Security and Web Application Monitoring
Release Date:
Organization Name
Postal Address
Tel No
Fax No
Date
Company Stamp
Commercial in confidence
Table of Contents
IT/AUGUST 2014/SUPPLY AND IMPLEMENTATION OF A DATABASE AND WEB APPLICATION SECURITY/FIREWALL SOLUTION (RE-TENDER) ... 1
DEFINITIONS ... 4
1.1 INTRODUCTION ... 5
3.4 Ownership ... 20
3.10 Applicable Law ... 22
3.13 Confidentiality ... 24
DEFINITIONS
For purposes of this document, the following definitions shall apply:
The Bank: KCB Ltd
Bid
Supplier
Contract
Warranty
1.1 INTRODUCTION
1.4
No. | Description | Unit | Qty | Unit Cost (USD) | Sub Total Costs (USD) | Taxes (USD) | Grand Total Cost (USD)
Rows 1 to 8 and 10 to 14 (cells marked n/a in the template)
Notes
The total cost above should be inclusive of all taxes and duties (VAT, duties, freight costs and withholding tax).
Company Name:
Contact Person: (primary Supplier contact)
E-mail:
Phone:
Fax:
# | Document Number/Supplier | Date(1) | Section/Paragraph(2) | Question
1
2
3
(1) Question(s) mailing date.
(2) From the KCB Document.
The queries and replies thereto shall then be circulated to all other prospective
bidders (without divulging the name of the bidder raising the queries) in the form
of an addendum, which shall be acknowledged in writing by the prospective
bidders.
Enquiries for clarifications should be sent by e-mail to: [email protected]
1.4.16 Amendment of Bidding Document
At any time prior to the deadline for submission of bids, the Bank, for any reason,
whether at its own initiative or in response to a clarification requested by a
prospective Bidder, may modify the bidding documents by amendment.
All prospective Bidders that have received the bidding documents will be
notified of the amendment in writing, and it will be binding on them. It is
therefore important that bidders give the correct details in the format given on
page 1 at the time of collecting/receiving the RFP document.
To allow prospective Bidders reasonable time to take any amendments into
account in preparing their bids, the Bank may at its sole discretion extend the
deadline for the submission of bids based on the nature of the amendments.
1.4.17 Deadline for Submission of Bids
Bids should be addressed to the Head of Procurement and sent for receipt on or before Friday, 5th September 2014. Any bid received by the Bank after this deadline will be rejected. Those submitting tenders or their representatives may attend the tender opening on the date and at the time of submission.
1.4.18 Responsiveness of Proposals
The responsiveness of the proposals to the requirements of this RFP will be
determined. A responsive proposal is deemed to contain all documents or
information specifically called for in this RFP document. A bid determined not
responsive will be rejected by the Bank and may not subsequently be made
responsive by the Bidder by correction of the non-conforming item(s).
1.4.19 Bid Evaluation and Comparison of Bids
Technical proposals will be evaluated and will form the basis for bid comparison. All tender responses will be evaluated in three phases:
a. Detailed technical evaluation to determine technical compliance and support responsiveness of the vendor
c. Financial evaluation to consider pricing competitiveness and the financial capability of the vendors
Once the bids are opened, bid evaluation will commence.
1.4.19.1 Technical Evaluation
iii. Where the words shall or must are used, they signify a required minimum function or system capacity that will heavily impact the Bidder's final response rating.
iv. Where the words may or desired are used, they signify that the feature or capacity is desirable but not mandatory; therefore, the specifications in question will have minimal impact on the Bidder's final response rating.
The format in which the proposed method of performance is written will be left to the discretion of the Supplier. However, the Supplier should address each specific paragraph and subparagraph of the Specifications by paragraph and page number as an item for discussion. Immediately below these numbers, write descriptions of how, when, by whom, with what, to what degree, why, where, etc., the requirements will be satisfied.
1.4.19.2
After the desktop evaluation as per the RFP response, the prospective supplier may be required to give further detailed proof of the viability of the solution, highlighting the functionality as represented in the RFP. This may include all or part of the following:
Vendor presentations
A solution demo with the actual installed solution
A Proof of Concept installation at the bank's premises in a test scenario, if so required
Site visits to current clients of the supplier who have implemented a similar solution to that put forward in the RFP response
It should be noted that vendors will be progressively evaluated from one stage
to the other. Only shortlisted vendors will progress to the next stage
1.4.19.3 Site visits
In the event that the bank may need to visit a client site, vendors will be notified in writing. The bank may also make surprise unannounced visits to the vendors' offices to verify any information contained in the bid document. All visits are at the discretion of the bank. Vendors may also be called upon to make brief presentations and/or demos of their technical solutions before a panel constituted by the bank.
1.4.19.4
Financial evaluation will concentrate on the Costs inclusive of VAT and other applicable taxes where necessary and Man/Day estimates, where appropriate, broken down as per the table in 1.4.4. Kindly also note the following as regards financial evaluation.
a. Pricing
All bids in response to this RFP should be expressed in USD or KSH. For those
expressed in USD a Kenya Shilling equivalent MUST be given clearly indicating
the exchange rate. Those who do not indicate the Kenya Shilling equivalent
MAY not be considered further for evaluation.
NOTE: Expressions in other currencies shall not be permitted.
The VAT amount must clearly be stipulated and separated from the base costs. The quoted prices should be valid for a minimum of 90 days. Any other fees required for deployment and ongoing support must be quoted separately.
Provide an itemized list of any other items and related costs that Supplier deems
necessary to meet the requirements specified in proposal. Failure to provide said
list shall not relieve the Supplier from providing such items as necessary to
meeting all of the requirements specified in proposal at the Fixed Price Purchase
Costs proposed.
KCB SHALL ONLY MAKE PAYMENTS THROUGH A KCB ACCOUNT AND THUS ALL BIDDERS ARE ENCOURAGED TO OPEN AN ACCOUNT
The Bank will not make any payments in advance. The Bank will issue an LPO for all the equipment and/or services ordered. The LPO will be paid within 45 days after delivery, testing, installation and acceptance of the equipment and/or services supplied. The bank will not accept partial deliveries. Payment for equipment and/or services will only be made once the entire ordered equipment and/or services are delivered, installed and commissioned.
b. Correction of Errors.
Bids determined to be substantially responsive will be checked
by the Bank for any arithmetical errors. Errors will be corrected
by the Bank as below:
The price amount stated in the Bid will be adjusted by the Bank in
accordance with the above procedure for the correction of errors.
c. Financial stability
This will involve an assessment of key standard financial ratios and trends for the
last 2 years such as profitability, leverage, debt ratio, gross margins and sales
turnover.
However, the Bank is under no obligation to award the tender as per clause
1.4.12
2.10 Current Installations
This section provides a brief overview of the KCB establishment that is relevant to the proposed solution. The Kenya Commercial Bank is incorporated in Kenya. The bank's establishment in Kenya consists of 167 branches.
It has 4 other subsidiaries:
The Head Office for the group is located in Kencom House, Nairobi, Kenya. Further information about the bank can be obtained from the group's website (http://www.kcbbankgroupgroup.com)
2.11 Brief Overview of Technical Systems Environment
The bank has several computerised systems, the most relevant (for the purpose
of this project) of which are as summarised below.
Database / Programming Environments
MS SQL Server 2000 /2005 /2008
Oracle; various flavours of the database including but not limited to
versions 8i /9i /10g/11i
Informix
JBOSS
Microsoft .Net 2.0 and above
Sybase Adaptive Enterprise Server database
Client-side applications developed in Visual studio/ .Net and
PowerBuilder 6.0
Web Applications
T24 Core banking system from Temenos. This application runs on HP-UX at the backend while the clients are browser based (Firefox and Internet Explorer version 6.1 and above). The backend system is programmed using JBOSS and Oracle.
Microsoft SharePoint 2007
Email Applications: MS Exchange 2010. Proxy Servers / firewalls:
Microsoft ISA Server 2006, CISCO PIX, ASA and Checkpoint firewalls. The
Microsoft ISA Server 2006 will be replaced with Microsoft Forefront
Threat Management Gateway during the year
Sybrin clearing system on windows environment
Internet & Mobile banking applications
TranzWare card system
2.12 Functional Requirements
Functional requirements are indicated in (Appendix 1 Technical Requirements
Matrix). The section should be completed in its entirety in the vendor response.
Delivery, Testing and Acceptance (On Successful Bidding)
The product will be deemed to have been:
a) Delivered when
i. The complete machine readable form of the product together with the product documentation is received at KCB's primary location (IT Division, 7th floor Kencom House, Nairobi); and
b) Tested / POC
ii. The bank will test the proposed solution in a test environment to ascertain that all the functionality as put forward by the supplier is met. Incorrect information discovered at this time will constitute grounds for disqualification. It is the responsibility of the supplier to ensure the requirement defined in the proposal is achieved. The signed proposal will be the sole reference document for any discussion of issues arising related to acceptance; and
c) Accepted when
iii. The solution has been successfully installed and configured on the Production environment by the representative of the Supplier as per product documentation; and
iv. Acceptance Criteria: the Bank will accept the proposed deliverable after it has been fully tested by the bank and confirmed to meet the requirement as specified in the original RFP.
Ownership
The proposal should be modelled along the perpetual licensing with annual maintenance costs, which provides the bank the right to continue using the product as is on expiry of the maintenance period.
The Supplier should include 2-year bundled support and indicate (as a percentage of the product cost where applicable) the cost of continued support after the two years. The bundled support cost should be clearly separated from the cost of the product.
3.7.2 If at any time during the performance of the Contract, the Bidder should encounter conditions impeding timely delivery and performance of the Services, the Bidder shall promptly notify the Bank in writing of the fact of the delay, its likely duration and its cause(s). As soon as practicable after receipt of the Bidder's notice, the Bank shall evaluate the situation and may at its discretion extend the Bidder's time for performance, with or without liquidated damages, in which case the extension shall be ratified by the parties by amendment of the Contract.
3.7.3 Except in the case of force majeure as provided in Clause 3.13, a delay by the Bidder in the performance of its delivery obligations shall render the Bidder liable to the imposition of liquidated damages pursuant to Clause 3.8 (Liquidated damages).
3.8 Liquidated damages for delay
The contract resulting out of this RFP shall incorporate suitable provisions for
the payment of liquidated damages by the bidders in case of delays in
performance of contract.
3.9 Governing Language
The Contract shall be written in the English Language. All correspondence
and other documents pertaining to the Contract which are exchanged by
the parties shall also be in English.
3.10 Applicable Law
This agreement arising out of this RFP shall be governed by and construed in
accordance with the laws of Kenya and the parties submit to the exclusive
jurisdiction of the Kenyan Courts.
3.11 Bidder's Obligations
3.11.1 The Bidder is obliged to work closely with the Bank's staff, act within its own
authority, and abide by directives issued by the Bank that are consistent
with the terms of the Contract.
3.11.2 The Bidder will abide by the job safety measures and will indemnify the Bank from all demands or responsibilities arising from accidents or loss of life, the cause of which is the Bidder's negligence. The Bidder will pay all indemnities arising from such incidents and will not hold the Bank responsible or obligated.
3.11.3 The Bidder is responsible for managing the activities of its personnel, or
subcontracted personnel, and will hold itself responsible for any
misdemeanors.
3.11.4 The Bidder will not disclose the Bank's information it has access to, during
the course of the work, to any other third parties without the prior written
authorization of the Bank. This clause shall survive the expiry or earlier
termination of the contract.
3.11.5 The Bidder shall appoint an experienced counterpart resource to handle this requirement for the duration of the Contract. The Bank may also demand a replacement of the manager if it is not satisfied with the manager's work or for any other reason.
3.11.6 The Bidder shall take the lead role and be jointly responsible with the Bank
for producing a finalised project plan and schedule, including
identification of all major milestones and specific resources that the Bank
is required to provide.
3.11.7 The Supplier represents and warrants that it is entitled to respond to this RFP and that it is fully entitled to the proposed Product by way of reseller licensing or ownership and has the right to sell and/or licence the Product as provided in its RFP response, and shall hold KCB harmless from action for infringement of patents and/or copyrights.
3.12
3.13 Confidentiality
The parties undertake on behalf of themselves and their employees, agents
and permitted subcontractors that they will keep confidential and will not
use for their own purposes (other than fulfilling their obligations under the
contemplated contract) nor without the prior written consent of the other
disclose to any third party any information of a confidential nature relating to
the other (including, without limitation, any trade secrets, confidential or
proprietary technical information, trading and financial details and any other
information of commercial value) which may become known to them under
or in connection with the contemplated contract. The terms of this Clause
2.15 shall survive the expiry or earlier termination of the contract.
3.14 Force Majeure
(a) Neither Bidder nor Bank shall be liable for failure to meet contractual
obligations due to Force Majeure.
(b) Force Majeure impediment is taken to mean unforeseen events, which
occur after signing the contract with the successful bidder, including but
not limited to strikes, blockade, war, mobilization, revolution or riots,
natural disaster, acts of God, refusal of license by Authorities or other
stipulations or restrictions by authorities, in so far as such an event prevents
or delays the contractual party from fulfilling its obligations, without its
being able to prevent or remove the impediment at reasonable cost.
(c) The party involved in a case of Force Majeure shall immediately take
reasonable steps to limit consequence of such an event.
(d) The party who wishes to plead Force Majeure is under obligation to inform
in writing the other party without delay of the event, of the time it began
and its probable duration. The moment of cessation of the event shall also
be reported in writing.
(e) The party who has pleaded a Force Majeure event is under obligation,
when requested, to prove its effect on the fulfilling of the contemplated
contract.
SECTION 4 : APPENDIXES
Appendix 1 Technical Requirements Matrix
Functional Requirements and Specifications
The tables below provide a feature summary for the products under
procurement. All products should be quoted for separately.
Please identify and describe where necessary the levels of support as: Full
Support, Partial Support and No Support:
Database Firewall
Specification | Description | Level of support
Supported Database Platforms: Oracle, Sybase, Informix, MySQL, PostgreSQL, Teradata, Netezza, MS-SQL
Deployment Modes
Performance Overhead
Centralized Management across geographically dispersed locations
Centralized Administration across geographically dispersed locations
Database Audit Details
User name
Timestamp
Source IP, Source OS, Source application
Parameters used
Stored Procedures
Privileged Activities
Access to Sensitive Data
Security Exceptions
Data Modification
Stored Procedures
Triggers
Tamper-Proof Audit Trail
Fraud Identification
Data Leak Identification
Network Security
Policy Updates
Real-time alerts
Stateful firewall
DoS prevention
Task workflow
Real-time dashboard
Real-Time Event Management and Report distribution
Server Discovery
Database Security
Platform Security
Database servers
Financial Information
User Rights Management (add-on option)
Database vulnerabilities
Configuration flaws
Training
Support
Vulnerability Assessment
Response
The solution should monitor 100% of the DB traffic for all DB violations and attacks, even where the traffic is not being audited.
Reporting
1. The solution should have packaged reporting capabilities
2. The product should support use of pre-configured policies/reports (PCI, SOX, HIPAA) for ensuring regulatory compliance
3. The product should have functionality to assist with security event forensics
Specification | Description
Refer to Appendix I
Web Security
Application Attacks Prevented
HTTPS/SSL Inspection
Content Modification
Platform Security
Feature | Support Required
Network Security
Stateful firewall
DoS prevention
SNMP
Syslog
Email
Integrated graphical reporting
Real-time dashboard
Advanced Protection
Authentication
User Awareness
Deployment Mode
Management
Administration
Logging/Monitoring
High Availability: IMPVHA (Active/Active, Active/Passive); Fail open interfaces (bridge mode only); Support for VRRP; Support for STP and RSTP
Physical appliance
Enterprise Application Support
TCP/IP Support: IPv4, IPv6
Training
Support
Specification | Remarks
XML bombs/DOS
Forceful Browsing
Sensitive information leakage
Session hijacking
Denial of service
Request Smuggling
Cookie manipulation
Certification: The WAF shall be an ICSA certified web application firewall
MX Management Server
Specification | Description | Remarks
Policy/Signature Updates
Hierarchical Management
Management Provisioning
Out-of-Band Management
Management Communications
Role-Based Administration
Alerts
Workflow
Internal Data Storage
External Data Storage and Archiving
Supported Products
Support
SNMP
Syslog
Real-time dashboard
NFS*
FTP*
HTTP/S*
SCP*
SECURITY | Remarks
Support Security Using Database Access Controls. The solution shall support database security using the following database access controls: GRANT and REVOKE privilege facilities, the VIEW definition capabilities, and some Discretionary Access Control (DAC) mechanisms.
Deliverables
At the end of the implementation exercise, the solution provider should provide a comprehensive report detailing the completed implementation work. The report will include, among others, the following:
1. Fully installed, well integrated, customized and functioning Database Firewall solution for the needs of KCB.
2. Fully installed, well integrated, customized and functioning Web Application Firewall solution for the needs of KCB.
3. Fully installed, well integrated, customized and functioning MX Management Server.
4. Two fully installed HP TouchSmart IQ816 computers to facilitate a monitoring center for this Database and Web Application Firewall solution.
5. Presentation of the working solution to the IT management and staff of KCB after completion of the implementation for review and feedback.
6. An executive summary report for Management of the implemented solutions.
Anonymous Proxy Vulnerabilities
Brute Force Login
Buffer Overflow
Cookie Injection
Cookie Poisoning
Corporate Espionage
Credit Card Exposure
Cross Site Request Forgery (CSRF)
Cross Site Scripting (XSS)
Data Destruction
Directory Traversal
Drive-by-Downloads
Forceful Browsing
Form Field Tampering
Google Hacking
HTTP Distributed Denial of Service (DDoS)
HTTP Response Splitting
HTTP Verb Tampering
Illegal Encoding
Known Worms
Malicious Encoding
Malicious Robots
OS Command Injection
Parameter Tampering
Patient Data Disclosure
Phishing Attacks
Remote File Inclusion Attacks
Sensitive Data Leakage (Social Security Numbers, Cardholder Data, PII, HPI)
Session Hijacking
Site Reconnaissance
Site Scraping
SQL Injection
Web server software and operating system attacks
Web Services (XML) attacks
Zero Day Web Worms
No. | Server Type | Application | Database | Machine Type | CPU cores | Processor Type | Total processor Cores
1 | HP Superdome | T24 | Oracle | 1 | 32 | Itanium | 32
2 | HP Blade | NetTeller | Oracle | 685c | 32 | Intel Xeon | 32
3 | HP Blade | CQ | MsSQL | 685c | 2 processors (8 CPU's) | AMD Opteron | 16
4 | HP Blade | Mobi | Oracle | 685c | 32 | Intel Xeon | 32
5 | HP Blade | Mobiloan | PostgreSQL | 685c | 32 | Intel Xeon | 32
6 | HP Blade | sybrin | MsSQL | 685c | 2 processors (8 CPU's) | AMD Opteron | 16
7 | HP Blade | kondor+ | Sybase | 685c | 32 | Intel Xeon | 32
8 | HP Blade | Channel Manager/NOBS | MySQL | 685c | 32 | Intel Xeon | 32
9 | HP Blade | QuickPay | MsSQL | 685c | 32 | Intel Xeon | 32
10 | HP Blade | TransWare (TWO, TWCMS, TWI, TWFA, TWCF) | Oracle | 685c | 32 | Intel Xeon | 32 each
CORPORATE INFORMATION
No. | PARTICULARS
1.2 Is your organization (Please tick one)
1.7 Telephone number:
1.8 Fax number:
1.9 E-mail address:
NAME:
TITLE:
TEL:
FAX:
EMAIL:
2.0 FINANCIAL INFORMATION
No. | PARTICULARS
2.1 What was your turnover in the last two years? For year ended --/--/----: ; for year ended --/--/----:
2.2 Yes / No
2.3 Yes / No
2.4 Name: / Branch: / Telephone Number: / Postal Address: / Contact Person Name: / Contact Position: / Contact E-mail:
3.0 BUSINESS ACTIVITIES
No. | PARTICULARS
3.4 Please submit a declaration that all staff within your organization that are or will be involved in the project are or will be permitted to work within your organization under the laws of Kenya or the laws of the country in which it is established.
4.0 TRADE REFERENCES
4.1 Please provide in the table below details of the projects you have undertaken relevant to the job you are bidding for, performed over the last three (3) years, or that are relevant to this bid document.
No | Customer Organization (name) | Customer contact name and phone number | Contract reference and brief description: | Date contract awarded | Value of businesses transacted: (Kshs/USD/Euro)
Rows 1 to 8
7.0 MANAGEMENT POLICIES
a) Employee Integrity
How does the firm ensure the integrity of staff? Detail any related policies.
b) Code of Conduct/Ethics
Please confirm whether any of the following criteria applies to your organisation:
Note that failure to disclose information relevant to this section may result in your exclusion as a potential KCB supplier.
No. | PARTICULARS | RESPONSE
9.0 INSURANCE
Employers' Liability:
9.2 Public Liability:
9.4 Other (specify)
Value
10.0 EVALUATION
Date.
Company Stamp/Seal.