April 23, 2019

GMWC-2019-02 – RFQ Information Technology Services
Clarifying Questions & Answers

Q1. What applications are you currently running?
A1:
1. Microsoft Suite of products – Excel, Word, Power Point, Outlook 365
2. Chrome and Internet Explorer
3. Adobe
4. PDF24-free version
5. SAGE
6. Lucity
7. Pacific Technology Purchase Workflow
8. Orchid Document Management Link
9. McAfee
10. VMWare - Veeam Essentials Standard
11. Auto Cad Software
12. Keptware
13. Watchguard
14. Scada Software (out of scope)
15. Ceridian (web)

As part of the RFQ, it is requested in the Scope of Work to compile the list of
inventory which includes all applications. These are some of the applications
I am aware of, but potentially there could be more.

“Initial Assessment
With the assistance of GMWC staff, compile an inventory of all Information
technology related assets, assess system assets, and make recommendations for
improved company-wide IT system performance. Inventory of assets will include
hardware, software packages and inventory of the assets corresponding
firmware, software package and operating system versions/levels.”

Q2. How much data is being backed up on a daily/weekly/monthly basis? What is
the source for this data (i.e., what is TransAqua backing up)?
A2:

Daily – Appx 7M KB
Weekly – 420 Million KB

The source is our server excluding SCADA. All files are on server are being
backed up as is SAGE.

Q3. What is the current model of your firewall and can you provide details on your
ISP connectivity/bandwidth?
A3:

We currently use WatchGuard XTM 33. Our internet provider is Bell, with a
Fibreop connection. Approximate speeds are 100Mbps Download and
50Mbps upload.

Q4. What are you currently using for anti-virus? Are you interested in the
proponent providing a solution?
A4:

Currently we are using McAfee and as part of our Cyber Security Committee we
will be reviewing this to validate we have the most efficient anti-virus. We will
look for suggestions in meeting, however you may propose your solution in RFQ.
Q5. Do you have a training coordinator or a Learning Management System?
A5:
No currently we do not have a training coordinator or a Learning Management
System.

Q6. Do you complete Disaster Recovery testing annually? If so, what type of testing?
A6:

Our backups are tested annually if not more frequently when we are missing a
file, we go to our backups to restore. As part of the Admin Consol, we have a
nightly backup performed and once a week, the weekly files are downloaded on
a USB storage device and taken offsite.

Q7. In regards to log monitoring, is it to be assumed that you’re looking for basic due
diligence on log monitoring, or is TransAqua interested in a separate line item for
Security Operation Center monitoring for comparison?
A7:

We are looking for more than just the traditional SOC where someone is
monitoring TransAqua’s systems remotely and that is it. We have had a couple
of incidents where we were unable to detect them until our system was infected.
To this day are not completely sure how it happened. Management was not
satisfied with the response on how it happened and how are we going to prevent
it from happening again.

I would like to see a proactive approach were we are better able to prevent an
attack from happening. The IT team should secure and monitor the network’s
perimeter, data and remote users so that the IT team can detect, analyze the
threats which can be responded to in an appropriate amount of time. TransAqua
would also like to be updated on why the incident happened and how we can
prevent it from happening again.