France - IT services, consulting, software development, internet and support

Description

Aimed at all the entities of the SNCF GPU, the purpose of the present consultation is to set up a framework agreement, constituting a contractual vehicle for referencing IT intellectual services, for use by the SSI players.This framework agreement is intended to cover the entire life cycle of cybersecurity activities: phases of emergence and strategy, design and implementation, support and maintenance in operational security conditions, as well as complementary services and expertise specific to the SSI function.
Lot 1 covers the professions involved in steering the security approach, as well as those responsible for implementing IS security projects. This lot includes missions to cover project emergence operations (risk identification, definition of security requirements, regulatory compliance, contractual framing, test strategy, acceptance), to design solutions adapted to needs (planners, architects), to provide expertise on the solutions implemented, or to evaluate market solutions (engineers, experts). This work package also covers all project management support activities, from a governance angle (strategy design, risk mapping, creation of reference frameworks, evolution of the PSSI, certification support, etc.) to a technical and functional angle.These assignments may be one-off, or cover a long-term need through the implementation of a dedicated system (Service and/or Expertise Center) in order to reduce costs and optimize response times to requests from internal customers of the Group and its subsidiaries. Lot 2 covers the technical professions involved in taking security into account in IS design, providing security expertise in a particular field, defining secure architectures, administering security solutions, etc.This lot includes assignments that take IS security aspects into account in the design (architecture design, parameterization, choice of technical solutions, editors, suppliers and testing strategies) and implementation of an IT or business project, as well as business and/or IT support and training assignments to ensure that the proposed technical and functional solutions meet the security requirements identified. This work package also includes consulting, assistance, information, training and alert services, which can be provided directly for all or part of a project in a given field of expertise (systems, networks, workstations, industrial components, IoT, Active Directory and IAM, code and development solutions, cloud, Artificial Intelligence, etc.), whether during the design, implementation or security maintenance phases. Other tasks include auditing and monitoring security processes to ensure compliance with internal policies and regulations applicable to the organization; monitoring defined security policies and rules to ensure that security is implemented, respected and effective; identifying vulnerabilities and proposing remediation actions; working with legal experts and the DPO if the project involves the processing of personal data. Assignments give rise to one or more deliverables. These assignments may be one-off, or cover a long-term need through the implementation of a dedicated system (Service and/or Expertise Center) in order to reduce costs and optimize response times to requests from internal customers of the Group and its subsidiaries. "Some assignments may require on-call coverage. Lot 3 covers the identification of threats and vulnerabilities on a conventional IS technical object (Web application, mobile application, platform, environment, etc.) hosted OnPremise, in the Cloud, or by a partner host, throughout the Group and its subsidiaries.These missions are based on application SSI audits, process and/or configuration audits of a target or scope agreed in advance during a scoping meeting with the project(s) concerned, at the request of the CISO/RCS responsible for the SSI scope.The assignments result in one or more deliverables, indicating the threats and vulnerabilities identified on the technical object targeted by the audit, the CVSS score, the criticality, priority, exploitability and impact of each, as well as the associated recommendation(s) for remediation.These missions can be one-off, or cover a long-term need by implementing a dedicated system (Service and/or Expertise Center) in order to reduce costs and optimize response times to requests from internal customers of the Group and its subsidiaries. Batch 4 covers the activities of companies specializing in cybersecurity: consulting firms, training companies, assessment laboratories, security product publishers, security product integrators, research laboratories and institutes, etc. These missions are part of the "Operational Security" division of the Cybersecurity Department. They cover anticipation (intelligence on threats, vulnerability and attack surface management), detection (supervision and detection of cybersecurity events, qualification and prioritization of events based on alerts or reports, contributing to the continuous improvement of detection) and reaction (emergency response, handling of cybersecurity incidents, forensics, production of incident reports, intervention as part of a technical crisis unit)You may be asked to be on call during the assignment. Batch 5 covers all activities contributing to the cybersecurity certification process, the implementation of SSI pre-qualifications, SSI risk analyses, the monitoring of requirements and the implementation of the method for integrating cybersecurity into industrial projects, as well as the performance of Cyber Industriel audits. This work package includes pre-qualification of a project's DICT cybersecurity requirements, classification of Data using a "risk factors" questionnaire, and support in respect of SSI issues and processes and/or assistance in drafting specific SSI clauses. These assignments are based on a risk analysis that defines the additional cybersecurity requirements that projects must meet in order to reduce risks. The assignments give rise to one or more deliverables, such as the Risk Analysis document, which is updated as the interviews progress, the list of cybersecurity requirements, the updated risk map, the dashboards containing all the information needed to monitor the project, the reference documents, These assignments can be one-off, or cover a long-term need by setting up a dedicated facility (Service and/or Expertise Center) to reduce costs and optimize response times to requests from internal customers of the Group and its subsidiaries.

Opportunity closing date

19 February 2024

Value of contract

more than £50m