Health Quality Alberta is seeking proposals from qualified consultants to undertake a comprehensive cybersecurity and resilience assessment that evaluates the current security posture, identifies vulnerabilities, and informs the development of a strategic roadmap for ongoing security improvement. The assessment must be conducted in alignment with recognized frameworks and be adapted to the organization’s size, sector, and risk profile.
Background Information
Health Quality Alberta is a provincial agency that brings together patients, families, and our partners from across healthcare and academia to inspire improvement in patient safety, person-centred care, and health service quality. We are grateful to work, live and learn on the traditional Treaty territories and Métis lands in Alberta. We assess and study the healthcare system, identify effective practices, and engage with Albertans to gather information about their experiences. We value diverse perspectives and bring objective, evidence-based analysis to our work. Our responsibilities are outlined in the Health Quality Council of Alberta Act. To learn more about Health Quality Alberta, visit www.Health Quality Alberta.ca.
Purpose & Scope of Work
The purpose of the project is to:
• Provide an objective, end-to-end evaluation of cybersecurity governance, infrastructure, and practices.
• Identify strengths, weaknesses, and priority areas/actions for remediation.
• Develop a collaborative cybersecurity strategy that reflects organizational needs, resources, and risk tolerance.
• Present findings in formats suitable for both technical staff and executive leadership.
Scope of Work and Deliverables
The Consultant selected through this RFP will enter into an agreement with Health Quality Alberta to provide the following services:
1. Comprehensive Review and Scoping Session – Initiate the engagement with a review of Health Quality Alberta’s technology environment, governance structures, and service needs. Facilitate a scoping session with Health Quality Alberta’s leadership and technical staff to co-develop a tailored plan for the assessment and subsequent strategy development.
2. Governance and Risk Management Review – Assess cybersecurity governance structures, roles, policies, procedures, and AI applications. Evaluate alignment with legislation, regulatory requirements, and industry best practices, and identify gaps in risk management processes.
3. Technology and Infrastructure Assessment – Conduct a high-level vulnerability and configuration review of critical systems, networks, cloud environments, and AI applications.
4. Identity, Access, and Data Protection Review – Assess identity and access management practices, data protection measures, and monitoring/logging.
5. Incident Response and Resilience Evaluation – Evaluate incident detection, response, recovery capabilities, and business continuity practices. Review and provide recommendations to strengthen business continuity and disaster recovery capabilities.
6. Culture and Capacity Assessment – Evaluate staff awareness and cybersecurity training programs. Identify opportunities to build organizational capacity and reinforce a culture of cybersecurity awareness and accountability.
7. Assessment Report and Executive Summary – Prepare a comprehensive report summarizing findings, risk ratings, and prioritized recommendations, accompanied by a concise executive summary suitable for senior leadership and governance audiences.
8. Cybersecurity Strategy and Roadmap – Develop, in collaboration with Health Quality Alberta, a strategic roadmap that outlines short-, medium-, and long-term actions and priorities, resourcing considerations, and key performance measures to guide future security initiatives.
9. Best Practices Reference Document – Produce a practical guide that captures cybersecurity best practices tailored to Health Quality Alberta’s environment, serving as a reference tool for current and future staff.
10. Presentation of Findings – Deliver presentations to both technical teams and executive leadership, highlighting key findings, risks, and recommended next steps for strategic decision-making.