Information Security Services The Portfolio Action Tracker (PAT) is a transparency tool that can be used to monitor and review the real-time status of NASPO ValuePoint portfolios. Click here to view Status

These Master Agreements are to provide a suite of information security services including Risk Assessment and Mitigation, Event and Incident Management, and Breach Coach, and Notification Services.

A Purchasing Entity may customize services ordered from any of the awarded Categories by working with the Contractor to develop a Statement of Work for each order. The Participating Entity may elect to use a limited selection of services rather than all services available under any of the awarded Categories.

Category 1 Risk Assessment and Mitigation - - The Contractor will perform vulnerability assessments, privacy impact and policy assessments, and evaluation and analysis of internal controls critical to the detection and elimination of vulnerabilities to the protection of Data, as defined by a Purchasing Entity

Category 2 Event and Incident Management - - The Contractor will work with the Purchasing Entity to determine the actual scope of an Event and determine if the Event is an Incident. This may include, but is not limited to, gathering information from various sources such as log files, error messages, and other resources such as intrusion detection systems and firewalls that may produce evidence to determine if an Event is an Incident.

Category 3 Breach Coach Services - - The Contractor will provide guidance, advice and consultation to coordinate and support the Purchasing Entity’s Breach response, including the investigation and mitigation of a Breach impacting individuals or organizations that may be located within the state, region, or dispersed nationwide.

Category 4 Credit Monitoring Services - a la carte services as needed by the Purchasing Entity in the event of a data breach. Based on needs the purchasing entity may choose from any of the following services, or any combination thereof: Notification [of affected individuals], General Call Center, One Year Single-Bureau Credit Monitoring/Identity Theft Protection, One Year Triple-Bureau Credit Monitoring/Identity Theft Protection.