
ATTACHMENT 4

TERMS OF REFERENCE
Prequalification For The Provision of Cloud Technology Services for The Government of the Republic of Trinidad and Tobago

7.1 Terms of Reference


7.1.1 Company Portfolio
The National ICT Company Limited (branded as iGovTT and hereinafter referred to as “the Company”) was
incorporated in July 2009 as a state-owned enterprise to continue the realisation of the National ICT
Strategy for transforming Trinidad and Tobago into a knowledge-based economy. The Company acts as
the implementation arm of the Government of the Republic of Trinidad & Tobago (GoRTT) in the execution
and administration of Government’s enterprise-wide ICT strategies and programmes. In addition, the
Company procures, project manages, implements and maintains enterprise-wide ICT solutions for
Government and provides value-added ICT support services to Government Ministries and Agencies.
Currently the Company, as the premier ICT solution provider for GoRTT, manages the following
Information, Communication and Technology (ICT) systems, platforms, data and contracts on behalf of
GoRTT:

• Government Enterprise Portal (ttConnect Portal) – a full-service Government Enterprise Portal
to provide government information and services to its citizens. Currently, the Government
Enterprise Portal delivers e-services, authentication services and other functionalities to GoRTT.
• Government Wide Area Network – GovNeTT provides secure high-speed connections among
Government Ministries, Divisions and Agencies as well as the means to work more collaboratively
and efficiently to deliver enhanced, seamless services to the public.
• Microsoft Enterprise Agreement – Management of the application and use of Enterprise-Wide
licenses for the use of Microsoft software in Government Ministries, Divisions and Agencies.
• Government Enterprise Endpoint Security Software – The provision of an enterprise-wide
standardized security infrastructure for GoRTT, the main objective of which is the provision of
continuously updated, persistent and unified endpoint protection against industry threats, including
spam, malware, spyware, zombies, phishing, malicious URLs, password stealers and other
unknown emergent threats.

7.1.2 Background
The goal is to expand the scope of the Government Wide Area Network – GovNeTT to provide at least
three new services to our Ministries, Departments and Agencies (MDA) of the Government of the Republic
of Trinidad and Tobago (GoRTT). These new services will be in the form of Infrastructure as a Service (IaaS),
Backup as a Service (BaaS) and Storage as a Service (StaaS).

The Government Wide Area Network (GovNeTT) was formed on the premise that as an ICT service
platform it would provide common ICT services with secure connectivity across GoRTT thus allowing the
MDAs to focus on their niche business solutions. Some of the common ICT services provided by GovNeTT
today include filtered Internet, email, DNS, domain services, data centre and remote access.
Today centralised ICT services are commonplace, though less often as ‘on-premise’ solutions than as
Cloud services. Nonetheless, Cloud services have not been without their challenges, especially in areas such
as data protection, data sovereignty and legislative restrictions (General Data Protection Regulation
2016/679 (GDPR)). Even so, we cannot avoid examining the extent to which they could be employed by the Public
Sector of the GoRTT for the benefit of the citizenry of the country.

In particular, as we embark on the current GovNeTT Stabilisation exercise to provide more and more
reliable and secure services to the country and as client demands expand, we need to examine options
for introducing cloud services for GoRTT’s use, especially in the aforementioned areas of IaaS, BaaS and
StaaS.
The availability of these services would allow MDAs to take advantage of on-demand compute for hosting
their solutions, testing, storage and backup services without lengthy procurements or asset lifecycle
management. In addition, if these services are provided as a centralised service, the Company will have
the ability to monitor licence deployment and system implementation standardization on behalf of GoRTT.

7.1.3 Overview
To keep in alignment with the current Cloud services legislation as enunciated by the GoRTT, Cloud
Service Providers must ensure that their services satisfy the following criteria:
1. Locally hosted
2. Owned and managed via a local entity
3. Closed to GoRTT users only

To be able to meet these criteria, it is our intention to pre-qualify Cloud Service Providers for the provision
of the entire Cloud solution inclusive of IaaS, BaaS and StaaS platforms.

7.1.4 Goals
The goal of this procurement exercise is to pre-qualify and contract suitable Cloud Service Providers on
behalf of GoRTT to provide local IaaS, BaaS and StaaS Cloud services which will be managed by but not
owned by GoRTT.

7.1.5 Overview of the requested Cloud Services


It is envisioned that GoRTT will introduce the use of Cloud services in alignment with the
National ICT Plan and Government policies and legislation. The Cloud Service Provider shall
identify and provide management strategies for all potential risks, such as exposure of
GoRTT data, violation of security policies and recommended practices implemented by
GoRTT. Proposals shall include solutions that can be provided as a Cloud service, on a
pay-as-you-use model. Proposals can include one or all of the following:
a. Infrastructure as a Service (IaaS) - The ability to request and turn up compute power
(CPU, Memory, Storage, Security and Networking) on demand;
b. Back-up as a Service (BaaS) - Backup as a service provides a software mechanism
that allows clients to perform on-demand backup of their data to a remote location;
this service should also restore data from the cloud backup;
c. Storage as a Service (StaaS) - Storage as a service enables a client or end user to use
on-demand data storage.

7.1.6 Requirements
The Cloud Service Provider shall consider the following requirements in their proposal for the Cloud
Service Platform:

• The Solution must be resilient and redundant to achieve high service availability. Nodes should be
placed in different data centers and Virtual Machines would be replicated via a WAN connection.
Load Balancers would be used to allow failover and sharing of load.
• The Cloud must be secure at all installed sites with all required firewall and antivirus / malware
protection.
• Data Management is very important, including services to protect the organization against data
corruption or loss from malware or other security breaches.
• Secure provisioning of Infrastructure as a Service, Storage as a Service and Backup as a Service
solutions to GoRTT;
• Providers can opt between two hosting options for these services:
  o Locally Hosted at vendor’s facility
  o Hosted within GoRTT Data Centre
• Details of a proposed on-line management portal and client dashboard outlining service
uptime/downtime, service utilization and SLA parameters, together with screen shots of various
Reports which can be obtained from the management portal, must be submitted; and
• A description of the mechanisms, procedures and processes they intend to use to ensure that all
listed requirements are met and maintained.

The following assumptions are being made to accomplish this high level Design of a Cloud Service Platform
for GoRTT:

1. Data Centers will be readily available to house the equipment.
2. The Data Center would meet the requirements of the cloud in terms of connectivity, power, AC
etc.
3. The required personnel to install, configure, maintain and secure the Cloud on a 24/7 basis are easily
available and budgeted by the provider
4. SLA for all hardware, software, personnel would be available to support a cloud environment by
the provider
5. Funding for the Cloud solution is readily available by the provider
6. All software to support cloud configuration (such as automation etc.) and its accompanying SLA
would be available from the provider’s service
7. Backup and Disaster recovery software and its required SLA would be provided by the provider’s
service
8. An Enterprise Monitoring solution would be deployed to support the Cloud by the provider
9. A SIEM platform would be deployed to protect the Cloud by the provider
10. All Data in the Cloud would be encrypted
11. Data Center personnel will configure all necessary connectivity and security rules to allow the
cloud to function properly with the direction and support from the provider
12. Load Balancers would be provided at the Data Center level to support the Cloud implementation
by the provider
13. All certificates to access the Cloud software remotely would be provided within the solution

7.1.7 Deliverables for the provision of the Prequalified Cloud Service Provider

Cloud Service Providers are required to propose one or more of the following
hosting options for IaaS, BaaS and StaaS:
a. Locally Hosted (hosted within a DC facility inside of Trinidad and Tobago);
b. Hosted within GoRTT DC - hosted within the GovNeTT DC facility with the following
considerations:
i. GoRTT will be responsible for the provision of Rack Space;
ii. GoRTT will facilitate basic remote hands and access to the environment;
iii. The Cloud Service Provider will be responsible for connecting/integrating
with the DC;
iv. The Cloud Service Provider will be responsible for connecting/publishing to
the internet; and
v. The Cloud Service Provider will be responsible for securing the environment.

The Cloud Service Provider shall provide the following technical requirements for IaaS,
BaaS, StaaS:
a. Provision of a catalogue of its compute offerings;
b. Provision of a management and monitoring interface that allows a client to
administer their subscriptions and resources;
c. Descriptions of mechanisms used to ensure performance, security and reliability of
the service;
d. Provision of multiple storage options for its compute instances, storage options and
backups; and
e. Must provide services for complete restoration in the event of a disaster.

Infrastructure as a Service (IaaS)


The Cloud Service Provider shall provide:
a. A mechanism to connect compute resources to the client’s network for seamless
integration with the client’s on-premises infrastructure;
b. An option for “automatic on demand increases” of compute resources;
c. A mechanism to limit the increase provided through the “automatic on demand
increase” feature;
d. Multiple storage options for its compute instances;
e. The option to have dedicated instances, with instances able to utilize the latest Intel
processor features.

Backup as a Service (BaaS)


The Cloud Service Provider shall:
a. Provide a mechanism to connect backup resources to the client’s network for
seamless integration with the client’s on-premises infrastructure;
b. Ensure that the Cloud Services Platform has the ability to seed backups on the client
premises for quicker restoration;
c. Provide verification of the integrity of all backups;
d. Allow clients the ability to restore backups as required;
e. Ensure that backup and restore services maintain high availability and integrity.

Storage as a Service (StaaS)


The Cloud Service Provider shall:

a. Provide a catalogue of its StaaS offerings;
b. Provide a mechanism to connect storage resources to the client’s network for
seamless integration with the client’s on-premises infrastructure;
c. Provide a management and monitoring interface that allows a client to administer
their subscriptions and resources;
d. Provide multiple storage options; and
e. Describe mechanisms used to ensure performance, security and reliability of the
service.

‘Cloud Service’ Management Console (SMC)


The Cloud Service Provider shall ensure that the ‘Cloud Service’ Management Console:
a. Provides the management framework for the administration of the cloud
infrastructure;
b. Is extensible and allows new cloud solutions to be added into the framework;
c. Allows for the administration and management of the list of cloud solutions
developed on the platform;
d. Provides an audit trail feature to track the administrative changes;
e. Allows the system administrator to search and view the audit trail;
f. Allows for the administration of access control to the cloud solution and services
based on the access control policies;
g. Allows for the management of cloud service subscriptions;
h. Provides User and Group Management to create, update and delete users and
groups. This allows for the administration of the cloud service users into logical
groups that correspond to the organization structure.

Data Confidentiality and Integrity


The Cloud Service Provider shall ensure that:
a. Information is provided on control measures that are needed to protect the
confidentiality and integrity of information within the hosted environment and
during transit as well as a detailed description of the control measures;
b. No individual has access to the protected information and data (e.g. no single
person will know the entire encrypting key or have access to all the constituents
making up these keys);
c. Information is provided on all necessary measures and processes to ensure that
there is no direct access to information to prevent unauthorized disclosure,
modification or deletion;
d. GoRTT owns all data and there are provisions to prevent disclosure of any content
without GoRTT authorization (subject to compliance with all applicable laws).

Access Control
The Cloud Service Provider shall:
a. Ensure that access rights are granted based on job needs and reviewed on a regular
basis;
b. Ensure that individual user accounts are given for access to the System to provide
clear user accountability;
c. Propose security measures to prevent service providers, system and database
administrators or other privileged users from having direct access to the stored
data;
d. Describe the physical security measures in place within the data centres hosting the
application and storing GoRTT’s Data (if applicable);
e. Describe the security measures to prevent the privileged system users from having
direct access to the stored data, which shall at least include the security features,
the technologies and solutions, the administration and usage processes and
procedures.

Application Security
The Cloud Service Provider shall:

a. Provide details on checks conducted on its application’s functional capabilities and
implementation that ensures adequate security measures are taken throughout the
entire lifecycle of the application.

General Security
The Cloud Service Provider shall:

a. Provide details on end-to-end transport level security and ensure that encrypted
and authenticated sessions remain intact throughout the duration of the
communications. In the event of a security lapse, the session must be terminated;
b. Ensure the infrastructure supports non-repudiation that can provide conclusive
proof of participation by both sender and receiver in an on-line transactional
environment;
c. Provide detailed description of the non-repudiation feature in the proposed
solution;
d. Guarantee complete data segregation for secure multi-tenancy;
e. Provide information on end-to-end protection of the users’ passwords and other
sensitive information. The protection shall be kept intact from the point of entry to
the final system destination where decryption or authentication takes place;
f. Provide detailed description of the security measures or mechanisms, which include
the solutions and associated processes, for achieving end-to-end encryption of
users’ passwords and other sensitive information;
g. Adopt security practices and audit standards e.g. SOC 1, SOC 2, SOC 3, ISO 27001/2,
CSA etc. and proof of these alignments must be provided so as to allow GoRTT to
conduct audits within the assigned tenant environment;
h. Execute remedial activities in the event the service provider is not in alignment with
security practices identified by GoRTT; Provide details on the use of encryption
algorithms which are well established international standards, and which have been
approved by authoritative professional bodies, reputable security suppliers or
Government Agencies (e.g. RSA Public Key Encryption, Elliptical Curve Cryptography
(ECC), Advanced Encryption Standard (AES));
i. Develop and maintain the security plan that is specific to the infrastructure, which
includes the monitoring of security vulnerabilities that affect the services, the
actions that need to be taken to address the security vulnerabilities, the timeline
and the function responsible for reviewing or testing, authorizing and implementing
the security patch.

Audit Logs
The Cloud Service Provider shall:
a. Describe a process for security logs to be reviewed and managed;
b. Ensure that the logs record all activities carried out by accounts including system
administrator, auditor, and database administrator accounts and should not be
easily modified by authorized personnel.

Operations and Maintenance Plan


The Cloud Service Provider shall:
a. Provide an Operations and Maintenance Manual and Schedule of Services which at a
minimum must include:
i. Details of how proactive monitoring takes place;
ii. Details of on-line portal proposed to GoRTT for monitoring uptime/downtime, SLA
parameters, and screen shots of various reports which can be obtained from the portal
to be submitted;

User / Training Guide


The Cloud Service Provider shall:

a. Provide complete and detailed documentation to ensure effective use of the
services by the users.
The User / Training Guide shall include the following:
i. Overview of System;
ii. Guidelines for and objectives of the system;
iii. Operational procedures by sub-system;
iv. Description of screens, reports and processes;
v. System interfaces; and
vi. System error messages and diagnostics.
b. Allow users to access the User / Training Guide on-line for easy reference as part of
the service; and
c. Ensure that all documentation for the users is detailed and described from the
user’s perspective.
