FROM: Joe Michael, Chief Information Officer
SUBJECT: Selection of Cybersecurity Auditing Firm to Perform Comprehensive Cybersecurity Assessment and Services
RECOMMENDATION:
Recommend that the Board approve a three-year Professional Services Agreement with Symosis Security at an annual cost of $96,000.
BACKGROUND:
On April 15, 2025, SBCERA staff issued a Request for Proposals (RFP) for Comprehensive Cybersecurity Assessment and Services. The RFP was made publicly available on SBCERA's official website and promoted through social media to ensure broad outreach to qualified independent firms. In total, SBCERA received twenty-one proposals in response.
An internal evaluation committee was formed to review and assess the proposals. The committee consisted of Joseph Michael, Chief Information Officer; Hugo Alvarez, Information Security Manager; and Daniel Mejia, Information Security Engineer. Proposals were evaluated using a weighted set of criteria that included the firm's experience and expertise, the clarity and comprehensiveness of the proposed audit methodology, the qualifications of the proposed audit team, the pricing structure, and the inclusion of value-added services.
Of the twenty-one proposals reviewed, four were found either to lack a complete understanding of the RFP requirements or to present unrealistically low pricing structures, raising concerns about potential change orders during the engagement. Five additional proposals were priced significantly above the average, without offering a meaningful increase in deliverables or quality of service. The remaining twelve proposals met the RFP criteria; however, one firm, Symosis Security, distinguished itself through the relevance of its submission.
Symosis Security demonstrated a well-defined and rigorous methodology for conducting comprehensive cybersecurity assessments, reflecting both industry best practices and a clear understanding of SBCERA's operational environme...