Resourcing Information Technology

Ron Jimerson, Port of Seattle, Chief Information Security Officer

21 October 2021



Port of Seattle Information Security Department

Overview

The department provides strategies, operations, and controls for protecting the Port’s information systems and sensitive data while increasing business resiliency.

Key Objectives

• Identify: Increase the Port's cybersecurity posture by minimizing security risks
• Protect: Consistently implementing and evaluating key controls
• Detect: Evolving threat intelligence, partnerships, and employee behavior modeling
• Respond: Reduce incident response recovery times and effect on business services
• Recover: Lead enterprise-wide IT security business resiliency and investment strategies


2021-2023 Priorities


Key Functions

Governance
• Policies & Standards
• Compliance & Audit Reporting
• Communication & Partnerships
• Privacy Management

Risk Management
• Risk Assessment
  - Software/Hardware
  - Capital Projects
• Gap Analysis
• Change Management
• Identity and Access Management

Operations
• Incident Management
• Threat & Vulnerability Management
• Threat Intelligence
• Business Continuity & Disaster Recovery
• IT Project Support
• Legal/HRO Investigations
• Vendor Management
• Awareness Training
• Forensics Oversight
• IT Security Architecture


HOW DO I DO BUSINESS WITH THE PORT OF SEATTLE

• Businesses should have their marketing materials updated and designed to relate with Port of Seattle business functions

• Register your business on VendorConnect – Port’s contracting database

• Register to attend a PortGen – These are Port of Seattle training workshops

• Look at our Future Solicitations

• Email the Port's Diversity in Contracting

Ref: https://www.portseattle.org/business/bid-opportunities


Potential IT & Security Contracting 2022

IDIQ Contracting for Enterprise Management System

IDIQ Contracting for General Services

IDIQ for Incident Handling

IT Security Assessment & Consulting

*IDIQ = indefinite delivery/indefinite quantity


Future Procurement Opportunity Summary

Report Capture Date: 10/15/2021

| Division | Category | Future Procurement Name | Port Contact | ROM | Planned Ad Qtr-Yr |
|---|---|---|---|---|---|
| Aviation | Consulting Services | WIFI IMPROVEMENTS PLB | Mayo, Sofia | TBD | 1 Quarter-2022 |
| Aviation | Consulting Services | Access Controls in Communications Rooms | Martinez, Carmen | $2-3M | 1 Quarter-2022 |
| Aviation | Consulting Services | TELECOMMUNICATIONS MEET ME ROOM - Design | Mayo, Sofia | TBD | 1 Quarter-2022 |
| Aviation | Consulting Services | KEYS FOR CARD READERS | Mayo, Sofia | TBD | 4 Quarter-2022 |
| Aviation | Major Construction | Telecommunications Meet Me Room | Dilbert, Kyle | TBD | TBD |
| Aviation | Major Construction | ARFF | Dilbert, Kyle | TBD | TBD |
| Central Services | Goods and Services | Peoplesoft IDIQ | Sadler, Krista | TBD | 4 Quarter-2021 |
| Central Services | Goods and Services | Wireless Frequency Scanning IDIQ | Jaquez, Clarence | TBD | 4 Quarter-2021 |
| Central Services | Goods and Services | Virtualization Design and Install Services IDIQ | Krutenat, Joe | TBD | 4 Quarter-2021 |
| Central Services | Goods and Services | SAFE Upgrade | Sadler, Krista | TBD | 4 Quarter-2021 |
| Central Services | Goods and Services | Security Information and Event Management System Contract Authorization | Jimerson, Ron | $1M | 4 Quarter-2021 |
| Central Services | Goods and Services | Smart Restrooms | Hale, Ken | TBD | 4 Quarter-2021 |
| Central Services | Goods and Services | WiFi Upgrade Equipment | Sadler, Krista | TBD | 4 Quarter-2021 |
| Central Services | Goods and Services | Sea-Tac International Airport (STIA) Network Redundancy | Dawson, Jim | $1-1.5M | 4 Quarter-2021 |
| Central Services | Goods and Services | DNS/DHCP Manager | Dawson, Jim | TBD | 4 Quarter-2021 |
| Central Services | Goods and Services | Certificate of Insurance Management Software | Ron, Shai | $250K-300K | 1 Quarter-2022 |
| Central Services | Goods and Services | Maritime Security Cameras | Sadler, Krista | $1-2M | 4 Quarter-2022 |
| Economic Development Division | Consulting Services | Diversity Barriers Analysis | Rice, Mian | $100k | 4 Quarter-2021 |
| Economic Development Division | Major Construction | Pier 69 Underdock Utility Replacement | Chou, Fred | TBD | 4 Quarter-2021 |
| Maritime | Consulting Services | Planning Services IDIQ | Del Vento, Emma | TBD | TBD |


Use Cautionary Sales Tactics

Keep in mind that IT & IT Security decision-makers are constantly being solicited

Unsolicited Emails
- Often ignored and deleted

Cold Calls
- Can be burdensome
- Do your research and offer a compelling reason for your call
- Product demonstrations require time and effort

We would prefer to find you through our database resources


IT Procurement Process

IT requirement established
Business case
Budgeting
Procurement
Project Manager Assigned
RFP / RFQ
Architecture Review
Vendor Selection
Proof of concept
Contracting / Legal
Purchasing
Solution Implemented


Procurement Process

• Direct Buy: Goods & Services < $50,000
• Three Quote: Goods & Services < $150,000
• Advertised Competitive Process: Goods & Services > $150,000
• Direct Solicitation: Goods & Services =/> $150,000, targeted to select vendors
• Intergovernmental Cooperative Agreements: RCW 39.34


Things to Consider

• Data handling, storage, and sharing

• Parameters for interfacing with Port information systems (remote access, etc.)

• Incident handling obligations/expectations

Reference: NIST Security Standards


Integrating Services

*Federal mandate of Contract Management Capability Maturity Model (CMMI) is not required

SaaS and Cloud services
- Security assessments are conducted
- SOC 2 considerations
- Access control considerations

On Premises Services
- Security assessments are conducted
- Access control considerations


Terms of Agreement

Network Connections. VENDOR agrees to allow the PORT to perform network assessments based on a schedule mutually agreed upon by the parties. In the event a network connection is created between VENDOR and the PORT, VENDOR agrees to maintain an alert status regarding all vulnerabilities and security patches or corrective actions by subscribing to an industry-recognized service.

……if VENDOR, at any time during the life of this Agreement, is granted remote access to the PORT’s network, or is telecommuting in any capacity, then such VENDOR will be subject to additional data security requirements of the PORT.


Questions
