Innovapost Inc. (Innovapost), on behalf of Canada Post Group of Companies (Canada Post), is seeking a partner capable of delivering world-class managed security operation services that will work alongside our team to provide a high-quality service to our staff and clients. Of secondary but equal importance is a partner that can help Innovapost realize operational efficiencies and cost containment without negatively impacting innovation and growth as we move forward with our transformative journey.
The scope of this RFP is focused on designing and implementing the requirements needed to demonstrate the security capabilities the organization has determined it requires, rather than just the technology that will support them. Included in this scope is a strategic perspective of how the security capabilities will be delivered in the long term and how they align to the organization’s current processes/culture and service delivery methods. All services to be provided are considered extensions of the Canada Post IT and Security teams.
The overall objective is to establish a zero-trust model to support business operations. At a high level, the capabilities in scope are Identity and Access Management (IAM), securing infrastructure in a cloud-centric future state, and management of security tools and services. A more detailed summary is provided in the sections below:
Identity and Access Management
The scope for this service includes playing a key role in the migration from the current state to a centrally managed service, including solution operation, ongoing support, maintenance and innovation towards the future integration of services for its workforce. This includes the delivery of:
- A cloud-based identity provider to consolidate Canada Post’s user population into one centralized user directory, enabling modern authentication protocols, including risk-based authentication and multi-factor authentication, to secure access to the organization’s assets and simplify our user population’s digital experience.
- Identity Governance and Administration (IGA) capabilities, including automated lifecycle management, access reviews, role-based access control (RBAC) and more, and integrating these capabilities into Canada Post’s on-premise and cloud ecosystem.
- Centralized Privileged Access Management (PAM) controls, enhancing security controls and visibility of privileged access to Canada Post’s critical platforms and infrastructure.
- Managed Identity Services with:
  - Identity management - administration of accounts; assignment of access privileges and support for self-service functions such as password reset over user life-cycle events; and administration of standard processes for onboarding, transfer, validation, and off-boarding.
  - Access management - support over access controls, password management, authentication, authorization, single sign-on, multi-factor authentication and federation, as well as policy configuration, management, and service monitoring.
  - Identity governance - support for access governance and certification campaigns, and maintenance and management of access privileges via enterprise/application roles.
  - Privileged-user management - services include management of administrative accounts, workflows and approvals for elevated access, temporary elevation of privileges, administrative log management, password check-in/check-out, and reporting and auditing of privileged access.
Cloud Security
The objective of cloud security is for the service provider to design, implement, support and operate a cloud security architecture that protects Canada Post’s assets in a multi-tenant and multi-cloud landscape. The service provider is expected to operate this service as an extension of Canada Post’s security team; as such, consideration should be given to ensuring the service provided meets our business requirements. The scope consists of Cloud Access Security Broker (CASB), Secure Web Gateway (SWG) and Remote Browser Isolation (RBI) to enable the following capabilities:
- Application visibility and control
- Data Loss Prevention (DLP) as a subcomponent of CASB to protect against unintentional disclosure of sensitive and confidential data
- User Behavior Analytics incorporated as a subcomponent of CASB
- Deployment and Administration
- Governance, Management & Reporting
- Vulnerability, Threat & Malware Protection
- Detection and management of shadow IT instances
Managed Security Operations
The key objectives of transitioning security operations to a Managed Security Service (MSS) provider are to enable best-in-class cloud monitoring capabilities and to decrease Canada Post’s exposure to cyber risks by expanding the capabilities of their security operation and threat monitoring teams. To accomplish these objectives, the effort includes the following:
- Security monitoring and alerting, with tier 1-2 security monitoring and incident response support
- Security infrastructure support, managing and maintaining network and endpoint security tools
This document, along with the attachment, describes the functional, administrative, integration and reporting requirements to meet business needs.
A signed Non-Disclosure Agreement will be required for release of the RFP documentation.