part.
 Watering hole: In a watering hole attack, groups of users are specifically targeted. For
instance, attackers would research particular employees who visit niche sites and afterward
have malware specifically targeting these employees.
 Baiting: Just as the term suggests, baiting attacks involve offering victims something they
want. The risk is that you might download malware instead of, or in addition to, the
files you actually want. Baiting can also include too-good-to-be-true online deals or
fake emails with answers to questions you never asked on any forums.
EnrollHostel’s decade of experience enables us to provide assistance and services on how an organization
can defend itself and its employees against such attacks and prepare to tackle them anytime.
3.5.2 SECURITY ASSESSMENT AND COMPLIANCE
Security threats, risks, and vulnerabilities are present throughout organizations of all sizes. Any intrusions
or breaches of critical systems, data, and applications will likely result in business-impacting consequences
that have varying degrees of severity. With a solid security plan and evaluation, however, these risks can
be identified and mitigated without impacting compliance and regulatory requirements.
EnrollHostel offers a comprehensive security assessment service that evaluates an organization’s current
information security program and infrastructure. The assessment identifies vulnerabilities and
weaknesses, and measures any risks associated with the organization’s current IT environment and
security practices.
FEATURES & COVERAGE
 Identify internal and external security gaps and vulnerabilities
 Discover any areas of concern, including unpatched systems, open ports, and compliance violations
 Find security bugs and loopholes that could potentially be used to harm your network
 Verify network connections are secure, encrypted, and working as expected
 Outline and develop an actionable plan to mitigate the identified risks and vulnerabilities
 Approach and methodologies are based on industry standards and practices, such as the National
Institute of Standards and Technology (NIST) and the Health Insurance Portability and Accountability
Act (HIPAA)
Our Network Vulnerability Assessment services are grouped into three categories of services:
 Periodic network Vulnerability Assessment as a service: Our clients often request that we perform
a one-time or periodic network VA to verify the strength of their network security profile. Industry
best practices suggest that you periodically rotate vendors for a more comprehensive VA.
 Deployment of network Vulnerability Assessment solutions: We help our clients select and
configure the most suitable network VA solution and manage it on their behalf or transfer day-to-
day operation to their staff.
 Compliance Reporting for network Vulnerability Assessment: We provide a network VA that
supports your compliance obligations. Accordingly, we leverage our eGRC compliance reporting
solutions that support more than 500 regulatory compliance reports. Specifically, we provide
reports that support:
o Payment Card Industry (PCI) Data Security Standards
o ISO 27001
o General Data Protection Regulation (GDPR)
o Health Insurance Portability and Accountability Act (HIPAA)
 Scope of Network Vulnerability Assessment Services: As part of our network Vulnerability
Assessment we typically cover the following areas:
o Network Topology Risk Assessment: Discover and assess the risk of network topology and
zones including: Public, Operational, Restricted, and Highly Restricted zones.
o Discover Network Assets: As part of the network VA, our personnel help you discover network
assets, including network nodes, firewalls, IPSs, IDSs, routers and switches, servers, databases,
applications.
o Discover Network Asset Vulnerabilities: Utilizing an array of commercial and open source
tools, we probe each network asset for potential vulnerabilities. To complete our network VA,
we deploy host configuration review.
o Verify Vulnerabilities (or Penetration Testing): With management approval, we verify
identified network vulnerabilities by actively trying to leverage them for further network
penetration and subversion of existing controls.
o Network Security Configuration Assessment: We review the device configuration for potential
network vulnerabilities. Our personnel utilize a set of automated tools and manual techniques
to review such vulnerabilities.
o Reporting: Our reporting process is designed to inform executives, management groups,
technical teams, and compliance and audit departments. We carefully explain each vulnerability,
its respective exposure, and discoverability. Our personnel also provide pragmatic
prioritization and recommendations. When deemed appropriate, our team will provide a trend
report to demonstrate the status of network VA over a designated period of time.
BENEFITS
 Validates current security programs and practices
 Identifies known security risks and vulnerabilities before they are exploited
 Provides organizations with an outline and action plan to remediate issues and improve IT
environment resiliency and performance
 Prepares organizations for audits and other reviews, and ensures compliance and regulatory
requirements are continuously met
 Can be performed at your convenience, either onsite or remotely
3.5.3 SECURITY OPERATIONS CENTER – Risk Or Confidentiality
As advanced cyber threats become more sophisticated and organized, and vulnerabilities more complex, with
the intent of not only stealing your data but also installing cryptocurrency-mining malware, or using your
system as a pivot point to other attack vectors, businesses today recognize they can't manage or handle
this challenge alone. They're turning to managed security service providers like EnrollHostel to keep their
business protected.
Managed and monitored by highly skilled and highly sought-after cyber security experts 24x7x365,
EnrollHostel’s SOC is one of its most advanced threat intelligence monitoring services, provided at an affordable
monthly price.
Benefits:
 Security made easy – EnrollHostel’s NOC handles 24/7/365 monitoring of your network and
data. We identify and correlate any suspicious behavior, and we immediately alert you of any
suspicious or active threat along with detailed remediation instructions your IT staff can follow
for any malicious activity.
 Cost-effective security – EnrollHostel’s NOC is a comprehensive security services offering
that leverages security products you already own. And best of all, you won’t have to recruit,
hire and pay hard-to-find cyber security talent.
 Simplified compliance reporting – EnrollHostel’s NOC consolidates data from hundreds of
security products to ease the pain of manually compiling regulatory and compliance reports.
Plus, there are many built-in reports for regulations such as PCI DSS, HIPAA, and many others.
 Comprehensive Forensics – Gain the capability to conduct detailed forensic investigations to
help remediate a breach
Fig: SOC Monitoring Dashboard
Fig: SOC Monitoring Tool Analysis report
Fig: SOC Monitoring SIEM
Fig: SOC Monitoring SIEM
4 PART IV – PROJECT COST
4.1 FIXED PRICE
Audit consultant cost: $15,000
Auditors/assessors documentation, travel, miscellaneous: $5,000
Charges = $20,000, least-cost bid for a 42 man-day project
4.2 RATE CARD FOR ADDITIONAL WORK
** Each project might involve a few different types of resources and the project management
office.
PRICE IN USD
 Support Engineer – 120/hr
 Sr. Engineer – 150/hr
 Project Manager – 140/hr
 Database Engineer – 150/hr
 Hardware move and installation – 80/hr
4.2.1 ADDITIONAL INITIATIVES
In addition to the ongoing managed services provided under a fixed fee contract, there are other services
related to the onboarding that would be billed separately, including but not limited to the following:
Network Equipment Upgrades
• UPS: Replacement of multiple aging APC UPS 1500 units with a proper NOC room UPS with Power
Distribution Units (PDU) in each rack capable of remote management and environmental monitoring
• Switches: Replacement of aging Cisco Catalyst 3750 floor switches and Cisco Catalyst 6506 Core Switch
• Bandwidth: Deployment of a larger multi-source Direct Internet Circuit to support anticipated growth
from additional traffic generated by Skype video conferencing and a multitude of hosted cloud-based
applications
Server Maintenance
• Upgrade of existing Microsoft Server 2008 to Microsoft Server 2016
• Upgrade of existing Microsoft 2008 Active Directory (AD) Domain Server to MS AD 2016
• Virtualizing the remaining on-premise servers to provide for better support/security
• Archiving of existing on-premise data storage to a virtualized environment
Advisory Services
The MSP shall provide advisory services including, but not limited to:
• Technology planning & cost forecasting
• Business continuity planning
• Disaster recovery planning
• Enterprise architecture
• Technology consulting
• Process development
• Incident Response Process
4.3 ASSUMPTIONS
EnrollHostel has made the general assumption that the information which was provided during the
preparation of this proposal is accurate and up-to-date. During the course of this project, it may be found
that assumptions that were made are invalid due to lack of information at the time of proposal
development. In such a case, EnrollHostel will work with School to make suitable amendments to this
proposal that are mutually agreed upon by both parties and, when applicable, the corresponding change
request process would be initiated.
It is understood and agreed upon that the following items must be in place and/or provided at the start
of the engagement:
4.3.1 USER COUNT AND DEMOGRAPHIC
Approximate 250 users are located at School’s
The following is a high-level overview of the on-premise School computing assets:
4.3.1.1 Desktops/Laptops
We are concerned How replaced laptop
4.3.1.2 On-Premise Network/Software hosted
School network and software hosted details are not known.
4.3.1.3 Hosted Cloud Environment
It is anticipated that the majority of School’s services will be cloud-based by the end of FY2018. Cloud
details are not known. All software, platform and infrastructure information storing, processing or
transmitting RISK information is not known [Depending on how many applications we need to check, the
amount of work may vary]
4.3.1.4 Legacy Business Applications
Details not known.
4.3.1.5 3rd Party Vendors
We would need to understand the SLAs which third party vendors are on with respect to
handling of RISK information being processed, stored or transmitted.

Real implementation Blockchain Best Use Cases ExamplesReal implementation Blockchain Best Use Cases Examples
Real implementation Blockchain Best Use Cases Examples
 
Ffd 05 2012
Ffd 05 2012Ffd 05 2012
Ffd 05 2012
 
Biztalk architecture for Configured SMS service
Biztalk architecture for Configured SMS serviceBiztalk architecture for Configured SMS service
Biztalk architecture for Configured SMS service
 
Data modelling interview question
Data modelling interview questionData modelling interview question
Data modelling interview question
 
Pmo best practices
Pmo best practicesPmo best practices
Pmo best practices
 
Agile project management
Agile project managementAgile project management
Agile project management
 
Enroll hostel Business Model
Enroll hostel Business ModelEnroll hostel Business Model
Enroll hostel Business Model
 
Cloud manager client provisioning guideline draft 1.0
Cloud manager client provisioning guideline draft 1.0Cloud manager client provisioning guideline draft 1.0
Cloud manager client provisioning guideline draft 1.0
 
Bpm digital transformation
Bpm digital transformationBpm digital transformation
Bpm digital transformation
 
Digital transformation explained
Digital transformation explainedDigital transformation explained
Digital transformation explained
 
Government Digital transformation trend draft 1.0
Government Digital transformation trend draft 1.0Government Digital transformation trend draft 1.0
Government Digital transformation trend draft 1.0
 
Enterprise architecture maturity rating draft 1.0
Enterprise architecture maturity rating draft 1.0Enterprise architecture maturity rating draft 1.0
Enterprise architecture maturity rating draft 1.0
 
Organisation Structure For digital Transformation Team
Organisation Structure For digital Transformation TeamOrganisation Structure For digital Transformation Team
Organisation Structure For digital Transformation Team
 
Case study haad operating model improvement model
Case study  haad operating model improvement modelCase study  haad operating model improvement model
Case study haad operating model improvement model
 
Healthcare regulator operational model for improvement
Healthcare regulator operational model for improvementHealthcare regulator operational model for improvement
Healthcare regulator operational model for improvement
 
Moving operations to managed services provider
Moving operations to managed services providerMoving operations to managed services provider
Moving operations to managed services provider
 

Dernier

Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?Antenna Manufacturer Coco
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessPixlogix Infotech
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 

Dernier (20)

Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 

Risk management Consulting For Municipality

  • 1. EnrollHostel Privileged and Confidential Page 1 of 65 DAN GRIBBLE SOURCETEKIT | 365, Suite 20, Healey Rd, Bolton, ON L7E 5C1 Response to RFP – Peel Region Enterprise Risk and Audit Services KIND ATTN:XXX
  • 2. EnrollHostel Privileged and Confidential Page 2 of 65 Confidentiality Agreement This document is confidential and may not be copied without the permission of EnrollHostel. This document contains information proprietary to EnrollHostel. Transmittal, receipt or possession of this document does not express license or imply rights to use, sell, and design, develop or have developed products or services from this information. No reproduction, publication or disclosure of this information in whole or in part, electronic or otherwise, shall be made without prior written authorization from a signing office of EnrollHostel. Authorized transfer of this document from the custody and control of EnrollHostel constitutes a loan for limited purposes, and this document must be returned to EnrollHostel upon request, and in all events upon the conclusion of the loan. Copyright 2018 EnrollHostel ON L7E 5C1
  • 3. EnrollHostel Privileged and Confidential Page 3 of 65
    To: Jason Edgmon, Senior Director of IT Infrastructure & Operations, Pharmaceutical Research and Manufacturers of America, jedgmon@School.org
    Dear Jason,
    EnrollHostel thanks Pharmaceutical Research and Manufacturers of America (School) for providing the opportunity to respond to this RFP for the provisioning of one single team that combines IT, Network and Security operations for their Network & IT infrastructure.
    Value is found in knowledge. EnrollHostel is renowned for its expertise in Asset Management and Infrastructure management through its state-of-the-art NOC and SOC. A Professional Services company specializing in large-scale urban infrastructure engagements, EnrollHostel lends its expertise to leading value-added re-sellers and construction companies from the design phase through final testing throughout hospitals in North America. EnrollHostel understands that engineering and technical prowess within its organization is of prime importance at a time when our society demands data to be integrated, automated and secured. Our Managed IT Services offering is something we're intimately familiar with and have deployed numerous times over the last year in environments comparable to your prescribed size and scope.
    EnrollHostel's Managed IT solution services ensure that our clients' applications are managed and operated on a 24x7 basis, ensuring both security and high performance. Our services allow clients to benefit from scalable project operations and cross-functional/discipline knowledge sharing between teams, enabling EnrollHostel to provide best in class Managed IT services.
    A partnership with EnrollHostel will ensure that this experience and qualification is leveraged to:
    - Mitigate transitional risk
    - Provide best in class quality services at significantly lower costs
    - Quickly construct a team of experienced and knowledgeable personnel for onsite-offshore based delivery, thereby assuring excellence in operations
    EnrollHostel follows a managed service approach, based on ITIL best practices, that provides for a set of process frameworks and flexible governance models that transform support services, improving productivity, achieving higher operational efficiency and increasing cost predictability. Adopting a multi-phased approach from transition to continual improvement, the managed service model provides:
    - Scalability and resource efficiency
    - Less client involvement in routine operational tasks
    - Predictability in delivery through experience and understanding of application environment
    - Resource utilization and shift work load balancing
    - Service Level Agreement (SLA) driven metrics
    - Total quality management through well-defined processes and ITIL best practices
  • 4. EnrollHostel Privileged and Confidential Page 4 of 65
    EnrollHostel understands School's key objective to partner with an MSP that can demonstrate how their value-added services will provide critical helpdesk, security, network engineering, business continuity, and disaster recovery capabilities in a cost-effective manner while providing superior customer service to our users in a 24x7x365 environment.
    In partnering with EnrollHostel over other "large" IT Consulting Firms, School will benefit by leveraging our:
    - Proven past performances of successfully deploying end-to-end managed IT services to many similar scale organizations
    - 10+ years of proven experience in collaboration, security and Infrastructure management
    - Agile and dynamic business model that quickly adapts to customer needs and environment. Value proposition: Lower cost; maximize process efficiency
    - Process oriented, result driven methodology focused on maximizing business value. Value proposition: Process standardization and consolidation
    - Thought leadership and unparalleled technology "know-how". Value proposition: Lower cost; maximize process efficiency; fast and safe technology implementation
    - Focused on customer satisfaction. Value proposition: Maximize process efficiency; enable customers to do more
    - High priority on Quality and Operational Excellence. Value proposition: Maximize brand value; increase revenue.
    Best Regards
    Dan Gribble, VP-Sales, EnrollHostel, dgribble@EnrollHostel.com, (412) 418 3159
  • 5. EnrollHostel Privileged and Confidential Page 5 of 65
    TABLE OF CONTENTS
    1 PART I – GENERAL INFORMATION ..... 7
    1.1 EXECUTIVE SUMMARY ..... 7
    1.2 SCOPE OF SERVICES ..... 7
    1.3 EXCEPTIONS TO RFP REQUIREMENTS ..... 13
    2 PART II – DESCRIPTION OF SERVICES ..... 14
    2.1 AUDITING/ASSESSING IT SERVICES COMPLIANCE ..... 14
    2.1.1 COMPLIANCE AUDIT/ASSESSMENT METHODOLOGY ..... 14
    2.1.2 RISK What has Changed? ..... 17
    2.1.3 RISK Governance Framework ..... 18
    2.1.4 Error! Bookmark not defined.
    2.1.5 EnrollHostel Audit Knowledge Repository ..... 19
    2.1.6 Audit Plan ..... 22
    2.1.7 Compliance Dashboards ..... 0
    2.1.8 VULNERABILITY TESTING ..... 3
    2.2 EXECUTION PLAN ..... 4
    2.2.1 SERVICE DELIVERY APPROACH ..... 4
    2.2.2 INCEPTION ..... 6
    2.2.3 KNOWLEDGE TRANSFER ..... 6
    2.2.4 STEADY STATE OPERATIONS ..... 8
    2.2.5 AUDIT STRATEGY ..... 9
    2.3 ACCOUNT MANAGEMENT & TECHNOLOGY TEAM STRUCTURE ..... 11
    2.3.1 AUDIT ACCOUNT MANAGEMENT ..... 11
    2.3.2 PROJECT TEAM STRUCTURE ..... 13
    2.3.2.1 TEAM STRUCTURE ..... 13
    2.3.2.2 TEAM ROLES & RESPONSIBILITIES ..... 14
    3 PART III – REFERENCES & ENROLLHOSTEL CAPABILITIES ..... 16
    3.1 CASE STUDIES ..... 16
    3.1.1 CASE STUDY 1 ..... 17
    3.1.2 CASE STUDY 2 ..... 17
    3.1.3 CASE STUDY 3 ..... 18
    3.2 ENROLLHOSTEL | CAPABILITY ..... 19
    3.2.1 PROGRAM GOVERNANCE ..... 20
    3.2.2 CONTINUAL SERVICE IMPROVEMENT (CSI) ..... 20
    3.2.3 KNOWLEDGE MANAGEMENT ..... 20
    3.2.4 TEAM COMPETENCY AND SKILLS ENHANCEMENTS ..... 21
    3.3 ENROLLHOSTEL | PROJECT MANAGEMENT PROCESS ..... 21
    3.3.1 REPORTING METRICS ..... 22
    3.3.2 ESCALATION HANDLING ..... 23
    3.3.3 COMMUNICATION PLAN ..... 23
    3.3.4 RISK MANAGEMENT PLAN ..... 24
    3.3.5 CHANGE MANAGEMENT PROCEDURE ..... 24
    3.4 ENROLLHOSTEL | COMPLIMENTARY VALUE ADDED SERVICES ..... 26
    3.5 ENROLLHOSTEL | DIFFERENTIATORS ..... 26
    3.5.1 CYBERSECURITY SERVICES ..... 28
    3.5.1.1 Penetration Testing ..... 28
    3.5.1.2 Corporate Trainings - Cybersecurity ..... 28
    3.5.1.3 Email Security and Office 365 Integration ..... 30
    3.5.1.4 Cyber-Forensics ..... 31
    3.5.1.5 Social Engineering ..... 32
    3.5.2 SECURITY ASSESSMENT AND COMPLIANCE ..... 33
    3.5.3 SECURITY OPERATIONS CENTER ..... 35
    4 PART IV – PROJECT COST ..... 38
    4.1 FIXED PRICE ..... 38
  • 6. EnrollHostel Privileged and Confidential Page 6 of 65
    4.2 RATE CARD FOR ADDITIONAL WORK ..... 38
    4.2.1 ADDITIONAL INITIATIVES ..... 38
    4.3 ASSUMPTIONS ..... 39
    4.3.1 USER COUNT AND DEMOGRAPHIC ..... 40
    4.3.2 ON-PREMISE & HOSTED ENVIRONMENT ..... Error! Bookmark not defined.
    4.3.2.1 Desktops/Laptops ..... 40
    4.3.2.2 On-Premise Network ..... 40
    4.3.2.3 Hosted Cloud Environment ..... 40
    4.3.2.4 Legacy Business Applications ..... 40
    4.3.2.5 Third Party Vendors ..... 40
  • 7. 1 PART I – GENERAL INFORMATION
1.1 EXECUTIVE SUMMARY
EnrollHostel is pleased to provide this proposal for Assessing/Auditing Compliance to RISK for School students from Spain [Europe]. EnrollHostel understands the importance of the services School provides to students. EnrollHostel brings to this engagement a significant advantage for the education sector in terms of technology expertise, security, operations architecture, strategy and advisory skills, process maturity and a consistent and reliable track record of providing operational and infrastructure support across multiple technologies. EnrollHostel also sets out the advantages it brings on board compared to other MSPs.
1.2 SCOPE OF SERVICES
EnrollHostel understands that School is looking for the following RISK compliance services. Below is EnrollHostel's compliance with the scope of services detailed by School in its RFP document:
Our proposed solution is detailed in the section PART II – DESCRIPTION OF SERVICES.
SNo | Stages
1 | To Identify Risks
2 | To Evaluate Risks
3 | To Treat (Manage/Action) Risks
4 | To Monitor (Review) Risks
5 | To Report on Risks
6 | To View/Update Validation Rules
  • 9. Risk Management PRINCIPLES
Risk Management should:
1 create value – resources expended to mitigate risk should be less than the consequence of inaction
2 be an integral part of organizational processes
3 be part of decision making
4 explicitly address uncertainty and assumptions
5 be systematic, structured and timely
6 be based on the best available information
7 be tailorable
8 take human and cultural factors into account
9 be transparent and inclusive
10 be dynamic, iterative and responsive to change
11 facilitate continual improvement and enhancement of the organization
12 be continually or periodically re-assessed
Risk Management BENEFITS
1 Increase the likelihood of achieving objectives;
2 Encourage proactive management;
3 Be aware of the need to identify and treat risk throughout the organization;
4 Improve the identification of opportunities and threats;
5 Achieve compatible risk management practices between organisations and nations;
6 Comply with relevant legal and regulatory requirements and international norms;
7 Improve governance;
8 Improve stakeholder confidence and trust;
9 Establish a reliable basis for decision making and planning;
10 Improve controls;
11 Effectively allocate and use resources for risk treatment;
12 Improve operational effectiveness and efficiency;
13 Enhance health & safety performance and environmental protection;
14 Improve loss prevention and incident management;
15 Minimize losses;
16 Improve organizational learning; and
17 Improve organizational resilience.
Risk Assessment & Management Plan
Stage | Stage2 | # | Work Needs to be done
Stage: Development of Risk Framework
Stage2: Communicate and Consult
1 (38) Has the board and executive expressed their support for a risk management programme?
2 (39) Has the risk committee (or equivalent) and the board reviewed and approved the risk policy/strategy?
Stage2: Establish the Context
3 (1) Have you identified a person who will be responsible for implementing risk management?
4 Does the risk manager, or equivalent, have reasonable access to staff and management across the organisation?
5 (2) Have you defined categories of risk relevant to your organisation and industry?
6 Do your risk categories reflect all operational risk areas of the business as well as more strategic risk categories?
7 (3) Is there a clear organisational strategy (or objectives) articulated for the organisation?
8 (4) Have you defined and agreed a likelihood scale to assess the potential for the risk to occur throughout the organisation?
9 (5) Have you defined and agreed a consequence scale to help assess risk impacts across the organisation?
10 (6,7) Does the organisation's consequence scale describe both financial and non-financial impacts?
11 (8) Does the risk management framework consider the effectiveness of controls or risk treatments?
12 (9) Is there an agreed template or format for recording risks and risk treatment information (a risk register)?
13 (10) Has a risk policy been defined?
14 (11) Does the organisation have a documented risk management strategy?
15 Do job descriptions of key stakeholders include responsibilities for risk management?
16 (12) Is a formal project management methodology used to manage projects?
17 Is a mechanism in place to identify, assess, record and monitor risks on projects?
18 Has the organisation agreed what types and levels of risk are unacceptable?
19 Is there an agreed format/template for reporting on risk?
20 (13) Is there a process and/or template where new risks can be recorded by the executive and staff?
Stage: Implementation of Risk Framework
Stage2: Communicate and Consult
21 Is risk management or awareness training provided to all staff?
22 Does the risk manager (or equivalent) have access to the CEO, board and Audit/Risk Committee when required?
23 (14) Do staff know that they have a right and responsibility to assist in risk identification and escalation?
24 Do staff know who to report/escalate risks to?
25 (15) Do managers or supervisors know that they are responsible for managing risk in their area/s of responsibility?
26 (16) Have the executive and the board provided guidance on what information they would like to see in risk reports?
27 Is there agreement on when and how often risk reports will be produced?
28 Have the recipients of risk reports been identified and agreed?
29 (17) Can different risk reports be produced to meet different needs of stakeholder groups?
30 (18) Has responsibility for managing/treating specific risks been assigned and communicated to those responsible?
31 Are staff encouraged or incentivised to report risk or suggest risk reduction strategies?
Stage2: Risk Assessment
32 Has a risk brainstorming workshop (or workshops) been conducted?
33 (19) Have you considered the history of events and incidents in your organisation during the risk assessment process?
34 Has research been performed to understand common risks in the industry?
35 (20) Has the executive and board considered risks relating to the achievement of key organisational goals and objectives?
36 Are risks identified during compliance reviews/audits always added to the risk register?
37 (21) Have existing controls been identified for risks during the risk assessment process?
38 (22) Has the perceived effectiveness of controls been assessed by a person who understands the risk and the controls in place?
39 Has the risk register been updated in the last year?
40 Is the risk register updated throughout the year to reflect changes in risk and emerging risks?
Stage2: Treat Risks
41 Does the risk register record the job title of the person responsible for overseeing the risk treatment and monitoring process (the 'risk owner' or 'risk champion')?
42 (23) Have you identified possible actions/treatment plans that could help to reduce the risk level?
43 (24) Have the benefits of a treatment approach been compared to the potential cost of the risk to determine the appropriateness of the treatment strategy?
44 (25) Have risk treatment or action plans been documented and approved for important risks?
45 Have due dates/completion dates been agreed for risk treatment actions and plans?
46 (26) Is there a clear understanding of who will oversee the risk treatment selection and execution process?
47 (27,28) Have key risk indicators (KRIs) been defined and agreed for key risks/risk areas?
48 Are the organisation's physical assets appropriately insured?
49 (29) Is a business continuity plan (BCP) in place for critical organisational functions/processes?
Stage: Monitoring & Review of Risk Framework
Stage2: Monitor and Review
50 (30) Does your risk process follow the steps described in the AS/NZS 4360:2004 Standard?
51 (31) Does the Internal Audit function or equivalent review risk management processes?
52 Is an Internal Audit function/process in place?
53 (32) Do your internal auditors focus their time and effort on the most critical risks recorded in the risk register?
54 (33) Does the organisation track changes in risk levels over time in order to understand trends/changes in risk levels?
55 (34) Has the risk policy been reviewed and approved in the last year?
56 (35) Has the board and/or risk management committee (or equivalent) made an attestation in the annual report in accordance with the Government Risk Management Framework (if applicable)?
57 (36) Is the risk process integrated with other organisational planning processes - for example, is risk considered during the strategic planning, budgeting and audit planning processes?
  • 13. Suggested 3 tiers of escalated support:
Support Tier | Description
Tier 1 | All support incidents begin in Tier 1, where the initial trouble ticket is created. The issue is identified and clearly documented, and basic hardware/software troubleshooting is initiated. At this stage engineers also use the existing knowledge base to investigate and resolve the issue to the best of their ability.
Tier 2 | All support incidents that cannot be resolved with Tier 1 Support are escalated to Tier 2, where more complex support on hardware/software issues can be provided by more experienced engineers.
Tier 3 | Support incidents that cannot be resolved by Tier 2 Support are escalated to Tier 3, where support is provided by the most qualified and experienced engineers, who have the ability to collaborate with 3rd Party (Vendor) Support Engineers to resolve the most complex issues.
1.3 EXCEPTIONS TO RFP REQUIREMENTS
None.
  • 14. 2 PART II – DESCRIPTION OF SERVICES
2.1 AUDITING/ASSESSING IT SERVICES COMPLIANCE
2.1.1 COMPLIANCE AUDIT/ASSESSMENT METHODOLOGY
  • 15. EnrollHostel's GRAYBIE managed services platform provides a single pane of access and visibility for all the network devices and security issues, backed by 24/7/365 monitoring by our certified and highly experienced engineers.
  • 16. GRAYBIE connects to any IT data source or monitoring system to collect and collate data on various IT systems and applications. GRAYBIE's Core Rule Engine is leveraged to apply custom rules applicable to the business, gaining insight into how the IT systems are performing within the business. Business-critical application performance, underlying IT infrastructure performance and service delivery within the organization's IT support system can all be correlated to give a meaningful insight into the health of the IT environment. GRAYBIE not only enables operational excellence through quick resolution but also helps in saving operational costs through descriptive, prescriptive, and predictive insights for calculating the magnitude, risk, and time of the issue at hand in real time, thereby enabling the teams to escalate it to the management at the right moment.
A few real-time capabilities of GRAYBIE:
    • Security threat correlation and incident analysis
    • Custom correlation rule creation
    • Device fault management
    • High-touch service delivery
    • Third-party log analysis to meet compliance requirements
    • Configuration and engineering support
  • 17. 2.1.2 Risk Management Stages
SNo | Stages
1 | To Identify Risks
2 | To Evaluate Risks
3 | To Treat (Manage/Action) Risks
4 | To Monitor (Review) Risks
5 | To Report on Risks
6 | To View/Update Validation Rules
2.1.3 Risk Management Process
2.1.4 Risk Management Principles
Risk Management PRINCIPLES
Risk Management should:
1 create value – resources expended to mitigate risk should be less than the consequence of inaction
2 be an integral part of organizational processes
3 be part of decision making
4 explicitly address uncertainty and assumptions
5 be systematic, structured and timely
6 be based on the best available information
7 be tailorable
8 take human and cultural factors into account
9 be transparent and inclusive
10 be dynamic, iterative and responsive to change
11 facilitate continual improvement and enhancement of the organization
12 be continually or periodically re-assessed
2.1.5 Risk Management Audit Benefits
Risk Management BENEFITS
1 Increase the likelihood of achieving objectives;
2 Encourage proactive management;
3 Be aware of the need to identify and treat risk throughout the organization;
4 Improve the identification of opportunities and threats;
5 Achieve compatible risk management practices between organisations and nations;
6 Comply with relevant legal and regulatory requirements and international norms;
7 Improve governance;
8 Improve stakeholder confidence and trust;
9 Establish a reliable basis for decision making and planning;
10 Improve controls;
11 Effectively allocate and use resources for risk treatment;
12 Improve operational effectiveness and efficiency;
13 Enhance health & safety performance and environmental protection;
14 Improve loss prevention and incident management;
15 Minimize losses;
16 Improve organizational learning; and
17 Improve organizational resilience.
2.1.6 RISK Governance Framework
2.1.7 EnrollHostel Audit Knowledge Repository
  • 20. EnrollHostel's 24x7x365 Network Operations Centre (NOC) provides real-time data from over 1,700 services, applications and processes in use across our clients' infrastructure networks. Alerting our security and technical analysts from within our cloud services lets us detect and resolve potential problems before they affect service to your business operations.
  • 21. Our state-of-the-art NOC enables quick risk detection, security patch deployment, backup and endpoint management for your servers, desktops and portable devices.
  • 22. 2.1.8 Risk Assessment Management Audit Plan
Stage | Stage2 | # | Checklist Item
Stage: Development of Risk Framework
Stage2: Communicate and Consult
1 Has the board and executive expressed their support for a risk management programme?
2 Has the risk committee (or equivalent) and the board reviewed and approved the risk policy/strategy?
Stage2: Establish the Context
3 Have you identified a person who will be responsible for implementing risk management?
4 Does the risk manager, or equivalent, have reasonable access to staff and management across the organisation?
5 Have you defined categories of risk relevant to your organisation and industry?
6 Do your risk categories reflect all operational risk areas of the business as well as more strategic risk categories?
7 Is there a clear organisational strategy (or objectives) articulated for the organisation?
8 Have you defined and agreed a likelihood scale to assess the potential for the risk to occur throughout the organisation?
9 Have you defined and agreed a consequence scale to help assess risk impacts across the organisation?
10 Does the organisation's consequence scale describe both financial and non-financial impacts?
11 Does the risk management framework consider the effectiveness of controls or risk treatments?
12 Is there an agreed template or format for recording risks and risk treatment information (a risk register)?
13 Has a risk policy been defined?
14 Does the organisation have a documented risk management strategy?
15 Do job descriptions of key stakeholders include responsibilities for risk management?
16 Is a formal project management methodology used to manage projects?
17 Is a mechanism in place to identify, assess, record and monitor risks on projects?
18 Has the organisation agreed what types and levels of risk are unacceptable?
19 Is there an agreed format/template for reporting on risk?
20 Is there a process and/or template where new risks can be recorded by the executive and staff?
Stage: Implementation of Risk Framework
Stage2: Communicate and Consult
21 Is risk management or awareness training provided to all staff?
22 Does the risk manager (or equivalent) have access to the CEO, board and Audit/Risk Committee when required?
23 Do staff know that they have a right and responsibility to assist in risk identification and escalation?
24 Do staff know who to report/escalate risks to?
25 Do managers or supervisors know that they are responsible for managing risk in their area/s of responsibility?
26 Have the executive and the board provided guidance on what information they would like to see in risk reports?
27 Is there agreement on when and how often risk reports will be produced?
28 Have the recipients of risk reports been identified and agreed?
29 Can different risk reports be produced to meet different needs of stakeholder groups?
30 Has responsibility for managing/treating specific risks been assigned and communicated to those responsible?
31 Are staff encouraged or incentivised to report risk or suggest risk reduction strategies?
Stage2: Risk Assessment
32 Has a risk brainstorming workshop (or workshops) been conducted?
33 Have you considered the history of events and incidents in your organisation during the risk assessment process?
34 Has research been performed to understand common risks in the industry?
35 Has the executive and board considered risks relating to the achievement of key organisational goals and objectives?
36 Are risks identified during compliance reviews/audits always added to the risk register?
37 Have existing controls been identified for risks during the risk assessment process?
38 Has the perceived effectiveness of controls been assessed by a person who understands the risk and the controls in place?
39 Has the risk register been updated in the last year?
40 Is the risk register updated throughout the year to reflect changes in risk and emerging risks?
Stage2: Treat Risks
41 Does the risk register record the job title of the person responsible for overseeing the risk treatment and monitoring process (the 'risk owner' or 'risk champion')?
42 Have you identified possible actions/treatment plans that could help to reduce the risk level?
43 Have the benefits of a treatment approach been compared to the potential cost of the risk to determine the appropriateness of the treatment strategy?
44 Have risk treatment or action plans been documented and approved for important risks?
45 Have due dates/completion dates been agreed for risk treatment actions and plans?
46 Is there a clear understanding of who will oversee the risk treatment selection and execution process?
47 Have key risk indicators (KRIs) been defined and agreed for key risks/risk areas?
48 Are the organisation's physical assets appropriately insured?
49 Is a business continuity plan (BCP) in place for critical organisational functions/processes?
Stage: Monitoring & Review of Risk Framework
Stage2: Monitor and Review
50 Does your risk process follow the steps described in the AS/NZS 4360:2004 Standard?
51 Does the Internal Audit function or equivalent review risk management processes?
52 Is an Internal Audit function/process in place?
53 Do your internal auditors focus their time and effort on the most critical risks recorded in the risk register?
54 Does the organisation track changes in risk levels over time in order to understand trends/changes in risk levels?
55 Has the risk policy been reviewed and approved in the last year?
56 Has the board and/or risk management committee (or equivalent) made an attestation in the annual report in accordance with the Victorian Government Risk Management Framework (if applicable)?
57 Is the risk process integrated with other organisational planning processes - for example, is risk considered during the strategic planning, budgeting and audit planning processes?
  • 25. 2.1.9 Compliance Dashboards
The compliance team provides real-time data visibility for monitoring as per the following dashboards:
[Fig: NOC Main Dashboard]
[Fig: Threat Activity report]
[Fig: Types of report dashboard]
[Fig: Devices dashboard]
[Fig: Device Executive summary]
[Fig: Device executive summary – 2]
[Fig: Device executive summary – 3]
2.1.10 VULNERABILITY TESTING
A vulnerability assessment is a process used to identify and assign severity levels to as many security defects as possible in a given time period. This process may involve automated and manual techniques with varying degrees of rigor and an emphasis on comprehensive coverage. Using a risk-based approach, vulnerability assessments may target different layers of technology, the most common being host-, network-, and application-layer assessments. Conducting vulnerability assessments enables organizations to identify vulnerabilities in their software and supporting infrastructure before a compromise can occur.
A vulnerability can be defined in two ways:
    • A bug in code or a flaw in software design that can be exploited to cause harm. Exploitation may occur via an authenticated or unauthenticated attacker.
    • A gap in security procedures or a weakness in internal controls that, when exploited, results in a security breach.
Our dedicated team at EnrollHostel provides vulnerability assessments that are intended to yield a ranked or prioritized list of a system's vulnerabilities for different kinds of threats. We use these assessments to help organizations that are aware of security risks and understand that they need help identifying and prioritizing potential issues. By understanding their vulnerabilities, we can plan solutions and patches for those vulnerabilities for incorporation into their risk management system.
The perspective on a vulnerability may vary, depending on the system assessed. For instance, a utility system, such as power and water, may prioritize vulnerabilities to things that could disrupt services or damage facilities, such as calamities, tampering and terrorist attacks. However, an information system (IS), like a website with databases, may require an assessment of its vulnerability to attackers and other types of cyberattack. Then again, a server farm may require an assessment of both physical and virtual vulnerabilities, since it requires security for both its physical facility and its digital presence. This is where we step in to provide the best of services and line up the cases and assessments you need.
2.2 EXECUTION PLAN
2.2.1 SERVICE DELIVERY APPROACH
EnrollHostel is of the opinion that governance is multifaceted, with its organizational structure, customer engagement, relationship models, processes and metrics. When the business and operational environment is complex there is a greater need for robust governance, as without it there is increased risk of shared service and vendor partnership value leakage.
1. Communicate and Consult
2. Establish the context
3. Plan Risk Assessment [Risk identification, Risk Analysis, Risk Evaluation]
4. Risk Treatment
5. Monitor and Review
6. Operate
7. Conform to Standard
Business succeeds when IT runs better and quicker with reduced cost. Our Operations & Support Services are based on an ITIL-driven service management framework which, coupled with state-of-the-art tooling and processes, helps IT organizations cut cost, reduce risk and drive down IT cost. Our mission is to reduce the incident trend, targeting a zero count, and to ensure availability and reliability of applications to meet the service level commitment for each application. We proactively monitor user experience, business metrics, critical components and processes to analyze and fix incidents before end-users are impacted or experience any delay, and thus ensure business-critical apps perform at peak efficiency and availability without any downtime. The diagram below illustrates our approach to building an effective and high-performing support/operations service.
  • 31. 2.2.2 INCEPTION
A team comprising the service delivery managers from EnrollHostel and School will be set up for detailed planning/resource assignment and scope finalization. The team would schedule, prioritize and monitor the tasks, as well as provide status reports. The tasks associated with this phase are highlighted below:
Activities | Teams Involved (EnrollHostel Team, School Team(s), Existing Vendor Team(s))
Identify Processes: Standard Process Flow Charts | ✓ ✓ ✓
Identify existing Documentation and Knowledgebase | ✓ ✓ ✓
Team Ramp-up | ✓
2.2.3 KNOWLEDGE TRANSFER
During this phase, the EnrollHostel support team will gain and share the knowledge about the environment and infrastructure to be supported. Existing School and vendor teams will also be involved, as required.
Activities | Teams Involved (ENROLLHOSTEL Team, School Team(s), Existing Vendor Team(s))
Study Processes: Standard Process Flow Charts | ✓ ✓ ✓
Reporting / Interfaces (If any changes) / Access | ✓ ✓ ✓
Environment / System Landscape / Architecture / Database / Servers / Hosting | ✓ ✓ ✓
Study Documentation and Knowledge Base | ✓ ✓ ✓
Issue / Back Log for last 3 months and last quarter of previous year (for year-end issues) | ✓ ✓ ✓
Detailed Roles and Responsibilities | ✓ ✓
The EnrollHostel Knowledge Transfer model promotes:
    • Preparing SOPs and other documents (e.g. architectural details of environment, workflow diagrams etc.)
    • Maintaining strong known issues databases
    • Capture of knowledge through collaboration both by explicit (interviewing and observation process; ticket-by-ticket analysis) and implicit (discussion forums, blogs, error database and reusable components repository) means.
    • Ensure acquired knowledge is easily retrievable.
    • Knowledge sharing across multiple and disparate ENROLLHOSTEL resources
    • Reduction of information overload/capture through replication best practices.
  • 33. 2.2.4 STEADY STATE OPERATIONS
EnrollHostel's team will commence steady-state operations with full SLA compliance. SLA performance against targets will be measured and reported to SCHOOL. All the handover from current vendor team(s) will be considered complete, and they can be disengaged from the project at the start of Steady-State Operations.
  • 34. 2.2.5 AUDIT STRATEGY
Implement the audit strategy effectively and leverage the best practices of IT Service Management (ITSM) concepts. The main focus for IT audit and compliance is to execute the business requirements defined at the Service Delivery to the business. The diagram below illustrates the various components of an ITSM approach.
The important components of ITSM for having a Network-First strategy are as per below:
Access Management
Implementation of security policies defined by Information Security Management. The implementation should include physical barriers to systems such as VLAN separation, firewalling, and access to storage and applications.
Change Management
Establish a process for controlling the life cycle of all changes while minimizing disruption to operations. Test and review all changes that are candidates for automation vs. mechanized.
Service Asset and Configuration Management
Establish a process for maintaining information on assets, components, and infrastructure needed to provide services. Information on assets should contain past and current states and a future-state forecast for the demand portfolio.
Release & Deployment Management
Establish a predictable and homogenized release and deployment process to protect the production environment. Ensure during capacity planning that hardware and VM specifications are pre-defined and tested prior to the deployment cycle. Utilize VM component templates approved for production, such as VM images and Gold images.
Knowledge Management
Establish a knowledge management process for gathering, analyzing, storing and sharing knowledge within the IT organization.
Incident & Problem Management
Establish a process for resolving events that are impacting services in the virtualized environment as soon as possible with minimal disruption. Identify and resolve root causes of incidents that have occurred, as well as identify and prevent or minimize the impact of incidents that may re-occur.
Request Fulfillment
Management of all service requests while utilizing best practices for managing requests. All service requests will be documented in the services catalog and will include an SLA on when the request will be completed.
Systems Administration
Regularly perform systems administration tasks and mature towards automation and scripting skills.
2.3 ACCOUNT MANAGEMENT & TECHNOLOGY TEAM STRUCTURE
2.3.1 AUDIT ACCOUNT MANAGEMENT
Despite having multiple Centers of Excellence and practices, and being driven by industry standards and best practices, EnrollHostel firmly believes in and promotes a client-centric model where each engagement is tailored explicitly around the client's needs and business drivers.
To this extent, it has created the Client Solutions group, which provides a dedicated Account Manager and Solution Specialists who actively interact with all the stakeholders within each client's organization, not only to understand the business needs and requirements but also to align the proper services and resources that will ensure maximum benefits to the client. Additionally, these two entities indirectly validate the quality of the delivery and provide feedback and inputs to the Global Delivery Organization.
  • 38. 2.3.2 PROJECT TEAM STRUCTURE
2.3.2.1 TEAM STRUCTURE
[Organization chart: Director, Audit Committee, Chief Audit Executive, IT Audit Manager, Lead Auditor, IT Audit Team, Legal, IT Compliance Team, Internal Auditors Department 1, Internal Auditors Department 2]
  • 39. 2.3.2.2 TEAM ROLES & RESPONSIBILITIES
Role | Description
Data Subject | A living natural person – they have rights and RISK refers to them
Data Controller | Specifies how RISK is to be manipulated
Data Processor | Manipulates the RISK on behalf of the Data Controller
DPO | Data Protection Officer: A person charged with protecting RISK and helping an organisation to meet the RISK compliance requirements
Supervisory Authority (SA) | A national body who enforces the RISK in EU member states.
EDPB | European Data Protection Board: The coordinating layer who provides consistency between SAs
Third Country | A country outside of the EU
Third Party | An individual linked in some way to the Data Subject or any company or organisation to whom data is sent
Role | Responsibilities
Delivery Manager (Audit)
    • Reviewing and understanding the responsibilities of each party under this SOW.
    • Working with School team to accomplish the tasks outlined in this SOW.
    • Maintaining regular communications with the School team on engagement progress.
    • Assisting in the resolution of deviations from the scope/plan that may impact deliverables, schedules and/or costs.
    • Provide management update of the project team deliverables program governance metrics and report on engagement health to School stakeholders.
    • Ensure that the engagement remains healthy and tasks outlined within the SOW are executed to the client's satisfaction.
Senior Auditors
    • Coordinate/manage end to end support and operations related activities and prioritize user requests and problems according to severity and existing workload.
    • Optimize effort with embedded best practices that accelerate time to value
    • Manage project team deliverables/quality issues/SLAs.
    • Ensure all outages are communicated and addressed within the stipulated timeframe.
    • Manage the shift schedule and availability of resources
    • Support operational tools
    • Manage proper delegation of support task among all support team members.
    • Provide clarification about new and existing processes
    • Assist School managers in all project related tasks, including ticket management.
    • Maintain and update documentation.
    • Follow defined guidelines and processes and ensure the other team members also follow them.
    • Plan and participate in Service Improvement and Value-addition activities
    • Plan cross-training initiatives within the team
Junior Auditors
    • Work on support and operations related activities/tasks/tickets – primarily on Network Operations/activities
    • Optimize effort with embedded best practices that accelerate time to market
    • Guide other team members on best practices and technology enhancements
    • Plan and participate in Service Improvement and Value-addition activities
    • Define and enhance support processes
    • Provide necessary advisory services to SCHOOL
    • Provide on-call support on weekends/US holidays
Lead Auditor RISK
    • Work on support and operations related activities/tasks/tickets – primarily on IT Operations/activities
    • Maintain constant communication with customers and SCHOOL stakeholders, especially with the onsite leads.
    • Prioritization of user requests and problems, with lead/manager, according to severity and existing work load
    • Coordinate with other SCHOOL teams for issue resolution
    • Support operational tools
    • Perform RCAs
    • Follow guidelines of defined support processes.
  • 41. 16
3 PART III – REFERENCES & ENROLLHOSTEL CAPABILITIES
3.1 CASE STUDIES
Some of the salient projects that EnrollHostel has done in the past include the following (additional details have been provided as Case Studies in the proposal document in ANNEXURE I)
Customer* | Services | Details
Leading Government | RISK Consulting | RISK assessment, RISK Gap Analysis, RISK internal audit, RISK external audit, DPIA Data protection impact assessment
Leading global Insurance Regulator | Risk Controls consulting | Risk Law based audit/assessment, Assigning DPO Role/team, Risk Gap Analysis, Risk internal audit, Risk law external audit
Leading multi-national Bank | Risk Law consulting | RISK assessment, Risk Law based audit/assessment, Risk Gap Analysis, Risk internal audit, Risk law based external audit
*Due to contractual obligations, we are not permitted to explicitly name the organization for which these services were provided.
Some of the key tasks that EnrollHostel teams have been involved in projects with Managed Operations/Support included:
a) Risk Audit/assessment, RISK processing lawfully.
b) GAP Analysis to Reach for RISK compliance
c) Risk by design
d) Data Protection Impact assessment
e) Appointing and building Data Protection Officer Team.
f) Remedies, liability, & penalties
g) Provisions relating to specific processing situations
h) Delegated acts and implementing acts
  • 42. 17
3.1.1 CASE STUDY 1
Name and Address: Leading Government in EMEA Region
Contracting Activity: RISK Audit
Contract Type: Fixed Price
Description of Services
*Due to contractual obligations, we are not permitted to explicitly name the organization for which these services were provided.
The Challenges
- Client wanted to assess its Risk based on new Risk law.
- Risk Audit/assessment, RISK processing lawfully.
- GAP Analysis to Reach for RISK compliance
- Risk by design
- Data Protection Impact assessment
- Appointing and building Data Protection Officer Team.
- Remedies, liability, & penalties
- Provisions relating to specific processing situations
- Delegated acts and implementing acts
Solution
The enterprise leveraged Server Operations and Crisis Management teams. Team also worked closely with the other dependent team for any changes and upgrades to the production web applications.
- Risk Audit/assessment, RISK processing lawfully.
- GAP Analysis to Reach for RISK compliance
- Risk by design
- Data Protection Impact assessment
- Appointing and building Data Protection Officer Team.
- Remedies, liability, & penalties
- Provisions relating to specific processing situations
- Delegated acts and implementing acts
Benefits Delivered
- Risk Audit/assessment, RISK processing lawfully.
- GAP Analysis to Reach for RISK compliance
- Risk by design
- Data Protection Impact assessment
- Appointing and building Data Protection Officer Team.
- Remedies, liability, & penalties
- Provisions relating to specific processing situations
- Delegated acts and implementing acts
3.1.2 CASE STUDY 2
Name and Address: Leading media and entertainment company in US*
Contracting Activity: 24 x 7 Infra-support
  • 43. 18
Contract Type: Fixed Price
Description of Services
*Due to contractual obligations, we are not permitted to explicitly name the organization for which these services were provided.
The Challenges
The IT team of the Insurance company is responsible for provisioning and managing the entire enterprise IT infrastructure across multiple locations. The primary objective was to fix the Risk aspect with respect to providing legally and regulatory compliant and competitive IT elements. This automation would enable higher compliance to Risk and help the IT team and customer in managing day-to-day operations more effectively. The IT team had a challenge in terms of managing IT across distributed locations and the huge impact of smooth IT operations on business services.
Solution
The Risk assessment was done and the solution was deployed centrally at the IT operations center to proactively monitor the network, systems, applications and database infrastructure and notify users if there is any Risk issue. The solution deployed is used to monitor the Risk aspect for regulatory and legal compliance of the critical network devices. The service level committed by the service provider is verified by using the availability service level report available from the NOC solution service. The solution was deployed for monitoring multiple key performance indicators of various elements including:
- Routers, switches -> Availability, response times, CPU utilization and memory utilization, custom SNMP expressions-based performance metrics
- MPLS links -> availability, response times and utilization
- Servers -> Resource utilization by CPU, Memory, Disk, Bandwidth, etc
- Databases -> table space utilization, log file utilization, deadlocks and query response times
- Applications -> service availability
- Web Services -> availability
Benefits Delivered
- Risk by design service was deployed to centralize incoming service requests to various departments.
- A streamlined service request, routing, tracking, escalation, resolution and closure has brought about accountability within each department.
- The automated routing and SLA monitoring capabilities have reduced issue closure times and have improved end user satisfaction.
- The NOC solution deployed has helped the IT staff to provide better service response, quick resolution of end user reported issues with flexible workflow-based automation and has enabled higher customer satisfaction across organization.
3.1.3 CASE STUDY 3
Name and Address: Leading media and entertainment company in US*
Contracting Activity: 24 x 7 Infra-support
Contract Type: Fixed Price
  • 44. 19
Description of Services
*Due to contractual obligations, we are not permitted to explicitly name the organization for which these services were provided.
The Challenges
The IT infrastructure company is distributed across 10 locations. There are about 100 critical network elements including routers, switches, links etc. The IT operations run on 20+ critical Windows 2000 and 2003 servers. There are about 15+ mission critical applications that run on a variety of Microsoft SQL and proprietary databases. These applications also include web based middleware and other web services based applications. The few objectives for IT Infrastructure monitoring include the following:
- Proactive auditing/assessment of networks, systems, applications, databases, IT services infrastructure for availability and performance
- Determine root cause, fix problems quickly and ensure mission critical applications are healthy and available for end users conflicting with RISK.
- Enhance end user perception of IT services by ensuring Risk protection resolution to end user issues. Ensure that the IT team is accountable in closing end user reported issues on time with higher user satisfaction.
- Audit Risk of hosts, applications, locations, departments including hourly, weekly, monthly usage trends
- Plan so that future Risk needs, like Risk by design needs, are met in advance and maintain the competitive edge
Solution
- The Risk by design solution was deployed to monitor core IT services like messaging services, ERP services and EIP services. The team uses the NOC tool to ensure availability of these services to the branches is proactively monitored and accounted
- Real time dashboards and historical reports were made available as part of a built-in web based portal and are used by the IT team to examine and optimize resource compliance.
- The non-invasive, agentless monitoring capability of Compliance was deployed to help the IT team with easy and faster deployment for monitoring across local and remote servers, databases, applications
- Flexible notification and escalation capabilities of Compliance were used for proactive monitoring of faults and performance breaches. This helped the IT engineers to fix issues before they are reported by end users.
Benefits Delivered
- The Compliance Assessment and analysis helped to audit and better manage applications compliance across locations, departments
- Better manage compliance for RISK assessment, Risk Law based audit/assessment, Risk Gap Analysis, Risk internal audit, Risk law based external audit
- Better Risk Compliance for application, link availability and performance
- Quick response time & resolution resulting in customer delight
3.2 ENROLLHOSTEL | CAPABILITY
  • 45. 20
EnrollHostel is founded on a strong foundation of architecture, process, and a Risk-based approach to technology solutions. Our professionals consistently use these fundamental principles coupled with out-of-the-box thinking to deliver creative and robust solutions that meet our clients' stated as well as unanticipated needs. This approach allows us to deliver solutions that combine our expertise around development, support and testing using a continuous integration approach with industry leading products in various functional domains. Our core competency is the ability to quickly understand the client's business needs and deliver an elegant and robust, yet cost-effective solution. Over the past 10 years, customers have engaged EnrollHostel for solutions and services across a wide variety of technologies. EnrollHostel has constantly innovated and kept abreast of new and emerging technologies in IT infrastructure, Security & Internet Of Things, amongst others.
3.2.1 PROGRAM GOVERNANCE
EnrollHostel has a well-defined program governance process, which closely monitors customer satisfaction, service levels and quality. Periodic reviews are conducted to ensure that services are being delivered to exceed customer expectation and seek feedback.
- Monthly business review is conducted to review service levels, process compliance, issues to be escalated, targets and improvements for next month.
- Quarterly executive briefings present an opportunity to discuss past performance, recommendations and focus areas for future.
3.2.2 CONTINUAL SERVICE IMPROVEMENT (CSI)
EnrollHostel continually institutes processes and methodology that meet requirements and also allow for needs that adjust based on the client's changing business dynamics. To achieve our objective of providing best in class services, our project teams adhere to a continual improvement framework based on ITIL best practices.
The team will continually identify areas of improvement and provide recommendation on:
- Deploying and enhancing continuous integration frameworks for code deployment and automated deployment
- Build IT automation for important processes, such as automatic deployment and operations, automatic ticket creation based on monitoring alert, integration of monitoring tools
- Proactively monitor, identify trends and address situations and propose solutions in order to restore and resolve critical issues in a timely fashion
- Use ITIL techniques to improve the processes used.
- Proactively work closely with client teams and third-party development for operational readiness and hand off of new development and applications
3.2.3 KNOWLEDGE MANAGEMENT
The EnrollHostel Knowledge Management approach promotes:
  • 46. 21
- Capture of knowledge through collaboration both by explicit (interviewing and observation process; case-by-case analysis) and implicit (discussion forums, blogs, error database and reusable components repository) means.
- Organize the acquired knowledge so that it is easily retrievable.
- Share and distribute knowledge through wiki documentation, run-books, standard operating procedures etc.
- Use and reuse knowledge for operational efficiency, improvement, automation
3.2.4 TEAM COMPETENCY AND SKILLS ENHANCEMENTS
To be on the forefront of the ever-changing IT trends in business, it is imperative for any organization to constantly update and reinvent itself. EnrollHostel aims to achieve this through a strategic skill enhancement program that involves every employee. Industry trend analysts identify key areas of skill enhancement, keeping in view our core competencies and goals.
EnrollHostel continually strives to augment its team competency and skills considering the change in client processes, technology, tools, and domain knowledge and encourages and facilitates across the board technical certification programs. Along with acquiring formal technical certification, it also empowers employees with enhanced skills and knowledge. We sponsor these certifications and proactively arrange formal sessions between industry experts and our professionals. Some of the areas where our project teams get training from internal and external trainers are Soft Skills, Technical Trainings on disruptive and emerging technologies, team management, leadership etc.
3.3 ENROLLHOSTEL | PROJECT MANAGEMENT PROCESS
EnrollHostel ensures that all projects undertaken by its team are being governed and managed effectively, meeting the customer expectations. Below are the key project monitoring & control processes that will be followed to track the progress of the project delivery. Some of these may be tailored based on specific plans during project execution.
- Track project planned activities against the actual and update critical dependencies in schedule accordingly with the revised planned dates
- Status Reporting of ongoing project activities & implement corrective actions based on the comments received from different stakeholders
- Internal team meetings
- Project customer meeting
- Monthly business reviews
- Track the estimates for reviewing the planned vs. actual effort throughout the project lifecycle
- Monitor Risks associated with cost, resource and schedule aspects and perform ongoing risk identification and management in conjunction with client stakeholders.
- Review any changes to the allocated requirements according to change management process
  • 47. 22
- Collect measurement data for the project regularly throughout the project life cycle in data collection plan on a monthly basis. This is done for the purpose of analysis & plan the preventive and corrective actions
- SLA Monitoring & Tracking
3.3.1 REPORTING METRICS
Below is a list of typical metrics that EnrollHostel team would produce during the course of this project. These metrics can be tailored in discussion with School at the time of project initiation.
Service Desk Support Reports
- Daily – ticket report, Pending & Closed ticket reports.
- Weekly – ticket trend report, ticket analysis report.
- Monthly – ticket Analysis report, ticket Trend Report, Uptime reports, Backup and restore Report, RCA, Escalated ticket report
Incident Management
- Number of repeated Incidents, with known resolution methods
- Number of Incidents resolved remotely by the support teams
- Number of escalations for Incidents not resolved in the agreed resolution time
- Average time for resolving an incident
- Percentage of Incidents resolved by L2 without L3 involvement
- Rate of incidents resolved during solution times agreed in SLA
Problem Management
- Number of problems logged
- Average time for resolving problems
- Number of problems where the underlying root cause is not known at a particular time
- Number of reported incidents linked to the same problem after problem identification
- Average time between first occurrence of an incident and identification of the underlying root cause
- Average work effort for resolving problems
Service Level Management
- Number of services covered by SLAs
- Number of Services where SLAs are backed up by corresponding OLAs/UCs
- Number of monitored Services/SLAs, where weak-spots and counter-measures are reported
- Number of Services/SLAs which are regularly reviewed
- Number of Services/SLAs where the agreed service levels are fulfilled
- Number of issues in the service provision, which are identified and addressed in an improvement plan
Availability Management
- Availability of applications relative to the availability agreed in SLAs and OLAs
- Number of service interruptions
- Average duration of service interruptions
- Percentage of applications components under availability monitoring
- Number of implemented measures with the objective of increasing availability
  • 48. 23
Security Management
- Number of preventive security measures which were implemented in response to identified security threats
- Duration from the identification of a security threat to the implementation of a suitable counter measure
- Number of identified security incidents, classified by severity category
- Number of security incidents causing service interruption or reduced availability
- Number of security tests and trainings carried out
- Number of identified shortcomings in security mechanisms which were identified during tests
3.3.2 ESCALATION HANDLING
EnrollHostel expects that all queries & issues related to successful execution of the project would be discussed and resolved via various meetings as per the Communication Plan. However, there may be instances where either School or EnrollHostel management encounters or foresees any issues that need direct and prompt attention of the other side's management.
3.3.3 COMMUNICATION PLAN
Meeting Type/Purpose | Frequency | Participants (EnrollHostel) | Participants (School)
Project Discussion/Issue Resolution | Need basis | Technical Lead; Other team members (optional) | Project Manager; IT SPOC
Project Status Review | Weekly | Service Delivery Manager; Technical Lead | Project Manager
Steering Committee Review | Monthly | Engagement Manager; Technical Lead; Service Delivery Manager | Project Manager; Project Champion
  • 49. 24
3.3.4 RISK MANAGEMENT PLAN
EnrollHostel proposes to use industry-standard FMEA tool (Failure Mode Effect Analysis) for managing risks. FMEA aids in analysis of potential failures, problems or defects within a system using a classification by the severity and likelihood of the failures. Using the FMEA analysis, the project team can plan for appropriate mitigation & contingency strategies.
[Figure: Risk Identification via FMEA; Develop Mitigation & Contingency Plan; Periodic Risk Review; Address major risks; Update FMEA]
3.3.5 CHANGE MANAGEMENT PROCEDURE
EnrollHostel understands that a project often requires changes during execution, and hence proposes a robust change management procedure. EnrollHostel proposes that a Change Management Board is established that has authority to approve, partially approve or reject any change request. The Board would comprise of:
ENROLLHOSTEL
- Service Delivery Manager
- Engagement Manager
School
- Project Manager
- Project Champion
- Sourcing (optional)
Trigger for Change
- Scope
- Requirements
- Tools & Technology
- Schedule Adjustments
  • 50. 25
Impact Analysis
- Schedule
- Effort
- Cost
- Artifacts and Deliverables
Submission of formal Change Request (CR)
Discussion & Approval of CR by Change Management Board
Updated CR
Implementation of CR
- Contract
- Project plan
- Artifacts & Deliverables
  • 51. 26
3.4 ENROLLHOSTEL | COMPLIMENTARY VALUE ADDED SERVICES
EnrollHostel's decade old expertise in managing network infrastructure brings a lot of advantages as compared to other IT Managed service providers. Since we always strive for bringing the best possible robustness to our clients' networks, we will be bringing the following as complimentary services:
- Complimentary Anti-virus software license for all end-point devices along with maintenance
- Complimentary Penetration Testing to test the robustness of the installed network
3.5 ENROLLHOSTEL | DIFFERENTIATORS | Services
EnrollHostel is one of those rare organisations that not only possesses leading IT Infrastructure management professionals but also a global group of cybersecurity professionals. With security clearances of the highest order (US Fed clearance), our professionals have led many "Incident Response teams" carrying out "Forensics" for networks that have been breached.
  • 52. 27
  • 53. 28
3.5.1 CYBERSECURITY SERVICES
In today's information economy, data can be your organization's most valuable asset, but with the rise of mobile technology, cloud computing, and exponentially growing volume of digital information, keeping that data secure also becomes one of your greatest challenges. No one is immune to data loss incidents, and no one is better equipped than EnrollHostel to help you identify and close gaps that put your organization's cyber security at risk.
Information security issues — such as data breaches or employee misconduct — are a constant worry for C-suite leaders as well as for front-line managers in your organization. Cybersecurity challenges put sensitive data at risk and can cost your company time, revenue and resources.
EnrollHostel offers extensive cybersecurity strategy and services that can be applied to meet your unique requirements, whether they be related to a system, an architecture, a network, policy establishment or process implementation and improvement. We work with organizations at various stages of their cyber security strategy development and cyber security program implementation.
3.5.1.1 RISK Services
A Penetration test (Pen-test) is a procedure to assess the security of an IT infrastructure by safely attempting to exploit its vulnerabilities. These vulnerabilities may exist in operating systems, services and application flaws, improper configurations or risky end-user behavior. Such assessments are also useful in validating the effectiveness of defensive mechanisms, and end-user adherence to security policies.
EnrollHostel has a team of leading Pen-testers that tests the effectiveness of the security of the organization. This is accomplished by emulating the behaviors and techniques of likely attackers in the most realistic way possible.
3.5.1.2 Corporate Trainings Risk/Security Awareness
  • 54. 29
Risk/Security awareness is the knowledge and attitude members of an organization have with respect to the protection of the physical, and particularly informational, assets of that organization. Many organizations require formal security awareness training for all workers when they join the organization and periodically thereafter, usually every year.
EnrollHostel commits to providing this training and practice to all its employees and clients and letting them know about the possible outcomes thereafter.
Being "security aware" means one understands that there is the potential for some people to deliberately or accidentally steal, damage, or misuse the data that is stored within an organization's computer systems and throughout its organization. Therefore, it is prudent to support the assets of the institution (information, physical, and personal) by trying to stop that from happening.
The focus of Security Awareness here at EnrollHostel is to achieve a long-term shift in the attitude of employees towards security, while promoting a cultural and behavioral change within an organization. Security policies ought to be seen as key enablers for the organization, not as a series of rules restricting the efficient working of your business.
We provide Security Awareness training to our new employees and keep them up to date with these principles.
  • 55. 30
3.5.1.3 Email Risk & Security with Office 365 Integration
Email is the most important business communication tool — and simultaneously, the leading threat vector for cyber-attacks. In fact, according to the Cisco Midyear Cybersecurity Report, attackers turn to email as the primary vector for spreading ransomware and other malware.
Mass spam campaigns are no longer your only email security concern. Attackers scour social media sites to find information on their intended victims and then create sophisticated and highly targeted ransomware, business email compromise (BEC), and phishing campaigns.
EnrollHostel's Email Security enables secure email use and protects the leading attack vector with multiple layers of protection using Cisco's Email Security.
Gain a robust layer of defense against ransomware, business email compromise, phishing, and more for Office 365 solution.
It helps protect your network from threats in incoming email while helping prevent the loss of business-sensitive data in outgoing mail.
Benefits
- Block more threats with comprehensive threat intelligence from Cisco Talos - one of the largest commercial threat intelligence teams in the world, comprised of world-class researchers, analysts and engineers.
- Combat ransomware hidden in attachments that evade initial detection with Cisco Advanced Malware Protection (AMP).
- Stop BEC and phishing attacks with superior URL intelligence and forged-email detection
  • 56. 31
- Protect sensitive content in outgoing emails with data loss prevention (DLP) and easy-to-use email encryption, all in one solution.
- Gain maximum deployment flexibility with a cloud, virtual, on-premises, or hybrid deployment or move to the cloud in phases.
3.5.1.4 Cyber-Forensics
Our Forensics and Investigation solutions provide an attack's context, infrastructure-wide visibility, codified expertise, rich intelligence, and insights gained from front-line experience responding to the world's most impactful threats. Empowering your infrastructure with everything you require to rapidly detect, triage, investigate, and minimize the impact of attacks.
One of the very few organizations with cybersecurity professionals with Top-level security clearances (US Fed security clearance), enables our clients with the highest level of confidence in performing the security incident analysis and forensics.
  • 57. 32
3.5.1.5 Social Risk Test Engineering
Social engineering is mandatory to counter the social engineers, hackers who exploit the one weakness that is found in each and every organization: human psychology. Using a variety of media, including phone calls and social media, these attackers trick people into offering them access to sensitive information.
These are the common types of social engineering attacks:
- Phishing: These attacks can include scenarios like those mentioned above, but may also be more targeted. Spear phishing attacks are more refined and can include customized emails or targeted advertisements that require more research on the attacker's part.
- Watering hole: In a watering hole attack, groups of users are specifically targeted. For instance, attackers would research particular employees that visit specialty sites and afterward have malware specifically targeting these employees.
- Baiting: Just as the term suggests, baiting attacks involve offering victims something they want. The risk is that you might download malware instead of, or in addition to, the files you actually want. Baiting can also include too-good-to-be-true online deals or fake emails with answers to questions you never asked on any forums.
EnrollHostel's decade of experience enables us to provide assistance and services on how an organization can protect itself and its employees against such attacks and prepare to tackle them anytime.
  • 58. 33
3.5.2 SECURITY ASSESSMENT AND COMPLIANCE
Security threats, risks, and vulnerabilities are present throughout organizations of all sizes. Any intrusions or breaches of critical systems, data, and applications will likely result in business-impacting consequences that have varying degrees of severity. With a solid security plan and evaluation, however, these risks can be identified and mitigated without impacting compliance and regulatory requirements.
EnrollHostel offers a comprehensive security assessment service that evaluates an organization's current information security program and infrastructure. The assessment identifies vulnerabilities and weaknesses, and measures any risks associated with the organization's current IT environment and security practices.
FEATURES & COVERAGE
- Identify internal and external security gaps and vulnerabilities
- Discover any areas of concern, including unpatched systems, open ports, and compliance violations
- Find security bugs and loopholes that could potentially be used to harm your network
- Verify network connections are secure, encrypted, and working as expected
- Outline and develop an actionable plan to mitigate the identified risks and vulnerabilities
- Approach and methodologies are based on industry standards and practices, such as the National Institute of Standards and Technology (NIST), Health Insurance Portability and Accountability Act (HIPAA)
Our Network Vulnerability Assessment services are grouped into three categories of services:
- Periodic network Vulnerability Assessment as a service: Our clients often request that we perform a one time or periodic network VA to verify the strength of their network security profile. Industry best practices suggest that you periodically rotate vendors for a more comprehensive VA.
- Deployment of network Vulnerability Assessment solutions: We help our clients select and configure the most suitable network VA solution and manage it on their behalf or transfer day-to-day operation to their staff.
- Compliance Reporting for network Vulnerability Assessment: We provide a network VA that supports your compliance obligations. Accordingly, we leverage our eGRC compliance reporting solutions that support more than 500 regulatory compliance reports. Specifically, we provide reports that support:
  o Payment Card Industry (PCI) Data Security Standards
  o ISO 27001
  o General data protection regulation (RISK)
  o Health Insurance Portability and Accountability Act (HIPAA)
- Scope of Network Vulnerability Assessment Services: As part of our network Vulnerability Assessment we typically cover the following areas:
  o Network Topology Risk Assessment: Discover and assess the risk of network topology and zones including: Public, Operational, Restricted, and Highly Restricted zones.
  • 59. 34
  o Discover Network Assets: As part of the network VA, our personnel help you discover network assets, including network nodes, firewalls, IPSs, IDSs, routers and switches, servers, databases, applications.
  o Discover Network Asset Vulnerabilities: Utilizing an array of commercial and open source tools, we probe each network asset for potential vulnerabilities. To complete our network VA, we deploy host configuration review.
  o Verify Vulnerabilities (or Penetration Testing): With management approval, we verify identified network vulnerabilities by actively trying to leverage them for further network penetration and subversion of existing controls.
  o Network Security Configuration Assessment: We review the device configuration for potential network vulnerabilities. Our personnel utilize a set of automated tools and manual techniques to review such vulnerabilities.
  o Reporting: Our reporting process is designed to inform executives, management groups, and technical teams, compliance and audit departments. We carefully explain each vulnerability, its respective exposure, and discoverability. Our personnel also provide pragmatic prioritization and recommendations. When deemed appropriate, our team will provide a trend report to demonstrate the status of network VA over a designated period of time.
BENEFITS
- Validates current security programs and practices
- Identifies known security risks and vulnerabilities before they are exploited
- Provides organizations with an outline and action plan to remediate issues and improve IT environment resiliency and performance
- Prepares organizations for audits and other reviews, and ensures compliance and regulatory requirements are continuously met
- Can be performed at your convenience, either onsite or remotely
  • 60. 35
3.5.3 SECURITY OPERATIONS CENTER – Risk Or Confidentiality
As advanced cyber threats become more sophisticated and organized, vulnerabilities more complex, with the intent of not only stealing your data but also installing cryptocurrency-mining malware, or using your system as a pivot point to other attack vectors, businesses today recognize they can't manage or handle this challenge alone. They're turning to managed security service providers like EnrollHostel to keep their business protected.
Managed and monitored by highly skilled and highly sought after cyber security experts 24x7x365, EnrollHostel's SOC is one of its most advanced threat intelligence monitoring, provided at an affordable monthly price.
Benefits:
- Security made easy – EnrollHostel's NOC handles 24/7/365 monitoring of your network and data. We identify and correlate any suspicious behavior, and we immediately alert you of any suspicious or active threat along with detailed remediation instructions your IT staff can follow for any malicious activity.
- Cost-effective security – EnrollHostel's NOC is a comprehensive security services offering that leverages security products you already own. And best of all, you won't have to recruit, hire and pay hard-to-find cyber security talent.
- Simplified compliance reporting – EnrollHostel's NOC consolidates data from hundreds of security products to ease the pain of manually compiling regulatory and compliance reports. Plus, there are many built-in reports for regulations such as PCI-DSS, HIPAA, and many others.
- Comprehensive Forensics – Gain the capability to conduct detailed forensic investigations to help remediate a breach
Fig: SOC Monitoring Dashboard
  • 61.
    Fig: SOC Monitoring Tool Analysis report
    Fig: SOC Monitoring SIEM
  • 63.
    4 PART IV – PROJECT COST
    4.1 FIXED PRICE
    Audit consultant cost: $15,000
    Auditors/assessors documentation, travel, miscellaneous: $5,000
    Charges = $20,000 (least cost bid for 42 man days project)
    4.2 RATE CARD FOR ADDITIONAL WORK
    ** For each project we might have a few different types of resources and the project management office involved.
    PRICE IN USD
    • Support Engineer – 120/hr
    • Sr. Engineer – 150/hr
    • Project Manager – 140/hr
    • Database Engineer – 150/hr
    • Hardware move and installation – 80/hr
    4.2.1 ADDITIONAL INITIATIVES
    In addition to the ongoing managed services provided under a fixed fee contract, there are other services related to the onboarding that would be billed separately, including but not limited to the following:
    Network Equipment Upgrades
    • UPS: Replacement of multiple aging APC UPS 1500 units with a proper NOC room UPS with Power Distribution Units (PDU) in each rack capable of remote management and environmental monitoring
    • Switches: Replacement of aging Cisco Catalyst 3750 floor switches and Cisco Catalyst 6506 Core Switch
    • Bandwidth: Deployment of a larger multi-source Direct Internet Circuit to support anticipated growth from additional traffic generated by Skype video conferencing and a multitude of hosted cloud-based applications
    Server Maintenance
    • Upgrade of existing Microsoft Server 2008 to Microsoft Server 2016
    • Upgrade of existing Microsoft 2008 Active Directory (AD) Domain Server to MS AD 2016
    • Virtualizing the remaining on-premise servers to provide for better support/security
    • Archiving of existing on-premise data storage to a virtualized environment
    Advisory Services
  • 64.
    The MSP shall provide advisory services including, but not limited to:
    • Technology planning & cost forecasting
    • Business continuity planning
    • Disaster recovery planning
    • Enterprise architecture
    • Technology consulting
    • Process development
    • Incident Response Process
    4.3 ASSUMPTIONS
    EnrollHostel has made the general assumption that the information provided during the preparation of this proposal is accurate and up-to-date. During the course of this project, it may be found that assumptions that were made are invalid due to lack of information at the time of proposal development. In such a case, EnrollHostel will work with School to make suitable amendments to this proposal that are mutually agreed upon by both parties and, when applicable, the corresponding change request process would be initiated.
    It is understood and agreed upon that the following items must be in place and/or provided at the start of the engagement:
  • 65.
    4.3.1 USER COUNT AND DEMOGRAPHIC
    Approximately 250 users are located at School’s
    The following is a high-level overview of the on-premise School computing assets:
    4.3.1.1 Desktops/Laptops
    We are concerned How replaced laptop
    4.3.1.2 On-Premise Network/Software hosted
    School Network and software hosted details are not known.
    4.3.1.3 Hosted Cloud Environment
    It is anticipated that the majority of School’s services will be cloud-based by the end of FY2018. Cloud details are not known. All software, platform and infrastructure information storing, processing or transmitting RISK information is not known [Depending on how many applications we need to check, the amount of work may vary]
    4.3.1.4 Legacy Business Applications
    Details not known.
    4.3.1.5 3rd Party Vendors
    We would need to understand the SLAs which third party vendors are on with respect to handling of RISK information being processed, stored or transmitted.