security and web application monitoring

Upload: tombiko

Post on 02-Jun-2018


  • 8/10/2019 Security and Web Application Monitoring


    KENYA COMMERCIAL BANK LIMITED

    REQUEST FOR PROPOSAL

IT/AUGUST 2014/SUPPLY AND IMPLEMENTATION OF A DATABASE AND WEB APPLICATION SECURITY/FIREWALL SOLUTION (RE-TENDER)

Release Date: Friday, 22nd August 2014

Last Date for Receipt of bids: Friday, 5th September 2014 at 3.00 pm (GMT+3), Nairobi, Kenya


Commercial in confidence. IT/August 2014/ DATABASE AND WEB APPLICATION SECURITY/FIREWALL SOLUTION. Page 2 of 58

    ISSUE OF RFP DOCUMENT TO PROSPECTIVE BIDDERS

TENDER FOR SUPPLY AND IMPLEMENTATION OF A DATABASE AND WEB APPLICATION SECURITY/FIREWALL SOLUTION (RE-TENDER)

This form serves as an acknowledgement of receipt of the tender and participation. This page is to be completed immediately on download and a scan copy e-mailed to [email protected]. Firms that do not register their interest immediately in this manner may not be sent the RFP addenda should any arise.

Table 1: Registration of Interest to Participate

Item / Supplier Details

    Name of Person

    Organization Name

    Postal Address

    Tel No

    Fax No

Email Address (this e-mail address should be clearly written as communication with bidders shall be through e-mail)

    Signature:

    Date

    Company Stamp


Table of Contents

IT/AUGUST 2014/SUPPLY AND IMPLEMENTATION OF A DATABASE AND WEB APPLICATION SECURITY/FIREWALL SOLUTION (RE-TENDER) ........ 1
DEFINITIONS ........ 4
1.1 INTRODUCTION ........ 5
1.2 Background of the Project ........ 5
1.3 Aims and Objectives of the project ........ 5
1.4 Format of RFP Response and Other Information for Bidders ........ 6
SECTION 2 SCOPE OF WORK ........ 16
SECTION 3 - GENERAL CONDITIONS OF CONTRACT ........ 20
3.1 Introduction ........ 20
3.2 Award of Contract ........ 20
3.3 Application of General Conditions of Contract ........ 20
3.4 Ownership ........ 20
3.5 Bid Validity Period ........ 20
3.6 Performance Security ........ 21
3.7 Delays in the Bidder's Performance ........ 21
3.8 Liquidated damages for delay ........ 22
3.9 Governing Language ........ 22
3.10 Applicable Law ........ 22
3.11 Bidder's Obligations ........ 22
3.12 The Bank's Obligations ........ 23
3.13 Confidentiality ........ 24
3.14 Force Majeure ........ 24
SECTION 4 : APPENDIXES ........ 25
Appendix 1 Technical Requirements Matrix ........ 25
APPENDIX 2 REFERENCE SITES ........ 46
APPENDIX 3 - WEB APPLICATION SECURITY & COMMON ATTACKS ........ 47
APPENDIX 4 : LIST OF DATABASES ........ 48
APPENDIX 5 SUPPLIER QUESTIONNAIRE ........ 49
APPENDIX 6 PERFORMANCE SECURITY FORM (FORMAT) ........ 57
APPENDIX 7 CERTIFICATE OF COMPLIANCE ........ 58


    DEFINITIONS

    For purposes of this document, the following definitions shall apply:

The Bank: KCB Ltd

Bid: The Quotation or Response to this RFP submitted by prospective Suppliers for fulfilment of the Contract.

Supplier: The Company awarded the task of supplying all the items described in this document, installing and commissioning them.

Contract: Supply, installation and commissioning of all the works, equipment and/or services that are described in this document, which will contribute towards meeting the objective of the RFP.

Warranty: Period from the time installation and testing is completed, during which the Contractor undertakes to replace/rectify equipment and/or installation failures at no cost to the Bank.


    1.1 INTRODUCTION

The Kenya Commercial Bank Limited (hereinafter referred to as the Bank) is incorporated in Kenya and is a leading commercial banking group in the East African region, renowned for its diversity and growth. In addition to Kenya, it has other subsidiaries, namely KCB (Tanzania) Limited, a banking subsidiary operating in Tanzania; KCB (Uganda) Limited, a banking subsidiary operating in Uganda; KCB (Sudan) Limited, a banking subsidiary operating in Sudan; KCB (Rwanda) Limited, a banking subsidiary operating in Rwanda; and KCB Burundi, a banking subsidiary operating in Burundi. The Head Office for the group is located in KENCOM House, Nairobi. The Bank's vision is to be the preferred financial solutions provider in Africa with a global reach.

The platform is anchored on consolidation across our existing business, expanding and modernizing delivery channels, improving operational efficiencies, turning in returns commensurate with the level of investment, and compliance with all regulatory and internal policy guidelines.

This document therefore constitutes the formal Request for Proposals (RFP) for the Supply and Implementation of a Database and Web Application Security/Firewall solution and is being availed on an open tender basis.

    1.2 Background of the Project

The bank operates in a highly computerised environment that includes maintaining connections to its business partners and to the world at large through the internet and dedicated point-to-point connections. Therefore, like similar organisations, it is prone to business interruptions as a result of failed or malfunctioning systems, business data corruption or stolen data.

Security holes and vulnerabilities in computer systems make it possible to exploit insecure implementations and may result in system failures and compromise, whether through malice, mistake or innocent error. Further, the bank needs to ensure its systems are protected and implemented as per best practice and thereby avoid damage to itself or its business partners.

    1.3 Aims and Objectives of the project

The KCB Group has decided to implement Database and Web Application Firewall solutions to enhance the security of Critical Systems that are accessed by internal as well as external stakeholders, as part of an overall strategy to implement more secure, productive, industry-standard information technology (IT) management processes and supporting IT management applications.

Proposal responses are expected from suppliers of database and web application firewall solutions.

The information in this document and its appendices and attachments is confidential and is subject to the provisions of our non-disclosure agreement and should not be disclosed to any external party without explicit prior written consent of Kenya Commercial Bank.

    Objectives

The purpose of the assignment is to acquire, implement and maintain Database and Web Application Firewall solutions for the KCB Group that will improve the KCB Group's security of all public/internet-facing applications and reinforce the defense-in-depth approach in place.

Based on KCB Group strategy, the project will help KCB Group to mitigate the risks related to web access control operations by:

• Automatically learning the web application structure and user behavior
• Virtually patching databases and applications through vulnerability scanner integration
• Updating database and web defenses with research-driven intelligence on current threats
• Delivering high-performance, business-relevant reporting and alerts
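The first two objectives above, automatic learning of the application structure and virtual patching driven by scanner findings, are illustrated by the following added example. It is not part of the RFP and is not any bidder's or vendor's product code; the paths, parameter names, traffic and the rule id VP-EXAMPLE-1 are constructed for illustration. It builds a positive model from a learning-period sample (which parameters each endpoint takes, how wide their values are and how long they get), flags requests that fall outside that model, and applies one virtual patch that narrows a single parameter until the application itself is fixed.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed learning-period traffic (hypothetical paths and values), as a
# WAF in learning mode would observe it: (method, request-target) pairs.
LEARNING_TRAFFIC = [
    ("GET", "/ibank/login?user=jdoe&lang=en"),
    ("GET", "/ibank/login?user=asmith&lang=sw"),
    ("POST", "/ibank/transfer?acct=1234567890&amount=1500"),
    ("POST", "/ibank/transfer?acct=9876543210&amount=20"),
    ("GET", "/ibank/statement?acct=1234567890&month=2014-08"),
    ("GET", "/ibank/statement?acct=9876543210&month=2014-07"),
]

# Value classes from narrowest to widest; a learned class only ever widens.
VALUE_CLASSES = [
    ("digits", re.compile(r"[0-9]+")),
    ("date", re.compile(r"[0-9]{4}-[0-9]{2}")),
    ("alnum", re.compile(r"[A-Za-z0-9]+")),
    ("token", re.compile(r"[A-Za-z0-9_.@-]+")),
]
ANY = len(VALUE_CLASSES)  # rank used when no class fully matches the value


def classify(value):
    """Rank of the narrowest value class that matches the whole value."""
    for rank, (_, pattern) in enumerate(VALUE_CLASSES):
        if pattern.fullmatch(value):
            return rank
    return ANY


def class_name(rank):
    return VALUE_CLASSES[rank][0] if rank < ANY else "any"


def split_target(target):
    """Split a request-target into its path and decoded query parameters."""
    parts = urlsplit(target)
    return parts.path, parse_qsl(parts.query, keep_blank_values=True)


def learn(traffic):
    """Build the positive model: for each (method, path) endpoint and each
    parameter, the widest value class seen and the longest value seen."""
    profile = {}
    for method, target in traffic:
        path, params = split_target(target)
        endpoint = profile.setdefault((method, path), {})
        for name, value in params:
            entry = endpoint.setdefault(name, {"rank": 0, "max_len": 0})
            entry["rank"] = max(entry["rank"], classify(value))
            entry["max_len"] = max(entry["max_len"], len(value))
    return profile


# Hypothetical virtual patch of the kind generated from a scanner finding:
# until the application is fixed, 'month' on the statement page is accepted
# only as YYYY-MM. The id is an illustration, not a real advisory number.
VIRTUAL_PATCHES = [
    {"id": "VP-EXAMPLE-1", "method": "GET", "path": "/ibank/statement",
     "param": "month", "allow": re.compile(r"[0-9]{4}-[0-9]{2}")},
]


def check_request(profile, patches, method, target, length_slack=2):
    """Findings for one request against the model and the virtual patches;
    an empty list means the request conforms."""
    path, params = split_target(target)
    endpoint = profile.get((method, path))
    if endpoint is None:
        return [f"unknown endpoint {method} {path}"]
    findings = []
    for name, value in params:
        entry = endpoint.get(name)
        if entry is None:
            findings.append(f"unknown parameter '{name}' on {method} {path}")
            continue
        rank = classify(value)
        if rank > entry["rank"]:
            findings.append(f"value class violation on '{name}': "
                            f"saw {class_name(rank)}, learned {class_name(entry['rank'])}")
        limit = entry["max_len"] * length_slack
        if len(value) > limit:
            findings.append(f"length anomaly on '{name}': {len(value)} > {limit}")
        for patch in patches:
            if (patch["method"], patch["path"], patch["param"]) == (method, path, name) \
                    and not patch["allow"].fullmatch(value):
                findings.append(f"virtual patch {patch['id']} blocked '{name}'")
    return findings


PROFILE = learn(LEARNING_TRAFFIC)

if __name__ == "__main__":
    # Constructed test requests: one conforming, one unknown endpoint, one
    # unknown parameter and one injection attempt against the patched field.
    for method, target in [
        ("POST", "/ibank/transfer?acct=1234567890&amount=500"),
        ("GET", "/admin/console"),
        ("GET", "/ibank/login?user=jdoe&lang=en&debug=1"),
        ("GET", "/ibank/statement?acct=1234567890&month=2014-08' OR '1'='1"),
    ]:
        print(method, target, "->",
              check_request(PROFILE, VIRTUAL_PATCHES, method, target) or ["ok"])
```

In a real deployment the learning period runs over production traffic, the resulting model is reviewed before it is enforced, and the value classes and length slack are tuned per application. The point of the example is the shape of the model and the distinction between an anomaly against the learned profile, which may be a false positive, and a deliberate virtual patch, which is a policy decision taken on a known finding.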

    1.4 Format of RFP Response and Other Information for Bidders

1.4.1 The overall summary information regarding the SUPPLY AND IMPLEMENTATION OF A DATABASE AND WEB APPLICATION SECURITY/FIREWALL SOLUTION is given in section 2 Scope of Services and the summary in 1.3 Aims and Objectives. The bidder shall include in their offer any additional services considered necessary for the successful implementation of their proposal.

1.4.2 Proposals from bidders should be submitted in two distinct parts, namely Technical proposal and Financial proposal, and these should be in two separate sealed envelopes, both of which should then be placed in a common sealed envelope marked:


IT/AUG 2014/ DATABASE AND WEB APPLICATION SECURITY/FIREWALL SOLUTION

DO NOT OPEN BEFORE Friday, 5th September 2014 at 3.00 pm (GMT+3), Nairobi, Kenya

The two separate inner envelopes should be clearly marked "Technical Proposal" and "Financial Proposal", respectively, and should bear the name of the Bidder.

    1.4.3 The Technical Proposal should contain the following:

Bidders willing to be considered for the SUPPLY AND IMPLEMENTATION OF A DATABASE AND WEB APPLICATION SECURITY/FIREWALL SOLUTION are expected to furnish the Bank with, among others, the following vital information, which will be treated in strict confidence by the Bank:

• Provide a company profile as per the supplier questionnaire in Appendix 5.
• The RFP response document duly signed as per Appendix 7 CERTIFICATE OF COMPLIANCE.
• Approval licenses by the various bodies for compliance/manufacturer authorization MUST be included where applicable.
• Audited financial statements of the company submitting the RFP bid, for the last two years.
• Demonstrate capability and capacity to provide the technical and functional requirements and functionalities as per KCB requirements in section 2.0 Scope of work.
• All copies of any certificates included in the bid response should be certified as true copies of the original, else the bank may not use them in the evaluation process.

1.4.4 The Financial Proposal should clearly indicate the total cost of carrying out the solution as follows:

a. The Supplier shall provide a firm, fixed price for the Original Contract Period. All costs associated with the required system shall be included in the prices.

Kindly note that the cost should include supply, installation and commissioning of the system inclusive of all freight charges and applicable duties and taxes (VAT and withholding tax).

Provide an itemized list of all items included and summarize your costs as shown in the table below:


No. | Description | Unit | Qty | Unit Cost (USD) | Sub Total Costs (USD) | Taxes (USD) | Grand Total Cost (USD)
1 | Software/License Cost | | | | | |
2 | Hardware/Appliance Costs | | | | | |
3 | Installation and Implementation costs | | | | | |
4 | Training | | | | | |
5 | Annual Maintenance Cost for software licences Year 1 | | | | | |
6 | Annual Maintenance Cost for Hardware/Appliance Year 1 | | | | | |
7 | Annual Local Vendor Support Year 1 (where applicable) | | | | | |
8 | Logistics costs and other costs | | | | | |
 | Software, implementation, Training cost inclusive of all taxes | n/a | n/a | n/a | - | - | -
9 | Annual Maintenance Cost for software licences Year 2 | | | | | |
10 | Annual Maintenance Cost for software licences Year 3 | | | | | |
11 | Annual Maintenance Cost for Hardware/Appliance Year 2 | | | | | |
12 | Annual Maintenance Cost for Hardware/Appliance Year 3 | | | | | |
13 | Annual Local Vendor Support Year 2 | | | | | |
14 | Annual Local Vendor Support Year 3 | | | | | |
 | Total Recurrent costs (Year 2 & 3) | n/a | n/a | n/a | - | - | -
 | Total cost of ownership over 3 years inclusive of all taxes (USD) | n/a | n/a | n/a | - | - | -
 | Total cost of ownership over 3 years inclusive of all taxes (KSHS) | n/a | n/a | n/a | - | - | -

    Notes

1. The total cost above should be inclusive of all taxes and duties (VAT, duties, freight costs and withholding tax).

b. Additional Cost to Complete. Provide an itemized list of any items not included above by the Bank and the related costs that the Supplier deems necessary to meet the requirements specified in the proposal. Failure to provide said list shall not relieve the Supplier from providing such items as necessary to meet all of the requirements specified in the proposal at the Fixed Price Purchase Costs proposed.

NOTE: The Financial Proposal MUST BE IN A SEPARATE SEALED ENVELOPE, CLEARLY MARKED "FINANCIAL PROPOSAL".

1.4.5 Soft copies of each proposal are to be provided in the standard Microsoft Office suite of programs or Adobe Reader format and delivered together with the hard copy of the tender. NOTE that only the information in the hard-copy bound bid document shall be considered as the MAIN source document.

1.4.6 Bidders are requested to hold their proposals valid for ninety (90) days from the closing date for the submission. The Bank will make its best efforts to arrive at a decision within this period.

1.4.7 Assuming that the Contract will be satisfactorily concluded, the bidders shall be expected to commence the assignment after the final agreement is reached.

1.4.8 The bid documents shall be addressed to the following address and dropped at the tender box on the 5th Floor, Kencom House, Wing B on or before the closing date.

Head of Procurement
Kenya Commercial Bank
5th Floor, Kencom House
P.O. Box 48400, 00100
Nairobi, Kenya


Please note that tenders received by facsimile or electronic mail will be rejected.

1.4.9 If a bidding firm does not have all the expertise and/or resources for the assignment, there is no objection to the firm associating with another firm to enable a full range of expertise and/or resources to be presented. The request for a Joint Venture shall be accompanied with full documented details of the proposed association.

1.4.10 In the case of a Joint Venture or Association, all the firms constituting the Joint Venture or Association will be jointly and severally liable, and at least one firm in the Joint Venture or Association shall be financially capable of meeting the contract requirements and potential liabilities on its own and shall assume contracting responsibility and liability for satisfactory execution of the assignment.

1.4.11 The contracting arrangements shall define clearly the responsibilities and the services to be provided by each firm in the case of a joint venture.

1.4.12 The Bank reserves the right to accept or to reject any bid, and to annul the bidding process and reject all bids at any time prior to the award of the contract, without thereby incurring any liability to any Bidder or any obligation to inform the Bidder of the grounds for its action.

1.4.13 The vendor's terms and conditions will not form part of any contract with KCB in relation to this tender.

    Canvassing is prohibited and will lead to automatic disqualification.

    1.4.14 Cost of bidding

The Bidder shall bear all costs associated with the preparation and submission of its bid, and the Bank will in no case be responsible or liable for those costs, regardless of the conduct or outcome of the bidding process.

    1.4.15 Clarification of Bidding Document

i. All correspondence related to the contract shall be made in English.

ii. Should there be any doubt or uncertainty, the Bidder shall seek clarification in writing addressed to the Head of Procurement through e-mail to: [email protected].


iii. Any clarification sought by the bidder in respect of the RFP shall be addressed at least five (5) calendar days before the deadline for submission of bids, in writing to the Head of Procurement through the same mail.

iv. It is the responsibility of the Bidder to obtain any further information required to complete this RFP.

v. Any clarification requests and their associated responses will be circulated to all Bidders.

vi. The last date for receipt of requests for clarifications from bidders is Thursday, 28th August 2014.

vii. The RFP Clarification Template is as follows:

Company Name:
Contact Person: (primary Supplier contact)
E-mail:
Phone:
Fax:
Document Number/Supplier:

# | Date (1) | Section/Paragraph (2) | Question
1 | | |
2 | | |
3 | | |

(1) Question(s) mailing date. (2) From the KCB document.

The queries and replies thereto shall then be circulated to all other prospective bidders (without divulging the name of the bidder raising the queries) in the form of an addendum, which shall be acknowledged in writing by the prospective bidders. Enquiries for clarifications should be sent by e-mail to: [email protected]

    1.4.16 Amendment of Bidding Document

At any time prior to the deadline for submission of bids, the Bank, for any reason, whether at its own initiative or in response to a clarification requested by a prospective Bidder, may modify the bidding documents by amendment.

All prospective Bidders that have received the bidding documents will be notified of the amendment in writing, and it will be binding on them. It is therefore important that bidders give the correct details in the format given on page 1 at the time of collecting/receiving the RFP document.

To allow prospective Bidders reasonable time to take any amendments into account in preparing their bids, the Bank may at its sole discretion extend the deadline for the submission of bids based on the nature of the amendments.

    1.4.17 Deadline for Submission of Bids

Bids should be addressed to the Head of Procurement and sent for receipt on or before Friday, 5th September 2014. Any bid received by the Bank after this deadline will be rejected. Those submitting tenders or their representatives may attend the tender opening at the date and time of submission.

    1.4.18 Responsiveness of Proposals

The responsiveness of the proposals to the requirements of this RFP will be determined. A responsive proposal is deemed to contain all documents or information specifically called for in this RFP document. A bid determined not responsive will be rejected by the Bank and may not subsequently be made responsive by the Bidder by correction of the non-conforming item(s).

    1.4.19 Bid Evaluation and Comparison of Bids

Technical proposals will be evaluated and will form the basis for bids comparison. All tender responses will be evaluated in three phases:

a. Detailed technical evaluation to determine technical compliance and support responsiveness of the vendor
c. Financial evaluation to consider pricing competitiveness and the financial capability of the vendors

Once the bids are opened, bid evaluation will commence.

    1.4.19.1 Technical Evaluation

The technical evaluation will include a desktop evaluation and additional detailed evaluations. The desktop evaluation will be scored as follows:

i. Vendor's ability to meet and exceed the objectives of the RFP together with the functional requirements detailed in Appendix 1 and Appendix 4.

ii. Experience and reliability of the Supplier's organization. Therefore, the Supplier is advised to submit any information which documents successful and reliable experience in past performances, especially those performances related to the requirements of this RFP.


iii. The Supplier should provide the following information related to previous and current services/contracts performed by the Supplier's organization and any proposed subcontractors which are similar to the requirements of this RFP (this information may be shown on the form attached as Exhibit A to this RFP or in a similar manner):

a. Name, address, and telephone number of the client/contracting agency and a representative of that client/agency who may be contacted for verification of all information submitted;
b. Dates and locations of the service/contract; and
c. A brief, written description of the specific prior services performed and requirements thereof.

iv. Proposals will be evaluated based on the Supplier's distinctive plan for performing the requirements of the RFP. Therefore, the Supplier should present a written narrative which demonstrates the method or manner in which the Supplier proposes to satisfy these requirements. The language of the narrative should be straightforward and limited to facts, solutions to problems, and plans of action.

Where the words "shall" or "must" are used, they signify a required minimum function or system capacity that will heavily impact the Bidder's final response rating.

Where the words "may" or "desired" are used, they signify that the feature or capacity is desirable but not mandatory; therefore, the specifications in question will have minimal impact on the Bidder's final response rating.

The method by which the proposed method of performance is written will be left to the discretion of the Supplier. However, the Supplier should address each specific paragraph and subparagraph of the Specifications by paragraph and page number as an item for discussion. Immediately below these numbers, write descriptions of how, when, by whom, with what, to what degree, why, where, etc., the requirements will be satisfied.

    1.4.19.2 Demo /Proof of Concept

After the desktop evaluation as per the RFP response, the prospective supplier may be required to give further detailed proof of the viability of the solution, highlighting the functionality as represented in the RFP. This may include all or part of the following:

• Vendor presentations
• A solution demo with the actual installed solution
• A Proof of Concept installation at the bank's premises in a test scenario, if so required
• Site visits to current clients of the supplier who have implemented a similar solution as put forward in the RFP response

It should be noted that vendors will be progressively evaluated from one stage to the other. Only shortlisted vendors will progress to the next stage.

    1.4.19.3 Site visits

In the event that the bank may need to visit a client site, vendors will be notified in writing. The bank may also make surprise unannounced visits to the vendor's offices to verify any information contained in the bid document. All visits are at the discretion of the bank. Vendors may also be called upon to make brief and short presentations and/or demos on their technical solutions before a panel constituted by the bank.

    1.4.19.4 Financial Evaluation (separate sealed envelope )

Financial evaluation will concentrate on the costs inclusive of VAT and other applicable taxes where necessary and Man/Day estimates, where appropriate, broken down as per the table in 1.4.4. Kindly also note the following as regards financial evaluation.

a. Pricing

All bids in response to this RFP should be expressed in USD or KSH. For those expressed in USD a Kenya Shilling equivalent MUST be given, clearly indicating the exchange rate. Those who do not indicate the Kenya Shilling equivalent MAY not be considered further for evaluation.

NOTE: Expressions in other currencies shall not be permitted.

The VAT amount must be clearly stipulated and separated from the base costs. The quoted prices should be valid for a minimum of 90 days. Any other fees required for deployment and ongoing support must be quoted separately. Provide an itemized list of any other items and related costs that the Supplier deems necessary to meet the requirements specified in the proposal. Failure to provide said list shall not relieve the Supplier from providing such items as necessary to meet all of the requirements specified in the proposal at the Fixed Price Purchase Costs proposed.


KCB SHALL ONLY MAKE PAYMENTS THROUGH A KCB ACCOUNT AND THUS ALL BIDDERS ARE ENCOURAGED TO OPEN AN ACCOUNT.

The Bank will not make any payments in advance. The Bank will issue an LPO for all the equipment and/or services ordered. The LPO will be paid within 45 days after delivery, testing, installation and acceptance of the equipment and/or services supplied. The bank will not accept partial deliveries. Payment for equipment and/or services will only be made once the entire ordered equipment and/or services are delivered, installed and commissioned.

    b. Correction of Errors.

Bids determined to be substantially responsive will be checked by the Bank for any arithmetical errors. Errors will be corrected by the Bank as below:

• Where there is a discrepancy between the amounts in figures and in words, the amount in words will govern, and
• Where there is a discrepancy between the unit rate and the line total resulting from multiplying the unit rate by the quantity, the unit rate as quoted will govern.

The price amount stated in the Bid will be adjusted by the Bank in accordance with the above procedure for the correction of errors.

    c. Financial stability

This will involve an assessment of key standard financial ratios and trends for the last 2 years, such as profitability, leverage, debt ratio, gross margins and sales turnover.

However, the Bank is under no obligation to award the tender, as per clause 1.4.12.


    SECTION 2 SCOPE OF WORK

The security of IT applications has become a mission-critical aspect of the IT Security strategy. We are not only seeking a supplier for the software and hardware but also a partnership with the provider to help KCB Group in leveraging this technology through a sound implementation approach with proven organizational adoption tools. Based on the above, the scope will include the following:

    2.1 Supply, install, configure and maintain Database and Web ApplicationFirewall solutions (software, hardware) that will meet the functional andtechnical requirements.

2.2 Provide Database Firewall solutions with core capabilities for the following database platforms:

• Oracle
• MS-SQL
• Sybase
• DB2
• Informix
• MySQL
• Teradata
• PostgreSQL
• Netezza

2.3 Provide Web Application Firewall solutions with core capabilities of supporting Web and portal applications such as Outlook Web Access (OWA), SharePoint and all custom in-house web applications.

2.4 Develop and propose an implementation methodology with roadmap/schedule with monitoring targets and risks towards the desired target.

2.5 Provide the implementation services of the solution as stated in the proposed roadmap, from installation and configuration to final deployment of the solution.

2.6 Deliver training services for the Database and Web Application Firewall solution during the implementation, for technical staff, for knowledge transfer on both the functional and technical aspects.


    2.7 Deliver documentation of the solution from the installation to deployment

2.8 Provide maintenance service for the solution including software version upgrades and hardware replacement.

    2.9 Provide support and assistance including both remote and local/onsiteassistance for resolution of major technical problems and/or issues.

    2.10 Current Installations

This section provides a brief overview of the KCB establishment that is relevant to the proposed solution. The Kenya Commercial Bank is incorporated in Kenya. The bank's establishment in Kenya consists of 167 branches.

It has 4 other subsidiaries:

• KCB Rwanda - Headquarters + 9 branches
• KCB Tanzania - Headquarters + 10 branches
• KCB Uganda - Headquarters + 14 branches
• KCB Sudan - Headquarters + 20 branches

The Head Office for the group is located in Kencom House, Nairobi, Kenya. Further information about the bank can be obtained from the group's website (http://www.kcbbankgroupgroup.com).

    2.11 Brief Overview of Technical Systems Environment

The bank has several computerised systems, the most relevant of which (for the purpose of this project) are summarised below.

Database / Programming Environments:
MS SQL Server 2000 / 2005 / 2008
Oracle; various flavours of the database including but not limited to versions 8i / 9i / 10g / 11i
Informix
JBOSS
Microsoft .Net 2.0 and above
Sybase Adaptive Enterprise Server database
Client-side applications developed in Visual Studio / .Net and PowerBuilder 6.0


Web Applications:
T24 Core banking system from Temenos. This application runs on HP-UX at the backend while the clients are browser based (Firefox and Internet Explorer version 6.1 and above). The backend system is programmed using JBOSS and Oracle.

Microsoft SharePoint 2007
Email Applications: MS Exchange 2010
Proxy Servers / firewalls: Microsoft ISA Server 2006, CISCO PIX, ASA and Checkpoint firewalls. The Microsoft ISA Server 2006 will be replaced with Microsoft Forefront Threat Management Gateway during the year
Sybrin clearing system on Windows environment
Internet & Mobile banking applications
TranzWare card system

    2.12 Functional Requirements

Functional requirements are indicated in Appendix 1 (Technical Requirements Matrix). That section should be completed in its entirety in the vendor response.

    Delivery, Testing and Acceptance (On Successful Bidding)

The product will be deemed to have been:

a) Delivered when
   i. The complete machine-readable form of the product together with the product documentation is received at KCB's primary location (IT Division, 7th floor Kencom House, Nairobi); and

b) Tested / POC
   ii. The bank will test the proposed solution in a test environment to ascertain that all the functionality as put forward by the supplier is met. Incorrect information discovered at this time will constitute grounds for disqualification. It is the responsibility of the supplier to ensure the requirement defined in the proposal is achieved. The signed proposal will be the sole reference document for any discussion issues arising related to acceptance; and

c) Accepted when
   iii. The solution has been successfully installed and configured on the Production environment by the representative of the Supplier as per product documentation; and
   iv. Acceptance Criteria: the Bank will accept the proposed deliverables after they have been fully tested by the bank and confirmed to meet the requirement as specified in the original RFP.


KCB shall endeavour to provide the Production environment as soon as it is practically possible. Delivery and performance of the Services shall be made by the successful Bidder in accordance with the time schedule as per Proposal and subsequent Agreement.


    SECTION 3 - GENERAL CONDITIONS OF CONTRACT

    3.1 Introduction

Specific terms of contract shall be discussed with the bidder whose proposal will be accepted by the Bank. The resulting contract shall include but not be limited to the general terms of contract as stated below from 3.2 to 3.14.

    3.2 Award of Contract

Following the opening and evaluation of proposals, the Bank will award the Contract to the successful bidder whose bid has been determined to be substantially responsive and has been determined as the best evaluated bid. The Bank will communicate to the selected bidder its intention to finalize the draft conditions of engagement submitted earlier with its proposal.

After agreement has been reached, the successful Bidder shall be invited for signing of the Contract Agreement to be prepared by the Bank in consultation with the Bidder.

    3.3 Application of General Conditions of Contract

These General Conditions (sections 3.2 to 3.14) shall apply to the extent that they are not superseded by provisions in other parts of the Contract that shall be signed.

    3.4 Ownership

The proposal should be modelled along perpetual licensing with annual maintenance costs, which provides the bank the right to continue using the product as is on expiry of the maintenance period.

The Supplier should include a 2-year bundled support and indicate (as a percentage of the product cost where applicable) the cost of continued support after the two years. The bundled support cost should be clearly separated from the cost of the product.

    3.5 Bid Validity Period

Bidders are requested to hold their proposals valid for ninety (90) days from the closing date for the submission.


    3.6 Performance Security

The Bank may at its discretion require the successful bidder to furnish it with Performance Security. The performance bond amount will be one hundred percent (100%) of the total bid price before the bank can issue any Purchase Order. The performance bond will be valid for a minimum of 9 months and must be provided within 14 days from the date of written notification to the Supplier by the bank to provide the bond. Failure to comply with this requirement will void the tender award and the bank at its sole discretion may award the tender to any other Supplier.

3.6.1 The Performance Security shall be in the form of a bank guarantee issued by a commercial bank operating in Kenya and shall be in a format prescribed by the Bank. The performance guarantee shall be submitted within 10 days of notification of award.

3.6.2 The proceeds of the Performance Security shall be payable to the Kenya Commercial Bank as compensation for any loss resulting from the Bidder's failure to complete its obligations under the Contract.

3.6.3 The Performance Security will be discharged by the Company not later than two months following the date of completion of the Bidder's performance obligations, and the Bank's acceptance of the final report as specified in the contract.

It is a condition of the bank that the Supplier guarantees the sufficiency and effectiveness of the solution proposed to meet the bank requirements as outlined in this document. The Bank will hold the Supplier solely responsible for the accuracy and completeness of information supplied in response to this tender. The bank will hold the Supplier responsible for the completeness of the solution proposed and that, were the Supplier to be awarded the tender, they would implement the solution without any additional requirements from the bank.

    3.7 Delays in the Bidders Performance

3.7.1 Delivery and performance of the Supply, installation and Maintenance of Signage shall be made by the successful Bidder in accordance with the time schedule as per Agreement.


3.7.2 If at any time during the performance of the Contract the Bidder should encounter conditions impeding timely delivery and performance of the Services, the Bidder shall promptly notify the Bank in writing of the fact of the delay, its likely duration and its cause(s). As soon as practicable after receipt of the Bidder's notice, the Bank shall evaluate the situation and may at its discretion extend the Bidder's time for performance, with or without liquidated damages, in which case the extension shall be ratified by the parties by amendment of the Contract.

3.7.3 Except in the case of force majeure as provided in Clause 3.13, a delay by the Bidder in the performance of its delivery obligations shall render the Bidder liable to the imposition of liquidated damages pursuant to Clause 3.8 (Liquidated damages).

    3.8 Liquidated damages for delay

The contract resulting out of this RFP shall incorporate suitable provisions for the payment of liquidated damages by the bidders in case of delays in performance of contract.

    3.9 Governing Language

The Contract shall be written in the English Language. All correspondence and other documents pertaining to the Contract which are exchanged by the parties shall also be in English.

    3.10 Applicable Law

This agreement arising out of this RFP shall be governed by and construed in accordance with the laws of Kenya and the parties submit to the exclusive jurisdiction of the Kenyan Courts.

    3.11 Bidders Obligations

3.11.1 The Bidder is obliged to work closely with the Bank's staff, act within its own authority, and abide by directives issued by the Bank that are consistent with the terms of the Contract.

3.11.2 The Bidder will abide by the job safety measures and will indemnify the Bank from all demands or responsibilities arising from accidents or loss of life, the cause of which is the Bidder's negligence. The Bidder will pay all indemnities arising from such incidents and will not hold the Bank responsible or obligated.

3.11.3 The Bidder is responsible for managing the activities of its personnel, or subcontracted personnel, and will hold itself responsible for any misdemeanors.

3.11.4 The Bidder will not disclose the Bank's information it has access to, during the course of the work, to any other third parties without the prior written authorization of the Bank. This clause shall survive the expiry or earlier termination of the contract.

3.11.5 The Bidder shall appoint an experienced counterpart resource to handle this requirement for the duration of the Contract. The Bank may also demand a replacement of the manager if it is not satisfied with the manager's work or for any other reason.

3.11.6 The Bidder shall take the lead role and be jointly responsible with the Bank for producing a finalised project plan and schedule, including identification of all major milestones and specific resources that the Bank is required to provide.

3.11.7 The Supplier represents and warrants that it is entitled to respond to this RFP and that it is fully entitled to the proposed Product by way of reseller licensing or ownership and has the right to sell and/or licence the Product as provided in their RFP response, and shall hold KCB harmless from action for infringement of patents and/or copyrights.

3.12 The Bank's Obligations

In addition to providing the Bidder with such information as may be required by the bidder, the Bank shall:

(a) Provide the Bidder with specific and detailed relevant information
(b) In general, provide all relevant information and access to the Bank's premises.


3.13 Confidentiality

The parties undertake on behalf of themselves and their employees, agents and permitted subcontractors that they will keep confidential and will not use for their own purposes (other than fulfilling their obligations under the contemplated contract) nor, without the prior written consent of the other, disclose to any third party any information of a confidential nature relating to the other (including, without limitation, any trade secrets, confidential or proprietary technical information, trading and financial details and any other information of commercial value) which may become known to them under or in connection with the contemplated contract. The terms of this Clause 2.15 shall survive the expiry or earlier termination of the contract.

    3.14 Force Majeure

(a) Neither Bidder nor Bank shall be liable for failure to meet contractual obligations due to Force Majeure.

(b) Force Majeure impediment is taken to mean unforeseen events, which occur after signing the contract with the successful bidder, including but not limited to strikes, blockade, war, mobilization, revolution or riots, natural disaster, acts of God, refusal of license by Authorities or other stipulations or restrictions by authorities, in so far as such an event prevents or delays the contractual party from fulfilling its obligations, without its being able to prevent or remove the impediment at reasonable cost.

(c) The party involved in a case of Force Majeure shall immediately take reasonable steps to limit the consequences of such an event.

(d) The party who wishes to plead Force Majeure is under obligation to inform the other party in writing, without delay, of the event, of the time it began and its probable duration. The moment of cessation of the event shall also be reported in writing.

(e) The party who has pleaded a Force Majeure event is under obligation, when requested, to prove its effect on the fulfilling of the contemplated contract.


    SECTION 4 : APPENDIXES

    Appendix 1 Technical Requirements Matrix

    Functional Requirements and Specifications

The tables below provide a feature summary for the products under procurement. All products should be quoted for separately.

Please identify and describe where necessary the levels of support as: Full Support, Partial Support and No Support:

Database Firewall

Specification | Description | Level of support

Supported Database Platforms | Oracle; MS-SQL; Sybase; DB2 (including LUW, z/OS and DB2/400); Informix; MySQL; PostgreSQL; Teradata; Netezza |
Deployment Modes | Network: Non-inline sniffer, transparent bridge; Agentless collection of 3rd party database audit logs |
Performance Overhead | Network monitoring: zero impact on monitored servers; Agent based monitoring: 1-3% CPU resources |
Centralized Management across geographically dispersed locations | Web User Interface (HTTP/HTTPS); Command Line Interface (SSH/Console) |
Centralized Administration across geographically dispersed locations | MX Server for centralized management; Integrated management option; Hierarchical management |
Database Audit Details | SQL operation (raw or parsed); SQL response (raw or parsed); Database, Schema and Object; User name; Timestamp; Source IP, Source OS, Source application; Parameters used; Stored Procedures; DB Server restarts, row level operations |
Privileged Activities | All privileged activity, DDL and DCL; Schema Changes (CREATE, DROP, ALTER); Creation, modification of accounts, roles and privileges (GRANT, REVOKE) |
Access to Sensitive Data | Successful and Failed SELECTs; All data changes |
Security Exceptions | Failed Logins, Connection Errors, SQL errors |
Data Modification | INSERTs, UPDATEs, DELETEs (DML activity) |
Stored Procedures | Creation, Modification, Execution |
Triggers | Creation and Modification |
Tamper-Proof Audit Trail | Audit trail stored in a tamper-proof repository; Encryption or digital signing of audit data; Role based access controls to view audit data (read-only); Real-time visibility of audit data |
Fraud Identification | Unauthorized activity on sensitive data; Abnormal activity hours and source; Unexpected user activity; Unexpected database growth/shrinkage |
Data Leak Identification | Requests for classified data; Unauthorized/abnormal data extraction |
Database Security | Dynamic Profile (White List security); Protocol Validation (SQL and protocol validation); Real-time alerts |
Platform Security | Operating system intrusion signatures; Known and zero-day worm security |
Network Security | Stateful firewall; DoS prevention |
Policy Updates | Regular Application Defense Center security and compliance updates |
Real-Time Event Management and Report distribution | SNMP; Syslog; Email; Incident management ticketing integration; Custom followed action task workflow; Integrated graphical reporting; Real-time dashboard |
Server Discovery | Automated discovery of database servers |
Data Discovery and Classification | Database servers; Financial Information; Credit Card Numbers; System and Application Credentials; Personal Identification Information; Custom data types |
User Rights Management (add-on option) | Audit user rights over database objects; Validate excessive rights over sensitive data; Identify dormant accounts; Track changes to user rights |
Vulnerability Assessment | Operating System vulnerabilities; Database vulnerabilities; Configuration flaws; Risk scoring and mitigation steps |
Training | Standard product training at an authorized training center for 5 KCB staff. This should include training fees, travel and lodging expenses. Logistics and allowances to be computed at KCB rates. |
Support | One year standard support on hardware and software; Two year standard support on hardware and software; Three year standard support on hardware and software |
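Added illustration of the "encryption or digital signing of audit data" item in the Tamper-Proof Audit Trail row above: example code written for this page, not from the RFP or any vendor product. The HMAC key, the field names and the three sample audit records are constructed; the block shows how chaining each record's tag to the previous record's tag lets a reviewer with read-only access detect an edited, deleted or reordered record.

```python
"""Tamper-evident audit trail for database activity records (added example)."""
import hashlib
import hmac
import json
from typing import Dict, List, Optional

# Constructed sample key. A real DAM keeps this in the appliance or an HSM,
# never on the monitored database host, so a DBA cannot re-sign records.
AUDIT_KEY = b"constructed-sample-key-do-not-reuse"

# The audit fields the RFP lists: operation, object, user, time and source.
FIELDS = ("timestamp", "user", "source_ip", "source_app",
          "database", "schema", "object", "operation", "sql")

GENESIS = "0" * 64  # chain pointer carried by the first record


def canonical(record: Dict[str, str]) -> bytes:
    """Serialize deterministically so signer and verifier hash identical bytes."""
    missing = [f for f in FIELDS if f not in record]
    if missing:
        raise ValueError(f"record missing fields: {missing}")
    return json.dumps({f: record[f] for f in FIELDS},
                      sort_keys=True, separators=(",", ":")).encode()


def seal(record: Dict[str, str], prev_tag: str,
         key: bytes = AUDIT_KEY) -> Dict[str, str]:
    """Copy the record and attach its chain pointer and HMAC-SHA256 tag.
    The tag covers the previous tag plus this record, so altering any earlier
    entry invalidates every entry after it."""
    tag = hmac.new(key, prev_tag.encode() + canonical(record),
                   hashlib.sha256).hexdigest()
    sealed = dict(record)
    sealed["prev_tag"] = prev_tag
    sealed["tag"] = tag
    return sealed


def append_record(trail: List[Dict[str, str]], record: Dict[str, str],
                  key: bytes = AUDIT_KEY) -> Dict[str, str]:
    """Seal a record against the current chain head and append it."""
    prev = trail[-1]["tag"] if trail else GENESIS
    sealed = seal(record, prev, key)
    trail.append(sealed)
    return sealed


def verify_trail(trail: List[Dict[str, str]],
                 key: bytes = AUDIT_KEY) -> Optional[int]:
    """Return None if the chain verifies, else the index of the first bad entry.
    Catches edits, deletions in the middle and reordering. Truncation at the
    tail is not visible here: the appliance must anchor the latest tag
    somewhere the writer cannot reach to catch that case."""
    expected_prev = GENESIS
    for i, entry in enumerate(trail):
        if entry.get("prev_tag") != expected_prev:
            return i
        body = {f: entry.get(f, "") for f in FIELDS}
        recomputed = hmac.new(key, expected_prev.encode() + canonical(body),
                              hashlib.sha256).hexdigest()
        if not hmac.compare_digest(recomputed, entry.get("tag", "")):
            return i
        expected_prev = entry["tag"]
    return None


def build_sample_trail() -> List[Dict[str, str]]:
    """Three constructed records; the last is an off-hours privileged GRANT."""
    trail: List[Dict[str, str]] = []
    samples = [
        dict(timestamp="2014-08-22T09:15:02Z", user="app_svc", source_ip="10.0.5.21",
             source_app="T24", database="corebank", schema="ops", object="account",
             operation="SELECT", sql="SELECT balance FROM ops.account WHERE id = ?"),
        dict(timestamp="2014-08-22T09:15:09Z", user="app_svc", source_ip="10.0.5.21",
             source_app="T24", database="corebank", schema="ops", object="account",
             operation="UPDATE", sql="UPDATE ops.account SET balance = ? WHERE id = ?"),
        dict(timestamp="2014-08-22T23:41:55Z", user="dba_night", source_ip="10.0.9.3",
             source_app="sqlplus", database="corebank", schema="ops", object="account",
             operation="GRANT", sql="GRANT SELECT ON ops.account TO analyst"),
    ]
    for rec in samples:
        append_record(trail, rec)
    return trail


def tamper_demo() -> Optional[int]:
    """Rewrite the GRANT to look like a harmless SELECT; verification flags index 2."""
    trail = build_sample_trail()
    trail[2]["operation"] = "SELECT"
    trail[2]["sql"] = "SELECT 1 FROM dual"
    return verify_trail(trail)  # returns 2


def deletion_demo() -> Optional[int]:
    """Drop the UPDATE from the middle; the next record's pointer exposes the gap."""
    trail = build_sample_trail()
    del trail[1]
    return verify_trail(trail)  # returns 1
```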

Specification for Database Activity Monitoring:

ID | Specification | Response

Architecture
1 Is the solution appliance based or virtual appliance based?
2 Does the solution require deployment of agents on the database servers?
3 If so, there should be only one agent to monitor all DB activities including local DB traffic and network DB traffic
4 All agents regardless of deployment mode should be managed from the centralized management console
5 Agents should have only minimal overhead for the production DB servers
6 Agent should support AIX, HP-UX, Linux, Solaris and Windows platforms
7 There should not be additional agents required to be installed to monitor and block DB traffic/attack traffic if required
8 There should not be any 3rd party software to be installed for agents
9 Audit trails should be stored within the solution and should not be stored in any database
10 Audit trails should be tamperproof and should be stored in encrypted flat files.
11 Solution components should be managed centrally.
12 Solution should support the DB platforms below:
   Oracle
   MS-SQL (Microsoft SQL Server)
   DB2 (LUW, z/OS and DB2/400)
   Sybase
   Informix
   MySQL
   PostgreSQL
   Teradata
   Netezza

Database Discovery
1 Solution should discover both new and existing database systems and should map all on the network.
2 Product should provide automated discovery of both new and existing database tables
3 Product should keep the historical information about the systems and their configuration.
4 Product should show changes since the last scan for DB discovery and configuration
5 Solution should support identification of rogue or test databases
6 Solution should discover asset management and change management processes

Data Classification
1 The product should perform data discovery and classification
2 Solution should detect sensitive data types, such as credit card numbers, social security numbers, etc., in database objects
3 The solution should locate custom data types in database objects

Vulnerability Assessments
1 Solution should have database vulnerability assessment tests for assessing the vulnerabilities and mis-configurations of database servers and their OS platforms. OSs and RDBMSs are tested for known exploits and mis-configurations.
2 Solution should have a comprehensive list of pre-defined assessment policies and tests to address PCI-DSS, SOX and HIPAA requirements. Vulnerabilities specific to Oracle EBS and PeopleSoft databases can also be detected. In addition, the following tests should be included:
   - Latest patches and releases installed
   - Changes to database files
   - Default accounts and passwords
   - Newly created/updated logins
   - Remote OS authentication enabled
   - Escalated user privileges granted
3 Should be able to add custom assessments to the solution
4 Solution should support user-created scripts for assessment tests.
5 The product should identify missing patches
6 The solution should verify that default database accounts do not have a default password
7 The product should be usable to measure compliance with industry standards and regulations

Vulnerability Assessment Result Analysis and Reporting
1 The product should present a view of risk to data by vulnerability and the sensitivity of the data
2 Solution should have database vulnerability assessment tests for assessing the vulnerabilities and mis-configurations of database servers and their OS platforms. OSs and RDBMSs are tested for known exploits and mis-configurations.
3 Solution should have a comprehensive list of pre-defined assessment policies and tests to address PCI-DSS, SOX and HIPAA requirements. Vulnerabilities specific to SAP, Oracle EBS and PeopleSoft databases can also be detected. In addition, the following tests should be included:
   - Latest patches and releases installed
   - Changes to database files
   - Default accounts and passwords
   - Newly created/updated logins
   - Remote OS authentication enabled
   - Escalated user privileges granted
4 The solution should have pre-defined reports.
5 The product should support custom report generation.
6 The product should compare the results of a discovery, classification or assessment job with a previous run
7 Should have an option to distribute reports on demand and automatically (on schedule)

Remediation (optional: for future requirement)
1 The product can be upgraded for mitigation of risk to sensitive data stored in databases
2 Should have an option to upgrade the product to actively prevent attempts to exploit known vulnerabilities
3 The solution can be upgraded to offer virtual patching capabilities (protecting the database from known vulnerabilities without deploying a patch or script on the system)

Database Activity Monitoring
1 Solution should have an appliance/virtual appliance to monitor network based database activity and should have agents to monitor local DB activity
2 Should the product employ a centralized appliance
3 Solution should provide for centralized control of collected information
4 Should have a DBMS product used as part of the appliance package to store configuration and alert logs, not for storing audit data
5 The solution should support high availability
6 Product should be able to be installed in sniffing mode or inline mode.
7 Solution should have built-in bypass (fail open) for inline mode
7 Solution should support the databases below: Oracle, MS SQL, DB2, Informix, Sybase, MySQL, Teradata, Netezza
8 The solution should not use the native database audit functionality.
9 The solution should not employ transaction log auditing
10 Should be able to integrate with leading SIEM tools
11 The product should have means to archive and restore data
12 The agent should not require a reboot after installation/configuration
13 The solution should not require any changes to the monitored database and/or application
14 The solution should not require a database restart after installation/configuration
15 The audited data transferred between the agent and the appliance should be sent through an encrypted channel
16 The solution should capture before and after images of data that is being manipulated
17 Product should identify differences in baseline user activity.
18 The solution should capture SELECT activity by user/role
19 The solution should capture update, insert, delete (DML) activity by user/role
20 The solution should capture schema/object change (DDL) activity by user/role
21 The solution should capture manipulation of accounts, roles and privileges (DCL) by user/role
22 DAM should monitor privileged operations, including both SQL and protocol level operations.
23 DAM should monitor MS SQL statements where caching is used
24 DAM solution should be able to monitor activities at any new DB interface/connector created by any user/system without any manual intervention
25 The solution should have an automated mechanism for updating security configurations/policies

Alerting and Blocking Capabilities
1 The solution should provide an automated, real-time event alert mechanism
2 The solution should have an option to upgrade to block database attacks in real time
3 The solution should monitor privileged users
4 The solution should have an option to upgrade to block privileged users' activity if required
5 The solution should monitor for all DB attacks such as SQL injection and alert even if the traffic is not audited.
6 The solution should have an option to upgrade to block DB attacks such as SQL injection in real time.
7 The solution should monitor 100% of the DB traffic for all DB violations and attacks even if the traffic is not being audited

Reporting
1 Solution should have packaged reporting capabilities
2 Product should support use of pre-configured policies/reports (PCI, SOX, HIPAA) for ensuring regulatory compliance
3 Product should have functionality to assist with security event forensics

Web Application Firewall

Specification | Description | Feature Support

Web Security | Dynamic Profile (White List security); Web server & application signatures; Reputation based security and IP geolocation; HTTP RFC compliance; Normalization of encoded data; Automated-client detection | Required
Application Attacks Prevented | Refer to Appendix I | Required
HTTPS/SSL Inspection | Passive decryption or termination; Optional HSM for SSL key storage | Required
Web Services Security | XML/SOAP profile enforcement; Web services signatures; XML protocol conformance | Required
Web Fraud Prevention | Fraud and malware detection | Required
Content Modification | URL rewriting (obfuscation); Cookie signing; Cookie encryption; Custom error messages; Error code handling | Required
Platform Security | Operating system intrusion signatures; Known and zero-day worm security | Required
Network Security | Stateful firewall; DoS prevention | Required
Advanced Protection | Correlation rules incorporating all security elements (white list, black list) to detect complex, multi-stage attacks | Required
Data Leak Prevention | Credit card numbers; PII (personally identifiable information); Pattern matching | Required
Policy/Signature Updates | Frequent security updates | Required
Authentication | Support for RSA Access Manager for two-factor authentication; Support for LDAP (Active Directory); Support for SSL client certificates | Required
User Awareness | Automated tracking of Web application users | Required
Deployment Mode | Transparent Bridge (Layer 2); Reverse Proxy and Transparent Proxy (Layer 7); Non-inline sniffer | Required
Management | Support for a Web User Interface (HTTP/HTTPS); Command Line Interface (SSH/Console) | Required
Administration | MX Server for centralized management | Required
Logging/Monitoring | SNMP; Syslog; Email; Integrated graphical reporting; Real-time dashboard | Required
High Availability | IMPVHA (Active/Active, Active/Passive); Fail open interfaces (bridge mode only); Support for VRRP; Support for STP and RSTP | Required
Solution Delivery Option | Physical appliance | Required
Web Application Vulnerability Scanner Integration | WhiteHat, IBM, Cenzic, NT OBJECTives, HP, Qualys, and Beyond Security | Required
Enterprise Application Support | SIEM/SIM tools: ArcSight, RSA enVision, Prism Microsystems, Q1 Labs, TriGeo, NetIQ; Log Management: CA ELM, SenSage, Infoscience Corporation | Required
TCP/IP Support | IPv4, IPv6 | Required
Training | Standard product training at an authorized training center for 5 KCB staff. This should include training fees, travel and lodging expenses. Logistics and allowances to be computed at KCB rates. | Required
Support | One year standard support on hardware and software | Required

    Specification for Web Access Firewall:

    ID Specification Remarks

    Policy Management

    The WAF shall be able to automatically-build policiesThe WAF shall be able to manually accept false positives bysimple means (check box)The WAF shall be able to define different policies for differentapplications

  • 8/10/2019 Security and Web Application Monitoring

    36/58

    Commercial in confidence IT/August 2014/ DATABASE AND WEB APPLICATION SECURITY/FIREWALL SOLUTIONPage 36 of 58

    The WAF shall be able to create custom attack signatures oreventsThe WAF shall be able to customize Denial of Service policiesThe WAF shall be able to combine detection and preventiontechniquesThe WAF shall have policy roll-back mechanismThe WAF shall be able to do versioning of policesThe WAF shall have a built-in real-time policy builder withautomatic self-learning and creation of security policesThe WAF shall have prebuilt polices for applications - egMicrosoft Sharepoint, OWA, SAP, Oracle E-Business, Sieble forfast deployment

    Profile Learning Process
    The WAF shall be able to recognise trusted hosts
    The WAF shall be able to learn about the application without human intervention
    The WAF shall be able to inspect policy (auditing + reporting)
    The WAF shall be able to protect new content pages and objects without policy modifications

    Configuration Management
    The WAF shall have role-based management with user authentication
    The WAF shall be able to replace/customize error and blocked pages
    The WAF shall have configurable security levels

    Logs and Monitoring
    The WAF shall have the ability to identify and notify system faults and loss of performance (SNMP, syslog, e-mail, ...)
    The WAF shall have the ability to customize logging
    The WAF shall have the ability to generate service and system statistics
    The WAF shall be able to perform time synchronisation (NTP, ...)

    Miscellaneous
    The WAF shall have a robust and reliable GUI interface


    The WAF shall be able to be managed via serial console, SSH or HTTPS web GUI
    The WAF shall be able to support caching and compression in a single platform
    The WAF shall be able to prevent OS fingerprinting
    The WAF shall be able to perform data guard and cloaking (hiding of error pages and application error pages)
    The WAF shall be able to integrate with vulnerability testing tools (e.g. WhiteHat Sentinel) for automated instant policy tuning
    The WAF shall be able to be implemented and installed on application delivery controller (ADC) hardware platforms and managed from the same GUI.

    SSL capabilities
    The WAF shall be capable of terminating HTTPS traffic for HTTP websites
    The WAF shall be FIPS 140-2 compliant
    The WAF shall have SSL accelerators available for SSL offloading
    The WAF shall store the certificate private key on the WAF using a secure mechanism
    The WAF shall store the certificate private key on the WAF using a secure mechanism, and a passphrase
    The WAF shall be capable of communicating with a backend application server using HTTPS
    The WAF shall be capable of tuning the SSL parameters, such as the SSL encryption method used and the SSL version

    HTTP/HTML & XML
    The WAF shall support HTTP 1.0 and 1.1 versions
    The WAF shall support application/x-www-form-urlencoded encoding
    The WAF shall support v0 cookies
    The WAF shall support v1 cookies
    The WAF shall enforce cookie types used
    The WAF shall support chunked encoding in requests
    The WAF shall support chunked encoding in responses


    The WAF shall support response compression
    The WAF shall support application flows management and manually define site flow and object policies
    The WAF shall support all character sets during validation
    The WAF shall restrict methods used, e.g. GET, POST, all other methods
    The WAF shall restrict protocols and protocol versions used
    The WAF shall support multi-byte language encoding
    The WAF shall validate URL-encoded characters
    The WAF shall restrict request method length
    The WAF shall restrict request line length
    The WAF shall restrict request URI length
    The WAF shall restrict query string length
    The WAF shall restrict protocol (name and version) length
    The WAF shall restrict the number of headers
    The WAF shall restrict header name length
    The WAF shall restrict header value length
    The WAF shall restrict request body length
    The WAF shall restrict cookie name length
    The WAF shall restrict cookie value length
    The WAF shall restrict the number of cookies
    The WAF shall restrict parameter name length
    The WAF shall restrict parameter value length
    The WAF shall restrict the number of parameters
    The WAF shall restrict combined parameter length (names and values together)
    The WAF shall support protection of XML Web Services
    The WAF shall restrict XML Web Services access to methods defined via Web Services Description Language (WSDL)
    The WAF shall be able to perform information display masking/scrubbing on requests and responses
    The WAF shall be able to perform validation for Web Services XML documents
    The WAF shall be able to monitor latency of Layer 7 (application layer) traffic to detect spikes and anomalies in the typical traffic pattern in order to detect, report on, and prevent Layer 7 DoS attacks.


    The WAF shall be able to detect, report on, and prevent Layer 7 (application layer) brute force attack attempts to break in to secured areas of a web application by trying exhaustive, systematic permutations of code or username/password combinations to discover legitimate authentication credentials.
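    The following is an added worked example, not part of the RFP and not any bidder's product code. It shows how the structural limits the RFP asks the WAF to enforce (allowed methods and protocol versions, request line, URI and query string lengths, header, cookie and parameter counts and lengths, body length, combined parameter length) can be checked on a single raw HTTP request, returning every violated limit so that a block event can be logged with a full reason. The limit values, the RequestLimits type, and both sample requests are constructed for illustration; a real deployment tunes the numbers per application.

```python
"""Added worked example, not part of the RFP and not any bidder's product code:
checking one raw HTTP request against the structural limits the RFP asks the
WAF to enforce. The limit values, the RequestLimits type and the two sample
requests are constructed for illustration; a deployment tunes them per site.
"""
from dataclasses import dataclass
from urllib.parse import parse_qsl, urlsplit


@dataclass(frozen=True)
class RequestLimits:
    # Constructed defaults; each field mirrors one "The WAF shall restrict" line.
    allowed_methods: tuple = ("GET", "POST")
    allowed_protocols: tuple = ("HTTP/1.0", "HTTP/1.1")
    request_line: int = 2048
    uri: int = 1024
    query_string: int = 512
    header_count: int = 32
    header_name: int = 64
    header_value: int = 1024
    body: int = 8192
    cookie_count: int = 16
    cookie_name: int = 64
    cookie_value: int = 512
    param_count: int = 32
    param_name: int = 64
    param_value: int = 256
    params_combined: int = 4096


def check_request(raw: bytes, limits: RequestLimits = None) -> list:
    """Return every violated limit for one raw request; an empty list means
    the request passes. All checks run so a block log can name each problem."""
    limits = limits or RequestLimits()
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return ["missing end of headers"]
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        return ["malformed request line"]
    method, target, protocol = parts
    url = urlsplit(target)
    v = []

    # Request line, method, protocol version, URI and query string
    if len(lines[0]) > limits.request_line:
        v.append("request line too long")
    if method not in limits.allowed_methods:
        v.append(f"method not allowed: {method}")
    if protocol not in limits.allowed_protocols:
        v.append(f"protocol not allowed: {protocol}")
    if len(url.path) > limits.uri:
        v.append("URI too long")
    if len(url.query) > limits.query_string:
        v.append("query string too long")

    # Header count and per-header name/value lengths
    headers = [(n.strip(), val.strip()) for n, _, val in
               (line.partition(":") for line in lines[1:])]
    if len(headers) > limits.header_count:
        v.append("too many headers")
    for name, value in headers:
        if len(name) > limits.header_name:
            v.append(f"header name too long: {name[:16]}")
        if len(value) > limits.header_value:
            v.append(f"header value too long: {name}")

    # Cookie count and per-cookie name/value lengths ("Cookie: a=1; b=2")
    cookies = [pair.strip().partition("=")
               for name, value in headers if name.lower() == "cookie"
               for pair in value.split(";") if pair.strip()]
    if len(cookies) > limits.cookie_count:
        v.append("too many cookies")
    for cname, _, cvalue in cookies:
        if len(cname) > limits.cookie_name:
            v.append(f"cookie name too long: {cname[:16]}")
        if len(cvalue) > limits.cookie_value:
            v.append(f"cookie value too long: {cname}")

    # Body length, then parameters from the query string and a form body
    if len(body) > limits.body:
        v.append("request body too long")
    params = parse_qsl(url.query, keep_blank_values=True)
    ctype = next((val for n, val in headers if n.lower() == "content-type"), "")
    if ctype.startswith("application/x-www-form-urlencoded"):
        params += parse_qsl(body.decode("latin-1"), keep_blank_values=True)
    if len(params) > limits.param_count:
        v.append("too many parameters")
    combined = 0
    for pname, pvalue in params:
        combined += len(pname) + len(pvalue)
        if len(pname) > limits.param_name:
            v.append(f"parameter name too long: {pname[:16]}")
        if len(pvalue) > limits.param_value:
            v.append(f"parameter value too long: {pname}")
    if combined > limits.params_combined:
        v.append("combined parameter length too long")
    return v


# Constructed sample requests, not captured traffic
CLEAN_REQUEST = (
    b"POST /login HTTP/1.1\r\nHost: bank.example\r\nCookie: session=abc123\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 27\r\n"
    b"\r\nusername=alice&password=pw1"
)
NOISY_REQUEST = (
    b"TRACE /admin?" + b"&".join(b"p%d=x" % i for i in range(40))
    + b" HTTP/1.1\r\nHost: bank.example\r\nX-Long: " + b"A" * 2000 + b"\r\n\r\n"
)
```

    Calling check_request(CLEAN_REQUEST) returns an empty list, while check_request(NOISY_REQUEST) names the disallowed method, the oversized header value and the excess parameter count in one pass. Checks are deliberately not short-circuited: a WAF that stops at the first violation logs less than an operator needs when tuning a policy against false positives.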

    Detection techniques
    The WAF shall be able to support the following detection techniques:
    URL-decoding
    Null byte string termination
    Self-referencing paths (i.e. use of /./ and encoded equivalents)
    Path back-references (i.e. use of /../ and encoded equivalents)
    Mixed case
    Excessive use of whitespace
    Comment removal (e.g. convert DELETE/**/FROM to DELETE FROM)
    Conversion of (Windows-supported) backslash characters into forward slash characters
    Conversion of IIS-specific Unicode encoding (%uXXYY)
    Decode HTML entities (e.g. &#99;, &quot;, &nbsp;)
    Escaped characters (e.g. \t, \001, \xAA, \uAABB)
    Negative security model techniques
    Positive security model support - an "allow what's known" policy, blocking all unknown traffic and data types
    Positive security model configuration
    Application flow
    Dynamic positive security model configuration maintenance
    Built-in process engine to detect evasion techniques like cross site scripting
    Is there an out of the box rule database available
    Automated regular signature updates
    Operates in a full proxy architecture and inline control over all traffic through the WAF
    Ability to hide back-end application server OS fingerprinting data and application specific information


    Ability to protect against malicious activity within, and hijacking of, embedded client side code (JavaScript, VBScript, etc.)
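    The following is an added worked example, not part of the RFP and not any bidder's product code. It implements the normalization steps listed under "Detection techniques" (URL-decoding including %uXXYY, null byte termination, HTML entity and escaped character decoding, backslash conversion, self-reference and back-reference resolution, comment removal, whitespace collapsing and case folding) so that a signature is matched against one canonical form rather than against each encoding separately. The step order, the bounded URL-decoding depth, and the three sample signatures are constructed choices for illustration.

```python
"""Added worked example, not part of the RFP and not any bidder's product code:
the request normalization steps listed under "Detection techniques", applied
before signature matching so that differently encoded spellings of one value
collapse to a single canonical form. Step order, the bounded URL-decoding
depth and the sample signatures are constructed choices for illustration.
"""
import html
import re
from urllib.parse import unquote

_IIS_UNICODE = re.compile(r"%u([0-9a-fA-F]{4})")          # IIS-specific %uXXYY
_ESCAPED = re.compile(r"\\(?:x([0-9a-fA-F]{2})|u([0-9a-fA-F]{4})|([0-7]{1,3})|([tnr]))")
_COMMENT = re.compile(r"/\*.*?\*/", re.DOTALL)           # e.g. DELETE/**/FROM


def _decode_escapes(s: str) -> str:
    """Decode \\t, \\001, \\xAA and \\uAABB style escapes."""
    def repl(m):
        hexa, uni, octal, ctl = m.groups()
        if hexa:
            return chr(int(hexa, 16))
        if uni:
            return chr(int(uni, 16))
        if octal:
            return chr(int(octal, 8))
        return {"t": "\t", "n": "\n", "r": "\r"}[ctl]
    return _ESCAPED.sub(repl, s)


def normalize(value: str, max_decode_rounds: int = 2) -> str:
    """Canonicalise one path or parameter value."""
    s = value
    # 1. URL-decoding (plus %uXXYY), repeated a bounded number of rounds so
    #    that double encoding (%252e -> %2e -> .) is collapsed as well.
    for _ in range(max_decode_rounds):
        decoded = unquote(_IIS_UNICODE.sub(lambda m: chr(int(m.group(1), 16)), s))
        if decoded == s:
            break
        s = decoded
    # 2. Null byte string termination
    s = s.split("\x00", 1)[0]
    # 3. HTML entities, then escaped characters
    s = _decode_escapes(html.unescape(s))
    # 4. Backslash to forward slash, then self-references (/./) and
    #    back-references (/../) on the path part. A back-reference that climbs
    #    above the root is kept, so a traversal signature still sees it.
    s = s.replace("\\", "/")
    path, sep, query = s.partition("?")
    if path.startswith("/"):
        segs = []
        for seg in path.split("/"):
            if seg in ("", "."):
                continue
            if seg == ".." and segs and segs[-1] != "..":
                segs.pop()
                continue
            segs.append(seg)
        path = "/" + "/".join(segs)
    s = path + sep + query
    # 5. Comment removal, excessive whitespace, mixed case
    s = _COMMENT.sub(" ", s)
    s = re.sub(r"\s+", " ", s).strip()
    return s.lower()


# Constructed sample signatures, matched against the canonical form only
SIGNATURES = ("delete from", "/../", "<script")


def match_signatures(value: str) -> list:
    """Signatures that the canonical form of value contains."""
    canon = normalize(value)
    return [sig for sig in SIGNATURES if sig in canon]
```

    normalize("DeLeTe/**/FROM") yields "delete from", and "/images/%2e%2e/%2e%2e/admin/users.txt", "/images/..%255c..%255cadmin" and "/images/../../admin" all reduce to a path that begins "/../admin", so one "/../" signature covers every spelling. Two design points are worth noting: the decoding depth is bounded rather than run to a fixed point, which keeps an attacker from making the normalizer itself expensive, and escaped characters are decoded before the backslash conversion, which is why a Windows-style path such as \temp would need a separate rule in a real policy.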

    Incident Response capabilities
    The WAF shall be capable of logging security events with syslog
    The WAF shall be capable of logging security events with SNMP
    The WAF shall be capable of being monitored with SNMP for statistical information
    The WAF shall support monitoring using SNMP version 3

    Support tools
    The WAF shall be capable of being restored to factory defaults
    The WAF shall support an open API that will be able to fully administer the WAF.

    Redundancy Capabilities
    The WAF shall be able to support High Availability failover via network or serial
    The WAF shall be able to perform application level health check of the back end servers

    Network and Performance
    The WAF shall be able to support VLAN configuration through a built-in switch
    The WAF shall be able to perform TCP/IP optimization
    The WAF shall be able to perform packet filtering

    Implemented concepts to cover vulnerabilities (OWASP based)
    The WAF shall be able to protect against:
    Unvalidated input
    Injection flaws
    SQL injection
    OS injection
    Parameter tampering
    Cookie poisoning
    Hidden field manipulation
    Cross site scripting flaws
    Buffer overflows
    Broken access control
    Broken authentication and session management
    Improper error handling


    XML bombs/DoS
    Forceful browsing
    Sensitive information leakage
    Session hijacking
    Denial of service
    Request smuggling
    Cookie manipulation

    Certification
    The WAF shall be an ICSA certified web application firewall

    MX Management Server

    Specification Description Remarks

    Management
        Intuitive Web User Interface (HTTP/HTTPS)
        Command Line Interface (SSH/Console)

    Provisioning
        MX Management Server centrally provisions, manages, and monitors up to 15 SecureSphere gateways
        Supports distributed, heterogeneous deployments of Web and database gateways

    Out-of-Band Management
        Out-of-band management supported via out-of-band management ports in SecureSphere gateways

    Management Communications
        SSL encrypted communications between MX Management server and SecureSphere gateways

    Policy/Signature Updates
        Security updates provided weekly or immediately for critical threats

    Hierarchical Management
        Policies may be defined hierarchically, via a flexible, object oriented policy framework.

    Role-Based Administration
        Completely customizable roles and privileges
        Users can be assigned roles
        Users inherit all privileges of the group
        User authentication supports LDAP and SSL certificate


    Alerts
        SNMP
        Syslog
        Email
        Incident management ticketing integration
        Custom followed action
        Integrated graphical reporting
        Real-time dashboard

    Workflow
        Task-oriented workflow engine

    Internal Data Storage
        Audit trail stored in tamper-proof repository
        Optional encryption or digital signing of audit data
        Role-based access controls to view audit data (read-only)
        Real-time visibility of audit data

    External Data Storage and Archiving
        SAN (Fibre Channel interfaces) for online access
        NAS for online access
        NFS*
        FTP*
        HTTP/S*
        SCP*
        * Data is compressed and archived

    Supported Products
        Database Activity Monitoring
        Database Firewall
        Discovery and Assessment Server
        File Activity Monitoring
        File Firewall
        SecureSphere for SharePoint
        Web Application Firewall

    Support
        One year standard support on hardware and software


    Non-Functional Requirements and Specifications

    ID Non Functional Requirements

    USER INTERFACE    Remarks
    Provision of portals/screens for non-technical stakeholder usage, suitable for auditors and security professionals without detailed knowledge of database internals.

    DOCUMENTATION
    - Schematic    Remarks
    Provision of the Application Architecture Schematic for Production and DR Sites and High Availability (HA)

    - System Manual - provides an overview of the system including the system objectives, system functionality, equipment configuration, software inventory, etc.    Remarks
    Documentation of Application Objectives
    Documentation of Application Functions, i.e. Function ID/Name, Function Description, Mode (e.g. Online/Batch, Enquiry/Update)
    Documentation of Equipment Configurations, i.e. Computer Manufacturer, Model Number, Serial Number, IP Address, OS Version, Database Version
    Documentation of Software Inventories, i.e. Program ID/Name, Functions of the program; in the case of a client/server application the location of the program (e.g. Database Server, Application Server, Client etc.) should be specified
    Documentation in detail of the system security profiles and data protection measurement on system functions
    Documentation in detail of the Disaster Recovery Plan and Procedures of the system

    - Location of soft copy of the System    Remarks
    The latest version of all the programs should be kept in softcopy for future reference and maintenance on KCB premises and included in the documentation

    - Data Manual - The Data Manual documents all data captured, processed or produced by the system    Remarks
    Documentation of the database schema of the application which shows the relationship among files/tables and other groups of data, e.g. Entity-Relationship Diagram
    Screen/Report Description Documentation, i.e. List of Screens, Screen Layout, List of Reports, Report Layout

    - Application Manual - documents an overview of the system and provides detailed user instructions and procedures for all functionality provided by the system.
    Documentation of user procedures, descriptions and instructions in detail covering areas like batching of input data, control of documents, actions on specific events, error amendments, etc.

    SYSTEM INTERFACING AND INTEGRATION    Remarks
    Integration with existing reporting, workflow, and trouble-ticketing systems, e.g. Synergy Pro Helpdesk, App Server
    Compliance to Service Oriented Architecture
    The solution shall support Java Database Connectivity (JDBC) and Microsoft connectivity technology (such as Open Database Connectivity (ODBC) or Object Linking and Embedding Database [OLEDB]).


    SECURITY    Remarks
    Support Security Using Database Access Controls. The solution shall support database security using the following database access controls: GRANT and REVOKE privilege facilities, the VIEW definition capabilities, and some Discretionary Access Control (DAC) mechanisms.

    CONFORMANCE TO INDUSTRY BEST STANDARDS    Remarks
    The Web Application Firewall Solution shall be endorsed by the Web Application Security Consortium (WASC) and OWASP

    Deliverables

    At the end of the implementation exercise, the solution provider should provide a comprehensive report with details of the completed implementation work. The report will consist of, among others, the following:
    1. Fully installed, well integrated, customized and functioning Database Firewall solutions for the needs of KCB.
    2. Fully installed, well integrated, customized and functioning Web Application Firewall solutions for the needs of KCB.
    3. Fully installed, well integrated, customized and functioning MX Management Server
    4. Two fully installed HP TouchSmart IQ816 Computers to facilitate a monitoring center for this Database and Web Application Firewall solution
    5. Presentation of the working solution to the IT management and staff of KCB after completion of the implementation for review and feedback.
    6. An executive summary report for Management of the implemented solutions


    APPENDIX 2 REFERENCE SITES

    References of similar implementations/deployment of such product for organizations similar to KCB in size and complexity done over the past one year.

    1. Prior Services Performed for:
    Company Name:
    Address:
    Contact Name:
    Telephone Number:
    Date of Contract:
    Length of Contract:
    Description of Prior Services (include dates):

    2. Prior Services Performed for:
    Company Name:
    Address:
    Contact Name:
    Telephone Number:
    Date of Contract:
    Length of Contract:
    Description of Prior Services (include dates):

    3. Prior Services Performed for:
    Company Name:
    Address:
    Contact Name:
    Telephone Number:
    Date of Contract:
    Length of Contract:
    Description of Prior Services (include dates):

    (repeat as relevant)


    APPENDIX 3 - WEB APPLICATION SECURITY & COMMON ATTACKS

    The solution must be able to detect and block the following Web application threats:

    1. Anonymous Proxy Vulnerabilities
    2. Brute Force Login
    3. Buffer Overflow
    4. Cookie Injection
    5. Cookie Poisoning
    6. Corporate Espionage
    7. Credit Card Exposure
    8. Cross Site Request Forgery (CSRF)
    9. Cross Site Scripting (XSS)
    10. Data Destruction
    11. Directory Traversal
    12. Drive-by-Downloads
    13. Forceful Browsing
    14. Form Field Tampering
    15. Google Hacking
    16. HTTP Distributed Denial of Service (DDoS)
    17. HTTP Response Splitting
    18. HTTP Verb Tampering
    19. Illegal Encoding

    1. Known Worms
    2. Malicious Encoding
    3. Malicious Robots
    4. OS Command Injection
    5. Parameter Tampering
    6. Patient Data Disclosure
    7. Phishing Attacks
    8. Remote File Inclusion Attacks
    9. Sensitive Data Leakage (Social Security Numbers, Cardholder Data, PII, HPI)
    10. Session Hijacking
    11. Site Reconnaissance
    12. Site Scraping
    13. SQL Injection
    14. Web server software and operating system attacks
    15. Web Services (XML) attacks
    16. Zero Day Web Worms


    APPENDIX 4 : LIST OF DATABASES

    No. | Application                                | Database Type | Server Machine Type | CPU cores              | Processor Type | Total processor Cores
    1   | T24                                        | Oracle        | HP Superdome1       | 32                     | Itanium        | 32
    2   | NetTeller                                  | Oracle        | HP Blade 685c       | 32                     | Intel Xeon     | 32
    3   | CQ                                         | MsSQL         | HP Blade 685c       | 2 processors (8 CPU's) | AMD Opteron    | 16
    4   | Mobi                                       | Oracle        | HP Blade 685c       | 32                     | Intel Xeon     | 32
    5   | Mobiloan                                   | PostgreSQL    | HP Blade 685c       | 32                     | Intel Xeon     | 32
    6   | Sybrin                                     | MsSQL         | HP Blade 685c       | 2 processors (8 CPU's) | AMD Opteron    | 16
    7   | Kondor+                                    | Sybase        | HP Blade 685c       | 32                     | Intel Xeon     | 32
    8   | ChannelManager/NOBS                        | MySQL         | HP Blade 685c       | 32                     | Intel Xeon     | 32
    9   | QuickPay                                   | MsSQL         | HP Blade 685c       | 32                     | Intel Xeon     | 32
    10  | TransWare - TWO - TWCMS - TWI - TWFA - TWCF | Oracle        | HP Blade 685c       | 32                     | Intel Xeon     | 32 each


    APPENDIX 5 SUPPLIER QUESTIONNAIRE

    Bidders willing to be considered for the tender for SUPPLY AND IMPLEMENTATION OF A DATABASE AND WEB APPLICATION SECURITY/FIREWALL SOLUTION are expected to furnish the Company with, among others, the following vital information, which will be treated in strict confidence by the Company.

    1.0 CORPORATE INFORMATION

    No. PARTICULARS    RESPONSE [If space is insufficient, please use a separate sheet]

    1.1 Full name of organization:

    1.2 Is your organization (please tick one):
    i) a public limited incorporated company? Attach a copy of Certificate of Incorporation including any Certificate of Change of Name, Memorandum & Articles of Association
    ii) a public listed company? If yes, please attach a copy of Certificate of Incorporation including any Certificate of Change of Name, Memorandum & Articles of Association
    iii) a limited incorporated company? If yes, please attach a copy of Certificate of Incorporation including any Certificate of Change of Name, Memorandum & Articles of Association
    iv) a partnership? If yes, please attach a certified copy of the Partnership Deed and business name certificate
    v) a sole trader? If yes, please attach a certified copy of the business name certificate
    vi) other (please specify)


    1.3 Company Registration number (if this applies) - attach a copy of Certificate of Incorporation including any Certificate of Change of Name or relevant certificate from country of incorporation.
    1.4 Date and country of Registration:
    1.5 Full physical address of principal place of business:
        Full postal address of the business:
    1.6 Registered address if different from the above:
        Post Code:
    1.7 Telephone number:
    1.8 Fax number:
    1.9 E-mail address:
    1.10 Website address (if any):
    1.11 Company/Partnership/Sole Trader Tax PIN: (Please provide a certified copy of the PIN Certificate)
    1.12 VAT Registration number: (Please provide a certified copy of the VAT Certificate)
    1.13 Period in which you have been in the specific business for which you wish to bid.
    1.14 Current Dealership letter/certification for Equipment preferably issued in 2012.
    1.15 Names of the Shareholders, Directors and Partners. If a Kenyan company please provide an original search report issued by the Registrar of Companies showing the directors and shareholders (Companies Form CR 12).


    1.16 Associated companies (if any)
    1.17 Please provide a copy of the latest annual returns together with the filing receipt as filed at the Companies Registry
    1.17 Name of (ultimate) parent/holding company (if this applies):
    1.18 Company number of parent/holding company (if this applies):
    1.19 If a consortium is expressing interest, please give the full name of the other organisation (the proposed consortium partners should also complete this questionnaire in its entirety)
    1.20 Name and contacts of the Legal Representative of the company: Name, Title, Telephone, Fax and Email address.
    1.21 Contact person within the organisation to whom enquiries about this bid should be directed:
        NAME:
        TITLE:
        TEL:
        FAX:
        EMAIL:

    2.0 FINANCIAL INFORMATION

    No. PARTICULARS

    2.1 What was your turnover in the last two years?
        for year ended --/--/----
        for year ended --/--/----
    2.2 Has your organisation met all its obligations to pay its creditors and staff during the past year?
        Yes / No
        If no, please give details:


    2.3 Have you had any contracts terminated for poor performance in the last three years, or any contracts where damages have been claimed by the contracting authority?
        Yes / No
        If yes, please give details:
    2.4 What is the name and branch of your bankers (who could provide a reference)?
        Name:
        Branch:
        Telephone Number:
        Postal Address:
        Contact Person Name:
        Contact Position:
        Contact E-mail:
    2.5 Provide a copy of the following
        A copy of your most recent audited accounts (for the last three years)
        A statement of your turnover, profit & loss account and cash flow for the most recent year of trading (for the last three years)
        A statement of your cash flow forecast for the current year and a bank letter outlining the current cash and credit position.

    3.0 BUSINESS ACTIVITIES

    No. PARTICULARS

    3.1 What are the main business activities of your organisation? i.e. Manufacturer, Assembler, Distributor, service centre, retailer,