Notice of Intended Procurement
NAME OF PROCURING ENTITY
The Governing Council of the University of Toronto (the “University”)
CONTACT PERSON AND CONTRACT PERSON COORDINATES
Raymond Siguenza
150 College Street, 3rd Floor
Toronto, ON, M5S 3E2
raymond.siguenza@utoronto.ca
PROCUREMENT DOCUMENTS
The procurement documents are available at www.merx.com.
Note that obtaining access to the procurement documents will require prospective suppliers to register and pay a registration fee. Pricing and Payment Terms are available on the MERX website.
DESCRIPTION OF PROCUREMENT
The intent of the RFP is to seek a Supplier (Successful Proponent) that will provide services to manage and resolve data security incidents at the University in conjunction with other parties.
All data security incidents are reported to and received by the University of Toronto Incident Response (IR) Team. In the event of a major data security incident, the IR Team will advise the Computer Security Incident Response Team (CSIRT) who will investigate and implement appropriate action. Depending on the incident, this may include third-party Forensic Incident Response Services, among other external services. These third-parties would work in conjunction with the University’s CSIRT and its incident response team to enhance the University’s in-house IR and forensics capabilities. Depending on the Successful Proponent’s staff’s capabilities and the location of an incident, they may be provided with direct access to security solutions or devices or may end up working through intermediaries.
The University currently has a global incident response plan and related playbooks, as does each unit. These are not published publicly but may be shared with the Successful Proponent. Depending on the incident, the membership of the CSIRT is flexible and will include the internal services needed to respond to the incident at hand and may also include external services such as forensics services. Typically, the internal CSIRT membership includes Incident Response, members of the University and unit management, Legal Counsel, FIPP Office, Communications, and Technical staff. The Successful Proponent, as a member of that CSIRT, would be able to make recommendations on bringing other internal or external services into the CSIRT if they identify a gap that needs to be addressed.
The University’s technology stack, architecture model, or Information Security toolset will not be provided but may be shared with the Successful Proponent.
The procurement is anticipated to involve negotiation. An electronic auction is not anticipated
ADDRESS AND FINAL DATE FOR SUBMISSIONS
Submissions must be submitted electronically at https://utoronto.bonfirehub.ca/ on or before Monday, March 16, 2026 (2:00 PM local time). The submissions will not be opened publicly.
CONDITIONS FOR PARTICIPATION
N/A
APPLICABLE TRADE AGREEMENTS
This procurement is subject to the following trade agreement(s):
- The Canadian Free Trade Agreement, Chapter Five
- The Comprehensive Economic and Trade Agreement, Chapter 19
- The Ontario-Quebec Trade and Cooperation Agreement, Chapter 9
CONTRACT DETAILS
The term of the Agreement will be for three years with an option to extend to two years.
EVALUATION CRITERIA
The University will base its selection of suppliers on the following criteria
EVALUATION CRITERIA WEIGHT
Experience and Qualification 25
Approach and Methodology 10
Retainer and Continuous Improvement 15
Building an Incident Management Program 10
Menu of Proactive Assessments 10
Price 30
Total 100
Vendor Presentation (optional) 20
NOTES
Suppliers should note that information contained within this notice is subject to change. Suppliers are encouraged to obtain the procurement documents which contain the most current information. If there is a conflict between the procurement documents and this notice, the procurement documents will take precedence.
