GDPR And Privacy By design Consultancy

SourcetekIT– School Bid Privileged and Confidential Page 1 of 87
DAN GRIBBLE
SOURCETEKIT | 365, Suite 20, Healey Rd, Bolton, ON L7E 5C1
Response to RFP – GDPR
School
KIND ATTN:JASON EDGMON

Confidentiality Agreement
This document is confidential and may not be copied without the permission of EnrollHostel.
This document contains information proprietary to EnrollHostel. Transmittal, receipt or possession of this
document does not express licenseor imply rights to use,sell,and design, develop or have developed products
or services from this information. No reproduction, publication or disclosure of this information in whole or in
part, electronic or otherwise, shall be mad without prior written authorization from a signing office of
EnrollHostel. Authorized transfer of this document from the custody and control of EnrollHostel constitutes
a loan for limited purposes, and this document must be returned to EnrollHostel upon request, and in allevents
upon the conclusion of the loan.
Copyright 2018 EnrollHostel
365 Healey Road Suite 20 Caledon, ON L7E 5C1

To:
Jason Edgmon
Senior Director of IT Infrastructure & Operations
Pharmaceutical Research and Manufacturers of America
jedgmon@School.org
Dear Jason,
EnrollHostel thanks Pharmaceutical Research and Manufacturers of America(School) for providing the
opportunity to respond to this RFP for the provisioning of one single team that combines IT, Network and
Security operations for their Network & IT infrastructure.
Value is found in knowledge. EnrollHostel is renowned for its expertise in Asset Management, and
Infrastructure management through its state-of-the-art NOC and SOC. A Professional Services’ company
specializing in large-scale urban infrastructure engagements, EnrollHostel lends its expertise to leading Value-
added re-sellers and construction companies from the design phase through final testing throughout hospitals
in North America. EnrollHostel understands that engineering and technical prowess within its organization is
of prime importance at a time when our society demands data to be integrated, automated and secured. Our
Managed IT Services’ offering is something we’re intimately familiar with and have deployed numerous times
over the last year in environments comparable to your prescribed size and scope.
EnrollHostel’s Managed IT solution services ensure that our clients’ applications are managed and operated on
a 24x7 basis, ensuring both secure and high performance. Our services allow clients to benefit from scalable
project operations and cross-functional/discipline-knowledge sharing between teams, enabling EnrollHostel to
provide best in class Managed IT services.
The advantage of a partnership with EnrollHostel will ensure that this experience and qualification is leveraged
to;
 Mitigate transitional risk
 Provide best in class quality services at significantly lower costs
 Quickly construct ateam of experienced and knowledgeable personnel for onsite –offshore based delivery,
thereby assuring excellence in operations
EnrollHostel follows amanaged service approach, basedon ITILbest practices,that provides for aset of process
frameworks and flexiblegovernance models that transform support services;improving productivity, achieving
higher operational efficiency and increasing cost predictability.
Adopting a multi-phased approach from transition to continual improvement, the managed service model
provides:
 Scalability and resource efficiency
 Less client involvement in routine operational tasks
 Predictability in delivery through experience and understanding of application environment
 Resource utilization and shift work load balancing
 Service Level Agreement (SLA) driven metrics
 Total quality management through well-defined processes and ITIL best practices

EnrollHostel understands School’s key objective to partner with a MSP that can demonstrate how their value-
added services will provide critical helpdesk, security, network engineering, business continuity, and disaster
recovery capabilities in a cost-effective manner while providing superior customer service to our users in a
24x7x365 environment.
In partnering with EnrollHostel over other “large” IT Consulting Firms, School will benefit by leveraging our:
 Proven past performances of successfully deploying end-to-end managed IT services to many similar scale
organizations
 10+ years of proven experience in collaboration, security and Infrastructure management
 Agile and dynamic business model that quickly adapts to customer needs and environment
Value proposition: Lower cost; maximize process efficiency
 Process oriented, result driven methodology focused on maximizing business value
Value proposition: Process standardization and consolidation
 Thought leadership and unparalleled technology “know-how”
Value proposition: Lower cost; maximize process efficiency; fast and safe technology
implementation
 Focused on customer satisfaction
Value proposition: Maximize process efficiency; enable customers to do more
 High priority on Quality and Operational Excellence
Value proposition: Maximize brand value; increase revenue.
Best Regards
Dan Gribble
VP-Sales, EnrollHostel
dgribble@EnrollHostel.com
(412) 418 3159

TABLE OF CONTENTS
1 PART I – GENERAL INFORMATION .................................................................................................................................................................7
1.1 EXECUTIVESUMMARY..................................................................................................................................................................................7
1.2 SCOPEOF SERVICES.......................................................................................................................................................................................7
X1.3 EXCEPTIONS TO RFP REQUIREMENTS ......................................................................................................................................................18
2 PART II – DESCRIPTION OF SERVICES...........................................................................................................................................................19
2.1 AUDITING/ASESSING IT SERVICES COMPLAINCE ...................................................................................................................................19
2.1.1 COMPLAINCE AUDIT/ ASSESSMENT METHODOLOGY ...............................................................................................................19
.............................................................................................................................................................................................................................19
2.1.2 GDPR What has Changed?..............................................................................................................................................................22
2.1.3 GDPR Governance Framework. ......................................................................................................................................................22
2.1.4 .............................................................................................................................................................................................................23
.............................................................................................................................................................................................................................23
2.1.5 EnrollHostel Audit Knowledge Repository ....................................................................................................................................24
2.1.6 Audit Plan...........................................................................................................................................................................................27
2.1.7 Compliance Dashboards ....................................................................................................................................................................1
2.1.8 VULNERABILITY TESTING ...................................................................................................................................................................5
2.2 EXECUTIONPLAN...........................................................................................................................................................................................6
2.2.1 SERVICE DELIVERY APPROACH .........................................................................................................................................................6
2.2.2 INCEPTION ...........................................................................................................................................................................................8
2.2.3 KNOWLEDGE TRANSFER ....................................................................................................................................................................8
2.2.4 STEADY STATE OPERATIONS ...........................................................................................................................................................10
2.2.5 AUDIT STRATEGY ..............................................................................................................................................................................11
2.3 ACCOUNT MANAGEMENT & TECHNOLOGY TEAM STRUCTURE..........................................................................................................13
2.3.1 AUDIT ACCOUNT MANAGEMENT ..................................................................................................................................................13
2.3.2 PROJECT TEAM STRUCTURE............................................................................................................................................................15
2.3.2.1 TEAM STRUCTURE..................................................................................................................................................................... 15
2.3.2.2 TEAM ROLES & RESPONSIBILITES.............................................................................................................................................. 16
3 PART III – REFERENCES & ENROLLHOSTEL CAPABILITIES ........................................................................................................................18
3.1 CASE STUDIES ...............................................................................................................................................................................................18
3.1.1 CASE STUDY 1 ....................................................................................................................................................................................19
3.1.2 CASE STUDY 2 ....................................................................................................................................................................................19
3.1.3 CASE STUDY 3 ....................................................................................................................................................................................20
3.2 ENROLLHOSTEL | CAPABILITY....................................................................................................................................................................21
3.2.1 PROGRAM GOVERNANCE ...............................................................................................................................................................22
3.2.2 CONTINUAL SERVICE IMPROVEMENT (CSI)..................................................................................................................................22
3.2.3 KNOWLEDGE MANAGEMENT.........................................................................................................................................................22
3.2.4 TEAM COMPETENCY AND SKILLS ENHANCEMENTS ...................................................................................................................23
3.3 ENROLLHOSTEL | PROJECTMANAGEMENT PROCESS...........................................................................................................................23
3.3.1 REPORTING METRICS .......................................................................................................................................................................24
3.3.2 ESCALATION HANDLING ..................................................................................................................................................................25
3.3.3 COMMUNICATION PLAN .................................................................................................................................................................25
3.3.4 RISK MANAGEMENT PLAN..............................................................................................................................................................26
3.3.5 CHANGE MANAGEMENT PROCEDURE..........................................................................................................................................26
3.4 ENROLLHOSTEL | COMPLIMENTARY VALUE ADDED SERVICES ...........................................................................................................28
3.5 ENROLLHOSTEL | DIFFERENTIATORS .......................................................................................................................................................28
3.5.1 CYBERSECURITY SERVICES ...............................................................................................................................................................30
3.5.1.1 Penetration Testing................................................................................................................................................................... 30
3.5.1.2 Corporate Trainings - Cybersecurity......................................................................................................................................... 31
3.5.1.3 Email Securityand Office 365 Integration................................................................................................................................ 32
3.5.1.4 Cyber-Forensics......................................................................................................................................................................... 33
3.5.1.5 Social Engineering..................................................................................................................................................................... 34
3.5.2 SECURITY ASSESSMENT AND COMPLIANCE .................................................................................................................................35
3.5.3 SECURITY OPERATIONS CENTER.....................................................................................................................................................37
4 PART IV – PROJECT COST................................................................................................................................................................................40
4.1 FIXED PRICE ..................................................................................................................................................................................................40

4.2 RATE CARD FOR ADDITIONALWORK........................................................................................................................................................40
4.2.1 ADDITIONAL INITIATIVES.................................................................................................................................................................40
4.3 ASSUMPTIONS .............................................................................................................................................................................................41
4.3.1 USER COUNT AND DEMOGRAPHIC................................................................................................................................................42
4.3.2 ON-PREMISE & HOSTED ENVIRONMENT.....................................................................................Error! Bookmark not defined.
4.3.2.1 Desktops/Laptops ..................................................................................................................................................................... 42
4.3.2.2 On-Premise Network................................................................................................................................................................. 42
4.3.2.3 Hosted Cloud Environment....................................................................................................................................................... 42
4.3.2.4 Legacy Business Applications.................................................................................................................................................... 42
4.3.2.5 Third Party Vendors .................................................................................................................................................................. 42

1 PART I – GENERAL INFORMATION
1.1 EXECUTIVE SUMMARY
EnrollHostel is pleasedto provide this proposal for Accessing/Auditing Compliance to GDPR For School student
from Spain [Europe]. EnrollHostel understands the importance of these services School provides to Students.
EnrollHostel brings to this engagement a significant advantage to Education Sector, in terms of technology
expertise, security, operations architecture, strategy and advisory skills, process maturity and a consistent and
reliable track record providing operational and infrastructure support across multiple technologies.
EnrollHostel also proposes the advantages it brings on board as compared to other MSPs.
1.2 SCOPE OF SERVICES
EnrollHostel understands that School is looking for the following GDPR compliance services.
Below is EnrollHostel’s compliance to the scope of services detailed by School in their RFP document:
Our proposed solution has been detailed in the Section: PART II – DESCRIPTION OF SERVICES
GDPR ISO27k
Article Outline/summary Control Notes
1 GDPR concerns the protection and free
movement of “personal data”, defined in
article 4 as “any information relating to an
identified or identifiable natural person
(‘data subject’); an identifiable natural
person is one who can be identified, directly
or indirectly, in particular by reference to an
identifier such as a name, an identification
number, location data, an online identifier
or to one or more factors specific to the
physical, physiological, genetic, mental,
economic, cultural or social identity of that
natural person”.
A.18.1.4
etc.
The ISO27k standards concern information r
information security controls mitigating una
information. In the context of GDPR, privac
personal information, particularly sensitive
specifically mention compliance obligations
of personal info (more formally known as Pe
in some countries) in control A.18.1.4.
2 GDPR concerns “the processing of personal
data wholly or partly by automated means
....” (essentially, IT systems, apps and
networks) and in a business or
corporate/organizational context (private
home uses are not in scope).
Many ISO27k concerns information in general, not
networks. It is a broad framework, built aro
systematically addresses information risks a
organization as a whole, including but going
aspects.
3 GDPR concerns personal data for people in
the European Union whether is it processed
in the EU or elsewhere
A.18.1.4
etc.
ISO27k is global in scope. Any organization
European Union may fall under GDPR, espec
info.

GDPR ISO27k
4 GDPR privacy-related terms are formally
defined here.
3 ISO/IEC 27000 defines most ISO27k terms in
organizations have their own glossaries in th
definitions do not conflict with GDPR.
Chapter I General provisions
5 Personal data must be: (a) processed
lawfully, fairly and transparently; (b)
collected for specified, explicit and
legitimate purposes only; (c) adequate,
relevant and limited; (d) accurate; (e) kept
no longer than needed; (f) processed
securely to ensure its integrity and
confidentiality.
[This is the latest incarnation of the original
OECD principles published way back in 1980
<tips hat>.]
The “controller” is accountable for all that.
6.1.2,
A.8.1.1
A.8.2
A.8.3
A.9.1.1
A.9.4.1
A.10
A.13.2
A.14.1.1
A.15
A.17
A.18 ...
in fact
almost all!
5
A.6.1.1
Business processes plus apps, systems and n
personal information, requiring a comprehe
physical and other controls … starting with a
information risks. See also ‘privacy by desig
In order to satisfy these requirements, orga
info is, classify it and apply appropriate mea
Although not stated as such, accountability
‘Leadership’ section of ISO/IEC 27001.
6 Lawful processing must: (a) be consented to
by the subject for the stated purpose; (b) be
required by a contract; (c) be necessary for
other compliance reasons; (d) be necessary
to protect someone’s vital interests; (e) be
required for public interest oran official
authority; and/or(f) be limited if the subject
is a child.
Note: there are several detailed and explicit
requirements concerning lawful processing -
see GDPR!
Note also that EU member states may
impose additional rules.
6.1.2
A.14.1.1
A.18.1.1
etc.
This should also be covered in the assessmen
It will influence the design of business proce
(e.g. it may be necessary to determine some
and use their personal info). These are busi
personal information: many security contro
unacceptable information risks that cannot
data) or shared (e.g. relying on some other p
- a risk in its own right!).

GDPR ISO27k
7 The data subject’s consent must be
informed, freely given and they can
withdraw it easily at any time.
A.8.2.3
A.12.1.1
A.13.2.4?
A.18.1.3
6.1.2
A.14.1.1
A.8.3.2
A.13.2
etc.
There is a requirement to request informed
stop!) and to be able to demonstrate this. P
and records demonstrating the consent mus
Withdrawal of consent implies the capabilit
info, perhaps during its processing and may
business processes to check and handle req
8 Special restrictions apply to consent by/for
children.
See
Article 7
These special restrictions apply primarily at
getting a parent’s consent).
9 Special restrictions apply toparticularly
sensitive data concerning a person’s race,
political opinions, religion, sexuality, genetic
info and other biometrics etc. Processing of
such info is prohibited by default unless
consent is given and processing is necessary
(as defined in the Article).
A.8.2.1
A.8.2.3
A.14.1.1
See 7 above. It is important to identify wher
whether that is ‘necessary’ in fact, and to ob
considered in the design of systems, apps an
10 Special restrictions also apply to personal
data concerning criminal convictions and
offenses.
A.7.1
A.8.2.1
A.8.2.3
6.1.2
A.14.1.1
A.7.1
etc.
Any use of this information should be ident
circumstances. Such information should pre
authorities … but may be needed for backgr
etc.
11 Some restrictions don’t apply if a person
cannot be identified from the data held.
A.8.2.1
A.8.2.3
6.1.2
A.14.1.1
etc.
Avoiding information risks (by NOT knowing
where feasible: does the business really nee
aggregate info/statistics suffice?
Chapter III Rights of the data subject
12 Communications with data subjects must be
transparent, clear and easily understood.
A.12.1.1
A.14.1.1
A.16
etc.
See above. This affects the wording of web
etc. plus the processes. It may also be relev
i.e. mechanisms allowing people to enquire
personal information (implying a means to i
responding promptly, and for keeping recor
for excessive requests)

GDPR ISO27k
13 When personal data are collected, people
must be given (or already possess) several
specific items of information such as details
of the data “controller” and “data
protection officer”, whether theirinfo will
be exported (especially outside the EU), how
long the info will be held, their rights and
how to enquire/complain etc.
A.8.2.1
A.8.2.3
A.12.1.1
A.14.1.1
A.16
etc.
Procedures for the provision of fair processi
controller and purposes for processing the d
implemented. This relies in part on identifyi
14 Similar notification requirements to Article
13 apply if personal info is obtained
indirectly (e.g. a commercial mailing list?):
people must be informed within a month
and on the first communication with them.
A.8.2.1
A.8.2.3
A.12.1.1
A.14.1
A.16
etc.
See Article 13.
15 People have the right to find out whether
the organization holds their personal info,
what it is being used for, to whom it may be
disclosed etc., and be informed of the right
to complain, get it corrected, insist on it
being erased etc.
People have rights to obtain a copy of their
personal information.
A.8.1.1
A.8.2.1
A.12.1.1
A.13.2.1
A.14.1.1
etc.
Subject rights include being able to obtain a
the need for identification and authenticati
disclosing the nature of processing e.g. the l
‘profiling’, and info about the controls if the
backup and archive copies. See also Article 7
16 People have the right to get theirpersonal
info corrected, completed, clarified etc.
A.12.1.1
A.14.1
A.9
A.16?
A.12.3
A.18.1.3
Implies functional requirements to check, ed
controls concerning identification, authenti
also affect backup and archive copies.
17 People have a right to be forgotten i.e. to
have their personal info erased and no
longer used.
6.1.2
A.14.1.1
A.9
A.16
A.12.3
A.8.3.2
This is a form of withdrawing consent (see A
functional requirements to be able to erase
controls concerning identification, authenti
also affect backup and archive copies.
18 People have a right to restrict processing of
their personal info.
6.1.2
A.8.2.1
A.8.2.3
A.12.1.1
A.14.1.1
A.16
A.12.3
See Articles 7, 12 etc.
May need ways to identify the specific data
new handling / processing rules. Note it ma

GDPR ISO27k
A.18.1.1
19 People have a right to know the outcome of
requests to have their personal info
corrected, completed, erased, restricted etc.
A.12.1.1
6.1.2
A.14.1.1
A.16
etc.
Informing/updating the originator is a conve
management process, but there may be a se
for privacy complaints, requests etc. since th
employees/insiders.
20 People have a right to obtain a usable
‘portable’ electronic copy of theirpersonal
data to pass to a different controller.
6.1.2
A.13
A.14.1.1
A.8.3
A.10
A.18.1.3
etc.
Depending on your organisation’s purpose,
in practice (low risk) that it may best be han
automated IT system functions. Note that t
the identified and authenticated person/s c
securely, probably encrypted. It may also im
confirming this (Articles 17, 18 and 19).
21 People have a right to object to their
information being used for profiling and
marketing purposes.
6.1.2
A.12.1.1
A.14.1.1
A.16
A.12.3
etc.
See article 18.
May need ways to identify the specific data
implement new handling / processing rules.
22 People have a right to insist that key
decisions arising from automatic processing
of their personal info are manually
reviewed/reconsidered.
6.1.2
A.12.1.1
A.14.1.1
A.16
Profiling and decision support systems invo
review and overrides, with the appropriate
controls etc.
23 National laws may modify or override
various rights and restrictions for national
security and other purposes.
A.18.1.1 This is primarily of concern to the authoritie
police, customs, immigration, armed forces)
private/commercial organizations, either ro
industry, ISPs, CSPs, money laundering rules
(implying a legally-sound manualprocess to
situations).
Chapter IV Controller and processor
24 The “controller” (generally the organization
that owns and benefits from processing of
personal info) is responsible for
implementing appropriate privacy controls
(including policies and codes of conduct)
4, 5, 6, 7,
8, 9, 10
and much
of Annex
A
This is a formal reminder that a suitable, com
must be implemented, including policies an
physical and other controls addressing the i
obligations. The scale of this typically requi
privacy. Given the overlaps, it normally ma

GDPR ISO27k
considering the risks, rights and other
requirements within and perhaps beyond
GDPR.
and coordinate privacy with the ISO27k ISM
and business continuity management - in ot
25 Taking account of risks, costs and benefits,
there should be adequate protection for
personal info by design, and by default.
6 and
much of
Annex A
There are business reasons for investing app
information risks and compliance imperativ
with various costs and benefits: elaborating
management support and involvement, plu
necessary to design, deliver, implement and
Privacy by design and by default are exampl
the specification, design, development, ope
related IT systems and processes, including
parties e.g. ISPs and CSPs.
26 Where organizations are jointly responsible
for determining and fulfilling privacy
requirements collaboratively, they must
clarify and fulfil their respective roles and
responsibilities.
5.3
9.1
A.13.2
A.15
A.16
A.18.1
Organizations need to manage relationships
privacy and other information security aspe
includes, for instance, jointly investigating a
or access requests, achieving and maintainin
and respecting consented purposes for whic
regardless of where it ends up.
27 Organizations outside Europe must formally
nominate privacy representatives inside
Europe if they meet certain conditions
(e.g. they routinely supply goods and
services to, or monitor, Europeans).
5.3
7.5.1
A.15?
A.18.1.4
This is one of many compliance formalities:
Officer or equivalent) should be accountabl
28 If an organisation uses one or more third
parties to process personal info
(‘processors’), it must ensure they too are
compliant with GDPR.
8.2
9.1
A.15
A.18.1.1
A.18.1.3
A.18.1.4
This applies to ISPs and CSPs, outsourced da
services where the organization passes pers
marketing plus HR, payroll, tax, pension and
applies on the receiving end: service supplie
their GDPR compliance status, privacy polic
subcontractors), and to have compliance an
included in contracts and agreements. The
assessed and treated in the normal manner
29 Processors must only process personal info
in accordance with instructions from the
controller and applicable laws.
Most Processors need to secure and control perso
controllers. They may well be controllers fo
will hopefully have all necessary privacy arr
case of extending them to cover client info,
relationships (e.g. how to handle breaches o
30 Controllers must maintain documentation
concerning privacy e.g. the purposes for
which personal info is gathered and
7.5 More important formalities.

GDPR ISO27k
processed, ‘categories’ of data subjects and
personal data etc.
31 Organizations must cooperate with the
authorities e.g. privacy or data protection
ombudsmen.
A.6.1.3 Another formality.
32 Organizations must implement, operate and
maintain appropriate technical and
organizational security measures for
personal info, addressing the information
risks.
8.2
8.3
and most
of Annex
A
GDPR mentions a few control examples (suc
resilience) covering data confidentiality, int
testing/assurance measures and compliance
procedures, awareness/training and compli
ISO27k ISMS provides a coherent, comprehe
manage privacy alongside other information
etc.
33 Privacy breaches that have exposed or
harmed personal info must be notified to
the authorities promptly (within 3 days of
becoming aware of them unless delays are
justified).
A.16
A.18.1.4
Breaches etc. would normally be handled as
management process but GDPR-specific obl
notifying the authorities) must be fulfilled.
containing personal info are probably not no
encrypted (but remember this is NOT legal a
clock starts ticking is not explicitly defined: i
assess the available information/evident fir
reportable incident has actually occurred i.e
incident is declared genuine, not a false-alar
34 Privacy breaches that have exposed or
harmed personal info and hence are likely to
harm their interests must be notified to the
people so affected ‘without undue delay’.
A.16
A.18.1.4
Aside from the legal and ethical considerati
privacy authorities, there are obviously sign
the timing and nature of disclosure. This wo
management process for serious or significa
management as well as specialists and advis
the associated business costs, disruption an
arguments to make privacy a corporate imp
appropriate preventive measures. The same
serious/significant information incidents of
35 Privacy risks including potential impacts
must be assessed, particularly where new
technologies/systems/arrangements are
being considered, or otherwise where risks
may be significant (e.g. ‘profiling’ defined in
Article 4 as “any form of automated
processing of personal data consisting of the
use of personal data to evaluate certain
personal aspects relating to a natural
person, in particular to analyse or predict
aspects concerning that natural person's
6.1.2
A.6.1.3
A.8.2.1
ISO/IEC
27005 and
ISO 31000
Again, there are sound business and ethical
information risks (including privacy and com
obligations. Privacy-related risks should pro
registers alongside various other risks. GDP
assessment of privacy risks as part of the ro
business change projects, new IT systems de

GDPR ISO27k
performance at work, economic situation,
health, personal preferences, interests,
reliability, behaviour, location or
movements”). ‘Significantly risky situations’
are to be defined by the national privacy
authorities, apparently.
36 Privacy risks assessed as “high” [undefined]
should be notified to the authorities, giving
them the chance to comment.
6.1.2
A.6.1.3
A.8.2.1
ISO/IEC
27005 and
ISO 31000
The GDPR requirement is well-meaning but
corporate policies concerning the precise de
the other hand explicit inputs from the auth
official position on the suitability and adequ
words this comes down to a business risk/st
37 A data protection officermust be formally
identified under specified circumstances e.g.
public bodies, organizations regularly and
systematically monitoring people on a large
scale, or those performing large-scale
processing of sensitive personal info relating
to criminal records.
5.3
A.6.1.1
A.18.1.4
Aside from GDPR obligation, the “Privacy Of
more broadly applicable and valuable, whet
notifiable or not. There are clearly many an
focal point for privacy (ideally a competent
sense for virtually all organizations. This is a
38 [If formally designated] the data protection
officer must be supported by the
organization and engaged in privacy
matters.
5.3
A.6.1.1
A.18.1.4
See above. Formalities aside, without mana
the organization, a Privacy Officer is powerl
39 [If formally designated] the data protection
officer must offer advice on privacy matters,
monitor compliance, liaise with the
authorities, act as a contact point, address
privacy risks etc.
5.3
A.6.1.1
A.18.1.4
See above. The GDPR requirements would f
description.
40 Various authorities, associations and
industry bodies are anticipated to draw up
codes of conduct elaborating on GDPR and
privacy, offer them to be formally approved
(by an unspecified mechanism) and (where
appropriate) to implement their own
(member) compliance mechanisms.
5.3,
A.6.1.1
A.18.1.4
Although this is a valiant attempt toadd we
achieve a full legal mandate … but the ethic
than just a matter of strict compliance with
that, codes (and ISO27k standards!) offer go
may generate commercial/marketing advan
41 The bodies behind codes of conduct are
required to monitor compliance (by their
members), independently and without
prejudice to the legal and regulatory
5.3
A.6.1.1
A.18.1.4
See above.

GDPR ISO27k
compliance monitoring conducted by the
national authorities.
42 Voluntary data protection certification
schemes offering compliance seals and
marks (valid for 3 years) are to be developed
and registered.
5.3
A.6.1.1
A.18.1.4
Similar schemes already exist: GDPR gives th
the commercial advantages they already ex
43 Certification bodies that award compliance
seals and marks should be competent and
accredited for this purpose. The European
Commission may impose technical
standards for certification schemes.
5.3
A.6.1.1
A.18.1.4
This should improve the credibility and mea
may also increase the costs. Since they are
certified, and which schemes to join, are com
management.
Chapter V Transfers of personal data to third countries or international organisations
44 International transfers and processing of
personal info must fulfil requirements laid
down in subsequent Articles.
- Preamble.
45 Data transfers to countries whose privacy
arrangements (laws, regulations, official
compliance mechanisms ...) are deemed
adequate by the European Commission
(i.e. compliant with GDPR) do not require
official authorisation orspecific additional
safeguards.
A.18.1.4 Most formalities are to be handled by the Co
avoiding transfers to other countries, monit
ensuring that suitable contracts/agreement
as with other third party datatransfers (see
46 Data transfers to countries whose privacy
arrangements (laws, regulations, official
compliance mechanisms ...) are not deemed
adequate by the European Commission (i.e.
compliant with GDPR) but meet certain
other criteria require additional safeguards.
A.18.1.4 Essentially, the organization must implemen
controls before transferring personaldata t
suitable contractual clauses and compliance
47 National authorities may approve legally-
binding privacy rules permitting transfers to
non-approved countries.
A.18.1.4 Formalities may affect contractual terms, co
Hint: it may not be worth the aggravation, r
48 Requirements on European organizations
from authorities outside Europe to disclose
personal data may be invalid unless covered
by international agreements or treaties.
A.18.1.4,
A.16
Such situations would normally be handled
specialists - but may start out as incidents.
49 Yet more conditions apply to personal info
transfers to non-approved countries e.g.
explicit consent by the data subjects.
A.18.1.4 The Commission is deliberately making it dif
the privacy risks are higher.

GDPR ISO27k
50 International authorities will cooperate on
privacy
- -
Chapter VI Independent supervisory authorities
51-59 [Concern national bodies to oversee
privacy.]
- -
Chapter VII Cooperation and consistency
60-76 [Concern supervisory authorities and the EU
Data Protection Board.]
- -
Chapter VIII Remedies, liability and penalties
77-81 [Supervisory authorities can deal with
privacy complaints.]
- -
82 Anyone damaged by infringements of GDPR
has a right to compensation from the
controller/s or processor/s.
A.18.1.4 -
83 Administrative fines imposed by supervisory
authorities shall be “effective,
proportionate and dissuasive”. Various
criteria are defined. Depending on the
infringements and circumstances, fines may
reach 20 million Euros or up to 4% of total
worldwide annual turnoverfor the previous
year if greater.
6
A.18.1.4
Such huge fines are clearly intended to be a
significant part of the potential impact of pr
assessment of GDPR compliance and other p
84 Other penalties may be imposed. They too
must be “effective, proportionate and
dissuasive”.
6
A.18.1.4
See above.
Chapter IX Provisions relating tospecific processing situations
85 Countries must balance privacy/data
protection rights against freedom of
expression, journalism, academic research
etc. through suitable laws.
6
A.18.1.1
A.18.1.4
Issues under this Article may come down to
hence again there are information risks to b
where personal information is involved.
86 Personal data in official documents may be
disclosed if the documents are formally
required to be disclosed under ‘freedom of
information’-type laws.
6
A.18.1.1
A.18.1.4
It may be feasible to redact personal or othe
ISO/IEC 27038.

GDPR ISO27k
87 Countries may impose further privacy
controls for national ID numbers.
6
A.18.1.1
A.18.1.4
National ID numbers may be used as secret
they must remain confidential to reduce the
sensitive personal information, implying the
security/privacy controls.
88 Countries may impose further constraints on
corporate processing and use of personal
information about employees e.g. to
safeguard human dignity and fundamental
rights.
6
A.18.1.1
A.18.1.4
Employment laws may intersect with GDPR
compliance and altering the information ris
89 Where personal data are to be archived e.g.
for research and statistical purposes, the
privacy risks should be addressed through
suitable controls such as pseudonymization
and data minimization where feasible.
6
A.18.1.4
Privacy concerns remain as long as the data
their families or communities may be impac
this, the information risks should be identifi
in the normal way.
90 Countries may enact additional laws
concerning workers’ secrecy and privacy
obligations.
6
A.18.1.1
A.18.1.4
Employment or secrecy laws may intersect w
complicating compliance and altering the in
91 Pre-existing privacy rules for churches and
religious associations may continue,
“provided they are brought intoline with”
GDPR.
A.18.1.4 Good luck interpreting this highly ambiguou
Chapter X Delegated acts and implementing acts
92-99 [Concern how GDPR is being enacted by the
EU.]
A.18.1.1 Not relevant to an individual organization’s
much as they need to comply with applicab
Suggested3tiersof escalatedsupport:
SupportTier Description
Tier 1 All supportincidentsbegininTier1,where theinitialtrouble ticketiscreated.The issue
isidentified, andclearlydocumented,andbasichardware/software troubleshootingis
initiated. At this stage engineers are also using the existing knowledge base to
investigate and try best of his/her ability to resolve the issue.

Tier 2 All supportincidentsthatcannotbe resolvedwithTier1Supportare escalatedtoTier
2 where more complex supportonhardware/software issuescanbe providedby
more experiencedEngineers.
Tier 3 Support Incidents that cannot be resolved by Tier 2 Support are escalated to Tier 3,
where supportisprovidedbythe mostqualifiedandexperiencedengineerswhohave
the abilityto collaboratewith3rdParty(Vendor)SupportEngineerstoresolvethe most
complex issues.
1.3 EXCEPTIONS TO RFP REQUIREMENTS
None.

2 PART II – DESCRIPTION OF SERVICES
2.1 AUDITING/ASESSING IT SERVICES COMPLAINCE
2.1.1 COMPLAINCE AUDIT/ ASSESSMENT METHODOLOGY

EnrollHostel’sGRAYBIEmanagedservices platformprovides asinglepaneof accessandvisibilityforallthenetwork
devicesandsecurityissuesbackedbyour 24/7/365 monitoringbyourcertified andhighlyexperiencedеngіnееrѕ.

GRAYBIE connectstoanyIT datasource or monitoringsystemtocollectandcollatedataonvariousITsystemsand
applications. GRAYBIE’s Core Rule Engine is leveraged to apply custom rules applicable to the business, gaining
insight into how the IT systems are performing within the business. Businesscritical application performance,
underlyingITinfrastructureperformanceandService deliverywithinthe organizationITsupportsystemcanall be
correlated to give a meaningful insight into the IT environment health.
GRAYBIE not only enables operational excellence through quick resolution but also helps in saving operational
costs through descriptive,prescriptive,andpredictiveinsightsforcalculatingthe magnitude,risk,andtime of the
issue athand, inreal-time, thereby enabling the teams to escalate it to the management at the right moment:
Fewreal-time capabilitiesof GRAYBIE:
 Sесurіtу threat соrrеlаtіоn and іnсіdеnt аnаlуѕіѕ
 Custom соrrеlаtіоn rule сrеаtіоn
 Dеvісе fault management
 High-touch service delivery
 Thіrd-раrtу lоg analysis to mееt compliance rеԛuіrеmеntѕ
 Cоnfіgurаtіоn and engineering ѕuрроrt

2.1.2 GDPR What has Changed?
 Increased accountability and greater level of responsibility within organisations to ensure that personal data is fully protected
and processed according tothe regulations
 More data willbe classified as customers personaldata,not just in normal databases but alsoin EUC component and in
Cloud data storage
 New internal roleof a Data Protection Officer
 ExternalRoles outside the company will alsobe regulated,such as contractors,partners and service providers
 Ey e-wateringly high cost of non-compliance
 New requirements for notification of data losses through hacking and lackof compliance
 Greater rights for customers tounderstand how their data is tobe used, togive their informed consent, and tomake future
requests tochange their consent
 Risk Assessments
 Priv acy Impact Assessments
2.1.3 GDPR Governance Framework.
Role Description
Data Subject A living natural person – they have rights and PII refers to them
Data
Controller
Specifies how PII is to be manipulated
Data Processor Manipulates the PII on behalf of the Data Controller

DPO Data Protection Officer: A person charged with protecting PII and helping
an organisation to meet the GDPR compliance requirements
Supervisory
Authority (SA)
A national body who enforces the GDPR in EU member states.
EDPB European Data Protection Board: The coordinating layer who provides
consistency between SAs
Third Country A country outside of the EU
Third Party An individual linked in some way to the Data Subject or any company or
organisation to who data is sent
2.1.4
The Parts of the GDPR
AIM
Commentaries & guidelines explaining
why the articles are necessary and
providing an appreciation of how the
law and how the Articles are likely to be
interpreted
GDPR
Recitals99 Articles
AIM
The letter of the
law
The Articles are the
AIM
To allow Data
Subjects to

2.1.5 EnrollHostel Audit Knowledge Repository

EnrollHostel’s24x7x365 NetworkOperationsCentre (NOC)рrоvіdеѕrеаl-tіmе datafromover1,700 services,
аррlісаtіоnѕandрrосеѕѕеѕ inuse асrоѕѕ ourclients’infrastructurenetworks. Alarmingоursecurityandtесhnісаl

analysts, fromwithin ourсlоudѕеrvісеѕ detectsandrеѕоlvеsроtеntіаl problems bеfоrе thеуbесоmе service аffесtіng
to уоurbuѕіnеѕѕореrаtіоnѕ.
Our state-of-the-artNOCenablesquickriskdеtесtіоn,securityраtсhdерlоуmеnt,backup andendроіntmanagement
for yourѕеrvеrѕ,dеѕktорѕ andportable dеvісеѕ.

2.1.6 Audit Plan
GDPR Plan
This GDPR planner aims to help you prepare your business data compliance processes for the
General Data Protection Regulation (GDPR), which comes into force on the 25th of May 2018.
This planner expands on the suggested set of actions for each of the 12 areas issued by the
Information Commissioner’s Office (ICO), but, rather than presenting them by subject matter, it
does so chronologically, breaking down the necessary actions over four periods of time: (1) ground
work (2) planning (3) implementation, and (4) embed/test/review.
Phases 1, 2, 3 and 4 can be seen below.
Phase 1: Groundwork
CATEGORY TASK
DATE
COMMENT
COMPLETED
Consider whether to appoint a Data
Protection Insert date
Officer (DPO) to be responsible for data
protection within your organisation and to
Data Protection
assess whether your current approach to
data day 1
protection compliance will meet the
GDPR’s
Officers
requirements.
Scope out the potential DPO role. See
Precedent: Data protection officer—DPO—
job description and role profile.
Data Protection Assign budget and/or resources to data Insert date Day 2
Officers protection compliance.
Ensure the board receives regular briefings Insert date Day 3 & 4
and updates on the organisation’s
Awareness
preparations for GDPR implementation.
You can cover this in Precedent: Data
protection board report.
Add GDPR compliance as a risk to your Insert date Day 4
Awareness
organisation’s Risk register. Consider the
resource implications on implementing the
GDPR.

CATEGORY
TASK DATE
COMMENTCOMPLETE
D
Conduct an audit of: Insert date
what personal data you receive and/or Day 5
Hold Day 6
how you process personal data Day 7
for what purposes, you process personal
Data
whether you transfer or share personal
data and, if so, to whom and how
how personal data moves within your Day 8
Organisation
whether you transfer personal data
outside the EEA Day 8
Information audit
how you ensure personal data remains Day 9
accurate and up-to-date
−− how you store personal data Day 10
−− how long you keep personal data Day 11
−− how you destroy personal data Day 11
For the first part of the audit (what
personal
data you receive and/or hold), see
Practice
Note: Data mapping and Precedent:
Sample
data processing map.
See also Precedent: Data and
information
register, which can be used to record the
output of your data mapping exercise,
including the remaining parts of the
audit.
Review Practice Note: The General Data Insert date Day 12
Protection Regulation—Rights of the
data
subject, with particular regard to:
Individuals’ rights
−
− data portability
−
− data deletion
−
− direct marketing

−
− objecting to processing
−
− restricted processing
−− automated decision-making and
profiling
Communicating
Review Practice Note: Privacy notices to Insert date Day 13
familiarise yourself with the ICO’s
expectations
privacy information
in relation to privacy notices.

Phase 2: Planning
CATEGORY TASK
DATE
COMMENT
COMPLETED
Proceed with appointment of a DPO or Insert date Day 16
nominated individual to be responsible
for
data protection within your organisation
and
CATEGORY TASK
DATE
COMMCOMPLETE
D
Review all the data you process and
identify Insert date
Day 14
your legal basis for doing so —
generally, this will
Legal basis for
be consent of the data subject. Pay
particular
attention to sensitive personal data.processing
personal
data
Document your findings in a Data and
information register, also known as a
data-processing register.
Consent Protection Regulation—Lawfulness of
processing—New standard for consent.
Children Protection Regulation—Lawfulness of
processing—Parental consent.
Review subtopic: Privacy impact Insert date Day 16
Privacy by design
assessments to familiarise yourself with
the concept of privacy impact
assessments
(PIAs), also known as privacy by design.

Data Protection
GDPR preparation—see Precedent:
Data
protection officer—DPO—job
description
Officer
and role profile.
Decide where the DPO should sit within
your
organisation’s structure and
governance
arrangements.
Legal basis for
Check that your current legal basis for Insert date Day 17
processing data (as recorded in a dataprocessing
personal processing register) will be valid under
the
data
GDPR—see: lawfulness of processing.
CATEGORY TASK
DATE COMMENT
COMPLETED
Consider whether the right to portability Insert date Day 17
will apply to any of the data you process,
ie
personal data an individual has provided
to
you as a data controller, where:
−− the processing is based on the
individual’s
consent or for the performance of a
contract, and
−− processing is carried out by
automated
Means
If so, consider how you will deal with
requests Insert date Day 17
to port data—to include the requirement
to
provide the personal data in a structured,
commonly used and machine-readable
form.
Check your procedures and work out how Insert date

you would react if someone asks to have
their
personal data erased.
Can your current IT systems facilitate the
location and deletion of data or will you
need Day 18
to invest time and money in some form of
enhanced functionality?
Who will make the decisions about
deletion
when requests are received?
Consider whether your systems will be
able Insert date Day 18
to cope with requests for data portability
or
deletion where the data relates to more
than
one data subject.
Review your direct marketing processes Insert date Day 19
(including those of any service providers).
Are you able to remove data subjects who
object to direct marketing?
Consider whether your systems enable Insert date Day 19
Individuals’ rights you to isolate and exclude restricted data
from processing activities

CATEGORY TASK
DATE
COMMENTCOMPLETE
D
Audit whether, to what extent and on Insert date Day 20
what basis your organisation makes use
of
automated decision-making and/profiling
(refer to data processing register). If:
−− you undertake profiling based on
consent,
check that consent is explicit
−− profiling is undertaken on sensitive
personal data, check your processes
enable your organisation to obtain explicit
Consent
Review your internal processes for
dealing with Insert date Day 21
Subject access
subject access requests. Consider
whether
requests
changes are required to be able to
process
requests within one month.
Subject access
Consider conducting a cost/benefit
analysis of Insert date Day 22
developing functionality for people to
access
requests
their own information easily online.
Communicating
privacy
information
Draw up a register of all documents and
intranet and website pages that provide
privacy information. See Precedent:
Privacy notice register.
Audit the wording and functionality of each
Plan for ICO Privacy Code compliance. Day 23

privacy notice
identified in the
register for
compliance with
the ICO Privacy
Code.
See Precedent: Privacy notice audit.
Identify whether the organisation can
make amendments to privacy notices
itself or relies on an external service
provider to make changes.
5

CATEGORY TASK
DATE
COMMENTCOMPLETE
D
Review your current systems for obtaining Insert date Day 24
consent—do you presume consent from
silence, pre-ticked boxes or inactivity? You
can
use Precedents: Privacy notice register and
Privacy notice audit as your starting point.
Consent
If yes, investigate what technological and
other
process changes need to be made to
ensure:
−− consent is given by a clear affirmative
act,
e.g. a written statement, electronic means,
or oral statement
−− separate consent is given for distinct
processing obligations
Consider whether you currently obtain Insert date Day 25
consent as part of a written declaration
which concerns other matters. You
can use Precedents: Privacy notice
register and Privacy notice audit as a
Consent
starting point.
If you do, consider what changes need
to be made to ensure the consent request
is clearly distinguishable from
the other matters, in an intelligible and
easily accessible form, using clear and
plain language.
Consider whether your current systems Insert date Day 26
Consent
provide an effective audit trail of consent
being given. If not, investigate what
changes need to be made.
Consider whether your current system Insert date

Consent
provides simple methods for withdrawing
consent. If not, investigate what changes
need to be made.
6

CATEGORY TASK
DATE
COMMENTCOMPLETE
D
Determine whether the rules on children
will Insert date Day 28
affect your organisation and, if so,
consider:
−− what process changes are required (if
any)
to ensure appropriate parental consent
mechanisms are implemented
Children/consent
−− any codes of practice relating to
children
issued by any relevant regulator
−− whether any process changes are
required to ensure you can demonstrate
you properly consider whether a child’s
interests may override your own (if
relying on legitimate interests to justify
processing)
Review your information security Insert date Day 28
Data breaches arrangements—see Precedent:
Information security review.
If you have not already done so, Insert date Day 29
implement a data breach policy or plan.
See subtopic: Managing data breaches,
Data breaches which contains a range of tools and
Precedents including: Data breach
plan, Data breach panic sheet and
Data protection breach management
workflow.
Review data protection clauses with Insert date Day 29
external providers to ensure they require
Data breaches prompt notification to you of any data
security breach and appropriate
remedies,
including termination.

Data protection
by design Consider your organisation’s strategic
Insert
date
plan and ICT plan. Are there any
activities Day 29
within the foreseeable future that may
trigger the need for a PIA?
If yes, ensure your project plan(s)
make
provision for conducting a PIA to
ensure
privacy by design—see Precedent:
Privacy
impact assessment.
7

CATEGORY
TASK
DATE
COMMENTCOMPLETE
D
Collate contract documentation for all
third Insert date Day 30
Information audit
parties with whom you share data. This
information should be available in your
data
processing register
Determine which national data protection Insert date Day 30
supervisory authority you come under—
for
the vast majority of organisations, this is
likely to be the ICO.
International
If your organisation operates from other
Member States, map out where the
most significant decisions about data
processing are made. This will help to
determine your organisation’s main
establishment and therefore your lead
supervisory authority.
Phase 3: Implementation — by the end of December 2017
CATEGORY TASK
DATE
COMMENT
COMPLETED
Make necessary changes to your
systems and Insert date Day 31
processes in relation to:
−− data portability
−− data deletion
−− direct marketing
−− objections to processing
−− restricted processing

−− automated decision-making
and/profiling Day 32
Subject
access
requests
Make necessary changes to your
Insert
date
systems and processes in relation
to subject access requests. This will
include amending response letters
and
timescales.
8

CATEGORY
TASK
DATE
COMMENTCOMPLETE
D
Legal basis for
Implement a process for making and
recording Insert date Day 32
decisions on processing activities
beyond theprocessing
personal scope for which consent was given,
taking into
data
account the factors in GDPR, Art 6(4).
Communicating
Finalise updated privacy notices.
Insert date Day 32
privacy information
Make changes to your consent systems
and Insert date Day 32
processes as required to ensure:
−− any request for consent is clearly
distinguishable from the other matters,
and is made available in an intelligible
and
easily accessible form, using clear and
plain language
Consent
−− consent is given by a clear
affirmative act, Day 33
eg a written statement, electronic
means,
or oral statement
−− separate consent is given for distinct
processing obligations
−− there is an effective audit trail of
consent
being given
−− there are simple methods for
withdrawing
consent
If you offer information society services Insert date Day 33
directly to children, make necessary
changes
to your systems and processes:
Children/consent
−− in relation to parental consent

9
−− to demonstrate you properly
consider
whether a child’s interests may override
your own (if relying on legitimate
interests
to justify processing)
Update your Data breach plan for
consistency Insert date Day 34
Data breaches with the GDPR, eg regarding notification
requirements.

CATEGORY TASK
DATE
COMMENTCOMPLETE
D
Ensure data protection clauses with
external Insert date Day 34
Data breaches
providers require prompt notification to
you
of any data security breach and
incorporate
appropriate remedies, including
termination.
Embed a culture of privacy by design, Insert date Day 35
Privacy by design
ensuring that any high privacy-risk or
high
impact projects incorporate a PIA.
Review contract documentation for all Insert date Day 35
third parties with whom you share data.
Consider the extent to which contract
clauses require amendment for
compliance with the GDPR. See
Information audit
Precedents: Data processing
provisions— Day 35
DPA 1998 and GDPR compliant—
pro-controller and Data processing
provisions—DPA 1998 and GDPR
compliant—pro-processor.
Negotiate with relevant third parties.
Awareness
Plan a programme of staff training and Insert date Day 36
awareness.

Phase 4: Embed, test and review — by the end of April 2018
CATEGORY TASK
DATE
COMMENTCOMPLETE
D
Ensure system and process changes
have Insert date Day 37
gone live in relation to:
−− consent (including in relation to
children)
−
− data portability
−
− data deletion
−
− direct marketing
−
− objections to processing
−
− restricted processing
−
− subject access requests
−− processing activities beyond the
scope
for which consent was given
Test and review the new systems.
Communicating
Publish updated privacy notices and
ensure Insert date Day 38
any external providers update relevant
privacy
privacy information
notices published on your behalf.
Roll out and test updated Data breach
plan Insert date Day 39
Data breaches
for consistency with the GDPR, e.g.
regarding
notification requirements.
Data breaches Insert date Day 40

1
Train staff on all new policies and
procedures.
Privacy by design
Ensure any large-scale projects that
impact on Insert date Day 41
privacy incorporate a PIA.
Check that contract documentation for all Insert date Day 42
Information audit third parties with whom you share data is
GDPR-compliant.
2.1.7 Compliance Dashboards
The compliance team рrоvіdеѕrеаl time datavisibilityformonitoring asperthe following dashboards:

3
Fig: NOC Main Dashboard
Fig: Threat Activity report

4
Fig: Types of report dashboard
Fig: Devices dashboard
Fig: Device Executive summary

5
Fig: Device executive summary – 2
Fig: Device executive summary - 3
2.1.8 VULNERABILITY TESTING
A vulnerabilityassessment/evaluationisaprocedure usedtorecognizeanddole outseriousnesslevelsto
whatever number security surrenders as could reasonably be expected in a given time period. This
procedure may include robotized and manual systems with changing degrees of meticulousness and an
accentuation on thorough scope. Utilizing a hazard-based approach, weakness appraisals may target

6
diverse layers of innovation, the most widely recognized being host-, network-, and application-layer
evaluations.
Directing vulnerability appraisals enable associations to distinguish vulnerabilities in their product and
supporting framework before a bargain can happen. A vulnerability can be characterized in two ways:
• A bug in code or an imperfectioninprogrammingplanthatcan be abusedto cause hurt. Misuse
may happen by means of a verified or unauthenticated aggressor.
• A hole in securitymethodsora shortcomingininteriorcontrolsthat whenmisusedoutcomesin
a security break.
Our dedicated team at EnrollHostel provides Vulnerability evaluations that are intended to yield a
positionedororganizedrundownof aframework'svulnerabilitiesfordifferentsortsof dangers.Usingthis,
we will utilize these evaluations know about security hazards and comprehend they require help
distinguishing and organizing potential issues. By understanding their vulnerabilities, we can plan
arrangements and patches for those vulnerabilities for consolidation with their hazard administration
framework.
The pointof viewof adefenselessnessmayvary,contingentuponthe frameworksurveyed.Forinstance,
a utilityframework,similartopowerand water,may organize vulnerabilitiestothingsthat coulddisturb
administrations or harm offices, similar to cataclysms, altering and psychological oppressor assaults.
Notwithstanding, a data framework (IS), like a site with databases, may require an appraisal of its
powerlessnesstoprogrammersanddifferenttypesof cyberattack.Thenagain,aserverfarmmayrequire
an appraisal of bothphysical andvirtual vulnerabilitiessinceitrequiressecurityforitsphysical office and
digital nearness. This is where we pitch in to provide the best of services and line up the possible cases
and assessments you need.
2.2 EXECUTION PLAN
2.2.1 SERVICE DELIVERY APPROACH
EnrollHostel isof the opinionthatgovernance ismultifacetedwithitsorganizational structure,customer
engagement, relationship models, processes and metrics. When the business and operational
environmentiscomplexthere isagreaterneedforrobustgovernance,aswithoutitthereisincreasedrisk
of shared service and vendor partnership value leakage.
1. Plan Assessment
2. Design & Architect for privacy
3. Fill The Gap
4. Operate
5. Conform to Standard
BusinesssucceedswhenITrunsbetterandquickerwithreducedcost.OurOperations&SupportServices
is based on ITIL driven Service management framework, coupled with the state of the art tooling and
processes helps IT organizations cut cost, reduce risk and drive down IT Cost. Our mission is to reduce
incident trend targeting zero count and to ensure availability and reliability of applications to meet the
service levelcommitmentforeachapplication.We proactivelymonitoruserexperience,businessmetrics,

7
critical components and processes to analyze and fix incidents before end-users are impacted or
experience any delay, and thus ensure business critical apps perform at peak efficiency and availability
without any downtime.
The diagram below illustrates our approach to building an effective and high-performing
support/operations service.

8
2.2.2 INCEPTION
A teamcomprisingthe service deliverymanagersfrom EnrollHostel andSchool will be setupfordetailed
planning/resource assignmentand scope finalization.The teamwouldschedule,prioritize andmonitor
the tasks,as well asprovide statusreports.The tasksassociatedwiththisphase are highlightedbelow:
Activities Teams Involved
EnrollHostel
Team
School
Team(s)
Existing
Vendor
Team(s)
Identify Processes:
Standard
ProcessFlowCharts
  
Identify existing Documentation and Knowledgebase   
Team Ramp-up 
2.2.3 KNOWLEDGE TRANSFER
During this phase, the EnrollHostel support team will gain and share the knowledge about the
environmentandinfrastructure tobe supported.Existing School andvendorteamswill alsobe involved,
as required.
Activities Teams Involved
ENROLLHOSTEL
Team
School
Team(s)
Existing
Vendor
Team(s)
Study Processes:
Standard
ProcessFlowCharts
  
Reporting / Interfaces (If any changes) / Access   
Environment / System Landscape / Architecture /
Database
/ Servers / Hosting
  
Study Documentation and Knowledge Base   
Issue /Back Log forlast 3 monthsandlast quarterof
previousyear(foryear-endissues)   
DetailedRolesandResponsibilities  
The EnrollHostel Knowledge Transfer model promotes:
 Preparing SOPs and other documents (e.g. architectural details of environment, workflow
diagrams etc.)
 Maintaining strong known issues databases

9
 Capture of knowledge through collaboration both by explicit (interviewing and observation
process; ticket-by-ticket analysis) and implicit (discussion forums, blogs, error database and
reusable components repository) means.
 Ensure acquired knowledge is easily retrievable.
 Knowledgesharingacrossmultiple anddisparate ENROLLHOSTELresources
 Reductionof informationoverload/capturethroughreplicationbestpractices.

10
2.2.4 STEADY STATE OPERATIONS
EnrollHostel’s team will commence steady-state operations will full SLA compliance. SLA
measurement as per targets would be measured and reported to SCHOOL.
All the handover from current vendor team(s) will be considered complete, and they can be
disengaged from the project at the start of Steady-State Operations.

12
Effective implementationof Auditstrategy,andleverage the bestpracticesof ITService Management
(ITSM) concepts.The main focusfor IT Auditandcompliance istoexecute the businessrequirements
definedatthe Service Deliverytothe business.The diagrambelow illustratesthe variouscomponentsof
an ITSM approach.
The important components of ITSMfor having a Network-First strategy are as per below:
Access Management
Implementation of security polices defined by Information Security Management. The implementation
should include physical barriers to systems such as VLAN separation, firewalling, and access to storage
and applications.
Change Management
Establisha processfor controllingthe life cycle of all changeswhile minimizingdisruptiontooperations.
Test and review all changes that are candidates for automation vs, mechanized.

13
Service Asset and Configuration Management
Establish a process for maintaining information on assets, component, and infrastructure needed to
provide services. Informationonassetsshouldcontainpast andcurrentstatesandfuture-statesforecast
for demand portfolio.
Release & Deployment Management
Establish a predictable and homogenized release and deployment process to protect the production
environment. Ensure during capacity planning hardware and VM specifications are pre-defined and
tested,priortodeploymentcycle. UtilizeVMcomponenttemplatesapprovedforproductionsuchasVM
images and Gold images.
Knowledge Management
Establisha knowledgemanagementprocessforgathering,analyzing,andstoringandsharingknowledge
within the IT organization
Incident & Problem Management
Establishaprocessforresolvingeventsthatare impactingservicesinthe virtualizedenvironmentassoon
as possible with minimal disruption. Identify and resolve root causes of incidents that have occurred as
well as identity and prevent or minimize the impact of incidents that may re-occur.
Request Fulfillment
Management of all service requests while utilizing best practices for managing requests. All services
requests will be documented in the services catalog and will include SLA on when the request will be
completed.
Systems Administration
Regularly perform systems administration tasks and mature towards automation and scripting skills.
2.3 ACCOUNT MANAGEMENT & TECHNOLOGY TEAM STRUCTURE
2.3.1 AUDIT ACCOUNT MANAGEMENT
Despite havingmultiple Centersof Excellence,practicesandbeingdrivenbyIndustry’sStandardsandBest
Practices, EnrollHostel firmly believes and promotes a Client Centric model where each engagement is
tailored explicitly around the client’s needs and business drivers.
To thisextent,ithascreatedthe ClientSolutionsgroup,whichprovidesadedicatedAccountManagerand
Solution Specialists who actively interact with all the stakeholders within each client’s organization not
only to understand the business needs and requirements but also to align the proper services and
resources that will ensure maximum benefits to the client. Additional, these two entities indirectly
validate the qualityof the deliveryandprovide feedbackandinputstothe Global DeliveryOrganization.

15
2.3.2 PROJECT TEAM STRUCTURE
2.3.2.1 TEAM STRUCTURE
Director Audit Committee
IT Audit Team IT Audit Team Legal IT complaince Team
IT Audit Manager
Chief Audit Executive
IT AuditManager
Lead Auditor
Internal Auditors
Department 1
Internal Auditors
Department 2

16
2.3.2.2 TEAM ROLES & RESPONSIBILITES
Role Description
Data Subject A living natural person – they have rights and PII refers to them
Data
Controller
Specifies how PII is to be manipulated
Data Processor Manipulates the PII on behalf of the Data Controller
DPO Data Protection Officer: A person charged with protecting PII and helping
an organisation to meet the GDPR compliance requirements
Supervisory
Authority (SA)
A national body who enforces the GDPR in EU member states.
EDPB European Data Protection Board: The coordinating layer who provides
consistency between SAs
Third Country A country outside of the EU
Third Party An individual linked in some way to the Data Subject or any company or
organisation to who data is sent
Role Responsibilities
Delivery
Manager
(Audit)
 Reviewingandunderstandingthe responsibilitiesof eachpartyunderthisSOW.
 Workingwith School teamto accomplishthe tasksoutlinedinthisSOW.
 Maintainingregularcommunicationswiththe School teamonengagementprogress.
 Assistinginthe resolutionof deviationsfromthe scope/planthatmayimpact
deliverables,schedulesand/orcosts.
 Provide managementupdate of the projectteamdeliverablesprogramgovernance
metricsandreport onengagementhealthto School stakeholders.
 Ensure that the engagementremainshealthyandtasksoutlinedwithinthe SOWare
executedtothe client’ssatisfaction.

17
SeniorAuditors  Coordinate/manageendtoendsupportandoperationsrelatedactivitiesandprioritize
userrequestsand problemsaccordingtoseverityandexistingworkload.
 Optimize effortwithembeddedbestpracticesthataccelerate time tovalue
 Manage projectteamdeliverables/qualityissues/SLAs.
 Ensure all outagesare communicatedandaddressedwithinthe stipulatedtimeframe.
 Manage the shiftschedule andavailabilityof resources
 Supportoperational tools
 Manage properdelegationof supporttaskamongall supportteammembers.
 Provide clarificationaboutnew andexistingprocesses
 AssistSchool managersinall projectrelatedtasks,includingticketmanagement.
 Maintainand update documentation.
 Followdefinedguidelinesand processesand ensure the otherteammembersalso
followit.
 Planand participate inService ImprovementandValue-additionactivities
 Plancross-traininginitiativeswithinthe team
JuniorAuditors  Work on supportandoperationsrelatedactivities/tasks/tickets–primarilyon Network
Operations/activities
 Optimize effortwithembeddedbestpracticesthataccelerate time to market
 Guide otherteammembersonbestpracticesandtechnologyenhancements
 Planand participate inService ImprovementandValue-additionactivities
 Define andenhance supportprocesses
 Provide necessaryadvisoryservicesto SCHOOL
 Provide on-call supportonweekends/USholidays
Lead Auditor
GDPR
 Work on support and operationsrelatedactivities/tasks/tickets – primarilyon IT
Operations/ activities
 Maintain constant communicationwith customers and SCHOOL stakeholders,
especiallywiththe onsite leads.
 Prioritizationof userrequestsand problems,withlead /manager, according to
severityand existingwork load
 Coordinate with other SCHOOL teams for issue resolution
 Support operational tools
 PerformRCAs
 Followguidelinesofdefinedsupportprocesses.

18
3 PART III – REFERENCES & ENROLLHOSTEL CAPABILITIES
3.1 CASE STUDIES
Some of the salientprojectsthat EnrollHostel hasdone inthe pastinclude the following(additional
detailshave beenprovidedasCase Studiesinthe proposal documentinANNEXUREI)
Customer* Services Details
LeadingGovernment GDPR Consulting GDPR assessment,GDPRGap
Analysis,GDPRinternal audit,
GDPR external audit,DPIA Data
protectionimpactassessment,
Leadingglobal Insurance Regulator PrivacyControls
consulting
PrivacyLaw based
audit/assessment, AssigningDPO
Role/team,PrivacyGapAnalysis
Privacyinternal audit,Privacylaw
external audit.
Leadingmulti-nationalBank PrivacyLaw consulting PIIassessment,PrivacyLaw based
audit/assessment,,PrivacyGap
AnalysisPrivacyinternal audit,
Privacylaw basedexternal audit
*Due to contractual obligations, we are not permitted to explicitly name the organization for which these
services were provided.
Some of the key tasks that EnrollHostel teams have been involved in projects with Managed
Operations/Support included:
a) Privacy Audit/assessment , PII processing lawfully.
b) GAP Analysis to Reach for GDPR compliance
c) Privacy by design
d) Data Protection Impact assessment
e) Appointing and building Data Protection Officer Team.
f) Remedies, liability, & penalties
g) Provisions relating to specific processing situations
h) Delegated acts and implementing acts

19
3.1.1 CASE STUDY 1
Name and Address Leading Government in EMEA Region
Contracting Activity GDPR Audit
Contract Type Fixed Price
Description of Services
*Due to contractual obligations, we are not permitted to explicitly name the organization for which these
services were provided.
The Challenges
 Client wanted to Assess its privacy based on new privacy law.
 Privacy Audit/assessment , PII processing lawfully.
 GAP Analysis to Reach for GDPR compliance
 Privacy by design
 Data Protection Impact assessment
 Appointing and building Data Protection Officer Team.
 Remedies, liability, & penalties
 Provisions relating to specific processing situations
 Delegated acts and implementing acts
Solution
The enterprise leveragedServerOperationsandCrisisManagementteams.Teamalsoworkedclosely
withthe other dependent team for any changes and upgrades to the production web applications.
Benefits Delivered
3.1.2 CASE STUDY 2
Name and Address Leading media and entertainment company in US*
Contracting Activity 24 x 7 Infra-support

20
*Due to contractual obligations, we are not permitted to explicitly name the organization for which
these services were provided.
The Challenges
The IT team of the Insurance company is responsible for provisioning and managing the entire
enterprise ITinfrastructure acrossmultiple locations.The primaryobjective wasto fix Privacyaspect
withrespecttoprovidinglegally,regulatorycomplaintandcompetitive ITelements.Thisautomation
would enable higher compliance to privacy and help the IT team and customer in managing day-to-
day operations more effectively. The IT team had a challenge in terms of managing IT across
distributed locations and the huge impact of smooth IT operations on business services.
Solution
The privacyassessmentwasdone and solutionwasdeployedcentrallyatthe IT operationscenterto
proactively monitor the network, systems, applications and database infrastructure and notify users
if there is any privacy issue.
The solution deployed is used to monitor privacy aspect for regulatory and legal compliance of the
critical networkdevices.Service levelcommittedbythe service providerisbeenverifiedbyusingthe
availability service level report available from NOC solution service.
The solution was deployed for monitoring multiple key performance indicators of various elements
including;
 Routers,switches ->Availability,responsetimes,CPUutilizationandmemoryutilization,
customSNMP expressions-basedperformance metrics
 MPLS links -> availability,response timesandutilization
 Servers->Resource utilizationbyCPU,Memory,Disk,Bandwidth,etc
 Databases-> table space utilization,logfileutilization,deadlocksandqueryresponse times
 Applications ->service availability
 WebServices ->availability
Benefits Delivered
 Privacy by design service was deployed to centralize incoming service requests to various
departments.
 A streamlined service request, routing, tracking, escalation, resolution and closure has
brought about accountability within each department.
 The automatedroutingandSLA monitoringcapabilitieshave reducedissueclosure timesand
have improved end user satisfaction.
 The NOC solution deployed has helpedthe IT staff to provide better service response, quick
resolution of end user reported issues with flexible workflow-based automation and has
enabled higher customer satisfaction across organization.
3.1.3 CASE STUDY 3
Name and Address Leading media and entertainment company in US*
Contracting Activity 24 x 7 Infra-support

21
*Due to contractual obligations, we are not permitted to explicitly name the organization for which
these services were provided.
The Challenges
The IT infrastructure companyisdistributedacross10 locations.There are about100 critical network
elementsincludingrouters,switches,linksetc.The IToperationsrunon20+critical windows2000and
2003 servers. There are about 15+ mission critical applications that run on variety of Microsoft SQL
and proprietary databases. These applications also include web based middleware and other web
services based application.
The few objectives for IT Infrastructure monitoring include the following:
 Proactive auditing/assessment of networks, systems, applications, databases, IT services
infrastructure for availability and performance
 Determine root cause, fix problems quickly and ensure mission critical applications are
healthy and available for end users conflicting with GDPR.
 Enhance enduserperceptionof IT servicesbyensuring privacy protection resolutiontoend
userissues.Ensurethatthe ITteamisaccountableinclosingenduserreportedissuesontime
with higher user satisfaction.
 Auditprivacy of hosts,applications,locations,departmentsincludinghourly,weekly,monthly
usage trends
 Plan future privacy needs like privacy by design need are met in advance and maintain the
competitive edge
Solution
 The Privacy by design solution was deployed to monitor core IT services like messaging
services, ERPservicesandEIPservices.The teamusesNOCtool toensure availabilityof these
services to the branches is proactively monitored and accounted
 Real time dashboards and historical reports were made available as part of a build in web
based portal and are used by the IT team to examine and optimize resource compliance.
 The non-invasive,agentlessmonitoringcapabilityof complaince wasdeployedtohelpthe IT
team for easy and faster deployment for monitoring across local and remote servers,
databases, applications
 Flexible notification and escalation capabilities of Complaince were used for proactive
monitoring of faults and performance breaches. This helped the IT engineers to fix issues
before they are reported by end users.
Benefits Delivered
 The Complaince Assessment and analysis helped to audit better manage applications
compliance across locations, departments
 Better manage compliance for PII assessment, Privacy Law based audit/assessment, Privacy
Gap Analysis Privacy internal audit, Privacy law based external audit
 Better Privacy Compliance for application, link availability and performance
 Quick response time & resolution resulting in customer delight
3.2 ENROLLHOSTEL | CAPABILITY

22
EnrollHostel isfoundedonastrong foundationof architecture,process,and aprivacy-basedapproachto
technologysolutions.Ourprofessionalsconsistentlyuse these fundamental principlescoupledwithout-
of-the-box thinking to deliver creative and robust solutions that meet our clients stated as well as
unanticipated needs. This approach allows us to deliver solutions that combine our expertise around
development,supportandtestingusingacontinuousintegrationapproachwithindustryleadingproducts
in various functional domains. Our core competency is the ability to quickly understand the client’s
business needs and deliver an elegant and robust, yet cost-effective solution.
Over the past 10 years, customers have engaged EnrollHostel for solutions and services across a wide
variety of technologies. EnrollHostel has constantly innovated and kept abreast of new and emerging
technologies in IT infrastructure, Security & Internet Of Things, amongst others.
3.2.1 PROGRAM GOVERNANCE
EnrollHostel has a well-defined program governance process, which closely monitors customer
satisfaction, service levels and quality. Periodic reviews are conducted to ensure that services are being
delivered to exceed customer expectation and seek feedback.
 Monthly business review is conducted to review service levels, process compliance, issues to be
escalated, targets and improvements for next month.
 Quarterlyexecutive briefings,presentopportunitytodiscusspastperformance,recommendations
and focus areas for future.
3.2.2 CONTINUAL SERVICE IMPROVEMENT (CSI)
EnrollHostel continuallyinstitute processandmethodologythatmeetsrequirementsandalso allowsfor
needsthatadjustbasedonclientchangingbusinessdynamics.Toachieve ourobjective of providingbest
in class services, our project teams adhere to continual improvement framework based on ITIL best
practices. The team will continually identify areas of improvement and provide recommendation on:
 Deployingandenhancingcontinuousintegration frameworksforcode deploymentandautomated
deployment
 Build IT automation for important processes, such as automatic deployment and operations,
automatic ticket creation based on monitoring alert, integration of monitoring tools
 Proactivelymonitor,identifytrendandaddresssituationsandproposesolutionsinordertorestore
and resolve critical issues in a timely fashion
 Use ITIL techniques to improve the processes used.
 Proactively work closelywith client teamsand third-party development for operational readiness
and hand off of new development and applications
3.2.3 KNOWLEDGE MANAGEMENT
The EnrollHostel Knowledge Management approach promotes:

23
 Capture of knowledgethroughcollaborationbothbyexplicit(interviewingandobservationprocess;
case-by-case analysis) and implicit (discussion forums, blogs, error database and reusable
components repository) means.
 Organize the acquired knowledge so that it is easily retrievable.
 Share and distribute knowledge through wiki documentation, run-books, standard operating
procedures etc.
 Use and reuse knowledge for operational efficiency, improvement, automation
3.2.4 TEAM COMPETENCY AND SKILLS ENHANCEMENTS
To be on the forefrontof the ever-changingITtrends in business,itisimperative foranyorganizationto
constantly update and reinvent itself. EnrollHostel aims to achieve this through a strategic skill
enhancement program that involves every employee. Industry trend, analysts identify key areas of skill
enhancement keeping in view, our core competencies and goals.
EnrollHostel continuallystrivestoaugmentitsteamcompetencyandskillsconsideringthe changeinclient
processes, technology,tools, and domain knowledge and encourages and facilitates across the board
technical certification programs. Along with acquiring formal technical certification, it also empowers
employeeswithenhancedskillsandknowledge.We sponsorthese certificationsandproactivelyarrange
formal sessionsbetween industry expertsand our professionals. Some of the where our projects teams
get trainings from internal and external trainers are, Soft Skills, Technical Trainings on disruptive and
emerging technologies, team management, leadership etc.
3.3 ENROLLHOSTEL | PROJECT MANAGEMENT PROCESS
EnrollHostel ensuresthatall projectsundertakenby itsteamare beinggovernedandmanagedeffectively
meeting the customer expectations.
Below are the key project monitoring & control processesthat will be followed to track the progress of
the project delivery. Some of these may be tailored based on specific plans during project execution.
 Track project planned activities against the actual and update critical dependenciesin schedule
accordingly with the revised planned dates
 Status Reporting of ongoing project activities & implement corrective actions based on the
comments received from different stakeholder
 Internal team meetings
 Project customer meeting
 Monthly business reviews
 Track the estimates for reviewing the planned vs. actual effort throughout the project lifecycle
 Monitor Risks associated with cost, resource and schedule aspects and perform ongoing risk
identification and management in conjunction with client stakeholders.
 Review any changes to the allocated requirements according to change management process

24
 Collect measurement data for the project regularly throughout the project life cycle in data
collection plan on a monthly basis. This is done for the purpose of analysis & plan the preventive
and corrective actions
 SLA Monitoring & Tracking
3.3.1 REPORTING METRICS
Below is a list of typical metrics that EnrollHostel team would produce during the course of thisproject.
These metrics can be tailored in discussion with School at the time of project initiation.
Service Desk Support Reports
 Daily – ticket report, Pending & Closed ticket reports.
 Weekly – ticket trend report, ticket analysis report.
 Monthly – ticketAnalysis report, ticketTrendReport,Uptime reports,Backup and restore Report,
RCA, Escalated ticket report
Incident Management
 Number of repeated Incidents, with known resolution methods
 Number of Incidents resolved remotely by the support teams
 Number of escalations for Incidents not resolved in the agreed resolution time
 Average time for resolving an incident
 Percentage of Incidents resolved by L2 without L3 involvement
 Rate of incidents resolved during solution times agreed in SLA
Problem Management
 Number of problems logged
 Average time for resolving problems
 Number of problems where the underlying root cause is not known at a particular time
 Number of reported incidents linked to the same problem after problem identification
 Average time betweenfirstoccurrenceof anincidentandidentificationofthe underlyingrootcause
 Average work effort for resolving problems
Service Level Management
 Number of services covered by SLAs
 Number of Services where SLAs are backed up by corresponding OLAs/ UCs
 Number of monitored Services/ SLAs, where weak-spots and counter-measures are reported
 Number of Services/ SLAs which are regularly reviewed
 Number of Services/ SLAs where the agreed service levels are fulfilled
 Number of issues in the service provision, which are identified and addressed in an improvement
plan
Availability Management
 Availability of applications relative to the availability agreed in SLAs and OLAs
 Number of service interruptions
 Average duration of service interruptions
 Percentage of applications components under availability monitoring
 Number of implemented measures with the objective of increasing availability

25
Security Management
 Number of preventive security measures which were implemented in response to identified
security threats
 Duration from the identification of a security threat to the implementation of a suitable counter
measure
 Number of identified security incidents, classified by severity category
 Number of security incidents causing service interruption or reduced availability
 Number of security tests and trainings carried out
 Number of identified shortcomings in security mechanisms which were identified during tests
3.3.2 ESCALATION HANDLING
EnrollHostel expects that all queries & issues related to successful execution of the project would be
discussed and resolved via various meetings as per the CommunicationPlan. However, there may be
instanceswhere eitherSchool orEnrollHostel managementencounters orforeseesanyissuesthatneed
direct and prompt attention of other side’s management.
3.3.3 COMMUNICATION PLAN
Meeting
Type/Purpose
Frequency Participants (EnrollHostel) Participants (School)
Project
Discussion/Issue
Resolution
Needbasis • Technical Lead
• Otherteammembers
(optional)
• ProjectManager
• IT SPOC
Project Status Review Weekly • Service DeliveryManager
• Technical Lead
• ProjectManager
SteeringCommittee
Review
Monthly • EngagementManager
• Technical Lead
• Service DeliveryManager
• ProjectManager
• ProjectChampion

26
3.3.4 RISK MANAGEMENT PLAN
EnrollHostel proposes to use industry-standard FMEA tool (Failure Mode Effect Analysis) for managing
risks.FMEA aidsinanalysisof potential failures,problemsordefectswithinasystemusingaclassification
by the severity and likelihood of the failures. Using the FMEA analysis, the project team can plan for
appropriate mitigation & contingency strategies.
3.3.5 CHANGE MANAGEMENT PROCEDURE
EnrollHostel understands that a project often requires changes during execution, and hence proposesa
robust change management procedure. EnrollHostel proposes that a Change Management Board is
established that has authority to approve, partially approve or reject any change request. The Board
would comprise of:
ENROLLHOSTEL
 Service Delivery Manager
 Engagement Manager
School
 Project Manager
 Project Champion
 Sourcing (optional)
Risk
Identification
via FMEA
Develop
Mitigation &
Contingency
Plan
PeriodicRisk
Review
Address
major risks
Update
FMEA
Trigger for Change
 Scope
 Requirements
 Tools & Technology
 Schedule Adjustments

27
Impact Analysis
• Schedule
• Effort
• Cost
• Artifacts and Deliverables
Submission of formal Change
Request (CR)
Discussion & Approval of CR by
Change Management Board
Updated CR
Implementation of CR
• Contract
• Project plan
• Artifacts & Deliverables

28
3.4 ENROLLHOSTEL | COMPLIMENTARY VALUE ADDED SERVICES
EnrollHostel’s decade old expertise in managing networks infrastructure brings a lot of advantages as
compared to other IT Managed service providers.
Since we always strive for bringing the best possible robustness to our clients’ networks, we will be
bringing the following as complimentary services:
- Complimentary Anti-virus software license for all end-point devices along with maintenance
- Complimentary Penetration Testing to test the robustness of the installed network
3.5 ENROLLHOSTEL | DIFFERENTIATORS | Services
EnrollHostel is one of those rare organisations, that not only possesses leading IT Infrastructure
management professionals but also a global group of cybersecurity professionals.
With security clearances of the highest order (US Fed clearance), our professionals have led many
“Incident Response teams” carrying out “Forensics” for networks that have been breached.

30
3.5.1 CYBERSECURITY SERVICES
In tоdау’ѕinformationесоnоmу,dаtасаnbe уоur оrgаnіzаtіоn’ѕmostvaluableаѕѕеt,butwіththе rіѕе of
mоbіlе tесhnоlоgу, сlоud соmрutіng,аnd еxроnеntіаllу grоwіng vоlumе of digital іnfоrmаtіоn, kееріng
that dаtа ѕесurе аlѕо bесоmеѕ оnе оf уоur grеаtеѕt сhаllеngеѕ.
No оnе is immune to data lоѕѕ іnсіdеntѕ, and nо оnе is bеttеr еԛuірреd than EnrollHostel tо help уоu
іdеntіfуаnd сlоѕе gарѕ thаt рut уоur оrgаnіzаtіоn’ѕ cyber ѕесurіtу аt rіѕk. Information ѕесurіtу іѕѕuеѕ —
such as data brеасhеѕor employee mіѕсоnduсt — are a соnѕtаnt worry fоr C-ѕuіtе lеаdеrѕаѕwеll as fоr
frоnt-lіnеmаnаgеrѕіnуоurorganization.Cуbеrѕесurіtусhаllеngеѕputѕеnѕіtіvеdataаt rіѕkandсаn соѕt
your соmраnу time, revenue and rеѕоurсеѕ.
EnrollHostel offersextensivecybersecuritystrategyandѕеrvісеѕthatсаnbе аррlіеdtomееtyourunіԛuе
rеԛuіrеmеntѕ,whеthеr thеуbе rеlаtеd tо a ѕуѕtеm, аn аrсhіtесturе, a network, роlісу establishmentоr
рrосеѕѕ implementationand improvement. Wе wоrk with оrgаnіzаtіоnѕ аt vаrіоuѕ stages оf thеіr суbеr
ѕесurіtу ѕtrаtеgу dеvеlорmеnt and суbеr ѕесurіtу program іmрlеmеntаtіоn.
3.5.1.1 GDPR Services
A Penetration test(Pen-test) is a procedure to assess the security of an IT foundation by securely
attempting to misuse its vulnerabilities. These vulnerabilities may exist in working frameworks,
administrations,operatingsystemsandapplicationblemishes, inappropriate arrangementsordangerous
end-client conduct. Such evaluations are likewise helpful in approving the viability of protective
components, and, end-client adherence to security arrangements.
EnrollHostel’steamof leadingPen-testersthattestthe effectivenessof the security of the organization.
This is accomplished by emulating the behaviors and techniques of likely attackers in the most realistic
way possible.

31
3.5.1.2 Corporate Trainings Privacy/Security Awareness
Privacy/Security awareness is the learning and demeanor individuals from an association have with
respect to the assurance of the physical, and particularly enlightening, resources of that association.
Numerousassociationsrequire formalsecuritymindfulnesspreparingforallspecialistswhentheyjointhe
association and intermittently from there on, normally every year.
EnrollHostel commitson providing this training and practice to all its employees and clients and letting
them know about the possible outcomes thereafter.
Being“securely aware”means;onecomprehendsthatthere isthe potentialforafew peopletopurposely
or coincidentally take, harm, or abuse the information that is set aside inside an organization's PC
frameworks and through its association. Along these lines, it is judicious to help the advantages of the
foundation (data, physical, and individual) by attempting to prevent that from happening.
The focal point of Security Awareness here at EnrollHostel is to accomplish a long haul move in the
disposition of workers towards security, while advancing a social and behavioral change inside an
organization.Securitystrategiesoughttobe seenaskeyempoweringagentsforthe association,notasa
progression of principles confining the proficient working of your business. We provide Security
Awareness training to our new employees and keep them up to date with these principles.

32
3.5.1.3 Email Privacy & Security with Office 365 Integration
Email isthe mostimportantbusinesscommunicationtool—andsimultaneously,the leadingthreatvector
for cyber-attacks.Infact,accordingto the CiscoMidyearCybersecurityReport,attackersturntoemail as
the primary vector for spreading ransomware and other malware.
Mass spamcampaignsare no longeryouronlyemail securityconcern.Attackersscoursocial mediasites
to find information on their intended victims and then create sophisticated and highly targeted
ransomware, business email compromise (BEC), and phishing campaigns.
EnrollHostel’sEmailSecurityenablessecure emailuseandprotectstheleadingattackvectorwithmultiple
layers of protection using Cisco’s Email Security.
Gain a robust layerof defense againstransomware,businessemail compromise,phishing,andmore for
Office 365 solution.
It helpsprotectyour networkfrom threatsin incomingemail while helpingpreventthe lossof business-
sensitive data in outgoing mail.
Benefits
 Block more threats with comprehensive threat intelligence from Cisco Talos- one of the largest
commercial threatintelligence teamsinthe world,comprisedof world-classresearchers,analysts
and engineers.
 Combat ransomware hidden in attachments that evade initial detection with Cisco Advanced
Malware Protection (AMP).
 Stop BEC and phishing attacks with superior URL intelligence and forged-email detection

33
 Protectsensitive contentinoutgoingemailswithdatalossprevention(DLP) andeasy-to-use email
encryption, all in one solution.
 Gain maximum deployment flexibilitywith a cloud, virtual, on-premises,or hybrid deployment or
move to the cloud in phases.
3.5.1.4 Cyber-Forensics
Our Forensics and Investigation solutions provide an attack’s context, infrastructure-wide visibility,
codified expertise, rich intelligence, and insights gained from front-line experience responding to the
world’s most impactful threats. Empowering your infrastructure with everything you require to rapidly
detect, triage, investigate, and minimize the impact of attacks.
One of the veryfeworganizationswith cybersecurityprofessionalswithTop-levelsecurityclearances(US
Fedsecurityclearance),enablesourclientswiththe highestlevel of confidencein performingthesecurity
incident analysis and forensics.

34
3.5.1.5 Social Privacy Test Engineering
Social engineeringismandatorytocounterthe social engineers,hackerswhoexploitthe one weakness
that isfoundineach and everyorganization:humanpsychology.Usingavarietyof media,including
phone callsandsocial media,these attackerstrickpeople intoofferingthemaccesstosensitive
information.
These are the common types of social engineering attacks:
 Phishing: These assaults can incorporate situations like the previously mentioned, however may
likewise bemorefocusedon.Lancephishingassaultsare morerefinedandcanincorporate tweaked
email sends or focused on advertisements that require more research on the aggressor's part.
 Wateringgap: In a wateringopeningassault,clientbunchesare particularlybeingfocusedon.For
instance,aggressorswouldinquire aboutparticularworkersthatvisitspecialtysitesandafterward
have malware particularly focusing on these representatives.
 Bedeviling:Justlike the termproposes,teasingassaultsinclude offeringcasualtiessomethingthey
need. The hazard is that you might download malware rather than, or notwithstanding, the
documents you really need. Teasing can likewise incorporate pipe dream online arrangements or
phony messages with answers to questions you never asked on any gatherings.
EnrollHostel’sdecadeof experienceenablesustoprovide assistance andservicesonhow anorganization
can adhere itself and its employees against such attacks and prepare to tackle them anytime.

35
3.5.2 SECURITY ASSESSMENT AND COMPLIANCE
Securitythreats,risks,andvulnerabilitiesare presentthroughoutorganizationsof all sizes.Anyintrusions
orbreachesof critical systems,data,andapplicationswilllikelyresultinbusiness-impactingconsequences
that have varyingdegreesof severity.Witha solidsecurityplanandevaluation,however,theseriskscan
be identified and mitigated without impacting compliance and regulatory requirements.
EnrollHostel offersacomprehensivesecurityassessmentservice thatevaluatesanorganization’scurrent
information security program and infrastructure. The assessment identifies vulnerabilities and
weaknesses, and measures any risks associated with the organization’s current IT environment and
security practices.
FEATURES & COVERAGE
 Identify internal and external security gaps and vulnerabilities
 Discoveranyareasof concern,includingunpatchedsystems,openports,andcompliance violations
 Find security bugs and loopholes that could potentially be used to harm your network
 Verify network connections are secure, encrypted, and working as expected
 Outline and develop an actionable plan to mitigate the identified risks and vulnerabilities
 Approachand methodologiesare basedon industrystandardsand practices,such as the National
Institute of Science and Technology (NIST), Health Insurance Portability and Accountability
Act(HIPAA)
Our Network Vulnerability Assessment services are grouped into three categories of services:
 PeriodicnetworkVulnerabilityAssessmentasaservice: Ourclientsoftenrequestthatwe perform
a one time or periodicnetworkVA toverifythe strengthof theirnetworksecurityprofile.Industry
best practices suggest that you periodically rotate vendors for a more comprehensive VA.
 Deployment of network Vulnerability Assessment solutions: We help our clients select and
configure the mostsuitable networkVA solutionandmanage it on theirbehalf ortransferday-to-
day operation to their staff.
 Compliance Reporting for network Vulnerability Assessment: We provide a network VA that
supports your compliance obligations.Accordingly,we leverage our eGRC compliance reporting
solutions that supports more than 500 regulatory compliance reports. Specifically, we provide
reports that support:
o Payment Card Industry (PCI) Data Security Standards
o ISO 27001
o General data protection regulation (GDPR)
o Health Insurance Portability and Accountability Act(HIPAA)
 Scope of Network Vulnerability Assessment Services: As part of our network Vulnerability
Assessment we typically cover the following areas:
o Network Topology Risk Assessment: Discover and assess the risk of network topology and
zones including: Public, Operational, Restricted, and Highly Restricted zones.

36
o DiscoverNetworkAssets:Aspart of the networkVA,ourpersonnelhelpyoudiscovernetwork
assets,includingnetworknodes,firewalls,IPSs,IDSs,routers andswitches,servers,databases,
applications.
o Discover Network Asset Vulnerabilities: Utilizing an array of commercial and open source
tools,we probe eachnetworkassetforpotentialvulnerabilities.Tocomplete ournetworkVA,
we deploy host configuration review.
o Verify Vulnerabilities (or Penetration Testing): With management approval, we verify
identified network vulnerabilities by actively trying to leverage it for further network
penetration and subversion of existing controls.
o NetworkSecurityConfigurationAssessment:We review thedeviceconfigurationforpotential
networkvulnerabilities.Ourpersonnelutilizeasetof automatedtoolsandmanual techniques
to review such vulnerabilities.
o Reporting: Our reportingprocessis designedtoinform executives,managementgroups,and
technical teams, compliance and audit departments. We carefully explain each vulnerability,
its respective exposure, and discoverability. Our personnel also provide pragmatic
prioritizationandrecommendations.Whendeemedappropriate,ourteamwill provideatrend
report to demonstrate the status of network VA over a designated period of time.
BENEFITS
 Validates current security programs and practices
 Identifies known security risks and vulnerabilities before they are exploited
 Provides organizations with an outline and action plan to remediate issues and improve IT
environment resiliency and performance
 Prepares organizations for audits and other reviews, and ensures compliance and regulatory
requirements are continuously met
 Can be performed at your convenience, either onsite or remotely

37
3.5.3 SECURITY OPERATIONS CENTER – Privacy Or Confidentiality
Asadvancedcyberthreatsbecome more sophisticatedandorganized,vulnerabilitiesmore complex,with
the intentof notonlystealingyourdatabut alsoinstallingcryptocurrency-miningmalware,orusingyour
systemas a pivotpointto other attack vectors,businessestodayrecognize theycan't manage or handle
thischallenge alone.They're turningtomanagedsecurityservice providerslike EnrollHostel tokeeptheir
business protected.
Managed and monitored by highly skilled and highly sought after cyber security experts 24x7x365,
EnrollHostel’s SOC is one of its most advancedthreat intelligence monitoring, provided at an affordable
monthly price
Benefits:
 Security made easy – EnrollHostel’s NOC handles 24/7/365 monitoring of your network and
data. We identify and correlate any suspicious behavior, and we immediately alert you of any
suspicious or active threat alongwith detailed remediation instructions your IT staff can follow
for any malicious activity.
 Cost-effective security – EnrollHostel’sNOC is a comprehensive security services offering
that leverages security products you already own. And best of all, you won’t have to recruit,
hire and pay hard-to-find cyber security talent.
 Simplified compliance reporting – EnrollHostel’s NOC consolidates data from hundreds of
security products to ease the pain of manually compiling regulatory and compliance reports.
Plus, there are many built-in reports for regulations such as PCI- DSS, HIPAA, and many others.
 Comprehensive Forensics – Gain the capability to conduct detailed forensic investigations to
help remediate a breach
Fig: SOC Monitoring Dashboard

38
Fig: SOC Monitoring Tool Analysis report
Fig: SOC Monitoring SIEM

40
4 PART IV – PROJECT COST
4.1 FIXED PRICE
Audit consultant cost: $15,000
Auditors/assessors documentation, travel, miscellenous : $5,000
charges= $20,000 least cost bid for 42 man days project
4.2 RATE CARD FOR ADDITIONAL WORK
** For each project we might have few different type of resources and project management
office involve.
PRICE IN USD
 Support Engineer – 120/hr
 Sr. Engineer – 150/hr
 Project Manager – 140/hr
 Database Engineer – 150/hr
 Hardware move and installation – 80/hr
4.2.1 ADDITIONAL INITIATIVES
In additiontothe ongoingmanagedservicesprovidedunderafixedfeecontract,there are otherservices
related to the onboarding that would be billed separately, including but not limited to the following:
Network Equipment Upgrades
• UPS: Replacement of multiple aging APC UPS 1500 units with a proper NOC room UPS with Power
DistributionUnits(PDU) ineachrack capable of remote managementandenvironmental monitoring
• Switches:Replacementof agingCiscoCatalyst3750floorswitchesandCiscoCatalyst6506Core Switch
• Bandwidth:Deploymentof alargermulti-source DirectInternetCircuittosupportanticipatedgrowth
fromadditional trafficgeneratedbySkype videoconferencingandamultitudeof hostedcloud-based
applications
Server Maintenance
• Upgrade of existing Microsoft Server 2008 to Microsoft Server 2016
• Upgrade of existing Microsoft 2008 Active Directory (AD) Domain Server to MS AD 2016
• Virtualizing the remaining on-premise servers to provide for better support/security
• Archiving of existing on-premise data storage to a virtualized environment
Advisory Services

41
The MSP shall provide advisory services including, but not limited to:
• Technology planning & cost forecasting
• Business continuity planning
• Disaster recovery planning
• Enterprise architecture
• Technology consulting
• Process development
• Incident Response Process
4.3 ASSUMPTIONS
EnrollHostel has made general assumptions that the information which was provided during the
preparationof thisproposal isaccurate andup-to-date. Duringthe course of thisproject,itmaybe found
that, assumptions that were made are invalid due to lack of information at the time of proposal
development. In such a case, EnrollHostel will work with School to make suitable amendments to this
proposal that is mutually agreed upon by both parties and when applicable, the corresponding change
request process would be initiated.
It is understoodand agreedupon that the followingitemsmustbe in place and/or providedat the start
of the engagement:

42
4.3.1 USER COUNT AND DEMOGRAPHIC
Approximate 250 users are located at School’s
The followingisahigh-leveloverviewof the on-premiseSchool computingassets:
4.3.1.1 Desktops/Laptops
We are concerned How replaced laptop
4.3.1.2 On-Premise Network/Software hosted
School Network andsoftware hosteddetailsare notknown.
4.3.1.3 Hosted Cloud Environment
It is anticipated that the majority of School’s services will be cloud-based by the end of FY2018. Cloud
details are not known. All software , platform and infrastructure information storing processing or
transmitting PII informationis not known [ Depending on how many applications we needto check the
amount of work may vary]
4.3.1.4 Legacy Business Applications
Details not known.
4.3.1.5 3rd Party Vendors
We wouldneed to understandthe SLAs whichthird party vendorsare onwith respect to
handlingofPII informationbeingprocessed,storedor transmitted.

GDPR And Privacy By design Consultancy

More Related Content

What's hot

More from Sandeep Sharma IIMK Smart City,IoT,Bigdata,Cloud,BI,DW

Recently uploaded

GDPR And Privacy By design Consultancy