3. Detailed scope of work (SOW)
The prospective partner must submit a technical and cost proposal for the services described below, addressing the critical gaps identified in Equitas’ cybersecurity program:
3.1. Governance and compliance
| Item | Key requirement | Baseline score |
| --- | --- | --- |
| Incident Response Plan (IRP) | Develop, document, and test an Incident Response Plan (IRP). This plan is mandatory for Law 25 compliance and must include communication protocols with the proper authorities (including the Commission d'accès à l'information du Québec and affected individuals, as Law 25 requires) in case of a PII breach. | 0/4 |
| Information Security Policy (ISP) | Create a comprehensive Information Security Policy (ISP) that includes critical sub-policies such as Acceptable Use, Access Control, Onboarding/Offboarding, Remote Work/BYOD, and Vendor/Third-Party Risk Management. | 4/8 |
| Policy Adoption and Sign-off | Implement a process to ensure all developed policies are distributed to and formally signed off by all employees, for legal compliance and risk minimization. | 0/1 |
3.2. Critical security controls (highest priority)
| Item | Key requirement | Baseline score |
| --- | --- | --- |
| Vulnerability Management | Deploy a vulnerability scanning tool (e.g., Tenable) and establish a structured patch management process with clear remediation timelines. Minimum cadence: weekly external scans and monthly internal scans, with patching on the same schedule. | 0/8 |
| Log Management (SIEM) | Implement a SIEM (Security Information and Event Management) solution to centralize, correlate, and preserve logs from critical systems, supporting real-time threat detection and forensic investigations. | 0/6 |
| Security Awareness Training | Implement an awareness training solution to educate employees, and regularly conduct phishing simulations to assess and improve user resilience. | 0/6 |
3.3. Operational and defense enhancements
- Threat monitoring and response (XDR/SOC): Implement an XDR (Extended Detection and Response) solution and a 24×7 SOC (Security Operations Center) for continuous monitoring. The XDR solution must provide automatic threat remediation capabilities.
- XDR/SIEM/SOAR integration: Propose the integration of the XDR with the new SIEM and, if applicable, with SOAR (Security Orchestration, Automation, and Response) to accelerate investigation and automated response playbooks.
- Asset management: Implement automated tools (RMM, CMDB, Vulnerability Management Platform) to maintain a continuously updated hardware inventory and a documented inventory of all authorized software.
- Access controls: Enforce MFA (Multi-Factor Authentication) for all user and administrative access. Establish and enforce a formal Onboarding and Offboarding process and periodically review Role-Based Access Controls (RBAC).
- Data recovery: Implement a third-party backup solution for the Microsoft 365 environment, with backup copies stored outside the M365 tenant. The integrity and restoration capability of backups must be tested regularly.
- Cyber insurance review: Conduct a review of the current insurance policy to: 1) Assess whether the $1M coverage is sufficient for recovery costs; 2) Clarify Clause 6, Technology Errors and Omissions, as it may result in incidents not being covered.
4. Proposal submission requirements
To ensure fair and comparable evaluation, each proposal must contain the following detailed sections:
4.1. Technical proposal and methodology
- Work plan: Detailed breakdown of implementation steps for each item listed in Section 3 (Scope), including methodology, required resources, expected deliverables, and coordination mechanisms. The consultant must collaborate closely with the IT Manager at Equitas, who will shadow all technical work to ensure full visibility, knowledge transfer and alignment with existing systems and protocols.
- Strategy and timeline: Proposed detailed strategy and timeline (e.g., 12, 18, or 24 months) for the security program, prioritizing the implementation of high-risk controls (IRP, SIEM, vulnerability management).
- Tools and technology: Clear specification of which tools and solutions (e.g., SIEM, XDR, awareness platform) will be used, taking into account licensing and pricing available to non-profit organizations, and why they are suitable for Equitas’ environment and budget.
4.2. Cost and licensing proposal
- Detailed pricing: An itemized budget that clearly separates the costs of:
- Professional services (consulting, implementation)
- Software licensing and tools (annual/monthly)
- Managed services (MS/MDR/24×7 SOC) – recurring cost
- Pricing structure: Indicate whether the prices are fixed or based on time and materials.
4.3. Company experience and credentials
- Qualifications: A brief summary of the company’s experience in similar cybersecurity projects, especially with clients using the CIS Controls framework.
- Canadian compliance: Proof of experience and knowledge of Canadian and Quebec regulatory requirements, with an emphasis on implementing measures to comply with Law 25.
- References: Provide at least two client references (preferably in Canada) with projects of a similar scope.
- Sector and platform fit: Experience with non-profit organizations and the flexibility to work within a Microsoft environment.