System Requirement Specifications of Insurance Authority Levy System (“LS”)

System Requirement Specifications v1.0 - Insurance Authority


System Requirements

The Tenderer will supply the hardware and software to support a minimum of 140 external users (insurers) who will be using the System in different functional capacities. There will be 3 environments for the System, namely the user acceptance test (UAT), production and disaster recovery (DR) environments. The UAT environment does not have to be a full-blown production environment and is anticipated to support not more than 50 external users (insurers) at any one time for testing. Resiliency is not expected for the UAT environment. The production environment will support a minimum of 140 external users (insurers) at any one time and full resiliency shall be supported. Meticulous sizing with an industry recognized methodology must be used to size the production environment. The use of virtual machines is recommended for the hardware platform, with proper security setup and coverage.

The DR platform is expected to support the full load in the event of a disaster which disrupts the delivery of service from the production platform. It is not necessary to have resiliency for the DR platform. The production site will replicate to the DR site in a technically viable 'real-time' arrangement.

The Tenderer is expected to provide a comprehensive list of the hardware with details of the configuration and the accompanying software for each environment. The Tenderer is also expected to include any network and/or security hardware or software in the proposed solution and clearly state the purpose of such hardware and software.

The Tenderer shall deliver all requirements stated below in the design of the infrastructure platform to host the System.

1. Network Traffic Load Balancing Requirements (this section is optional; please propose it as an optional item):

1.1 The load balancer shall support application protocols including HTTP, SSL / TLS, etc.

1.2 The load balancer shall provide intelligent load balancing, application health monitoring and application connection state management.

1.3 The load balancer shall support advanced routing protocols such as BGP, RIP, OSPF, etc.

1.4 The load balancer shall provide Application Delivery Optimization.

1.5 The load balancer shall provide SSL connection and session mirroring.

1.6 The load balancer shall support SSL visibility (inbound / outbound).

1.7 The load balancer shall provide a performance dashboard to monitor performance histories and figures.

1.8 The load balancer shall keep a logging history for the performance counters.

1.9 The load balancer shall be a Microsoft Certified Load Balancer model with application delivery functionality.

1.10 The load balancer shall support Global Traffic Management with failover between the Primary DataCenter and the Disaster Recovery (DR) DataCenter.

1.11 The load balancer shall support reuse of the load balancing for other applications; for example, for https://levy.ia.org.hk it can redirect external users from one datacenter to another datacenter.

1.12 The load balancer shall be compatible with the current load balancer, Citrix NetScaler MPX 5901.

1.13 The load balancer shall provide the following functions: Application Cache, Application Firewall with XML security, IP Reputation, Cloud Connector, Central Policy Management, and Monitoring of Gateway Traffic with History.

1.14 The load balancer shall have more than 1 Gbps system throughput (L7 throughput).

1.15 Exemplary product: Citrix NetScaler MPX 5901 Enterprise Edition.

2. Internet Requirements:

2.1 Current Internet at the Primary DataCenter: 2 X 100M Internet connections. They mainly serve the current email, antivirus definition update and patch update services. These connections are currently in use and no spare bandwidth is available.

2.2 Current Internet at the DR DataCenter: 1 X 100M Internet connection. This connection is currently in use and no spare bandwidth is available.

2.3 The tenderer shall propose additional Internet connectivity with sufficient bandwidth for the Internet requirements, on top of what is currently available, to ensure that transactions can be conducted over the Internet connectivity between the insurers (submitters) and the Authority.

3. Storage and SAN Switch Requirements

3.1 The tenderer shall provide enough disks and enough SAN chassis at Production DataCenter and DR DataCenter if required.

3.2 The tenderer shall provide SAN Switch or port licenses with resilience at Production DataCenter or DR DataCenter if required.

3.3 The tenderer shall provide enough storage space for the whole proposed system if required.

3.4 The tenderer shall provide the disks as self-encrypting drives.

3.5 The tenderer shall provide disks that support encryption of data at rest with self-encrypting drives.

3.6 The tenderer shall provide disks of the type 10K SFF FIPS Encrypted.

3.7 The tenderer shall provide disks supporting at least a RAID 1 model.

3.8 The tenderer shall provide enough disk space for cache swap during backup and for virtualization logs.

3.9 The tenderer shall add local disks to the current UAT servers (the server model is given in the Server section). Add-on disk space = total space of Production / DR servers X 0.25.

3.10 Current storage: HPE 3PAR 8200 at Production / DR (no UAT SAN).

3.11 Each current Production SAN Switch has 2 free ports; there is no free port on the DR SAN Switch.

3.12 Current SAN Switches:

Production:
- HPE SN3000B 24/24 FC Switch
- 2.4m Jumper (IEC320 C13/C14, M/F CEE 22)
- HPE B-series 16Gb SFP+SW XCVR X 24
- HPE SN3000B Optional Power Supply
- HPE Premier Flex LC/LC OM4 2f 5m Cbl X 24

DR:
- HPE SN3000B 24/12 FC Switch
- 2.4m Jumper (IEC320 C13/C14, M/F CEE 22)
- HPE B-series 16Gb SFP+SW XCVR X 12
- HPE SN3000B Optional Power Supply
- HPE Premier Flex LC/LC OM4 2f 5m Cbl X 12

3.13 Current HPE 3PAR 8200 details:
- HPE 3PAR 8200 2N+SW Storage Field Base
- HPE 3PAR 8000 4-pt 16Gb FC Adapter X 2
- HPE 3PAR 8000 1.2TB+SW 10K SFF FIPS Encrypted HDD X 20
- HPE 3PAR 8200 All-in Multi-system SW LTU
- HPE 3PAR 8200 Data Encryption LTU
- HPE 3PAR 8000 SFF (2.5in) Fld Int Dr Encl X 2
- HPE 3PAR 8000 1.2TB+SW 10K SFF FIPS Encrypted HDD X 36
- HPE 3PAR 8000 920GB+SW SFF FIPS Encrypted SSD X 4
- HPE 3PAR 8000 SFF (2.5in) Fld Int Dr Encl
- HPE 3PAR 8000 1.2TB+SW 10K SFF FIPS Encrypted HDD X 20
- HPE 3PAR 8000 920GB+SW SFF FIPS Encrypted SSD X 2
- HPE Premier Flex LC/LC OM4 2f 5m Cbl X 12

4. Server Requirements:

4.1 The tenderer shall provide an equivalent server model, for example HP DL 360 or HP DL 380.

4.2 It shall include web servers connected to the DMZ Access Layer Switches.

4.3 It shall include internal servers connected to the Internal Zone Access Layer Switches.

4.4 It shall include Production and DR servers.

4.5 It shall include at least RAID 1 protection with one hot spare disk for the local disks.

4.6 It shall include adequate memory, DDR3 or faster.

4.7 It shall include a PCIe 3.0 based 12Gb/s SAS RAID controller with RAID 0/1/1+0 Advanced Data Mirroring/10 Advanced Data Mirroring and a 4GB battery-backed write cache. Advanced Data Mirroring is a RAID scheme that requires a minimum of 3 drives: RAID 1 ADM creates redundant copies of the data using 3 drives, and RAID 10 ADM stripes data across two or more sets of RAID 1 ADM volumes. This level of fault tolerance can withstand a double drive failure within a RAID 1 ADM volume without downtime or data loss.

4.8 It shall support intermixing of SSD / SAS hard drives.

4.9 It shall support encryption of the data on both the internal storage and the cache module of the array controllers using encryption keys.

4.10 It shall include at least FOUR Gigabit Ethernet network ports.

4.11 It shall include highly resilient 10 Gigabit Ethernet connectivity to the storage system.

4.12 It shall include a backup connection to the backup system; high resilience for the backup connection is optional.

4.13 It shall support an add-on fibre network card.

4.14 It shall include the fibre connection equipment used to connect to the SAN Switch with a resilient connection.

4.15 It shall include video and at least 6 X USB ports.

4.16 It shall be mountable in a standard 19-inch rack.

4.17 It shall be bundled with an integrated system management controller to enhance server setup, health monitoring, power and thermal control, and remote administration.

4.18 It shall provide at least one dedicated Ethernet port to support out-of-band remote management.

4.19 It shall be certified by popular virtualization platform management software such as vCenter, SCVMM and Red Hat RHEV.

4.20 It shall support a single management view to manage multiple servers, including Group Power Control, Group Power Capping, Group Firmware Update, Group Configuration, Group Virtual Media and Group License Activation.

4.21 It shall include redundant hot-swappable power supplies with power cords, and shall comply with Energy Star.

4.22 It shall provide ONE internal DVD-RW drive with at least 8x speed.

4.23 It shall provide a front security bezel kit, cable management arm, rack mount kit, all necessary cables, software drivers and documentation for server installation.

4.24 Current server model (sample): HP ProLiant DL380 G9 2U rack mount server
- 2x E5-2650v4 (12-core) CPU
- 10 X HPE 16GB 2Rx4 PC4-2400T-R Kit
- 2x 1 port Fiber HBA
- 2x 1 port 10G network card
- HPE iLO Adv incl TSU 1-Svr Lic
- Bezel Kit, Cable management kit, DVDRW
- Redundant Power Supply
- 3 X HPE 300GB SAS 10k SFF SC HDD

5. Virtualization Requirements:

5.1 The Virtualization software shall provide a Virtualization layer that sits directly on the bare metal server hardware with no dependence on a general purpose OS for greater reliability and security.

5.2 The Virtualization software shall have been in the Leaders Quadrant of the Gartner Magic Quadrant for x86 Server Virtualization Infrastructure for the last 4 consecutive years, up to and including 2014.

5.3 The Virtualization software shall have the capability to create Virtual machines with up to 128 virtual processors and 4TB virtual RAM in virtual machines for all the guest operating system supported by the hypervisor.

5.4 The Virtualization software shall support live Virtual Machine migration from one physical host to another and between virtual switches with enhanced CPU compatibility and without the need for shared storage.

5.5 The Virtualization software shall have the ability to live migrate virtual machine files from one storage array to another without any virtual machine downtime. It shall support this migration from one storage protocol to another (e.g. FC, iSCSI, NFS, DAS).

5.6 The Virtualization software shall have High Availability capabilities for the virtual machines, such that if one server fails, all the virtual machines running on that server shall be automatically restarted on another physical server running the same virtualization software. The feature should be independent of guest operating system clustering and should work with FC / iSCSI SAN and NAS shared storage.

5.7 The virtualization solution shall provide a storage efficient backup solution, which utilizes patented variable-length deduplication, rapid recovery and WAN-optimized replication for DR. It should integrate with virtualization solution and provide a simple user interface making it an easy and effective backup tool. It should also provide agentless, image-level VM backups to disk and application-aware protection for business-critical applications (e.g., Exchange, SQL Server, etc.) along with WAN-efficient, encrypted backup replication across sites.

5.8 The Virtualization software shall have the provision to provide zero downtime, zero data loss and continuous availability for the applications running in virtual machines in the event of physical host failure, without the cost and complexity of traditional hardware or software clustering solutions. This option shall be supported for up to 2 virtual CPU per virtual machine.

5.9 The Virtualization software shall provide option for securing virtual machines with offloaded antivirus and antimalware solutions without the need for agents inside the virtual machine with integration with 3rd party Anti-Virus / Anti-Malware solutions.

5.10 The Virtualization software shall provide efficient, array agnostic replication of virtual machine data over the LAN / WAN and should simplify management by enabling replication at virtual machine level.

5.11 The Virtualization software shall support for increasing capacity by adding CPU, Memory or any other devices to virtual machines on an as needed basis without any disruption in working or downtime for the virtual machines.

5.12 The Virtualization software shall enable abstraction for external storage (SAN and NAS) devices by means of making them virtual machine aware.

5.13 The Virtualization software shall allow common management across storage tiers and dynamic storage class of service automation via a policy-driven control plane.

5.14 The Virtualization software shall provide a content library to provide simple and effective centralized management for VM templates, virtual appliances, ISO images, and scripts.

5.15 The Virtualization software shall provide special integration with Storage API's providing integration with supported third-party data protection, multi-pathing and disk array solutions.

5.16 The Virtualization software shall provide support for placing critical virtualization components (such as the hypervisor) into memory regions identified as "reliable" on supported hardware. This further protects those components from an uncorrectable memory error.

5.17 The Virtualization software shall have Special Big Data Extensions, which should support multiple Hadoop distributions and make it seamless for IT to deploy, run and manage Hadoop workloads on one common platform leading to achieve higher utilization, reliability and agility.

5.18 The Virtualization software shall be able to dynamically allocate and balance computing capacity across collections of hardware resources aggregated into one unified resource pool with optional control over movement of virtual machines like restricting VMs to run on selected physical hosts.

5.19 The Virtualization software shall be able to automate energy efficiency in Distributed Resource Scheduler clusters by continuously optimizing server power consumption within each cluster.

5.20 The Virtualization software shall support live virtual machine migrations across physical hosts, between virtual switches, between two different virtualization managers, or between servers physically separated over a long distance with up to 100ms of network latency.

5.21 The Virtualization software shall have the provision to provide zero downtime, zero data loss and continuous availability for the applications running in virtual machines in the event of physical host failure, without the cost and complexity of traditional hardware or software clustering solutions. This option should be supported for up to 4 virtual CPU per virtual machine.

5.22 The Virtualization software shall be able to create a cluster out of multiple storage datastores and automate load balancing by using storage characteristics to determine the best place for a virtual machine’s data to reside, both when it is created and when it is used over time.

5.23 The Virtualization software shall provide network traffic-management controls to allow flexible partitioning of physical NIC bandwidth between different network-traffic types and allow user-defined network resource pools, enabling multi-tenancy deployment, and to bridge virtual and physical infrastructure QoS with per resource pool 802.1 tagging.

5.24 The Virtualization software shall be able to set quality-of-service priorities for storage for guaranteed access to resources.

5.25 The Virtualization software shall allow one PCI express (PCIe) adapter to be presented as multiple separate logical devices to the virtual machines, which in turn should enable users with the ability to offload I/O processing and reduce network latency.

5.26 The Virtualization software shall be able to virtualize server-side flash providing a high performance read cache layer that dramatically lowers application latency.

5.27 The Virtualization software shall have support to deliver the full benefits of NVIDIA hardware-accelerated graphics to virtualized solutions.

5.28 The Virtualization software shall provide a virtual switch, which can span across a virtual datacenter and multiple hosts should be able to connect to it. This in turn will simplify and enhance virtual-machine networking in virtualized environments and enables those environments to use third-party distributed virtual switches.

5.29 The Virtualization software shall provide a feature that can perform quick, as-needed deployment of additional virtualized hosts. When the service is running, it can push out update images, eliminating patching and the need to schedule patch windows.

5.30 The Virtualization software shall provide reports for performance and utilization of Virtual Machines. It shall co-exist and integrate with leading systems management vendors.

5.31 The Virtualization software shall provide capability to monitor and analyze virtual machines, and server utilization and availability with detailed performance graphs.

5.32 The Virtualization software shall allow cloning of both powered on and powered off virtual machines.

5.33 The Virtualization software shall provide Interactive topology maps to visualize the relationships between physical servers, virtual machines, networks and storage.

5.34 The Virtualization software shall maintain a record of significant configuration changes and the administrator who initiated them.

5.35 The Virtualization software shall provide a global search function to access the entire inventory of multiple instances of virtualization management server, including virtual machines, hosts, datastores and networks, anywhere from within Virtualization management server.

5.36 The Virtualization software shall support user role and permission assignment (RBAC).

5.37 The Virtualization software shall provide Single-Sign-On capability, which should dramatically simplify administration by allowing users to log in once to access all instances or layers of management without the need for further authentication.

5.38 The Virtualization software shall provide an orchestration facility that simplifies installation and configuration of the workflow engine in Management. The workflows should be launched directly from the Web Client itself.

5.39 The tenderer shall include enough VMware licenses.

5.40 Current virtualization software: VMware ESXi 6.5 and VMware vSphere 6 Enterprise Plus.

6. Backup Requirements:

6.1 The backup solution system shall have function to recover entire VMs, individual files and application items.

6.2 The backup solution system shall have fast, agentless item recovery and includes Microsoft Exchange, SharePoint and Active Directory.

6.3 The backup solution system shall have Transaction-level restore of Oracle databases and SQL Server databases.

6.4 The backup solution system shall have Automatic recoverability testing of every backup and every replica, every time.

6.5 The backup solution system shall have Unlimited Scale-out Backup Repository, Direct Storage Access and built-in deduplication and compression.

6.6 The backup solution system shall have Disaster recovery with 1-click site failover and failback with little to no business interruption.

6.7 The backup solution system shall have Image-level VM backups: Create application-consistent backups with advanced application-aware processing.

6.8 The backup solution system shall have Instant File-Level Recovery: Recover guest OS files and folders from the image.

6.9 The backup solution system shall have ability to recover Microsoft Active Directory, individual AD objects and entire containers, easily recover user accounts and passwords, enable restores of Group Policy Objects (GPOs), Active Directory integrated DNS records, etc.

6.10 The backup solution system shall have the ability to recover Microsoft SQL Server with fast transaction and table level recovery, which allows for precise point-in-time restore.

6.11 The backup solution system shall have the ability to perform transaction-level recovery of Oracle databases, including agentless transaction log backups, enabling precise point-in-time restore.

6.12 The backup solution system shall have Native tape support: Store entire VM backups or individual files on tape including features for growing enterprise environments.

6.13 The backup solution system shall provide advanced, image-based VM replication and streamlined disaster recovery - ensuring the Availability of your mission-critical applications.

6.14 The backup solution system shall have Image-based VM replication: Replicate VMs onsite for High-Availability or offsite for disaster recovery.

6.15 The backup solution system shall automatically test and verify every VM replica for recoverability.

6.16 The backup solution system shall have Failover and Failback ability: Replica rollback and assisted failover and failback with little to no business interruption.

6.17 The backup solution shall have an add-on management pack for the monitoring solution.

6.18 The backup solution shall provide a copy of the virtual machine (VM) in a ready-to-start state, so that if a VM goes down it is possible to immediately fail over to a standby VM.

6.19 The backup solution shall have no impact on the production environment, performing replication from backup files.

6.20 The backup solution shall support the following scenario: if a production VM goes down, it is possible to immediately fail over to a VM replica, giving users access to the services and applications they need with minimum disruption while the issue is resolved. Replication shall be easy to set up so that the disaster recovery (DR) plan is improved and data loss is avoided.

6.21 The backup solution shall allow the entire failover to be planned in advance and started with a single click using Failover Plans: add VMs from replicas, move them up or down to set a boot order, and set a delay for each VM so that it does not start before the previous one has started up.

6.22 The backup solution shall facilitate data center migrations or maintenance on the production hosts with a Planned Failover feature. Planned Failover shuts down the source VM, replicates any changes to the target VM and starts the target VM, all with no data loss and little downtime.

6.23 The solution shall have a heat / fire resistant cabinet for storing backup media.

6.24 The backup device can be a disk backup or tape backup device, whichever gives the best recovery time.

6.25 The incremental backup shall be completed within 9 hours during the backup window (09:00PM to 06:00AM). The full backup can be completed on Saturday and Sunday.

6.26 The solution shall have a single console to back up and restore VMware vSphere 4.1 or above and Microsoft Hyper-V 2008 R2 SP1 or above.

6.27 The solution shall have a distributed architecture: a single management server can manage multiple proxy servers (media servers) and multiple backup destinations.

6.28 The solution shall be agentless: no agent needs to be installed on the host or the VM guest, and no virtual appliance is needed on the VM host, to perform backup, replication and restore (single file, application item level, instant VM recovery) on both VMware and Hyper-V platforms.

6.29 The solution shall support full backup, synthetic full backup, incremental backup and reverse incremental backup.

6.30 The solution shall have built-in block level deduplication and compression.

6.31 The solution shall support one-pass VM image level backup with multiple restore options, such as whole VM restore, single file restore and single application item level restore.

6.32 The solution shall support a backup image tape-out feature.

6.33 The solution shall support automatically skipping deleted blocks in the VM guest, as well as swap and hibernation files.

6.34 The solution shall support include and exclude lists for backup within the VM guest without any agent installed inside the VM guest; this list shall support both volume level and folder level inside the guest.

6.35 The solution shall support backup image offsite replication and run automatic verification to ensure the replicated copy is valid. Verification includes a boot-up heartbeat test, network ping test, application level testing, customized script testing and VM disk CRC checksum testing. A report of the test result will be sent to the admin's email automatically. This verification shall run within an isolated environment requiring no manual configuration of the virtual environment (such as vCenter/ESXi, SCVMM / Hyper-V host); all settings shall be done within the backup software console without any script, command or manual tasks.

6.36 The solution shall integrate with specified service provider to perform backup to cloud capability to achieve offsite purpose.

6.37 The solution shall integrate with the VMware vSphere Web Client, allowing the admin to manage backup / restore jobs, monitor backup status, check unprotected VMs and simplify capacity planning, with all these tasks done in the vSphere Web Client.

6.38 The solution shall support VMware vCloud vApp and VM metadata and attributes backup, support vApps and VM restore to vCloud environment directly, also support fast-provisioned VM.

6.39 The solution shall support direct backup from storage via FC, iSCSI and NFS without going through the network.

6.40 The solution shall support PowerShell commands and provide a RESTful API, so that all tasks can be automated to simplify the admin's job.

6.41 The solution shall support AES 256-bit encryption of backup images, network traffic and tape without any impact on the deduplication ratio or WAN acceleration.

6.42 The solution shall have native integration with HPE StoreOnce, EMC Data Domain and ExaGrid without any agent installed, to speed up backup performance.

6.43 The solution shall support generation of separate backup files for multiple VMs within one backup policy, which means each VM will generate its own separate backup file in order to speed up performance.

6.44 The solution shall support storage I/O latency setting to ensure the backup / replication job will not have impact on production storage.

6.45 The solution shall support Oracle VM application-consistent backup and restore without any agent or script. No Oracle RMAN command or script is required.

6.46 The solution shall support SQL and Oracle transaction log backup, archived log management and transaction-level recovery of databases back to the original or new server. Transaction log backup (will not trigger snapshot backup) interval support up to 5 mins, which means the max data loss is up to 5 mins.

6.47 The solution shall support Windows 2016, Nano server 2016, Hyperv server 2016, ReFS 3.0 file system, Exchange 2016, Sharepoint 2016, Active Directory 2016, SQL 2016, Storage Space Direct, Powershell direct.

6.48 The solution shall support leveraging Windows 2016 ReFS 3.0 as the backup disk pool, integrated with ReFS 3.0 to support virtual synthetic full backup, which means no data movement, just a pointer update, completes the synthetic full backup job automatically.

6.49 The solution shall support cross-site replication, failover, failback and test failover features for production VMs.

6.50 The solution shall support replication from the production VM or backup copy to the DR site as a replica.

6.51 The solution shall support hardware independent replication and near-CDP replication (continuous replication).

6.52 The solution shall support Instant Recovery of VMs on both VMware and Microsoft Hyper-V environments through the native GUI interface; no plug-in, script or command is required. This action skips the restore process so that the recovery time is minutes instead of hours.

6.53 The solution shall support restoring a VM to its original location or a different location.

6.54 The solution shall support multiple OSs, such as Windows, Linux, FreeBSD, Mac, Novell and Unix OS, with single file restore without any agent assistance.

6.55 The solution shall support multiple file systems, such as NTFS, ReFS 2.0, ReFS 3.0, FAT, FAT32, ext2, ext3, ext4, ReiserFS, JFS, XFS, Btrfs, UFS, UFS2, HFS, HFS+, ZFS … for single file restore without any agent assistance.

6.56 The solution shall support recovery directly from storage hardware snapshots, such as EMC VNX/VNXe, HPE 3PAR StoreServ, StoreVirtual, StoreVirtual VSA, NetApp FAS, FlexArray, E series, IBM N series and Nimble storage, even if there is no backup copy. Restore scenarios include single file restore and instant recovery of VMs.

6.57 The solution shall support single application item level restore, such as user account attributes, on Active Directory without any agent assistance.

6.58 The solution shall support single application item level restore on SQL, such as SQL instance, SQL transaction and schema level restore, without any agent assistance.

6.59 The solution shall support single application item level restore, such as transaction level, on Oracle without any agent assist or RMAN command.

6.60 The solution shall support self-service portal to restore guest files and VMs with a single click through a web UI, restore missing mailbox items back to the original mailbox with a single click through a web UI and restore individual databases back to the original server, or a new SQL server, with a single click through a web UI.

6.61 The solution shall support automatic verification from the backup image copy, including a heartbeat test, network ping test, application level test (SQL, Mail, AD, etc.) and customized script test. This verification shall run within an isolated environment requiring no manual configuration of the virtual environment (such as vCenter/ESXi, SCVMM / Hyper-V host); all settings shall be done within the backup software console without any script, command or manual tasks.

6.62 The solution shall support automatic verification from the replica copy, including a heartbeat test, network ping test, application level test (SQL, Mail, AD, etc.) and customized script test. This verification shall run within an isolated environment requiring no manual configuration of the virtual environment (such as vCenter/ESXi, SCVMM / Hyper-V host); all settings shall be done within the backup software console without any script, command or manual tasks.

6.63 The solution shall support leveraging the backup image copy to provision a UAT / testing environment without additional storage capacity; this is an isolated environment for patch testing, application testing or drill test purposes. This shall run within an isolated environment requiring no manual configuration of the virtual environment (such as vCenter/ESXi, SCVMM / Hyper-V host); all settings shall be done within the backup software console without any script, command or manual tasks.

6.64 It shall have a tape library at the production datacenter and at the DR datacenter for backup purposes.

6.65 The solution shall include the virtualized spaces at the storage.

6.66 The solution shall be backed up to disk and then to the tape library.

6.67 The offered device shall be offered with a minimum of 48TB of raw space, scalable to at least 280TB raw space.

6.68 The offered device shall have separate dedicated drives for the operating system of the appliance, which shall not participate in data backup.

6.69 The offered device shall support emulation of both VTL and NAS targets such as CIFS.

6.70 The offered device shall have the ability to configure at least a combination of 30 tape libraries and NAS targets along with 30,000 or more cartridge slots in a single appliance.

6.71 The offered device shall have the capability to deliver selective restore from the disk library itself.

6.72 The offered device shall integrate with and utilize the customer's current tape backup infrastructure in the following aspects:
a. Compatibility with the existing backup server / media servers at the customer.
b. Compatibility with the existing tape library and tape drives.
c. Compatibility with the existing backup software.

6.73 The offered device shall have an integrated de-duplication license and shall have optional support for replication to a remote location in low-bandwidth mode, so that only unique (non-duplicated) data flows to the remote location.

6.74 The offered device shall support source-based de-duplication (at client application level, backup server level and media server level) so that only unique (non-duplicated) data is copied to the offered device.

6.75 The offered device shall support receiving non-duplicated data from remote locations or branch offices directly from the application servers / client servers in low-bandwidth mode, without using any backup or replication device at the remote location / branch office.

6.76 Ability to flexibly emulate tape drive / tape formats LTO-Gen4, LTO-Gen5, LTO-Gen6, etc.

6.77 The offered device shall have a minimum of 4 x 10Gbps IP, 4 x 8Gbps FC and a minimum of 4 x 1Gbps IP connections.

6.78 The offered disk-based backup device shall also support encryption functionality.

6.79 The offered disk-based backup appliance shall have the flexibility to enable or disable de-duplication for a given virtual tape library or CIFS share.

6.80 The offered disk-based backup appliance shall support VLAN tagging. The offered IP ports shall also support port bonding in adaptive load balancing as well as in active-backup mode.

6.81 When fully populated, the offered device shall support a rated write performance of more than 12TB per hour in native mode.

6.82 The solution shall reserve disk space in the storage system if extra virtualized OS instances are needed.

6.83 The solution shall separate the database role and application role into different VMs.

6.84 The solution shall be fully developed such that the backup unsuccessful rate is < 5% after production launch.

6.85 The solution shall support the proposed infrastructure and the proposed virtualization backup.

6.86 For short-term data retention, a daily snapshot of all user data will be stored to backup media. The daily snapshot is a differential incremental backup. A full backup is done on a weekly basis. We will keep a total of 31 snapshot versions (i.e. for 31 days). The physical backup media can be recycled on a monthly basis.

6.87 For long-term data retention, a monthly snapshot of all user data will be stored to backup media. The monthly snapshot is a full backup. We will keep a total of 84 snapshot versions (i.e. for 7 years).

6.88 The service provider has to provision sufficient physical backup media for the first year.

6.89 Current backup program: Veeam Backup & Replication Enterprise Plus
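As an added worked example (not from the tender, the Authority or Veeam), the following Python models the retention scheme of 6.86 to 6.88: a weekly full plus daily differentials kept for 31 versions, a monthly full kept for 84 versions, a restore-chain check that shows which of the oldest retained differentials have already lost their weekly full, and a first-year job count as sizing input for media provisioning. The Sunday full, the first-of-month monthly full and the 2018 dates are constructed assumptions, not values from the requirements.

```python
"""Model of the backup retention scheme in requirements 6.86-6.88 (added example).

Assumptions not stated in the requirements: the weekly full runs on Sunday, the monthly
full is taken on the 1st of each month, and the sample dates are constructed.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta

DAILY_VERSIONS = 31        # 6.86: keep 31 daily snapshot versions (31 days)
MONTHLY_VERSIONS = 84      # 6.87: keep 84 monthly full snapshots (7 years)
WEEKLY_FULL_WEEKDAY = 6    # assumption: weekly full on Sunday (date.weekday() == 6)
MONTHLY_FULL_DAY = 1       # assumption: monthly full on the 1st of the month


@dataclass(frozen=True, order=True)
class Snapshot:
    day: date
    kind: str  # "full" (weekly), "differential" (daily) or "monthly-full"


def daily_kind(day: date) -> str:
    """6.86: a full backup once a week, a differential incremental on the other days."""
    return "full" if day.weekday() == WEEKLY_FULL_WEEKDAY else "differential"


def schedule(start: date, end: date) -> list[Snapshot]:
    """Every snapshot the scheme produces from start to end inclusive."""
    out: list[Snapshot] = []
    day = start
    while day <= end:
        out.append(Snapshot(day, daily_kind(day)))
        if day.day == MONTHLY_FULL_DAY:
            out.append(Snapshot(day, "monthly-full"))  # 6.87 long-term copy
        day += timedelta(days=1)
    return out


def retained(snapshots: list[Snapshot], today: date) -> list[Snapshot]:
    """Apply retention as of 'today': newest 31 daily versions and newest 84 monthly fulls."""
    taken = sorted(s for s in snapshots if s.day <= today)
    daily = [s for s in taken if s.kind != "monthly-full"][-DAILY_VERSIONS:]
    monthly = [s for s in taken if s.kind == "monthly-full"][-MONTHLY_VERSIONS:]
    return daily + monthly


def restore_chain(retained_set: list[Snapshot], target: date) -> list[Snapshot]:
    """Media needed to restore the short-term copy of 'target': the weekly full it depends
    on, then the differential of that day. Raises LookupError when the chain is incomplete,
    which happens for the oldest differentials once their weekly full has been recycled."""
    daily = {s.day: s for s in retained_set if s.kind != "monthly-full"}
    if target not in daily:
        raise LookupError(f"no daily snapshot retained for {target}")
    if daily[target].kind == "full":
        return [daily[target]]
    # Walk back to the most recent weekly full at or before the target day.
    full_day = target - timedelta(days=(target.weekday() - WEEKLY_FULL_WEEKDAY) % 7)
    if full_day not in daily:
        raise LookupError(f"weekly full of {full_day} needed for {target} was already recycled")
    return [daily[full_day], daily[target]]


def orphaned_differentials(retained_set: list[Snapshot]) -> list[date]:
    """Retained differentials whose weekly full is gone: a restore test fails for these days."""
    orphans: list[date] = []
    for s in retained_set:
        if s.kind == "differential":
            try:
                restore_chain(retained_set, s.day)
            except LookupError:
                orphans.append(s.day)
    return orphans


def first_year_job_counts(go_live: date) -> Counter[str]:
    """6.88 sizing input: how many backup jobs of each kind the first production year produces."""
    year = schedule(go_live, go_live + timedelta(days=364))
    return Counter(s.kind for s in year)


if __name__ == "__main__":
    plan = schedule(date(2018, 1, 1), date(2018, 12, 31))  # constructed sample year
    kept = retained(plan, date(2018, 3, 1))
    print(len(kept), "snapshots retained;", orphaned_differentials(kept), "cannot be restored")
    print(first_year_job_counts(date(2018, 1, 1)))
```

The orphan check is the condition the automatic verification in 6.61 should surface: a retained differential whose weekly full has been recycled is counted as a version but cannot actually be restored.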

7. Network Requirements:

7.1 The tenderer shall prepare enough stack cables to connect all layers of switches to the current core layer network switches.

7.2 The tenderer shall prepare access layer switches at the production / DR datacenter of a model compatible with the current switches.

7.3 Current core layer switch at production and DR datacenter: Cisco 4650

7.4 Current internal access layer switch at production and DR datacenter: Cisco 3650

7.5 Current DMZ access layer switch at production and DR datacenter: Cisco 3650

7.6 Current core layer switch details:
Catalyst 4500-X 40 Port 10G Ent. Services, Frt-to-Bk, No P/S
Catalyst 4500X 750W AC front to back cooling 2nd PWR supply
Catalyst 4500X 750W AC front to back cooling power supply
BS-1363 to IEC-C15 8ft UK X 2
CAT4500-X Universal Crypto Image
IP Base to Ent. Services license for 32 Port Catalyst 4500-X
Console Cable 6ft with RJ-45-to-RJ-45
Catalyst 4500X 8 Port 10G Network Module

7.7 Current access layer switch details for DMZ and internal zone:
Cisco Catalyst 3650 24 Port Data 4x1G Uplink LAN Base
250W AC Config 2 Power Supply
250W AC Config 2 Secondary Power Supply
Cisco Catalyst 3650 Stack Module
Cisco Catalyst 3650 Stack Module X 2
Type 2 Stacking Cable

8. Account Management Requirements:

8.1 The proposed solution shall include a Privileged Account Security (PAS) solution with Session Recording and account access control with password.

8.2 The proposed solution shall include design, supply, delivery, installation, testing, commissioning and maintenance.

8.3 The proposed solution shall provide the proposed architecture with Primary and Disaster Recovery at two different sites.

8.4 The proposed solution shall ensure interoperability with the existing infrastructure, network, systems and applications including their future upgrades.

8.5 The proposal shall include the following scope of work.

8.6 The proposed solution shall include the latest version of the software with media kit.

8.7 The proposed solution shall include 25 user licenses, 5 concurrent recording sessions, management of 500 passwords, unlimited installation of the web portal, unlimited installation of the session management module, and all required hardware for the primary site and disaster recovery site.

8.8 The proposed solution shall secure and manage privileged password and session of systems and applications effectively.

8.9 The proposed solution shall support the ability to manage passwords and perform session recording for the privileged accounts on the following platforms:
a. Windows (local and domain)
b. Linux
c. Solaris
d. Databases (session management and recording through the preferred database client; please indicate the supported clients)
e. Network devices via SSH and Telnet
f. AS/400 (iSeries)
g. zSeries (OS/390)
h. Mainframe (Access Control Software)
i. Virtual servers (e.g. VMware, Oracle VM, etc.)
j. Client-server based applications, i.e. SAP, Checkpoint Smart Dashboard, etc.
k. Support any SSH devices
l. Support any ODBC devices

8.10 The proposed solution shall support target accounts organized by both policies and password safes.

8.11 The proposed solution shall automatically detect new Windows desktop and laptop devices, Windows services, scheduled tasks, IIS service accounts, etc., provision them to the product and automatically enforce the right password policy on these newly managed devices.

8.12 The proposed solution shall also automatically discover privileged accounts in a Windows Active Directory environment using a simple and intuitive web-based wizard and, following a review of the results, allow automatic provisioning of these accounts for password management.

8.13 The proposed solution shall be able to automatically detect new hypervisors, guest machines in a dynamic virtualized environment, provision them to the product and automatically enforce the right password policy on these new managed devices.

8.14 The proposed solution shall provide a multi-tier architecture where the database and application levels are separated.

8.15 The proposed solution shall support high redundancy or a DR architecture even when deployed on different network segments or locations.

8.16 The proposed system should use a built-in database with no DBA, to prevent direct access to the objects inside the vault.

8.17 The proposed solution shall have the ability to support multiple mirrored systems at offsite Disaster Recovery Facilities across different DataCenter locations.

8.18 The proposed solution shall allow ease of recovery should any fault occur; DR activation shall be as seamless as possible, with minimum disruption to day-to-day operations.

8.19 The proposed solution shall have built-in options for backup or integration with existing backup solutions.

8.20 The proposed solution backup shall be encrypted with strong security controls. Restoration of the backup data to the proposed solution shall be protected with strong authentication.

8.21 The proposed solution shall handle loss of connectivity to the centralized password management solution automatically.

8.22 The proposed solution shall not require any network topology changes in order to ensure all privileged sessions are controlled by the solution. It shall support a distributed network architecture where different segments need to be supported from a central location.

8.23 The proposed solution should use built-in FIPS 140-2 validated cryptography for all data encryption. Communication between system components, including components residing on the same server should be encrypted.

8.24 The proposed solution shall provide fully encrypted backups where the backup keys are self-managed and securely stored by the system.

8.25 The proposed solution main password storage repository should be highly secured (built-in firewall, hardened machine, limited and controlled remote access etc.) where the super administrator user should not be accessible via web interface / remote client.

8.26 The proposed solution shall provide secure and tamper-proof storage for audit records, policies, entitlements, privileged credentials, recordings, etc. Each password container and password object stored in the password safes in the solution shall be encrypted with unique encryption keys. Access to the super administrator account (for recovery and full access) of the system should be allowed only locally from the application server where the database and the secured passwords and recordings are stored.

8.27 Administrative configuration of the proposed solution (e.g. configuration of the user matrix) shall be accessible via a separate client, where client access is controlled by IP address.

8.28 The proposed solution shall provide segregation of duties: the administrator user cannot view the data (passwords) that are controlled by other teams / working groups (UNIX, Oracle, etc.). If external identity stores are used, the proposed solution should perform reconciliation to ensure synchronization, e.g. when a user is added/removed from the directory, it is automatically provisioned/de-provisioned in the solution.

8.29 The proposed solution shall support integration with the Hardware Security Module (HSM) devices to store the encryption keys.

8.30 The proposed solution shall provide several authentication options for logging on to the system such as local database, Windows, PKI, RADIUS, RSA SecurID, Oracle SSO, and LDAP.

8.31 The proposed solution shall have ability to provide detailed auditing information regarding any privileged access related activities.

8.32 The proposed solution shall preferably provide a tool to discover where the privileged accounts exist, assess privileged account risks, and identify all privileged passwords / SSH keys / password hashes.

8.33 The proposed solution shall provide ease of policy management, such as allowing a single baseline security policy across all systems, applications and devices (e.g. one single update to enforce the baseline policy), and the ability to create exception policies for selected systems, applications and devices.

8.34 The proposed solution shall provide parameter-driven password change options, for example the ability to set password options every x days, months or years and compliance options via the use of a single master policy, and the ability to change passwords at one time for single, group or all systems based on specific criteria.

8.35 The proposed solution shall support changing a password or group of passwords via a single master policy:
a. According to a policy (every x days or 'on-demand').
b. Manually by a user.
c. Automatically, when a password is not synchronized (verification failure).
d. The proposed solution should set target account passwords to a random value when changing them.
e. Ability to change target account passwords manually by an administrator at any time.
f. Ability to automatically "check-out" after a specific time and "check-in" within a specified time.

8.36 The proposed solution shall support password verification: automatically verify the password value against its target system, auto-notify on 'out of sync' passwords, and report on all 'out of sync' passwords.

8.37 The proposed solution shall support password reconciliation: automatically reconcile passwords that are detected 'out of sync' or lost without using external restore utilities, with the ability to reconcile the passwords on selected, multiple or all systems, and the ability to reconcile passwords manually, upon demand.

8.38 The proposed solution shall support password policies:
a. Ability to set a minimum password length and complexity for super-user accounts across all systems in a single master policy.
b. Ability to maintain password history, e.g. the last three passwords or by timeframe, and provide easy access to them through the product web interface.
c. Ability to manage super-user accounts that have been renamed from the default name.
d. Ability to enforce the password policy when manually changing accounts as well as when the system randomly changes the password.
e. Ability to enforce x last unique passwords (i.e. do not repeat the last x passwords).
f. Ability to provide unique passwords per device.
g. Ability to enforce different policies per line of business when the device type is the same.
h. Ability to enforce unified policies for privileged account management and session monitoring.

8.39 The proposed solution shall have the following password checkout process:
a. Supports multiple LDAP realms for authentication, e.g. Sun One, MS AD.
b. Ability to generate 'one-time' passwords as an optional workflow.
c. Ability to send notifications via email or other delivery methods triggered by any type of activity.
d. Ability to check out a password for a specified time period, e.g. hours and/or days.
e. Ability to send a notification via email to the user requesting the password that checkout is completed.
f. Ability to send a notification via email to the user notifying them of password expiration where a new password has not been assigned (e.g. the password needs to be changed manually).
g. Flexibility that allows exclusivity for password retrieval, or multiple users checking out the same password for the same device in the same time period.

8.40 The proposed solution shall be able to connect to the target systems:
a. Supports transparent connection to the target device, without seeing the password or typing it as part of the connection.
b. Provides the ability to support direct connection to the Windows managed devices.
c. Provides the ability to support direct connection to the Unix / Linux managed devices (SSH).
d. Dynamic support for additional target systems that are not supported out of the box.

8.41 The proposed solution shall have the ability to send email reports for the following:
a. System access
b. System changes
c. Password usage
d. Password requests and approvals

8.42 The proposed solution shall support management of privileged accounts on Windows, UNIX, and Databases, which are configured with IPv6.

8.43 The proposed solution shall support Active Directory (AD) Bridge capability to provide authentication and provisioning for UNIX/Linux users and centrally control access to those systems. The support for AD Bridge capability must be agent-less. The AD Bridge must be able to integrate with centralized management and auditing capabilities.

8.44 The proposed solution shall be expandable to support any application or device connection including web applications for monitoring and enabling privileged single sign on.

8.45 The proposed solution shall not require any forms of agent to be deployed on target systems to allow for recording search capability across all platforms.

8.46 The proposed solution shall have keystroke recording across all platforms.

8.47 The proposed solution shall have the capability to search across both text-based and Windows-based recordings by keywords, time, users and target address.

8.48 The proposed solution shall allow reviewing of a recording from the point in time of the searched keyword, for both text-based and Windows-based recordings, instead of playing from the beginning of the recording.

8.49 The proposed solution shall cater for live monitoring of sessions and manual termination of sessions when necessary.

8.50 The proposed solution shall allow a blacklist of SQL commands that will be excluded from audit records during the session recording. All other commands will be included.

8.51 The proposed solution shall enable users to connect securely to remote machines through the session recording tool from their own workstations using all types of accounts, including accounts that are not managed by the privileged account management solution.

8.52 The proposed solution shall allow configuration at platform level to allow selective recording of specific users and groups. In addition, certain users and groups can be excluded from this list.

8.53 The proposed solution shall allow specific commands to be executed for RDP connections (e.g. Start the connection by launching a dedicated program on the target machine without exposing the desktop or any other executables).

8.54 The proposed solution shall support correlated and unified auditing for shared and privileged account management and activity.

8.55 The proposed solution shall support adding custom code in session pre-connection or post-connection phases to perform specific logic before the session starts or ends in order to trigger certain activities and workflows with external systems.

8.56 The proposed system shall support full color and resolution video recording.

8.57 The proposed system shall support video session compression with no impact on video quality.

8.58 The proposed system shall include sufficient licenses if a Microsoft Remote Desktop Host / Terminal Server is needed as part of the implementation, including the CAL licensing required.

8.59 The proposed system shall have central administration within a unified suite (single user interface, central repository).

8.60 The proposed solution shall support both client-based (in the case where a browser is not available) as well as browser-based administration. If a back-end database is used, the solution needs to be fully self-managed and should not require a database administrator (DBA) for production deployment, backup/recovery or database hardening.

8.61 The proposed solution should restrict the solution administrators from accessing or viewing passwords or approving password requests.

8.62 The proposed system shall have ability to provision users via AD or LDAP Directory including ongoing, transparent and automatic provisioning of accounts to reflect changes in the directory.

8.63 The proposed system shall support transparent group / role management using AD Groups or via LDAP Directory for Role Based access control.

8.64 The proposed solution should support bulk operations performed on accounts.

8.65 The proposed solution should be able to assess privileged account security risks and highlight potential pass-the-hash risks.

8.66 The proposed solution should be 100% agentless, including the password storage, password management and session recording features.

8.67 The proposed system shall have the ability to integrate with enterprise authentication methods, e.g. multiple 3rd-party authentication methods including LDAP, Windows SSO, PKI, RADIUS and a built-in authentication mechanism.

8.68 The proposed system shall have the ability to integrate with LDAP/AD directories.

8.69 The proposed system shall have the ability to support querying and controlling access to passwords for nested global groups, including multiple forests, geographical locations, sophisticated LDAP searches and high-performance queries.

8.70 The proposed system shall have the ability to integrate with ticketing systems.

8.71 The proposed system shall have the ability to verify that a valid ticket exists and has the right status before a privileged password is retrieved.

8.72 The proposed system shall have the ability to automatically create a new trouble ticket when a privileged password is retrieved.

8.73 The proposed system shall have the ability to enforce ticketing integration as well as an approval workflow for specific ticket types (e.g. change / incident ticket).

8.74 The proposed system shall have the ability to support dual control: the system should support different configurations of approvals, e.g. the "4-eyes principle", when trying to retrieve a password, including automatic email notification support.

8.75 The proposed solution shall support user requesting the use of a target account for a future date / time.

8.76 The proposed system shall support a workflow approval process that is flexible enough to assign multiple levels of approvers based on product or model (i.e. require 2 or more approvals before access is allowed).

8.77 The proposed system shall support a workflow approval process that requires approvers to be in sequence before final approval is granted.

8.78 The proposed system shall support a workflow approval process that only allows the direct manager of a requester to approve a request based on information from the LDAP server.

8.79 The proposed system shall have the ability to support a split password process, where each half of a password can only be checked out by an authorized requester while the password is stored in full so that it can be changed automatically.

8.80 The proposed system shall have the ability to log workflow processes and/or allow them to be reported or audited.
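As an added illustration (not CyberArk's or any tenderer's code), the following Python models the password retrieval gate that 8.71, 8.73 to 8.78 and 8.80 describe: a ticket check, an approval chain resolved per ticket type with the direct manager taken from a directory lookup, sequential four-eyes approvals, the requested time window of 8.39d and 8.75, and an audit trail of every decision. The ticket store, directory, approver group names and all sample values are constructed stand-ins for the ticketing system and LDAP.

```python
"""Added example: a minimal model of the privileged-password request gate described in
requirements 8.71, 8.73-8.78 and 8.80. The ticket store, directory and account names are
constructed stand-ins for the ticketing system and LDAP, not a real integration."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed stand-in for the ticketing system (8.70 / 8.71).
TICKETS = {
    "CHG-1001": {"type": "change", "status": "approved", "requester": "alice"},
    "INC-2002": {"type": "incident", "status": "closed", "requester": "alice"},
}
# Constructed stand-in for the LDAP directory used to find the direct manager (8.78).
DIRECTORY = {"alice": {"manager": "bob"}, "bob": {"manager": "carol"}, "carol": {"manager": None}}
# 8.73 / 8.76 / 8.77: approval chain per ticket type, in the order approvals must arrive.
# "manager" is resolved from the directory; any other entry is a named approver group (assumption).
APPROVAL_CHAIN = {"change": ["manager", "security-team"], "incident": ["manager"]}
VALID_TICKET_STATUS = {"approved", "in-progress"}  # assumption: statuses that permit retrieval


class PolicyError(Exception):
    """A workflow step violated policy; the reason is also written to the request's audit trail."""


@dataclass
class Request:
    requester: str
    account: str            # e.g. "root@db01" (constructed)
    ticket_id: str
    start: datetime         # 8.75: the request may be for a future date / time
    duration: timedelta     # 8.39d: checkout window
    approvals: list[str] = field(default_factory=list)
    audit: list[str] = field(default_factory=list)  # 8.80: every decision is logged


def _deny(req: Request, reason: str) -> PolicyError:
    req.audit.append(f"denied: {reason}")
    return PolicyError(reason)


def validate_ticket(req: Request) -> dict:
    """8.71: a ticket must exist, be raised by the requester and be in an acceptable status."""
    ticket = TICKETS.get(req.ticket_id)
    if ticket is None:
        raise _deny(req, f"ticket {req.ticket_id} not found")
    if ticket["requester"] != req.requester:
        raise _deny(req, f"ticket {req.ticket_id} was raised by {ticket['requester']}")
    if ticket["status"] not in VALID_TICKET_STATUS:
        raise _deny(req, f"ticket {req.ticket_id} has status {ticket['status']}")
    return ticket


def required_approvers(req: Request) -> list[str]:
    """8.73 / 8.77 / 8.78: ordered approvers for the ticket type, 'manager' taken from the directory."""
    ticket = validate_ticket(req)
    chain: list[str] = []
    for role in APPROVAL_CHAIN[ticket["type"]]:
        if role == "manager":
            manager = DIRECTORY.get(req.requester, {}).get("manager")
            if manager is None:
                raise _deny(req, f"{req.requester} has no manager on record")
            chain.append(manager)
        else:
            chain.append(role)
    return chain


def approve(req: Request, approver: str) -> None:
    """8.74 / 8.77: one approval; it must come from the next approver in sequence, never the requester."""
    if approver == req.requester:
        raise _deny(req, f"{approver} may not approve their own request (4-eyes)")
    expected = required_approvers(req)
    position = len(req.approvals)
    if position >= len(expected) or expected[position] != approver:
        raise _deny(req, f"{approver} is not the next approver (expected {expected[position:position + 1]})")
    req.approvals.append(approver)
    req.audit.append(f"approved by {approver} ({position + 1}/{len(expected)})")


def checkout(req: Request, now: datetime) -> tuple[datetime, datetime]:
    """Release the credential only with the full approval chain and inside the requested window.
    Returns the window so the caller can schedule the automatic check-in (8.39d)."""
    if req.approvals != required_approvers(req):
        raise _deny(req, "approval chain incomplete")
    end = req.start + req.duration
    if not (req.start <= now < end):
        raise _deny(req, f"{now.isoformat()} is outside the window {req.start.isoformat()}..{end.isoformat()}")
    req.audit.append(f"{req.requester} checked out {req.account} at {now.isoformat()}; auto check-in {end.isoformat()}")
    return req.start, end


if __name__ == "__main__":
    req = Request("alice", "root@db01", "CHG-1001", datetime(2018, 6, 1, 9), timedelta(hours=2))
    approve(req, "bob")             # direct manager first (8.78)
    approve(req, "security-team")   # then the second approver in sequence (8.77)
    print(checkout(req, datetime(2018, 6, 1, 10)))
    print("\n".join(req.audit))
```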

8.81 The proposed solution shall allow UNIX users to use their preferred SSH clients while having their sessions recorded, without logging in through the solution's preferred client.

8.82 The proposed system shall map privileged and personal accounts in the organization with a standalone tool.

8.83 The proposed system shall have ability to easily discover and flag accounts that do not adhere to the corporate password policy without having to implement another solution.

8.84 The proposed system shall have ability to list accounts used to login to workstations / servers in the last X days (last quarter for example) without having to implement another solution.

8.85 The proposed system shall have ability to quickly identify all non-built-in local administrator accounts in your environment (flag possible 'backdoor' accounts) without having to implement a privileged account management system.

8.86 The proposed system shall have the ability to quickly identify private and public SSH keys, including orphaned SSH keys, on Unix/Linux machines, extract key-related data and ascertain the status of each key.

8.87 The proposed system shall have Dashboard - for at a glance management of devices, events and password policies. Describe your dashboard capabilities.

8.88 The proposed system shall have the ability to run all reports by frequency, on-demand and schedule them.

8.89 The proposed system shall have an interface to provide detailed and scheduled reporting with the following basic reports:
a. Entitlement
b. User's activities
c. Privileged accounts inventory
d. Applications inventory
e. Compliance

8.90 The proposed system shall support the following report outputs:
a. Formatted Microsoft Excel
b. CSV
c. Output to an external database (MS SQL)
d. Ability to report on all system administrative changes
e. Ability to report on system access
f. Ability to report password checkouts on systems and users requesting passwords
g. Ability to report password lockouts (failed logon attempts)
h. Ability to report on verification of password value
i. Ability to report on password change following the verification process
j. Ability to report on reconciliations on single and multiple systems. Reconciliation is the automatic recovery by the system when a password has been (mistakenly) changed on the target device but not synchronized with the solution.
k. Ability to report on passwords that mismatch their policy
l. Ability to report by system id or device type within a policy
m. Ability to report on password status
n. Reports should be customizable

8.91 Audit data of the system can be exported for use with, e.g., Crystal Reports. Reports shall be automatically distributed by email. Access to audit reports (and report configuration) shall be restricted to "auditor" end-users.

8.92 The solution shall include the virtualized spaces at the storage.

8.93 The solution shall reserve disk space in the storage system if extra virtualized OS instances are needed.

8.94 The solution shall separate the database role and application role into different VMs.

8.95 The solution shall require high resilience at the production datacenter, and a single node at the DR datacenter.

8.96 The proposed system shall have the ability to replay actual session recordings for forensic analysis.

8.97 It shall include enough licenses to manage all servers, switches and all other equipment.

8.98 Current password and monitoring system: CyberArk

8.99 Current account and management system:
CyberArk Privileged Identity Management (PIM)
Enterprise Password Vault Licenses Package
PAS Package Additional Users
Enterprise DR / HA Package
PSM concurrent session licenses - per PSM Server
Included:
Enough user licenses
Enough Password Management and SSH up to 200 nodes
Enough PSM concurrent sessions

9. Antivirus and Advanced Threat Protection (ATP):

9.1 It shall verify and control the legitimacy and authorization of peripherals used at work, i.e. control USB access, etc. (It shall include production for testing purposes.) The total number of licenses shall include PC licenses as well as licenses for servers. It shall also protect against USB-borne viruses and malware, be widely recognized in the market and have a low impact on the performance of the PC or servers. The protection shall cover 32-bit and 64-bit OSes.

9.2 Virus signature updates and their schedule shall be performed regularly and configured centrally.

9.3 The virus definitions shall be distributed centrally by the management console rather than downloaded from the internet.

9.4 The anti-virus software shall have functions to detect and block viruses and malicious software.

9.5 Virus signature update records shall be reviewed to detect any failures in the signature update, and the results shall be reviewed for abnormalities and followed up to remove any detected virus and malicious software. The administration control panel shall be able to summarize this information and send the report through email automatically.

9.6 Non-Admin Users shall not have right to disable the anti-virus agent in the workstations.

9.7 The management console of the Endpoint Protection shall be another standalone / separate server with required software licenses. Please work with software license vendor.

9.8 Provide any software maintenance fees / annual subscription for the coming years.

9.9 The management console shall support a virtualized environment.

9.10 ATP - Endpoint protection shall leverage existing Endpoint Protection installations and require no new endpoint agents.

9.11 ATP - Endpoint protection shall cover email, for complete cross-control-point visibility and remediation of advanced attacks.

9.12 ATP - Endpoint protection shall deploy endpoint security via on-premise appliances with endpoint agent software to monitor corporate and remote endpoints.

9.13 ATP - Endpoint protection shall extend protection against advanced threats with Dynamic Threat Intelligence (DTI) from the core network to endpoints.

9.14 ATP - Endpoint protection shall search for, detect, identify and contain threats on tens of thousands of endpoints (connected or not) in minutes.

9.15 ATP - Endpoint protection shall allow all endpoint activities to be easily assessed from a single interface, to identify exploits, analyze them and make containment or response decisions.

9.16 ATP - Endpoint protection shall respond rapidly to known and unknown threats with critical contextual information.

9.17 ATP - Endpoint protection shall contain threats and compromised devices with a single click while still allowing remote investigation.

9.18 ATP - Endpoint protection shall support multiple DMZ deployments and extend threat intelligence to every endpoint.

9.19 ATP - Endpoint protection shall detect hidden endpoint exploit processes.

9.20 ATP - Endpoint protection shall, after a threat has been validated, allow us to determine which vectors an attack used to infiltrate an endpoint; whether an attack occurred (and persists) on a specific endpoint; whether lateral spread occurred and to which endpoints; how long an endpoint (or endpoints) has been compromised; and, if IP has been exfiltrated, which endpoints and systems to contain to prevent further compromise.

9.21 ATP - Network protection shall take less than an hour to install Advanced Threat Protection: Network and start uncovering attacks.

9.22 ATP - Network protection shall correlate across events from existing installations of Endpoint Protection and Email Security to greatly reduce the number of incidents that a security analyst needs to examine.

9.23 ATP - Network protection shall send all suspicious files to the new Cynic cloud-based sandboxing and detonation service.

9.24 ATP - Network protection shall be able to use a hardware appliance or a virtual machine (VM).

9.25 ATP - Network protection shall detect advanced, targeted and other evasive attacks with the patented, signature-less engine and rule-based IDA engines.

9.26 ATP - Network protection shall identify common and known attacks with traditional, signature-based IPS technology and intelligence-based detection.

9.27 ATP - Network protection shall improve operational effectiveness with a low false-positive rate and alert categorization.

9.28 ATP - Network protection shall simplify management with low-touch deployment and a high degree of automation.

9.29 ATP - Network protection shall provide deployment flexibility with an all-in-one hardware appliance.

9.30 Provide enough licenses for the ATP platform.

9.31 Provide enough licenses for the antivirus platform for different OSes such as Linux and Microsoft Windows.

9.32 Current antivirus: Symantec AntiVirus

9.33 Current ATP: Symantec Advanced Threat Protection Platform with Endpoint and Network and Email, Initial Hybrid Subscription License with Support (Remark: subscription-basis license)

10. Monitoring System:

10.1 The proposed monitoring system shall support multiple systems, such as Hyper-V, Microsoft Windows, SQL Server and IIS.

10.2 The proposed monitoring system shall monitor the configuration, health and compliance of the latest version of Microsoft Windows Server and of earlier versions.

10.3 The proposed monitoring system shall diagnose and troubleshoot infrastructure, workload, or application issues to maintain reliability and high performance.

10.4 The proposed monitoring system shall monitor physical, virtual and cloud infrastructure and workloads in real-time.

10.5 The proposed monitoring system shall support planning and scheduling of maintenance windows, seamless management pack discovery and finer tuning of alerts.

10.6 The proposed monitoring system shall monitor diverse environments, such as:
a. Monitor the deployment of Nano Servers and associated workloads, such as DNS workloads.
b. Monitor servers, with up to 1000 hosts monitored per management server.
c. Monitor SQL, Exchange, Server OS, DHCP, DNS, NLB, IIS, etc. using new management packs (MP).

10.7 The proposed monitoring system shall monitor live network performance, such as loss and latency, within and across the datacenters and hybrid cloud infrastructure.

10.8 The proposed monitoring system shall provide dashboard views from any browser using the new HTML5 web console.

10.9 The proposed monitoring system shall have the option to plan and schedule maintenance windows for workloads without generating spurious alerts in the OM console.

10.10 The proposed monitoring system shall seamlessly discover, install and update required management packs right from the OM console.

10.11 The proposed monitoring system shall have a rich data analytics dashboard.

10.12 The proposed monitoring system shall utilize new services for audit collection.

10.13 The proposed monitoring system shall visualize data in richer form in OM dashboards.

10.14 The proposed monitoring system shall provide automated discovery of Windows Server machines and monitors key components including health and availability, Windows services, performance data, network resources, and storage resources.

10.15 The proposed monitoring system shall offer extended monitoring capabilities to streamline monitoring across different types of workloads. It helps organizations gain visibility into availability and performance for their business-critical workloads. System Center provides detailed monitoring for both Microsoft and non-Microsoft workloads.

10.16 The proposed monitoring system shall help in monitoring all local activities on the Windows platform.

10.17 The proposed monitoring system shall be implemented on the servers running Microsoft Windows. The monitoring shall include the application, database and IIS levels.

10.18 The proposed monitoring solution is required to be designed and sized for the primary site and the DR site. The tenderer is also required to supply, install, configure and provide comprehensive onsite services for the same over the tenure of the contract.

10.19 The tenderer is required to propose a system activity monitoring solution to ensure protection of all servers of the Authority.

10.20 The proposed monitoring system shall be able to capture all proposed database activities, including from across the network, from local users logged into the server itself, and even from inside the database itself via stored procedures or triggers.

10.21 The proposed monitoring system shall deliver high performance without inducing latency or I/O overhead, and shall not require any kernel changes or reboot.

10.22 The proposed monitoring system shall have support for virtualized environments.

10.23 The proposed monitoring system shall be able to deploy quickly and non-intrusively, utilizing minimal resources.

10.24 The proposed monitoring system shall have the ability to alert via an inbuilt dashboard or any other tools.

10.25 The proposed monitoring system shall have the ability to automatically discover servers on the network, and to locate and identify the servers' versions.

10.26 The solution shall have a single browser-based console for management and reporting.

10.27 The solution shall generate detailed reports, support custom generated reports, and reduce the time and effort of preparing reports for the Authority.

10.28 For monitoring the system activities, an agent shall be deployed on target servers, and there shall be only one agent for monitoring the activities, including local traffic and network traffic.

10.29 Monitoring agents shall have only minimal overhead on the production servers. The CPU utilization on the server shall not increase beyond 5% of the present utilization.

10.30 The application server and database server shall be different servers to improve stability. The monitoring solution does not need high resilience at DR.

10.31 The solution shall include the virtualized space at the storage.

10.32 The solution shall reserve disk space in the storage system if it needs an extra virtualized OS.

10.33 The solution shall separate the database role and application role into different VMs.

10.34 The solution does not require high resilience, and is required only at the production datacenter.

10.35 Prepare enough licenses for Microsoft Windows Servers and SQL Servers even if they are virtual machines, and extra monitoring licenses for SCOM if required.

10.36 Current Microsoft Servers Monitoring System: Microsoft System Center Operations Manager

11. Other Devices Monitoring:

11.1 The monitoring solution shall allow system and network administrators to receive alerts, status, notifications and information relating to the solution, and shall integrate with the current monitoring solution.

11.2 The Monitoring solution shall be able to monitor Routers, Switches, Firewalls, Wireless devices, Servers and Other SNMP-enabled devices.

11.3 The solution shall automatically provide real-time, in-depth network performance statistics after discovery / configuration of devices, including but not limited to CPU load, Memory utilization, Interface utilization and packet loss.

11.4 The solution shall show statistics like interface bandwidth, current traffic in bps, total bytes received / transmitted etc.

11.5 The solution shall be able to discover and troubleshoot network paths hop-by-hop for both on premises and cloud environment for specific TCP connections.

11.6 The solution shall display information, including alerting, for major routing protocols (BGP, OSPF, RIP, EIGRP), with options to view and search routing tables including VRFs, changes in default routes and flapping routes, router topology and neighbor statuses.

11.7 The solution shall help with monitoring of and alerting on multicast traffic information, including topology information, multicast information, route information, multicast errors, etc.

11.8 The solution shall display device status and interface status by different colors to represent warning and critical status.

11.9 The solution shall monitor hardware health for popular vendors like Cisco, DELL, F5, Juniper, HP etc. and should allow alerting and reporting on hardware health monitoring.

11.10 The solution shall show both real-time details and historical details in form of charts with option to choose the time periods.

11.11 The solution shall be able to discover and monitor both IPv4 and IPv6 devices.

11.12 The solution shall have options to poll using SNMP v1, v2c and v3 and WMI.

11.13 The solution shall have options to configure polling intervals as needed.

11.14 The solution shall have options to specify data retention periods.

11.15 The solution shall have the option to determine device availability using SNMP only.

11.16 The solution shall be able to discover devices in the network with SNMP and ICMP capabilities automatically, on input of IP address ranges, subnets, individual IP addresses and Active Directory.

11.17 The solution shall allow interface filtering on discovery results to exclude virtual interfaces and access ports and select interfaces based on pattern matching.

11.18 The solution shall have the option to automate and schedule the discovery process.

11.19 The solution shall be able to automatically import discovered devices.

11.20 The solution shall prompt in the web console on discovery of new devices in the network.

11.21 The solution shall use discovered information for creating topology maps.

11.22 The solution shall provide a high-quality graphical user interface with asynchronous view refreshing.

11.23 This web console shall be accessible centrally or remotely.

11.24 The web console shall allow multiple users to log in at the same time.

11.25 The solution shall have load-balancing options available if too many users log in at the same time.

11.26 The solution shall allow customization by having options to add / remove sections in web pages as necessary.

11.27 The solution shall provide a unified view of alerts, traps, events and syslog messages in a single page.

11.28 The solution shall give a single unified view of multicast information, route information and device information for a device.

11.29 The solution shall quickly highlight devices with issues, based on different properties like response time, CPU load, memory usage, high interface usage, etc.

11.30 The solution shall allow creation of custom dashboards and restrict views for users based on devices or interfaces, i.e. it should have role-based access.

11.31 The solution shall log user actions and events in the web console for audit purposes, and they should be available for alerting and reporting.

11.32 The solution shall allow interactive charting for node, interface and volume charts, etc.

11.33 The solution shall provide a dynamic dashboard that allows in-depth visibility and correlates disparate historical data points across different parts of the infrastructure.

11.34 The solution shall allow export of any web page in the console to PDF format.

11.35 The solution shall integrate with Active Directory for user login purposes.

11.36 The solution shall be easy to use and intuitive, with drill-down features.

11.37 The solution shall provide current and historical out-of-the-box reports for the various statistics monitored.

11.38 The solution shall be able to generate / create reports via the web console.

11.39 The solution shall be able to generate statistical reports that can be used as reference for future planning or troubleshooting.

11.40 The solution shall allow customization of reports by adding / removing columns, setting filters, specifying timeframes, grouping columns, etc.

11.41 The solution shall allow advanced customization by providing options to enter custom queries to query the database directly.

11.42 The solution shall have options to save the customized reports permanently and have them accessible in the web console.

11.43 The solution shall allow reports to be sent out on schedule as daily, weekly or monthly reports.

11.44 The solution shall allow emailing of dashboards created in the web console.

11.45 The solution shall be able to configure both charts and tables into a single report.

11.46 The solution shall have options to import / export reports created by other users.

11.47 The solution shall support multiple formats such as PDF, HTML and CSV.

11.48 The solution shall be able to manage and display events / alerts in the web console.

11.49 The alerts and events information shall be logged into the database for future reference.

11.50 The alerting mechanism shall allow complex conditions and condition groups to be specified for narrowing down the alert condition.

11.51 The solution shall allow custom queries to be entered to create rules against the database.

11.52 The solution shall allow creation of new alerts from scratch and customizable threshold limits.

11.53 The solution shall allow creation of alerts based on sustained states.

11.54 The solution shall have various actions that can be taken, including but not limited to, sending out emails, forwarding SNMP traps, running executables, sending SMS text alerts, playing a sound, emailing a web page, etc.

11.55 The solution shall have support for variables in alert email message to make the content more self-explanatory.

11.56 The solution shall have the ability to dynamically baseline statistics and automatically set Warning and Critical threshold.

11.57 The solution shall allow alert suppression during scheduled maintenance.

11.58 The proposed monitoring solution shall allow grouping of devices by various properties -- by department, by location, by name and by other properties gathered.

11.59 The solution shall also allow adding members to groups on the fly by specifying a property which can dynamically change values, like volumes reaching low free space.

11.60 The solution shall be able to define dependencies and relationships between connected devices and interfaces to avoid false-positive email alerts in case of an outage.

11.61 The solution shall be able to represent the network pictorially and display performance details of devices in real time.

11.62 The solution shall allow customization of background, icons, etc. and should allow multiple network maps to be nested with drill-down capabilities.

11.63 The solution shall be able to display not just the device status on the map but also the status of any other detail obtained through custom MIB polling.

11.64 The solution shall have the capability to display the status of nodes or an aggregated group of nodes over dynamically updated street data.

11.65 The solution shall be able to automatically connect devices by means of topology information gathered during discovery, like Cisco Discovery Protocol or Link Layer Discovery Protocol.

11.66 The solution shall be able to view multicast topology using upstream and downstream device list information.

11.67 The discovered devices shall be detected as those of a specific vendor and categorized automatically.

11.68 The proposed monitoring solution shall allow gathering of custom properties from SNMP-enabled devices by specifying the OID of the properties.

11.69 The solution shall be able to fetch properties from devices without the need to import device MIBs into the MIB database.

11.70 The solution shall be able to get real-time values, charts and also alerts on these custom properties.

11.71 The solution shall have APIs available to programmatically import / export nodes and perform similar functions.
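Requirements 11.53 (alerts on sustained states), 11.56 (thresholds derived from a dynamic baseline) and 11.60 (dependencies between devices to avoid false-positive outage alerts) describe alerting logic rather than a product feature, so the following is an added illustration of how such an engine evaluates polls. It is example code written for this page, not code from the tender, SolarWinds or System Center; the CPU history, the device names and the parent/child topology are constructed, and the mean-plus-k-sigma baseline rule and the three-poll sustain count are assumptions chosen for the example.

```python
"""Added example: baseline thresholds (11.56), sustained-state alerting (11.53)
and dependency-aware outage suppression (11.60). Not from the tender or any product."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample: twelve 1-minute CPU utilisation samples (%) for one node,
# standing in for the historical data a monitoring database would hold.
CPU_HISTORY = [31, 34, 29, 33, 36, 30, 32, 35, 28, 33, 31, 34]

# Constructed topology (child -> upstream parent), as discovery via CDP/LLDP
# (11.65) would populate it. All device names are hypothetical.
PARENT = {
    "sw-floor1": "core-rtr",
    "sw-floor2": "core-rtr",
    "srv-app01": "sw-floor1",
    "srv-db01": "sw-floor1",
}


def baseline_thresholds(samples, warn_sigma=2.0, crit_sigma=3.0):
    """Derive Warning/Critical thresholds as mean + k * standard deviation of the
    baseline, so the limits follow each node's own normal behaviour (11.56)."""
    mu = mean(samples)
    sigma = pstdev(samples)
    return mu + warn_sigma * sigma, mu + crit_sigma * sigma


class SustainedStateAlerter:
    """Promote a node to Warning/Critical only after the condition has held for
    `required_polls` consecutive polls, so a single spike does not page anyone (11.53)."""

    def __init__(self, warn, crit, required_polls=3):
        self.warn = warn
        self.crit = crit
        self.required_polls = required_polls
        self._streak = defaultdict(int)   # node -> consecutive polls at/above Warning
        self.state = {}                   # node -> "ok" | "warning" | "critical"

    def classify(self, value):
        if value >= self.crit:
            return "critical"
        if value >= self.warn:
            return "warning"
        return "ok"

    def observe(self, node, value):
        """Record one poll and return the node's (possibly unchanged) alert state."""
        level = self.classify(value)
        if level == "ok":
            self._streak[node] = 0
            self.state[node] = "ok"
        else:
            self._streak[node] += 1
            if self._streak[node] >= self.required_polls:
                self.state[node] = level
            else:
                # condition not yet sustained: keep the previous state
                self.state.setdefault(node, "ok")
        return self.state[node]


def root_cause_alerts(down_nodes, parent=PARENT):
    """Return only the nodes that should raise an outage alert: a node is
    suppressed when any upstream ancestor is itself down (11.60)."""
    down = set(down_nodes)

    def has_down_ancestor(node):
        ancestor = parent.get(node)
        while ancestor is not None:
            if ancestor in down:
                return True
            ancestor = parent.get(ancestor)
        return False

    return sorted(n for n in down if not has_down_ancestor(n))


if __name__ == "__main__":
    warn, crit = baseline_thresholds(CPU_HISTORY)
    print(f"warning >= {warn:.1f}%, critical >= {crit:.1f}%")
    alerter = SustainedStateAlerter(warn, crit, required_polls=3)
    for sample in (37, 38, 37.5, 45, 20):
        print("srv-app01", sample, "->", alerter.observe("srv-app01", sample))
    print("alert on:", root_cause_alerts(["srv-app01", "srv-db01", "sw-floor1"]))
```

Two design points worth checking when evaluating a tendered product against these clauses: the sustain counter must reset on a healthy poll (otherwise intermittent spikes accumulate into an alert), and the dependency walk must climb the whole ancestor chain, not just the direct parent, or a core outage still floods the console with alerts for every leaf.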

11.72 The solution shall be able to provide Network Response Time (NRT) and Application Response time (ART) for critical applications.

11.73 The solution shall have the ability to create custom HTTP applications.

11.74 The solution shall be able to contextually provide QoE data for nodes in the Node Details subview.

11.75 The solution shall have utilities to view the database and to stop and start application services.

11.76 The solution shall have options to receive, display and alert on syslog messages and traps from devices.

11.77 The solution shall have customized mobile views of the console for administrators' immediate viewing.

11.78 The solution shall be able to monitor individual member switches, power stack and data stack rings in Cisco switch stacks.

11.79 The solution shall be able to report on technologies like Cisco UCS and EnergyWise features.

11.80 The solution shall be able to report on virtualized Cisco Nexus 1000V switches, VSANs, and Fibre Channel switches like Cisco MDS, Brocade and McData devices.

11.81 The solution shall be able to monitor the entire VMware and Hyper-V virtual infrastructure, including Virtual Centers, datacenters and ESX clusters, and automatically track VM performance.

11.82 The solution shall be able to monitor individual components in an F5 BIG-IP load balancing environment.

11.83 The solution shall be able to integrate with modules serving other monitoring purposes and provide a single-pane-of-glass view.

11.84 The solution shall allow integration with third-party applications at the user-interface layer, through message exchanges and through APIs.

11.85 The proposed monitoring solution shall be able to accommodate network growth through the addition of load-balancing applications.

11.86 Load-balancing engines shall handle interruptions in the connection between the engines and the main application.

11.87 The solution shall allow information from multiple instances of the application to be consolidated into a single view.

11.88 The solution shall be deployable within one hour and should not require consultants for deployment, implementation, configuration or customization.

11.89 The solution shall be able to monitor network traffic by capturing flow data from network devices, including Cisco NetFlow v5 or v9, Juniper J-Flow, IPFIX, sFlow, NetStream data and sampled NetFlow data.

11.90 The solution shall identify which users, applications, and protocols are consuming the most bandwidth.

11.91 The solution shall highlight the IP addresses of the top bandwidth consumers on the network and find out unwanted bandwidth usage.

11.92 The solution shall be able to associate traffic coming from different sources with application names.

11.93 The solution shall be able to receive flows from non-SNMP-enabled devices, like VMware vSwitch.
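Requirements 11.89 to 11.92 ask the tenderer's solution to turn exported flow records into an answer to "who, which application and which protocol is using the bandwidth". The block below is an added example of that aggregation, written for this page rather than taken from the tender or from any flow collector; the record layout, the addresses and byte counts, and the port-to-application table are all constructed, and it also buckets traffic into 1-minute intervals, the granularity requested later in 11.100.

```python
"""Added example: aggregating constructed flow records into top talkers by source
address, application and protocol (11.89 to 11.92). Not from the tender or any product."""
from collections import defaultdict
from datetime import datetime

# Constructed flow export, one record per line (a collector's CSV-style dump of
# NetFlow/IPFIX fields): timestamp, src_ip, dst_ip, ip_protocol, src_port, dst_port, bytes
FLOW_RECORDS = """\
2024-01-15T09:00:05Z,10.0.1.25,203.0.113.10,6,54321,443,1500000
2024-01-15T09:00:20Z,10.0.1.25,203.0.113.10,6,54322,443,2500000
2024-01-15T09:00:41Z,10.0.1.40,198.51.100.7,17,40000,53,12000
2024-01-15T09:01:02Z,10.0.1.77,203.0.113.55,6,50001,80,900000
2024-01-15T09:01:15Z,10.0.1.40,203.0.113.99,6,50002,22,300000
2024-01-15T09:01:50Z,10.0.1.77,203.0.113.55,6,50003,80,600000
"""

# Hypothetical port-to-application and protocol-number tables; a product ships a
# far larger mapping and lets operators extend it (11.92).
APP_BY_PORT = {443: "https", 80: "http", 53: "dns", 22: "ssh"}
PROTO_NAME = {1: "icmp", 6: "tcp", 17: "udp"}


def parse_flows(text):
    """Parse the constructed CSV layout into dicts with typed fields."""
    flows = []
    for line in text.strip().splitlines():
        ts, src, dst, proto, sport, dport, nbytes = line.split(",")
        flows.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "src": src, "dst": dst,
            "proto": int(proto), "sport": int(sport), "dport": int(dport),
            "bytes": int(nbytes),
        })
    return flows


def application_of(flow):
    """Map a flow to an application name via its destination port, falling back to
    the source port (server-side flows) and finally to a generic label."""
    for port in (flow["dport"], flow["sport"]):
        if port in APP_BY_PORT:
            return APP_BY_PORT[port]
    return f"port-{flow['dport']}"


def _sum_by(flows, key_fn):
    """Sum bytes per key; returns a plain dict so callers can compare results."""
    totals = defaultdict(int)
    for flow in flows:
        totals[key_fn(flow)] += flow["bytes"]
    return dict(totals)


def top_talkers(flows, n=5):
    """Source addresses ranked by bytes sent, highest first (11.91)."""
    totals = _sum_by(flows, lambda f: f["src"])
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]


def bytes_by_application(flows):
    """Bytes per application name (11.90, 11.92)."""
    return _sum_by(flows, application_of)


def bytes_by_protocol(flows):
    """Bytes per IP protocol name (11.90)."""
    return _sum_by(flows, lambda f: PROTO_NAME.get(f["proto"], str(f["proto"])))


def per_minute_volume(flows):
    """Total bytes per 1-minute bucket, the granularity asked for in 11.100."""
    return _sum_by(flows, lambda f: f["ts"].strftime("%Y-%m-%dT%H:%M"))


if __name__ == "__main__":
    flows = parse_flows(FLOW_RECORDS)
    print("top talkers:", top_talkers(flows, 3))
    print("by application:", bytes_by_application(flows))
    print("by protocol:", bytes_by_protocol(flows))
    print("per minute:", per_minute_volume(flows))
```

Port-based application mapping is only a first approximation; when evaluating a product against 11.92, ask how it classifies traffic on non-standard ports and whether the mapping can be maintained by the Authority's own staff, since a hard-coded table is exactly what unwanted bandwidth use tends to evade.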

11.94 The solution shall monitor Class-Based Quality of Service (CBQoS) to find out if traffic prioritization policies are effective and if business-critical applications have network traffic priority.

11.95 The solution shall also support CBQoS nested policies.

11.96 The solution shall monitor Type of Service (ToS), Differentiated Services Code Point (DSCP) and Per-Hop Behavior (PHB).

11.97 The solution shall monitor BGP information.

11.98 The solution shall show both recent and historical details in the form of charts with the option to choose the time periods.

11.99 The solution shall have options to specify data retention periods to avoid strain on database and server resources.

11.100 The solution shall provide flow analysis with 1-minute granularity and support 60k sustained flows per second.

11.101 The solution shall be able to automatically add flow sources which are already being monitored for performance.

11.102 The solution shall notify of flows coming in from unmanaged devices and / or unmanaged interfaces and allow adding them for monitoring with minimum effort.

11.103 The solution shall provide diverse views categorized by user, application, department, conversation, interface, protocol, type of service and Autonomous System networks.

11.104 The solution shall allow creation of personalized views of network traffic by providing a list of parameters from which filters can be set.

11.105 The solution shall have the ability to save customized filtered views as new links in the web page for easy access later, with options to search for IP ranges / CIDR, etc.

11.106 The solution shall provide a dynamic dashboard that allows in-depth visibility and correlates disparate historical data points across different parts of the infrastructure.

11.107 This web console of the solution shall be accessible centrally or remotely.

11.108 The web console shall allow multiple users to log in at the same time.

11.109 The solution shall have load-balancing options available if too many users log in at the same time.

11.110 The solution shall allow customization by having options to add / remove sections in web pages as necessary.

11.111 The solution shall allow export of any web page in the console to PDF format.

11.112 The solution shall allow creation of custom dashboards and restrict views for users based on devices or interfaces, i.e. it should have role-based access.

11.113 The solution shall integrate with Active Directory for user login purposes.

11.114 The solution shall be easy to use and intuitive, with drill-down features.

11.115 The solution shall provide current and historical out-of-the-box reports for the various statistics monitored.

11.116 The solution shall be able to generate statistical reports that can be used as reference for future planning or troubleshooting.

11.117 The solution shall allow customization of reports by adding / removing columns, setting filters, specifying timeframes, grouping columns, etc.

11.118 The solution shall allow advanced customization by providing options to enter SQL queries to query the database directly.

11.119 The solution shall have options to save the customized reports permanently and have them accessible in web console.

11.120 The solution shall allow reports to be sent out on schedule as daily, weekly or monthly reports.

11.121 The solution shall allow emailing of dashboards created in the web console.

11.122 The solution shall be able to display events and alerts in the web console.

11.123 The alerting mechanism shall allow complex conditions and condition groups to be specified for narrowing down the alert condition.

11.124 The solution shall allow SQL queries to be entered to create rules against the database.

11.125 The solution shall allow creation of new alerts from scratch and customizable threshold limits.

11.126 The solution shall have various actions that can be taken, including but not limited to, sending out emails, forwarding SNMP traps, running executables, sending SMS text alerts, playing a sound, emailing a web page, etc.

11.127 The solution shall have support for variables in the message to make the content more self-explanatory.

11.128 The solution shall allow creating custom IP address groups to categorize flows by geography, department, device type etc.

11.129 The solution shall be able to use these groups while creating customized views of network traffic.

11.130 The solution shall not be vendor-specific and should be able to monitor devices from Cisco, Foundry, Juniper Networks, Extreme Networks, HP, Riverbed, etc.

11.131 The solution shall be able to provide a unified summary view taking into account all the monitored devices from different vendors.

11.132 The solution shall allow gathering of flow information from devices which are not flow-capable when used with third-party flow exporters.

11.133 The solution shall help in locating and isolating infected computers in case of a virus outbreak.

11.134 The solution shall compress data in the database for optimal performance of the application.

11.135 The solution shall ensure database maintenance happens in the background to prevent overwhelming the database with flow traffic data.

11.136 The solution shall allow NetBIOS and DNS resolution of endpoint domain names.

11.137 The solution shall have utilities to view the database and to stop and start its own services.

11.138 The solution shall be able to integrate with modules serving other monitoring purposes and provide a single-pane-of-glass view.

11.139 The solution shall allow information from multiple instances of the application to be consolidated into a single view.

11.140 The solution shall support multiple deployment options -- centralized, distributed and hybrid deployments, with the option of a centralized operations console view.

11.141 The solution shall have options for ensuring high availability of the application, with or without the use of failover products.

11.142 The solution shall be deployable within one hour and should not require consultants for deployment, implementation, configuration or customization.

11.143 The solution shall automatically provide a real-time view of Windows event logs, including the level of the event log entry, the Event ID and the source.

11.144 The solution shall have expert monitoring methods that point out the status and performance of key parameters (like services, queue length in case of Exchange, SQL queries in case of databases etc.) of applications based on best practices.

11.145 The solution shall allow the use of custom scripts with various scripting engine options like VBScript, Perl, PowerShell, etc.

11.146 The solution shall be able to report on hardware details (like CPU, memory, fan state, power etc.) of servers from popular vendors like IBM, HP, DELL and VMware Hosts.

11.147 The solution shall have options to poll using SNMP, WMI and other methods.

11.148 The solution shall display application status and the status of important services by different colors to represent warning and critical status.

11.149 The solution shall show both real-time details and historical details in the form of charts with the option to choose the time periods.

11.150 The solution shall be able to get disk I/O performance metrics for processes and services monitored via WMI.

11.151 The solution shall be able to discover applications on the chosen servers, apply monitoring for them and start reporting statistics within a few minutes.

11.152 The solution shall have the option to find processes through either WMI or SNMP, Performance Counter Monitors, WMI Monitors, VMware Performance Counter Monitors, etc.

11.153 The solution shall have the option to use JMX monitors for monitoring Java-based applications like JBoss, Tomcat, WebLogic, etc.

11.154 The solution shall be able to discover email and directory servers, databases, network services, operating systems, VMware ESX servers, etc. automatically by means of inbuilt monitoring templates.

11.155 The solution shall be able to create and set automatic calculation of Warning and Critical thresholds from baseline data.

11.156 The solution shall have a web console which can be accessed centrally or remotely.

11.157 The web console should allow multiple users to log in at the same time.

11.158 The solution shall have load-balancing options available if too many users log in at the same time.

11.159 The solution shall allow customization by having options to add / remove sections in web pages as necessary.

11.160 The solution shall provide a unified view of alerts, traps, events, etc. in a single page.

11.161 The solution shall quickly highlight applications with issues, based on different properties like down applications, applications with problems, parameters with high CPU or memory usage, etc.

11.162 The solution shall allow creation of custom dashboards and restrict views for users based on applications, i.e. it should have role-based access.

11.163 The solution shall allow interactive charting.

11.164 The solution shall allow export of any web page in the console to PDF format.

11.165 The solution shall integrate with Active Directory for user login purposes.

11.166 The solution shall be easy to use and intuitive, with drill-down features.

11.167 The solution shall have integration options to automatically visualize relevant virtual infrastructure objects such as datastores and storage objects such as LUNs.

11.168 The solution shall provide a dynamic dashboard that allows in-depth visibility and correlates disparate historical data points across different part of the infrastructure.

11.169 The solution shall provide current and historical out-of-the-box reports for various statistics monitored.

11.170 The solution shall be able to generate / create reports via the web console.

11.171 The solution shall be able to generate statistical reports that can be used as reference for future planning or troubleshooting.

11.172 The solution shall allow customization of reports by adding / removing columns, setting filters, specifying timeframes, grouping columns, etc.

11.173 The solution shall allow advanced customization by providing options to enter custom queries to query the database directly.

11.174 The solution shall have options to save the customized reports permanently and have them accessible in the web console.

11.175 The solution shall allow reports to be sent out on schedule as daily, weekly or monthly reports.

11.176 The solution shall allow emailing of dashboards created in the web console.

11.177 The solution shall be able to configure both charts and tables into a single report.

11.178 The solution shall have options to import / export reports created by other users.

11.179 The solution shall be able to manage and display events / alerts in the web console.

11.180 The alerts and events information shall be logged into the database for future reference.

11.181 The solution shall allow custom queries to be entered to create rules against the database.

11.182 The solution shall allow creation of new alerts from scratch and customizable threshold limits.

11.183 The solution shall allow creation of alerts based on sustained states.

11.184 The solution shall have various actions that can be taken, including but not limited to, sending out emails, forwarding SNMP traps, running executables, sending SMS text alerts, playing a sound, emailing a web page, etc.

11.185 The solution shall have support for variables in alert email message to make the content more self-explanatory.

11.186 The solution shall allow grouping of applications by various properties -- by department, by location, by name and by other properties gathered.

11.187 The solution shall also allow adding members to groups’ on-the-fly by specifying a property which can dynamically change values, like volumes reaching low free space.

11.188 The solution shall be able to define relationships between servers and applications to avoid false-positive email alerts in case of outage.

11.189 The solution shall be able to represent the applications pictorially and display performance details of applications in real time.

11.190 The solution shall allow customization of background, icons etc. and should allow multiple maps to be nested with drill-down capabilities.

11.191 The solution shall allow custom scripts to be included to extend application-monitoring capabilities.

11.192 The solution shall be able to get real-time values, charts and alerts on these custom properties.

11.193 The solution shall have utilities to view the database and to stop and start application services.

11.194 The solution shall have customized mobile views of the console for administrators' immediate viewing.

11.195 The solution shall proactively monitor, detect and troubleshoot virtualization capacity bottlenecks.

11.196 The solution shall provide predictive recommendations for CPU, memory and storage resources that make use of historical trends and patterns.

11.197 The solution shall allow reports to be sent out on schedule as daily, weekly or monthly reports.

11.198 The solution shall be installable in either a VMware or Hyper-V environment and should require only one installation to manage a mixed VMware and Hyper-V environment.

11.199 The solution shall have options to save the customized reports permanently and have them accessible in the web console.

11.200 The solution shall allow reports to be sent out on schedule as daily, weekly or monthly reports.

11.201 The solution shall have management reports that show information about the entire environment.

11.202 The solution shall include the virtualized space at the storage.

11.203 The solution shall reserve disk space in the storage system if it needs an extra virtualized OS.

11.204 The solution shall separate the database role and application role into different VMs.

11.205 It shall include enough licenses for monitoring devices.

11.206 The solution does not require high resilience, and is required only at the production datacenter.

11.207 Ensure there are enough licenses for monitoring Linux devices and extra network devices, etc.

11.208 Current Monitoring System: SolarWinds Network Performance Monitor

11.209 Current Monitoring System: SolarWinds Network Performance Monitor SL2000 - License with 1st-year Maintenance, SolarWinds NetFlow Traffic Analyzer Module for SolarWinds Network Performance Monitor SL2000 - License with 1st-year Maintenance

12. Patch Management:

12.1 It shall automate the process of vulnerability identification, patch acquisition and patch deployment scheduling, and the tracking of patch deployment status.

12.2 This system shall also capture hardware, software and user information, which can facilitate centralized control and reporting of software and hardware inventories.

12.3 This system shall support automatic software deployment based on a schedule.

12.4 The offered Patch Management solution shall not have any impact on the Wide Area Network or on the working of applications. Deployment of the desktop management solution on desktops shall not degrade their performance.

12.5 The offered Patch Management Solution shall support centralized and distributed architecture, and support role-based access control.

12.6 The solution shall support deployment on non-domain-based / standalone servers or member servers.

12.7 The offered solution shall support the virtualized environment.

12.8 The Patch Management solution may be agent-based or non-agent-based.

12.9 The offered solution shall have the capability to discover the Assets operational across Insurance Authority locations i.e. Scan the network / Active Directory to produce a full inventory of IT assets, and provide flexible ways to group and classify these assets.

12.10 The Patch Management solution shall not be machine or configuration dependent. The solution shall work smoothly and independently irrespective of configuration and hardware.

12.11 The Patch Management solution shall support a range of applications (Adobe, Mozilla, Real Networks, Apple, Java, etc.).

12.12 The Patch Management solution shall support a dynamic IP environment.

12.13 The Patch Management solution shall support applications working on non-standard ports.

12.14 The Patch Management solution shall support grouping of IPs, IP ranges, network groups, arrangement of assets into groups, etc.

12.15 The solution shall support remote assessment, local checks with credentials, passive assessment, etc.

12.16 The solution shall have the flexibility to change the existing rules or customize rules as per the business requirements of the Authority.

12.17 The solution shall support various reporting formats, i.e. reports can be downloaded easily and / or exported to Excel, PDF, etc.

12.18 The ability to inform users via a customizable pop-up message box prior to installation of a patch / service pack, and a facility to restart the computer after installation, shall be available.

12.19 Ability to allow users to defer installation of a patch / service pack by a period or a number of times, configurable by the administrator.

12.20 The report server shall be able to list all applications installed on a particular PC or group of PCs.

12.21 The report server shall be able to provide a software-auditing report for an individual PC or group of PCs, and a report of a particular software product across a group of PCs.

12.22 It shall be able to integrate with our existing patch management infrastructure (see 12.36), further enhancing the ability to manage PCs, Macs, Unix / Linux servers and mobile devices from a single management console, while building on existing investments and skills.

12.23 It shall collect information about hardware configurations and software installed on managed computers, allowing you to generate reports, organize groups of computers, and more effectively target software deployments.

12.24 It shall simplify administration by deploying software and configuring Windows Firewall settings on computers based upon policies defined by the administrator.

12.25 The Authority envisages the deployment of the Patch Management solution, which shall provide an automated, simplified patching process, and tool that is administered from a centralized browser based console. The tool and process shall provide a unified, near real-time visibility and enforcement to deploy and manage patches to all distributed endpoints regardless of their location, connection type or status.

12.26 The tenderer is required to design and size the patch management solution to cover all endpoints and servers located across the Authority. Currently the Authority will have 50 servers and 300 PCs at the main site, and 50 servers at the DR site, i.e. 400 endpoints in total. The proposed solution shall be sized to meet this requirement; note that 400 is also the single-management-server ceiling stated in 12.33(p), so the proposal should state what headroom the sizing leaves.

12.27 The tenderer is also required to supply, install and configure the solution and to provide comprehensive onsite support.

12.28 The tenderer shall provide onsite resources for monthly patch deployment, including but not limited to monitoring of patch compliance, configuration, reporting, problem remediation, etc.

12.29 The solution shall place the database role and the application server on different servers.

12.30 The solution shall reserve disk space in the storage system if extra virtualized OS instances are needed.

12.31 The solution shall include the virtualized storage space.

12.32 The solution does not need resilience and is only required at the production datacenter.

12.33 The Patch Management solution shall provide the following functionality:

a. Automatically manage patches on endpoints for multiple operating systems and applications, regardless of location, connection type or status.

b. Enable automation to the level of delivering the correct patches to the correct endpoint.

c. Provide visibility into patch compliance with flexible, near real-time monitoring and reporting.

d. Provide near real-time visibility and control from a single management console.

e. Reduce security risk by streamlining and shortening remediation cycles.

f. A Patch Management process and tool to be built with a focus on addressing technical system and software vulnerabilities of the managed assets or endpoints (desktops, laptops, servers).

g. Documenting Standards / Procedures – Including Roles & Responsibilities, classification of critical & non-critical assets.

h. Assessing vulnerabilities of the managed endpoints or assets.

i. Ascertaining the validity (authenticity) of the patch source.

j. Critical patches to have gone through a testing cycle at UAT.

k. Methodology to ascertain whether a patch is required to be applied or not, based on business impact.

l. Documenting timelines for applying patches based on criticality, and adhering to those timelines.

m. Comprehensive patch deployment options and documentation of the same, including identifying vulnerable assets and the method to isolate them until the vulnerability is addressed.

n. Reporting of existing patches applied on the assets and software applications.

o. Shall provide real-time reporting on which patches were deployed, when they were deployed, and who deployed them, as well as automatic confirmation that patches were applied, for a complete closed-loop patching process.

p. A single management server shall support up to 400 endpoints, shortening times for patches with no loss of endpoint functionality.

q. The solution shall be able to quickly create a report showing which endpoints need updates and then distribute those updates to the endpoints within minutes.

r. The solution shall automatically reassess the endpoint status to confirm successful installation and immediately update the management server in real time. Operators shall be able to watch the patch deployment process in real time via a centralized management console and receive installation confirmation within minutes of initiating the patch process.

s. The solution shall provide web-reporting capabilities to allow end users, administrators, executives, management and others to view dashboards and receive up-to-the-minute reports. Dashboards and reports shall indicate which patches were deployed, when they were deployed, who deployed them, and to which endpoints. The dashboards shall also show patch management progress in real time.

t. The solution shall divide database and application servers, it does not need resilience and only required at production datacenter.
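As an added illustration of items (k), (l) and (q) above, the following is a small patch-compliance calculation over a managed inventory. It is not code from the tender or from any patch-management product. The remediation windows per criticality, the halved window for critical assets, the platform names and the inventory itself are assumptions constructed for the example.

```python
"""Patch-compliance report for a managed endpoint inventory.

Added example for 12.33 (k), (l) and (q); this is not code from the tender or
from any patch-management product. The remediation windows per criticality,
the halved window for critical assets, and the inventory below are
assumptions constructed for the illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, FrozenSet, List

# Assumed remediation windows in days from patch release (the tender only
# requires that such timelines be documented and adhered to).
DEADLINE_DAYS = {"Critical": 14, "Important": 30, "Moderate": 60}


@dataclass(frozen=True)
class Patch:
    patch_id: str
    severity: str                  # key of DEADLINE_DAYS
    released: date
    platforms: FrozenSet[str]      # platforms the patch applies to


@dataclass(frozen=True)
class Endpoint:
    hostname: str
    platform: str
    critical_asset: bool           # classification per 12.33 (g)
    installed: FrozenSet[str]      # patch ids already present


# Constructed sample data, not taken from the Authority's environment.
PATCHES = [
    Patch("KB-0001", "Critical", date(2024, 3, 1), frozenset({"windows-server", "windows-pc"})),
    Patch("KB-0002", "Important", date(2024, 3, 1), frozenset({"windows-pc"})),
    Patch("LX-0003", "Critical", date(2024, 3, 10), frozenset({"linux-server"})),
]
ENDPOINTS = [
    Endpoint("LS-APP-01", "windows-server", True, frozenset({"KB-0001"})),
    Endpoint("LS-DB-01", "windows-server", True, frozenset()),
    Endpoint("PC-0042", "windows-pc", False, frozenset({"KB-0001"})),
    Endpoint("LS-LB-01", "linux-server", True, frozenset()),
]


def deadline_for(patch: Patch, endpoint: Endpoint) -> date:
    """Due date for a patch on an endpoint; critical assets get half the window (assumption)."""
    days = DEADLINE_DAYS[patch.severity]
    if endpoint.critical_asset and patch.severity == "Critical":
        days //= 2
    return patch.released + timedelta(days=days)


def missing_patches(endpoints, patches, as_of: str) -> List[Dict]:
    """List every (endpoint, patch) gap with its due date and overdue flag (12.33 q)."""
    today = date.fromisoformat(as_of)
    gaps = []
    for ep in endpoints:
        for p in patches:
            if ep.platform not in p.platforms or p.patch_id in ep.installed:
                continue  # not applicable to this platform, or already applied (12.33 k)
            due = deadline_for(p, ep)
            gaps.append({"host": ep.hostname, "patch": p.patch_id,
                         "severity": p.severity, "due": due.isoformat(),
                         "overdue": today > due})
    return gaps


def compliance_summary(endpoints, patches, as_of: str) -> Dict[str, float]:
    """Aggregate counts for the compliance dashboard (12.33 c, s)."""
    gaps = missing_patches(endpoints, patches, as_of)
    needs_update = {g["host"] for g in gaps}
    overdue = {g["host"] for g in gaps if g["overdue"]}
    total = len(endpoints)
    compliant = total - len(needs_update)
    return {"endpoints": total, "compliant": compliant,
            "needs_update": len(needs_update), "overdue": len(overdue),
            "compliance_pct": round(100.0 * compliant / total, 1) if total else 100.0}


if __name__ == "__main__":
    # Overdue gaps first, so the operator sees what has breached its timeline.
    for g in sorted(missing_patches(ENDPOINTS, PATCHES, "2024-03-20"), key=lambda g: not g["overdue"]):
        print(g)
    print(compliance_summary(ENDPOINTS, PATCHES, "2024-03-20"))
```

The two-level key (severity of the patch, criticality of the asset) is what item (l) asks to be documented; feeding the same inventory in with an earlier `as_of` date shows the same gaps but none overdue, which is the distinction the dashboard in item (s) needs to make.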

12.34 Tenderer shall prepare enough System Center licenses for new VMs or physical machines.

12.35 Tenderer shall prepare patch management software for other OSes.

12.36 Current patch software for the Microsoft platform: Microsoft System Center Configuration Manager.

13. Support Level and installation and Other Information:

13.1 It shall have 7 x 24 x 365 support with a 2-hour response time; hardware replacement time is 4 hours.

13.2 Provide standard documentation including a basic / design installation plan and a User Acceptance Test (UAT) plan in Word / Excel / PDF format.

13.3 Provide standard documentation including a skill transfer manual for the system.

13.4 The tenderers shall include all configuration works for new infrastructure components.

13.5 The tenderers shall include all cabling works if required at the Long Term Office or the Production and DR DataCenter.

13.6 We have an MSDN Enterprise Subscription, i.e. UAT Microsoft licenses can be waived.

13.7 The tenderer shall design the DR Drill Plan and conduct a DR Drill for the application.

13.8 The application design must support real-time synchronization of the data.

13.9 The tenderer shall propose a system with a Recovery Time Objective of 24 hours for the levy data collection function and for the function of collecting payment for outstanding levy owed to the Authority under the Levy System.

13.10 An instantaneous Recovery Time Objective should also be proposed as an option for the function of collecting payment for outstanding levy owed to the Authority, for consideration.

13.11 It shall include all cabling for the servers to connect to current infrastructures. The patching shall comply with TIA-569 standards.

14. Failover testing and load test:

14.1 It shall include failover testing of the application together with the infrastructure for the proposal.

14.2 The recovery time shall be within 24 hours.

14.3 It shall include load testing of the application for the proposal.

14.4 The load test shall simulate full loading of levy transactions by all insurers at one go. The tenderer shall provision the necessary load test tool or simulator, such as LoadRunner.

14.5 It shall conduct a load test with the use of automatic load generation software installed on-site to prove the validity of the sizing estimation under a production-like environment. Selected user functions and the corresponding transaction volumes identified in the tender will be treated as the standard transaction mix for load measurement; test cases will also be set up for the load test.

14.6 The test will start with small-scale testing for rehearsal purposes, and then extend to full-scale testing. The objectives of the load test are to:

a. Identify bottleneck(s) / problem area(s) of the different system components for future improvement / performance tuning.

b. Identify system capability under peak transaction loading.

c. Collect the response times of the business transactions.

d. Review the system's ability to enable smooth end-to-end processing across on-line and batch functions.

e. Measure and compare the daily batch job processing time against the allowable batch window.

15. Application Requirements:

15.1 The design shall support single sign-on with the current Active Directory, with a logout function.

15.2 The design shall support non-repudiation of transaction submission by the submitter through the use of unique client certificates or equivalent means.

15.3 The design shall allow insurers with different accounts to identify their own uploads.

15.4 The design shall allow insurers to upload data through a secure connection.

15.5 The design shall implement an automatic check after data upload from insurers.

15.6 The design shall provide a web-based interface for insurers to upload the levy information.

15.7 The design shall include handling of failed uploads and of levy information uploaded in an incorrect format.

15.8 The interface shall support drag and drop through the most popular web browsers, such as the latest versions of Microsoft Internet Explorer, Google Chrome or Firefox, etc.

15.9 The design shall allow insurers to upload data of up to several hundred megabytes.

15.10 The design shall have a dashboard showing, but not limited to, statistics, upload logs, submission status of insurers, etc.

15.11 It is an instantly updated area showing the major KPIs of levy submission status at a glance, to enable IA key users to monitor the levy submission progress of the insurers.

15.12 The KPIs of levy submission status include, but are not limited to:

- no. of insurers
- submission deadline
- no. of submissions out of total no. of insurers (target vs actual)
- no. of submissions per day
- complete vs incomplete submissions
- repeated submissions
- overdue submissions

15.13 Single sign-on aims to give IA users a seamless authentication experience when they access the Levy System.

15.14 Levy system can allow IA users to gain access to the Levy system by using the MS Windows credentials (i.e. username/password) without prompting for additional username and password.

15.15 IA is using MS Windows Active Directory service with back-end infrastructure of MS Windows server 2016 architecture.

15.16 The application must be able to work in a fully distributed manner to provide high system availability.

15.17 The current state and every change of state of transaction data must be available at all times and must not be reversible by any means; the application must ensure full state synchronicity among all parties to the transaction.

15.18 Transaction data must be hashed using an algorithm of at least SHA3-256 strength.

15.19 The application shall deliver encryption of confidential data, enable SSL/TLS during data exchange, and provide digital signatures with the use of PKI and 3DES technologies to comply with the requirements on content protection. Note that SSL itself is deprecated and "SSL" here is to be read as TLS, and that 3DES is disallowed for encryption by NIST SP 800-131A Rev. 2 after 2023, so the AES option listed in 15.20(c) should be the cipher actually deployed. Furthermore, the system will also use a high-speed, highly rated SSL/TLS accelerator that comes with the load balancers for fast and secure connections to the web and application servers, forming a completely secured system.

15.20 The application shall use a digital certificate for identification, together with a digital signature created with the certificate's private key, which ensures that a transaction is non-repudiable and tamper-evident. The security parameters shall support at least the following standards or higher:

a. LDAP v3 (Lightweight Directory Access Protocol)
b. SHA3-256 or an algorithm of equal strength (hash algorithms)
c. 128-bit or 256-bit AES (encryption algorithms)
d. RSA algorithm (public key algorithms)
e. PKCS #7 (signed-data format) and PKCS #12 (key and certificate file format)
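As an added illustration of 15.17 and 15.18 (not code from the tender or from any bidder), the following keeps transaction state changes in an append-only log whose entries are chained by SHA3-256, so that any in-place reversal or removal of an earlier state change is detectable. The entry layout, the state names and the use of a plain string for the already-authenticated insurer identity are assumptions; the per-entry digital signature that 15.2 and 15.20 require would be applied over `entry_hash` and is not shown here.

```python
"""Tamper-evident, append-only log of levy transaction state changes.

Added illustration for 15.17 and 15.18; it is not code from the tender or from
any bidder. Assumptions not in the tender: each state change is recorded as a
JSON-serialisable entry; entries are chained by SHA3-256 so that altering or
removing any earlier entry is detectable; the submitter identity is the
already-authenticated insurer (here a plain string). The per-entry digital
signature required by 15.2 / 15.20 would be layered on top of entry_hash and
is not shown.
"""
import hashlib
import json
from dataclasses import dataclass
from typing import List, Optional

GENESIS = "0" * 64  # prev_hash of the first entry


def sha3_hex(data: bytes) -> str:
    return hashlib.sha3_256(data).hexdigest()


def canonical(obj) -> bytes:
    # Sorted keys and fixed separators: the same record always serialises identically.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")


@dataclass
class Entry:
    seq: int
    submitter: str
    state: str          # e.g. UPLOADED, VALIDATED, ACCEPTED (assumed state names)
    payload_hash: str   # SHA3-256 of the uploaded levy file
    prev_hash: str      # entry_hash of the previous entry
    entry_hash: str     # SHA3-256 over the canonical body of this entry

    def body(self) -> dict:
        return {"seq": self.seq, "submitter": self.submitter, "state": self.state,
                "payload_hash": self.payload_hash, "prev_hash": self.prev_hash}


class LevyLedger:
    def __init__(self) -> None:
        self.entries: List[Entry] = []

    def head(self) -> str:
        return self.entries[-1].entry_hash if self.entries else GENESIS

    def append(self, submitter: str, state: str, payload: bytes) -> Entry:
        """Record a state change; nothing is ever updated or deleted in place."""
        e = Entry(len(self.entries), submitter, state, sha3_hex(payload), self.head(), "")
        e.entry_hash = sha3_hex(canonical(e.body()))
        self.entries.append(e)
        return e

    def verify(self) -> Optional[int]:
        """None if the chain is intact, else the index of the first inconsistent entry."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e.seq != i or e.prev_hash != prev or sha3_hex(canonical(e.body())) != e.entry_hash:
                return i
            prev = e.entry_hash
        return None

    def current_state(self, submitter: str) -> Optional[str]:
        """Latest recorded state for a submitter, derived only from the log."""
        for e in reversed(self.entries):
            if e.submitter == submitter:
                return e.state
        return None

    def history(self, submitter: str) -> List[str]:
        """Every state the submitter's transaction has passed through, in order."""
        return [e.state for e in self.entries if e.submitter == submitter]


if __name__ == "__main__":
    ledger = LevyLedger()
    levy_file = b"policy_no,premium\nP-1,1000\n"  # constructed sample upload
    ledger.append("insurer-A", "UPLOADED", levy_file)
    ledger.append("insurer-A", "VALIDATED", levy_file)
    print(ledger.history("insurer-A"), ledger.verify())
```

Recomputing `entry_hash` after editing an entry only moves the detection one entry later, because the next entry's `prev_hash` no longer matches. What the chain cannot detect by itself is truncation of its tail, so the value of `head()` should be recorded out of band at regular intervals, for example signed and timestamped under the PKI of 15.20.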

16. Anti-DDOS Requirements:

16.1 The tenderer must ensure that the Levy System is protected against DDOS attack of any types via anti-DDOS tool or service.

16.2 Current Anti-DDOS: CloudFlare Business Plan

17. Privacy Information Assessment (PIA):

17.1 The tenderer must provision a PIA consultant to conduct the PIA.

17.2 The major responsibilities of the tenderer include, but are not limited to, the following:

a. Conduct PIA to ensure that the System is compliant with the requirements under the Personal Data (Privacy) Ordinance (Cap. 486, Laws of Hong Kong) in all aspects. The Tenderer shall review the user requirements and shall be responsible for the following duties:

i. Perform data processing cycle analysis;
ii. Perform privacy risk analysis;
iii. Make recommendations on measures for avoiding or mitigating privacy risks; and
iv. Compile a PIA report.

18. Security Risk Audit Assessment (SRAA):

18.1 The tenderer shall provision a third-party contractor to conduct an SRAA of the Levy System prior to production deployment. All findings reported in the SRAA must be rectified by the tenderer prior to production deployment.

18.2 Security Risk Assessment Report, according to IA standards.

18.3 Presentation on the security risk assessment.

18.4 Security Audit Report, according to IA standards.

18.5 Presentation on the security audit.

18.6 The Security Risk Assessment Report shall include, but not be limited to:

a. Introduction / background information;
b. Assessment scope and objectives;
c. Methods and assessment tools used;
d. Security requirements;
e. Summary of findings and recommendations;
f. The vulnerability test results;
g. Risk assessment results including identified assets, threats, vulnerabilities, impact and likelihood assessment;
h. The risk result analysis;
i. Recommended safeguards with cost / benefit analysis.

18.7 The Security Audit Report shall include, but not be limited to, the following information:

a. Audit scope and objectives;
b. Assumptions and limitations;
c. Methods and auditing tools used;
d. Description of the current environment;
e. Summary of findings;
f. Details of tests and their results and findings;
g. Analysis of test results with rankings or grading;
h. Vulnerabilities revealed;
i. Recommendations and corrective actions based on the problem areas found, e.g. violation of security policy, misconfiguration, well-known and potential vulnerabilities, information leaks, unused services (especially default ones), unused user accounts, etc.

18.8 Follow-up Plan, which shall include, but not be limited to, the following information:

a. Finding No.;
b. Security Area;
c. Risk Level (High, Medium, Low);
d. Finding Details;
e. Recommendations;
f. Planned Completion Date;
g. Status;
h. Actual Completion Date.

19. Infrastructure Schematic Diagrams (i.e. attached separately)

19.1 Proposed Infrastructure Schematic Diagram - Phase I Levy Data Collection

19.2 Proposed Infrastructure Schematic Diagram - Phase II Outstanding Levy Payment Collection

End