
KENYA COMMERCIAL BANK LIMITED

REQUEST FOR PROPOSAL

IT/AUGUST 2014/SUPPLY AND IMPLEMENTATION OF A DATABASE AND

WEB APPLICATION SECURITY/FIREWALL SOLUTION (RE-TENDER)

Release Date: Friday, 22nd August 2014

Last Date for Receipt of bids: Friday, 5th September 2014 at 3.00pm

(GMT+3) Nairobi, Kenya

Commercial in confidence IT/August 2014/ DATABASE AND WEB APPLICATION SECURITY/FIREWALL SOLUTION

Page 2 of 58

ISSUE OF RFP DOCUMENT TO PROSPECTIVE BIDDERS

TENDER FOR SUPPLY AND IMPLEMENTATION OF A DATABASE AND WEB APPLICATION SECURITY/FIREWALL SOLUTION (RE-TENDER)

This form serves as an acknowledgement of receipt of the tender and of participation. This page is to be completed immediately on download and a scanned copy e-mailed to [email protected]. Firms that do not register their interest immediately in this manner may not be sent the RFP addenda, should any arise.

Table 1: Registration of Interest to Participate

Item | Supplier Details
Name of Person |
Organization Name |
Postal Address |
Tel No |
Fax No |
Email Address (write this address clearly, as communication with bidders shall be through e-mail) |
Signature |
Date |
Company Stamp |


Table of Contents

IT/AUGUST 2014/SUPPLY AND IMPLEMENTATION OF A DATABASE AND WEB APPLICATION SECURITY/FIREWALL SOLUTION (RE-TENDER) ... 1
DEFINITIONS ... 4
1.1 INTRODUCTION ... 5
1.2 Background of the Project ... 5
1.3 Aims and Objectives of the project ... 5
1.4 Format of RFP Response and Other Information for Bidders ... 6
SECTION 2 – SCOPE OF WORK ... 16
SECTION 3 - GENERAL CONDITIONS OF CONTRACT ... 20
3.1 Introduction ... 20
3.2 Award of Contract ... 20
3.3 Application of General Conditions of Contract ... 20
3.4 Ownership ... 20
3.5 Bid Validity Period ... 20
3.6 Performance Security ... 21
3.7 Delays in the Bidder's Performance ... 21
3.8 Liquidated damages for delay ... 22
3.9 Governing Language ... 22
3.10 Applicable Law ... 22
3.11 Bidder's Obligations ... 22
3.12 The Bank's Obligations ... 23
3.13 Confidentiality ... 24
3.14 Force Majeure ... 24
SECTION 4 : APPENDIXES ... 25
Appendix 1 – Technical Requirements Matrix ... 25
APPENDIX 2 – REFERENCE SITES ... 46
APPENDIX 3 - WEB APPLICATION SECURITY & COMMON ATTACKS ... 47
APPENDIX 4 : LIST OF DATABASES ... 48
APPENDIX 5 – SUPPLIER QUESTIONNAIRE ... 49
APPENDIX 6 – PERFORMANCE SECURITY FORM (FORMAT) ... 57
APPENDIX 7 – CERTIFICATE OF COMPLIANCE ... 58


DEFINITIONS

For purposes of this document, the following definitions shall apply:

The Bank: KCB Ltd

Bid: The quotation or response to this RFP submitted by prospective Suppliers for fulfilment of the Contract.

Supplier: The company awarded the task of supplying all the items described in this document, installing and commissioning them.

Contract: Supply, installation and commissioning of all the works, equipment and/or services described in this document, which will contribute towards meeting the objective of the RFP.

Warranty: Period from the time installation and testing is completed, during which the Contractor undertakes to replace/rectify equipment and/or installation failures at no cost to the Bank.


1.1 INTRODUCTION

The Kenya Commercial Bank Limited (hereinafter referred to as "the Bank") is incorporated in Kenya and is a leading commercial banking group in the East African region, renowned for its diversity and growth. In addition to Kenya, it has other subsidiaries, namely KCB (Tanzania) Limited, a banking subsidiary operating in Tanzania; KCB (Uganda) Limited, a banking subsidiary operating in Uganda; KCB (Sudan) Limited, a banking subsidiary operating in Sudan; KCB (Rwanda) Limited, a banking subsidiary operating in Rwanda; and KCB Burundi, a banking subsidiary operating in Burundi. The Head Office for the group is located in KENCOM House, Nairobi. The Bank's vision is to be the preferred financial solutions provider in Africa with a global reach.

The platform is anchored on consolidation across our existing business, expanding and modernizing delivery channels, improving operational efficiencies, turning in returns commensurate with the level of investment, and compliance with all regulatory and internal policy guidelines.

This document therefore constitutes the formal Request for Proposals (RFP) for the Supply and Implementation of a Database and Web Application Security/Firewall solution and is being availed on an open tender basis.

1.2 Background of the Project

The Bank operates in a highly computerised environment that includes maintaining connections to its business partners and to the world at large through the internet and dedicated point-to-point connections. Like similar organisations, it is therefore exposed to business interruptions as a result of failed or malfunctioning systems, corruption of business data or theft of data.

Holes and vulnerabilities in computer systems make it possible to exploit insecure implementations and may result in system failures and compromises, whether through malice, mistake or innocent error. The Bank therefore needs to ensure that its systems are protected and implemented as per best practice, and thereby avoid damage to itself or its business partners.

1.3 Aims and Objectives of the project

The KCB Group has decided to implement Database and Web Application Firewall solutions to enhance the security of critical systems that are accessed by internal as well as external stakeholders, as part of an overall strategy to implement more secure, productive, industry-standard information technology (IT) management processes and supporting IT management applications.

Proposal responses are expected from suppliers of database and web application firewall solutions.

The information in this document and its appendices and attachments is confidential and is subject to the provisions of our non-disclosure agreement, and should not be disclosed to any external party without the explicit prior written consent of Kenya Commercial Bank.

Objectives

The purpose of the assignment is to acquire, implement and maintain Database and Web Application Firewall solutions for the KCB Group that will improve the KCB Group's security of all public/internet-facing applications and reinforce the defense-in-depth approach in place.

Based on KCB Group strategy, the project will help KCB Group to mitigate the risks related to web access control operations by:

- Automatically learning the web application structure and user behavior
- Virtually patching databases and applications through vulnerability scanner integration
- Updating database and web defenses with research-driven intelligence on current threats
- Delivering high-performance, business-relevant reporting and alerts
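The first of these objectives, learning the application structure and then enforcing it, is the positive-security (allow-list) model on which the web application firewall side of this RFP depends. The following Python script is an added illustration of that model; it is not part of the RFP and is not the code of KCB or of any vendor. It builds a per-URL profile from a sample of legitimate requests (accepted HTTP methods, known parameter names, and for each parameter the widest character class and the longest value seen) and then reports every way a new request deviates from that profile. All URLs, parameter names and request bodies in it are constructed sample data; the character classes and the 1.5x length tolerance are assumptions chosen for the example, not figures from the RFP. The user-behaviour learning, virtual patching and threat-intelligence feeds named in the other objectives are not shown.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field
from urllib.parse import parse_qsl, urlsplit

# Character classes ordered from most to least restrictive (an assumption of this
# example). A parameter's learned class is the widest class seen in legitimate
# traffic, so a value needing a wider class than that is a deviation.
VALUE_CLASSES = [
    ("empty", re.compile(r"^$")),
    ("digits", re.compile(r"^[0-9]+$")),
    ("alpha", re.compile(r"^[A-Za-z]+$")),
    ("alnum", re.compile(r"^[A-Za-z0-9_.-]+$")),
    ("safe_text", re.compile(r"^[A-Za-z0-9 _.,@:/-]+$")),
    ("any", re.compile(r".*", re.S)),
]
RANK = {name: i for i, (name, _) in enumerate(VALUE_CLASSES)}


def classify(value):
    """Return the name of the most restrictive class that accepts value."""
    for name, rx in VALUE_CLASSES:
        if rx.match(value):
            return name
    return "any"


@dataclass
class ParamProfile:
    value_class: str = "empty"   # widest class observed during learning
    max_len: int = 0             # longest value observed during learning

    def observe(self, value):
        cls = classify(value)
        if RANK[cls] > RANK[self.value_class]:
            self.value_class = cls
        self.max_len = max(self.max_len, len(value))


@dataclass
class EndpointProfile:
    methods: set = field(default_factory=set)
    params: dict = field(default_factory=dict)   # parameter name -> ParamProfile


def _split(url, body):
    """Path plus the (name, value) pairs from the query string and the form body."""
    parts = urlsplit(url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    if body:
        params += parse_qsl(body, keep_blank_values=True)
    return parts.path, params


class AppProfile:
    """Positive-security model: what was learned is allowed, anything else is reported."""

    def __init__(self, length_slack=1.5):   # tolerance above the learned maximum (assumed)
        self.endpoints = defaultdict(EndpointProfile)
        self.length_slack = length_slack

    def learn(self, method, url, body=""):
        path, params = _split(url, body)
        ep = self.endpoints[path]
        ep.methods.add(method)
        for name, value in params:
            ep.params.setdefault(name, ParamProfile()).observe(value)

    def check(self, method, url, body=""):
        """Return the list of deviations; an empty list means the request fits the profile."""
        path, params = _split(url, body)
        ep = self.endpoints.get(path)
        if ep is None:
            return [f"unknown path {path}"]
        violations = []
        if method not in ep.methods:
            violations.append(f"method {method} not learned for {path}")
        for name, value in params:
            prof = ep.params.get(name)
            if prof is None:
                violations.append(f"unknown parameter {name}")
                continue
            cls = classify(value)
            if RANK[cls] > RANK[prof.value_class]:
                violations.append(f"{name}: value class {cls} wider than learned {prof.value_class}")
            if len(value) > prof.max_len * self.length_slack:
                violations.append(f"{name}: length {len(value)} exceeds learned max {prof.max_len}")
        return violations


def build_sample_profile():
    """Learn from constructed legitimate traffic (sample data, not real KCB requests)."""
    profile = AppProfile()
    profile.learn("GET", "/accounts/balance?account=1234567890")
    profile.learn("GET", "/accounts/balance?account=0987654321")
    profile.learn("POST", "/transfer",
                  "account=1234567890&to=0987654321&amount=15000&memo=Rent%20June")
    return profile


if __name__ == "__main__":
    p = build_sample_profile()
    for method, url, body in [
        ("GET", "/accounts/balance?account=5555555555", ""),
        ("GET", "/accounts/balance?account=1234567890'%20OR%20'1'%3D'1", ""),
        ("POST", "/transfer", "account=1234567890&to=0987654321&amount=500&memo=Gas&debug=1"),
        ("GET", "/admin", ""),
    ]:
        print(method, url, body or "-", "->", p.check(method, url, body) or "ok")
```

Run the file directly to print the verdict for the four probe requests: the in-range account number passes, the quoted SQL-injection attempt is flagged both for its character class and its length, the undeclared `debug` parameter is flagged, and `/admin` is flagged as an unlearned path. Two caveats a practitioner would add before relying on such a profile: the learning traffic must itself be clean, because anything observed while learning is allowed thereafter (which is why products of this kind run a learning period on trusted traffic and require review before enforcement), and unknown paths or parameters should be logged for review rather than blocked outright in the first weeks after each application release, since every release changes the structure.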

1.4 Format of RFP Response and Other Information for Bidders

1.4.1 The overall summary information regarding the SUPPLY AND IMPLEMENTATION OF A DATABASE AND WEB APPLICATION SECURITY/FIREWALL SOLUTION is given in Section 2 (Scope of Work) and in the summary in 1.3 (Aims and Objectives). The bidder shall include in their offer any additional services considered necessary for the successful implementation of their proposal.

1.4.2 Proposals from bidders should be submitted in two distinct parts, namely a Technical Proposal and a Financial Proposal. These should be in two separate sealed envelopes, both of which should then be placed in a common sealed envelope marked:

"IT/AUG 2014/ DATABASE AND WEB APPLICATION SECURITY/FIREWALL SOLUTION
DO NOT OPEN BEFORE Friday, 5th September 2014 at 3.00 pm (GMT+3) Nairobi, Kenya"

The two separate inner envelopes should be clearly marked "Technical Proposal" and "Financial Proposal" respectively, and should bear the name of the Bidder.

1.4.3 The Technical Proposal should contain the following:

Bidders willing to be considered for the SUPPLY AND IMPLEMENTATION OF A DATABASE AND WEB APPLICATION SECURITY/FIREWALL SOLUTION are expected to furnish the Bank with, among others, the following vital information, which will be treated in strict confidence by the Bank.

- A company profile as per the supplier questionnaire in Appendix 5.
- The RFP response document duly signed as per Appendix 7 (Certificate of Compliance).
- Approval licenses by the various bodies for compliance and manufacturer authorization MUST be included where applicable.
- Audited financial statements of the company submitting the RFP bid for the last two years.
- Demonstrated capability and capacity to provide the technical and functional requirements and functionalities as per KCB requirements in Section 2.0 (Scope of Work).
- All copies of any certificates included in the bid response should be certified as "true copy of original", else the Bank may not use them in the evaluation process.

1.4.4 The Financial Proposal should clearly indicate the total cost of carrying out the solution as follows:

a. The Supplier shall provide a firm, fixed price for the Original Contract Period. All costs associated with the required system shall be included in the prices. Kindly note that the cost should include supply, installation and commissioning of the system, inclusive of all freight charges and applicable duties and taxes (VAT and withholding tax).

Provide an itemized list of all items included and summarize your costs as shown in the table below:


No. | Description | Unit | Qty | Unit Cost (USD) | Sub Total Costs (USD) | Taxes (USD) | Grand Total Cost (USD)
1 | Software/License Cost | | | | | |
2 | Hardware/Appliance Costs | | | | | |
3 | Installation and Implementation costs | | | | | |
4 | Training | | | | | |
5 | Annual Maintenance Cost for software licences Year 1 | | | | | |
6 | Annual Maintenance Cost for Hardware/Appliance Year 1 | | | | | |
7 | Annual Local Vendor Support Year 1 (where applicable) | | | | | |
8 | Logistics costs and other costs | | | | | |
 | Software, implementation, Training cost inclusive of all taxes | n/a | n/a | n/a | - | - | -
9 | Annual Maintenance Cost for software licences Year 2 | | | | | |
10 | Annual Maintenance Cost for software licences Year 3 | | | | | |
11 | Annual Maintenance Cost for Hardware/Appliance Year 2 | | | | | |
12 | Annual Maintenance Cost for Hardware/Appliance Year 3 | | | | | |
13 | Annual Local Vendor Support Year 2 | | | | | |
14 | Annual Local Vendor Support Year 3 | | | | | |
 | Total Recurrent costs (Year 2&3) | n/a | n/a | n/a | - | - | -
 | Total cost of ownership over 3 years inclusive of all taxes (USD) | n/a | n/a | n/a | - | - | -
 | Total cost of ownership over 3 years inclusive of all taxes (KSHS) | n/a | n/a | n/a | - | - | -

Notes

1. The total cost above should be inclusive of all taxes and duties (VAT, duties, freight costs and withholding tax).

b. Additional Cost to Complete. Provide an itemized list of any items not included above by the Bank, and the related costs, that the Supplier deems necessary to meet the requirements specified in the proposal. Failure to provide said list shall not relieve the Supplier from providing such items as necessary to meet all of the requirements specified in the proposal at the Fixed Price Purchase Costs proposed.

NOTE: The Financial Proposal MUST BE IN A SEPARATE SEALED ENVELOPE, CLEARLY MARKED "FINANCIAL PROPOSAL".

1.4.5 Soft copies of each proposal are to be provided in the standard Microsoft Office suite of programs or in Adobe Reader format and delivered together with the hard copy of the tender. NOTE that only the information in the hard-copy bound bid document shall be considered as the MAIN source document.

1.4.6 Bidders are requested to hold their proposals valid for ninety (90) days from the closing date for submission. The Bank will make its best efforts to arrive at a decision within this period.

1.4.7 Assuming that the Contract will be satisfactorily concluded, the bidders shall be expected to commence the assignment after the final agreement is reached.

1.4.8 The bid documents shall be addressed to the following address and dropped in the tender box on the 5th Floor, Kencom House, Wing B, on or before the closing date.

Head of Procurement
Kenya Commercial Bank
5th Floor Kencom House
P.O. Box 48400, 00100
Nairobi, Kenya


Please note that tenders received by facsimile or electronic mail will be rejected.

1.4.9 If a bidding firm does not have all the expertise and/or resources for the assignment, there is no objection to the firm associating with another firm to enable a full range of expertise and/or resources to be presented. The request for a Joint Venture shall be accompanied by fully documented details of the proposed association.

1.4.10 In the case of a Joint Venture or Association, all the firms constituting the Joint Venture or Association will be jointly and severally liable, and at least one firm in the Joint Venture or Association shall be financially capable of meeting the contract requirements and potential liabilities on its own and shall assume contracting responsibility and liability for satisfactory execution of the assignment.

1.4.11 The contracting arrangements shall define clearly the responsibilities and the services to be provided by each firm in the case of a joint venture.

1.4.12 The Bank reserves the right to accept or to reject any bid, and to annul the bidding process and reject all bids at any time prior to the award of the contract, without thereby incurring any liability to any Bidder or any obligation to inform the Bidder of the grounds for its action.

1.4.13 The vendor's terms and conditions will not form part of any contract with KCB in relation to this tender.

Canvassing is prohibited and will lead to automatic disqualification.

1.4.14 Cost of bidding

The Bidder shall bear all costs associated with the preparation and submission of its bid, and the Bank will in no case be responsible or liable for those costs, regardless of the conduct or outcome of the bidding process.

1.4.15 Clarification of Bidding Document

i. All correspondence related to the contract shall be made in English.

ii. Should there be any doubt or uncertainty, the Bidder shall seek clarification in writing addressed to the Head of Procurement through e-mail to: [email protected].


iii. Any clarification sought by the bidder in respect of the RFP shall be addressed, at least five (5) calendar days before the deadline for submission of bids, in writing to the Head of Procurement through the same mail.

iv. It is the responsibility of the Bidder to obtain any further information required to complete this RFP.

v. Any clarification requests and their associated responses will be circulated to all Bidders.

vi. The last date for receipt of requests for clarifications from bidders is Thursday, 28th August 2014.

vii. The RFP Clarification Template is as follows:

Company Name:
Contact Person: (primary Supplier contact)
E-mail:
Phone:
Fax:
Document Number/Supplier:

# | Date (1) | Section/Paragraph (2) | Question
1 | | |
2 | | |
3 | | |

(1) Date on which the question(s) were mailed.
(2) From the KCB document.

The queries and replies thereto shall then be circulated to all other prospective bidders (without divulging the name of the bidder raising the queries) in the form of an addendum, which shall be acknowledged in writing by the prospective bidders.

Enquiries for clarifications should be sent by e-mail to: [email protected]

1.4.16 Amendment of Bidding Document

At any time prior to the deadline for submission of bids, the Bank, for any reason, whether at its own initiative or in response to a clarification requested by a prospective Bidder, may modify the bidding documents by amendment.

All prospective Bidders that have received the bidding documents will be notified of the amendment in writing, and it will be binding on them. It is therefore important that bidders give the correct details in the format given on page 1 at the time of collecting/receiving the RFP document.

To allow prospective Bidders reasonable time to take any amendments into account in preparing their bids, the Bank may at its sole discretion extend the deadline for the submission of bids, based on the nature of the amendments.

1.4.17 Deadline for Submission of Bids

Bids should be addressed to the Head of Procurement and sent for receipt on or before Friday, 5th September 2014. Any bid received by the Bank after this deadline will be rejected. Those submitting tenders, or their representatives, may attend the tender opening at the date and time of submission.

1.4.18 Responsiveness of Proposals

The responsiveness of the proposals to the requirements of this RFP will be determined. A responsive proposal is deemed to contain all documents or information specifically called for in this RFP document. A bid determined not responsive will be rejected by the Bank and may not subsequently be made responsive by the Bidder by correction of the non-conforming item(s).

1.4.19 Bid Evaluation and Comparison of Bids

Technical proposals will be evaluated and will form the basis for bid comparison. All tender responses will be evaluated in three phases:

a. Detailed technical evaluation to determine technical compliance and support responsiveness of the vendor
c. Financial evaluation to consider pricing competitiveness and the financial capability of the vendors

Once the bids are opened, bid evaluation will commence.

1.4.19.1 Technical Evaluation

The technical evaluation will include a desktop evaluation and additional detailed evaluations. The desktop evaluation will be scored as follows:

i. The vendor's ability to meet and exceed the objectives of the RFP together with the functional requirements detailed in Appendix 1 and Appendix 4.

ii. Experience and reliability of the Supplier's organization. The Supplier is therefore advised to submit any information which documents successful and reliable experience in past performances, especially those performances related to the requirements of this RFP.


iii. The Supplier should provide the following information related to previous and current services/contracts performed by the Supplier's organization and any proposed subcontractors which are similar to the requirements of this RFP (this information may be shown on the form attached as Exhibit A to this RFP or in a similar manner):

a. Name, address, and telephone number of the client/contracting agency and a representative of that client/agency who may be contacted for verification of all information submitted;
b. Dates and locations of the service/contract; and
c. A brief, written description of the specific prior services performed and the requirements thereof.

iv. Proposals will be evaluated based on the Supplier's distinctive plan for performing the requirements of the RFP. The Supplier should therefore present a written narrative which demonstrates the method or manner in which the Supplier proposes to satisfy these requirements. The language of the narrative should be straightforward and limited to facts, solutions to problems, and plans of action.

Where the words "shall" or "must" are used, they signify a required minimum function or system capacity that will heavily impact the Bidder's final response rating.

Where the words "may" or "desired" are used, they signify that the feature or capacity is desirable but not mandatory; therefore, the specifications in question will have minimal impact on the Bidder's final response rating.

The method by which the proposed method of performance is written will be left to the discretion of the Supplier. However, the Supplier should address each specific paragraph and subparagraph of the Specifications by paragraph and page number as an item for discussion. Immediately below these numbers, write descriptions of how, when, by whom, with what, to what degree, why, where, etc., the requirements will be satisfied.

1.4.19.2 Demo / Proof of Concept

After the desktop evaluation of the RFP response, the prospective supplier may be required to give further detailed proof of the viability of the solution, highlighting the functionality as represented in the RFP. This may include all or part of the following:


- Vendor presentations
- A solution demo with the actual installed solution
- A Proof of Concept installation at the Bank's premises in a test scenario, if so required
- Site visits to current clients of the supplier who have implemented a solution similar to that put forward in the RFP response

It should be noted that vendors will be progressively evaluated from one stage to the next. Only shortlisted vendors will progress to the next stage.

1.4.19.3 Site visits

In the event that the Bank needs to visit a client site, vendors will be notified in writing. The Bank may also make surprise, unannounced visits to the vendor's offices to verify any information contained in the bid document. All visits are at the discretion of the Bank. Vendors may also be called upon to make brief presentations and/or demos of their technical solutions before a panel constituted by the Bank.

1.4.19.4 Financial Evaluation (separate sealed envelope)

Financial evaluation will concentrate on the costs inclusive of VAT and other applicable taxes where necessary, and man/day estimates where appropriate, broken down as per the table in 1.4.4. Kindly also note the following as regards financial evaluation.

a. Pricing

All bids in response to this RFP should be expressed in USD or KSH. For those expressed in USD, a Kenya Shilling equivalent MUST be given, clearly indicating the exchange rate. Those who do not indicate the Kenya Shilling equivalent MAY not be considered further for evaluation.

NOTE: Expressions in other currencies shall not be permitted.

The VAT amount must be clearly stipulated and separated from the base costs. The quoted prices should be valid for a minimum of 90 days. Any other fees required for deployment and ongoing support must be quoted separately.

Provide an itemized list of any other items and related costs that the Supplier deems necessary to meet the requirements specified in the proposal. Failure to provide said list shall not relieve the Supplier from providing such items as necessary to meet all of the requirements specified in the proposal at the Fixed Price Purchase Costs proposed.


KCB SHALL ONLY MAKE PAYMENTS THROUGH A KCB ACCOUNT AND THUS ALL BIDDERS ARE ENCOURAGED TO OPEN AN ACCOUNT.

The Bank will not make any payments in advance. The Bank will issue an LPO for all the equipment and/or services ordered. The LPO will be paid within 45 days after delivery, testing, installation and acceptance of the equipment and/or services supplied. The Bank will not accept partial deliveries. Payment for equipment and/or services will only be made once all the ordered equipment and/or services are delivered, installed and commissioned.

b. Correction of Errors. Bids determined to be substantially responsive will be checked by the Bank for any arithmetical errors. Errors will be corrected by the Bank as below:

- Where there is a discrepancy between the amounts in figures and in words, the amount in words will govern; and
- Where there is a discrepancy between the unit rate and the line total resulting from multiplying the unit rate by the quantity, the unit rate as quoted will govern.

The price amount stated in the Bid will be adjusted by the Bank in accordance with the above procedure for the correction of errors.

c. Financial stability

This will involve an assessment of key standard financial ratios and trends for the last 2 years, such as profitability, leverage, debt ratio, gross margins and sales turnover.

However, the Bank is under no obligation to award the tender, as per clause 1.4.12.


SECTION 2 – SCOPE OF WORK

The security of IT applications has become a mission-critical aspect of the IT security strategy. We are not only seeking a supplier for the software and hardware but also a partnership with the provider to help KCB Group leverage this technology through a sound implementation approach with proven organizational adoption tools. Based on the above, the scope will include the following:

2.1 Supply, install, configure and maintain Database and Web Application Firewall solutions (software, hardware) that will meet the functional and technical requirements.

2.2 Provide Database Firewall solutions with core capabilities for the following database platforms:

- Oracle
- MS-SQL
- Sybase
- DB2
- Informix
- MySQL
- Teradata
- PostgreSQL
- Netezza

2.3 Provide Web Application Firewall solutions with core capabilities supporting web and portal applications such as Outlook Web Access (OWA), SharePoint and all custom in-house web applications.

2.4 Develop and propose an implementation methodology with a roadmap/schedule, with monitoring targets and risks towards the desired target.

2.5 Provide the implementation services for the solution as stated in the proposed roadmap, from installation and configuration to final deployment of the solution.

2.6 Deliver training on the Database and Web Application Firewall solution during the implementation for technical staff, for knowledge transfer on both the functional and technical aspects.


2.7 Deliver documentation of the solution from installation to deployment.

2.8 Provide maintenance service for the solution, including software version upgrades and hardware replacement.

2.9 Provide support and assistance, including both remote and local/onsite assistance, for resolution of major technical problems and/or issues.

2.10 Current Installations

This section provides a brief overview of the KCB establishment that is relevant to the proposed solution. The Kenya Commercial Bank is incorporated in Kenya. The Bank's establishment in Kenya consists of 167 branches.

It has 4 other subsidiaries:

- KCB Rwanda – Headquarters + 9 branches
- KCB Tanzania – Headquarters + 10 branches
- KCB Uganda – Headquarters + 14 branches
- KCB Sudan – Headquarters + 20 branches

The Head Office for the group is located in Kencom House, Nairobi, Kenya. Further information about the Bank can be obtained from the group's website (http://www.kcbbankgroupgroup.com).

2.11 Brief Overview of Technical Systems Environment

The Bank has several computerised systems, the most relevant of which (for the purpose of this project) are summarised below.

Database / Programming Environments

- MS SQL Server 2000/2005/2008
- Oracle; various flavours of the database including but not limited to versions 8i/9i/10g/11g
- Informix
- JBOSS
- Microsoft .Net 2.0 and above
- Sybase Adaptive Server Enterprise database
- Client-side applications developed in Visual Studio/.Net and PowerBuilder 6.0


Web Applications

- T24 core banking system from Temenos. This application runs on HP-UX at the backend, while the clients are browser based (Firefox and Internet Explorer version 6.1 and above). The backend system is programmed using JBOSS and Oracle.
- Microsoft SharePoint 2007
- Email applications: MS Exchange 2010. Proxy servers/firewalls: Microsoft ISA Server 2006, Cisco PIX, ASA and Checkpoint firewalls. The Microsoft ISA Server 2006 will be replaced with Microsoft Forefront Threat Management Gateway during the year.
- Sybrin clearing system on a Windows environment
- Internet & mobile banking applications
- TranzWare card system

2.12 Functional Requirements

Functional requirements are indicated in Appendix 1 (Technical Requirements Matrix). The section should be completed in its entirety in the vendor response.

Delivery, Testing and Acceptance (On Successful Bidding)

The product will be deemed to have been:

a) Delivered when
i. The complete machine-readable form of the product together with the product documentation is received at KCB's primary location (IT Division, 7th floor, Kencom House, Nairobi); and

b) Tested / POC
ii. The Bank will test the proposed solution in a test environment to ascertain that all the functionality put forward by the supplier is met. Incorrect information discovered at this time will constitute grounds for disqualification. It is the responsibility of the supplier to ensure the requirement defined in the proposal is achieved. The signed proposal will be the sole reference document for any discussion of issues arising related to acceptance; and

c) Accepted when
iii. The solution has been successfully installed and configured on the Production environment by the representative of the Supplier as per the product documentation; and
iv. Acceptance Criteria: the Bank will accept the proposed deliverables after they have been fully tested by the Bank and confirmed to meet the requirements as specified in the original RFP.

KCB shall endeavour to provide the Production environment as soon as is practically possible. Delivery and performance of the Services shall be made by the successful Bidder in accordance with the time schedule as per the Proposal and subsequent Agreement.


SECTION 3 - GENERAL CONDITIONS OF CONTRACT

3.1 Introduction

Specific terms of contract shall be discussed with the bidder whose proposal is accepted by the Bank. The resulting contract shall include but not be limited to the general terms of contract as stated below in 3.2 to 3.14.

3.2 Award of Contract

Following the opening and evaluation of proposals, the Bank will award the Contract to the successful bidder whose bid has been determined to be substantially responsive and has been determined as the best evaluated bid. The Bank will communicate to the selected bidder its intention to finalize the draft conditions of engagement submitted earlier with its proposal. After agreement has been reached, the successful Bidder shall be invited for signing of the Contract Agreement, to be prepared by the Bank in consultation with the Bidder.

3.3 Application of General Conditions of Contract

These General Conditions (sections 3.2 to 3.14) shall apply to the extent that they are not superseded by provisions in other parts of the Contract that shall be signed.

3.4 Ownership

The proposal should be modelled on perpetual licensing with annual maintenance costs, which provides the bank the right to continue using the product 'as is' on expiry of the maintenance period.

The Supplier should include 2 years of bundled support and indicate (as a percentage of the product cost where applicable) the cost of continued support after the two years. The bundled support cost should be clearly separated from the cost of the product.

3.5 Bid Validity Period

Bidders are requested to hold their proposals valid for ninety (90) days from the closing date for the submission.


3.6 Performance Security

The Bank may, at its discretion, require the successful bidder to furnish it with Performance Security. The performance bond amount will be one hundred percent (100%) of the total bid price before the bank can issue any Purchase Order. The performance bond will be valid for a minimum of 9 months and must be provided within 14 days from the date of written notification to the Supplier by the bank to provide the bond. Failure to comply with this requirement will void the tender award and the bank at its sole discretion may award the tender to any other Supplier.

3.6.1 The Performance Security shall be in the form of a bank guarantee issued by a commercial bank operating in Kenya and shall be in a format prescribed by the Bank. The performance guarantee shall be submitted within 10 days of notification of award.

3.6.2 The proceeds of the Performance Security shall be payable to Kenya Commercial Bank as compensation for any loss resulting from the Bidder's failure to complete its obligations under the Contract.

3.6.3 The Performance Security will be discharged by the Bank not later than two months following the date of completion of the Bidder's performance obligations and the Bank's acceptance of the final report as specified in the contract.

It is a condition of the bank that the Supplier guarantees the sufficiency and effectiveness of the solution proposed to meet the bank's requirements as outlined in this document. The Bank will hold the Supplier solely responsible for the accuracy and completeness of information supplied in response to this tender. The bank will hold the Supplier responsible for the completeness of the solution proposed and, were the Supplier to be awarded the tender, they would implement the solution without any additional requirements from the bank.

3.7 Delays in the Bidder's Performance

3.7.1 Delivery and performance of the supply, installation and maintenance of the solution shall be made by the successful Bidder in accordance with the time schedule as per the Agreement.


3.7.2 If at any time during the performance of the Contract the Bidder should encounter conditions impeding timely delivery and performance of the Services, the Bidder shall promptly notify the Bank in writing of the fact of the delay, its likely duration and its cause(s). As soon as practicable after receipt of the Bidder's notice, the Bank shall evaluate the situation and may at its discretion extend the Bidder's time for performance, with or without liquidated damages, in which case the extension shall be ratified by the parties by amendment of the Contract.

3.7.3 Except in the case of force majeure as provided in Clause 3.14, a delay by the Bidder in the performance of its delivery obligations shall render the Bidder liable to the imposition of liquidated damages pursuant to Clause 3.8 (Liquidated Damages for Delay).

3.8 Liquidated Damages for Delay

The contract resulting from this RFP shall incorporate suitable provisions for the payment of liquidated damages by the bidder in case of delays in performance of the contract.

3.9 Governing Language

The Contract shall be written in the English language. All correspondence and other documents pertaining to the Contract which are exchanged by the parties shall also be in English.

3.10 Applicable Law

The agreement arising out of this RFP shall be governed by and construed in accordance with the laws of Kenya, and the parties submit to the exclusive jurisdiction of the Kenyan Courts.

3.11 Bidder's Obligations

3.11.1 The Bidder is obliged to work closely with the Bank's staff, act within its own authority, and abide by directives issued by the Bank that are consistent with the terms of the Contract.

3.11.2 The Bidder will abide by the job safety measures and will indemnify the Bank from all demands or responsibilities arising from accidents or loss of life the cause of which is the Bidder's negligence. The Bidder will pay all indemnities arising from such incidents and will not hold the Bank responsible or obligated.

3.11.3 The Bidder is responsible for managing the activities of its personnel, or subcontracted personnel, and will hold itself responsible for any misdemeanours.

3.11.4 The Bidder will not disclose the Bank's information that it has access to during the course of the work to any third parties without the prior written authorization of the Bank. This clause shall survive the expiry or earlier termination of the contract.

3.11.5 The Bidder shall appoint an experienced counterpart resource to handle this requirement for the duration of the Contract. The Bank may also demand a replacement of the manager if it is not satisfied with the manager's work or for any other reason.

3.11.6 The Bidder shall take the lead role and be jointly responsible with the Bank for producing a finalised project plan and schedule, including identification of all major milestones and specific resources that the Bank is required to provide.

3.11.7 The Supplier represents and warrants that it is entitled to respond to this RFP and that it is fully entitled to the proposed Product by way of reseller licensing or ownership, has the right to sell and/or licence the Product as provided in its RFP response, and shall hold KCB harmless from action for infringement of patents and/or copyrights.

3.12 The Bank's Obligations

In addition to providing the Bidder with such information as may be required by the Bidder, the Bank shall:

(a) Provide the Bidder with specific and detailed relevant information
(b) In general, provide all relevant information and access to the Bank's premises.


3.13 Confidentiality

The parties undertake on behalf of themselves and their employees, agents and permitted subcontractors that they will keep confidential and will not use for their own purposes (other than fulfilling their obligations under the contemplated contract), nor without the prior written consent of the other disclose to any third party, any information of a confidential nature relating to the other (including, without limitation, any trade secrets, confidential or proprietary technical information, trading and financial details and any other information of commercial value) which may become known to them under or in connection with the contemplated contract. The terms of this Clause 3.13 shall survive the expiry or earlier termination of the contract.

3.14 Force Majeure

(a) Neither the Bidder nor the Bank shall be liable for failure to meet contractual obligations due to Force Majeure.

(b) A Force Majeure impediment is taken to mean unforeseen events which occur after signing the contract with the successful bidder, including but not limited to strikes, blockade, war, mobilization, revolution or riots, natural disaster, acts of God, refusal of licence by Authorities or other stipulations or restrictions by authorities, in so far as such an event prevents or delays the contractual party from fulfilling its obligations without its being able to prevent or remove the impediment at reasonable cost.

(c) The party involved in a case of Force Majeure shall immediately take reasonable steps to limit the consequences of such an event.

(d) The party who wishes to plead Force Majeure is under obligation to inform the other party in writing without delay of the event, of the time it began and its probable duration. The moment of cessation of the event shall also be reported in writing.

(e) The party who has pleaded a Force Majeure event is under obligation, when requested, to prove its effect on the fulfilling of the contemplated contract.


SECTION 4 : APPENDIXES

Appendix 1 - Technical Requirements Matrix

Functional Requirements and Specifications

The tables below provide a feature summary for the products under procurement. All products should be quoted for separately.

Please identify and describe where necessary the level of support for each item as: Full Support, Partial Support or No Support.

Database Firewall

(Columns: Specification / Description / Level of support)

Supported Database Platforms
  - Oracle
  - MS-SQL
  - Sybase
  - DB2 (including LUW, z/OS and DB2/400)
  - Informix
  - MySQL
  - PostgreSQL
  - Teradata
  - Netezza

Deployment Modes
  - Network: non-inline sniffer, transparent bridge
  - Agentless collection of 3rd-party database audit logs

Performance Overhead
  - Network monitoring: zero impact on monitored servers
  - Agent-based monitoring: 1-3% CPU resources

Centralized Management across geographically dispersed locations
  - Web User Interface (HTTP/HTTPS)
  - Command Line Interface (SSH/Console)

Centralized Administration across geographically dispersed locations
  - MX Server for centralized management
  - Integrated management option
  - Hierarchical management

Database Audit Details
  - SQL operation (raw or parsed)
  - SQL response (raw or parsed)
  - Database, schema and object
  - User name
  - Timestamp
  - Source IP, source OS, source application
  - Parameters used
  - Stored procedures
  - DB server restarts, row-level operations

Privileged Activities
  - All privileged activity, DDL and DCL
  - Schema changes (CREATE, DROP, ALTER)
  - Creation and modification of accounts, roles and privileges (GRANT, REVOKE)

Access to Sensitive Data
  - Successful and failed SELECTs
  - All data changes

Security Exceptions
  - Failed logins, connection errors, SQL errors

Data Modification
  - INSERTs, UPDATEs, DELETEs (DML activity)

Stored Procedures
  - Creation, modification, execution

Triggers
  - Creation and modification

Tamper-Proof Audit Trail
  - Audit trail stored in a tamper-proof repository
  - Encryption or digital signing of audit data
  - Role-based access controls to view audit data (read-only)
  - Real-time visibility of audit data

Fraud Identification
  - Unauthorized activity on sensitive data
  - Abnormal activity hours and source
  - Unexpected user activity
  - Unexpected database growth/shrinkage

Data Leak Identification
  - Requests for classified data
  - Unauthorized/abnormal data extraction

Database Security
  - Dynamic Profile (white-list security)
  - Protocol validation (SQL and protocol validation)
  - Real-time alerts

Platform Security
  - Operating system intrusion signatures
  - Known and zero-day worm security

Network Security
  - Stateful firewall
  - DoS prevention

Policy Updates
  - Regular Application Defense Center security and compliance updates

Real-Time Event Management and Report Distribution
  - SNMP
  - Syslog
  - Email
  - Incident management ticketing integration
  - Custom followed-action task workflow
  - Integrated graphical reporting
  - Real-time dashboard

Server Discovery
  - Automated discovery of database servers

Data Discovery and Classification
  - Database servers
  - Financial information
  - Credit card numbers
  - System and application credentials
  - Personal identification information
  - Custom data types

User Rights Management (add-on option)
  - Audit user rights over database objects
  - Validate excessive rights over sensitive data
  - Identify dormant accounts
  - Track changes to user rights

Vulnerability Assessment
  - Operating system vulnerabilities
  - Database vulnerabilities
  - Configuration flaws
  - Risk scoring and mitigation steps

Training
  - Standard product training at an authorized training center for 5 KCB staff. This should include training fees, travel and lodging expenses. Logistics and allowances to be computed at KCB rates.

Support
  - One year standard support on hardware and software
  - Two year standard support on hardware and software
  - Three year standard support on hardware and software
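The "Tamper-Proof Audit Trail" row above (and the Database Activity Monitoring architecture items that follow, which ask for tamper-proof, encrypted flat-file storage) is easy to tick and hard to verify. The following is an added example, not part of the RFP and not any vendor's code, of what "digital signing of audit data" has to achieve in practice: each record is bound to its predecessor by a SHA-256 chain and each link is authenticated with an HMAC under a key held by the appliance rather than the DBAs, so editing, deleting or reordering a record is detectable. The key, the field names and the sample records are constructed for illustration.

```python
"""Tamper-evident audit trail: hash-chained, HMAC-authenticated records.

Added example (not RFP text, not vendor code). Every record is chained to the
previous entry's tag and each link is signed with an HMAC, so a DBA who can
write to the repository still cannot alter history without the signing key.
"""
import hashlib
import hmac
import json

# Assumption: the signing key lives in the appliance (or an HSM), never on the
# monitored database server. Constructed demo key, not for production use.
AUDIT_KEY = b"constructed-demo-key-do-not-use-in-production"
GENESIS = "0" * 64   # tag of the (non-existent) entry before the first one


def _canonical(record: dict) -> bytes:
    # Deterministic serialisation so verification hashes the same bytes.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def append_record(trail: list, record: dict, key: bytes = AUDIT_KEY) -> dict:
    """Append an audit record, chaining it to the previous entry's tag."""
    prev_tag = trail[-1]["tag"] if trail else GENESIS
    link = hashlib.sha256(bytes.fromhex(prev_tag) + _canonical(record)).hexdigest()
    tag = hmac.new(key, bytes.fromhex(link), hashlib.sha256).hexdigest()
    entry = {"record": record, "prev": prev_tag, "link": link, "tag": tag}
    trail.append(entry)
    return entry


def verify_trail(trail: list, key: bytes = AUDIT_KEY) -> int:
    """Return the index of the first bad entry, or -1 if the chain is intact.

    Catches edited records (link mismatch), forged tags (HMAC mismatch) and
    deleted or reordered entries (prev pointer mismatch).
    """
    prev_tag = GENESIS
    for i, entry in enumerate(trail):
        if entry["prev"] != prev_tag:
            return i
        link = hashlib.sha256(bytes.fromhex(prev_tag) + _canonical(entry["record"])).hexdigest()
        if link != entry["link"]:
            return i
        expected = hmac.new(key, bytes.fromhex(link), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, entry["tag"]):
            return i
        prev_tag = entry["tag"]
    return -1


# Constructed sample records; fields follow the "Database Audit Details" row.
SAMPLE_RECORDS = [
    {"ts": "2014-08-22T09:01:05", "user": "t24app", "src_ip": "10.1.20.15",
     "db": "T24PROD", "op": "SELECT", "object": "CUSTOMER", "rows": 1},
    {"ts": "2014-08-22T09:02:11", "user": "dba_jdoe", "src_ip": "10.1.50.7",
     "db": "T24PROD", "op": "GRANT", "object": "DBA TO reportuser", "rows": 0},
    {"ts": "2014-08-22T09:02:40", "user": "dba_jdoe", "src_ip": "10.1.50.7",
     "db": "T24PROD", "op": "UPDATE", "object": "ACCOUNT", "rows": 3},
]


def build_trail(records=SAMPLE_RECORDS) -> list:
    trail = []
    for r in records:
        append_record(trail, r)
    return trail


def tamper_demo() -> tuple:
    """Build a trail, then edit one record and delete another; report what verify_trail finds."""
    clean = build_trail()
    edited = json.loads(json.dumps(clean))      # deep copy
    edited[1]["record"]["op"] = "SELECT"        # try to hide the GRANT
    deleted = clean[:1] + clean[2:]             # try to drop the GRANT entirely
    return verify_trail(clean), verify_trail(edited), verify_trail(deleted)


if __name__ == "__main__":
    print(tamper_demo())   # (-1, 1, 1)
```

The read-only role the matrix asks for controls who can view the trail; the chain and HMAC are what make the "tamper-proof" claim testable during the POC: a bidder's repository should fail verification after any out-of-band edit.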

Specification for Database Activity Monitoring:

(Columns: ID / Specification / Response)

Architecture
1. Is the solution appliance based or virtual appliance based?
2. Does the solution require deployment of agents on the database servers?
3. If so, there should be only one agent to monitor all DB activities, including local DB traffic and network DB traffic.
4. All agents, regardless of deployment mode, should be managed from the centralized management console.
5. Agents should have only minimal overhead for the production DB servers.
6. Agents should support AIX, HP-UX, Linux, Solaris and Windows platforms.
7. There should be no additional agents required to monitor and block DB traffic/attack traffic if required.
8. There should be no 3rd-party software to be installed for agents.
9. Audit trails should be stored within the solution and should not be stored in any database.
10. Audit trails should be tamper-proof and should be stored in encrypted flat files.
11. Solution components should be managed centrally.
12. The solution should support the following DB platforms: Oracle, MS-SQL (Microsoft SQL Server), DB2 (LUW, z/OS and DB2/400), Sybase, Informix, MySQL, PostgreSQL, Teradata, Netezza.

Database Discovery
1. The solution should discover both new and existing database systems and map all of them on the network.
2. The product should provide automated discovery of both new and existing database tables.
3. The product should keep historical information about the systems and their configuration.
4. The product should show changes since the last scan for DB discovery and configuration.
5. The solution should support identification of rogue or test databases.
6. The solution should support asset management and change management processes.

Data Classification
1. The product should perform data discovery and classification.
2. The solution should detect sensitive data types, such as credit card numbers, social security numbers, etc., in database objects.
3. The solution should locate custom data types in database objects.
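The Data Classification items above (and the "Data Discovery and Classification" row of the Database Firewall matrix) are worth probing during the POC, because a bare digit-pattern scan over a bank's tables labels every account number and phone number as a card number. The following is an added example, not part of the RFP and not any vendor's code, of the check a classifier needs in front of the pattern: a Luhn validation of each candidate PAN, plus the hook for the "custom data types" item. The 10-digit account-number shape and the sample rows are constructed assumptions for illustration.

```python
"""Sensitive-data discovery in database content with a Luhn check on card numbers.

Added example (not RFP text, not vendor code). Shows why PAN detection needs
more than a regex, and how a custom data type is plugged in alongside it.
"""
import re


def luhn_valid(digits: str) -> bool:
    """ISO/IEC 7812 check digit: double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


# Candidate PAN: 13-19 digits, optionally grouped with spaces or dashes,
# not embedded in a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

CUSTOM_TYPES = {
    # Assumed shape for illustration only: a 10-digit account number.
    "account_number": re.compile(r"(?<!\d)\d{10}(?!\d)"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
}


def classify_value(value: str) -> set:
    """Return the set of labels that apply to one cell value."""
    labels = set()
    for m in PAN_CANDIDATE.finditer(value):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):           # drops most account/phone numbers
            labels.add("credit_card")
    for name, pat in CUSTOM_TYPES.items():
        if pat.search(value):
            labels.add(name)
    return labels


def classify_table(rows: list) -> dict:
    """Map column name -> labels seen in any row of that column."""
    result = {}
    for row in rows:
        for col, val in row.items():
            found = classify_value(str(val))
            if found:
                result.setdefault(col, set()).update(found)
    return result


# Constructed sample rows from a hypothetical CARD_TXN table. The second PAN
# fails Luhn; the "ref" and "acct" strings are 10-digit values that a naive
# scanner would report as card numbers.
SAMPLE_ROWS = [
    {"txn_id": 1, "pan": "4111 1111 1111 1111", "memo": "POS purchase",
     "contact": "a.b@example.com"},
    {"txn_id": 2, "pan": "4111111111111112", "memo": "ref 0722123456", "contact": ""},
    {"txn_id": 3, "pan": "5500-0000-0000-0004", "memo": "acct 1234567890", "contact": ""},
]

if __name__ == "__main__":
    print(classify_table(SAMPLE_ROWS))
    # {'pan': {'credit_card'}, 'contact': {'email'}, 'memo': {'account_number'}}
```

A bidder's classifier should be run against a seeded test schema of this kind: the response to item 2 is only meaningful if the tool finds the two valid PANs, ignores the invalid one, and does not report the account and phone numbers as card data.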

Vulnerability Assessments
1. The solution should have database vulnerability assessment tests for assessing the vulnerabilities and mis-configurations of database servers and their OS platforms. OSs and RDBMSs are tested for known exploits and mis-configurations.
2. The solution should have a comprehensive list of pre-defined assessment policies and tests to address PCI-DSS, SOX and HIPAA requirements. Vulnerabilities specific to Oracle EBS and PeopleSoft databases can also be detected. In addition, the following tests should be included:
   - Latest patches and releases installed
   - Changes to database files
   - Default accounts and passwords
   - Newly created/updated logins
   - Remote OS authentication enabled
   - Escalated user privileges granted
3. It should be possible to add custom assessments to the solution.
4. The solution should support user-created scripts for assessment tests.
5. The product should identify missing patches.
6. The solution should verify that default database accounts do not have a "default" password.
7. The product should be usable to measure compliance with industry standards and regulations.

Vulnerability Assessment Result Analysis and Reporting
1. The product should present a view of risk to data, by vulnerability and by the sensitivity of the data.
2. The solution should have database vulnerability assessment tests for assessing the vulnerabilities and mis-configurations of database servers and their OS platforms. OSs and RDBMSs are tested for known exploits and mis-configurations.
3. The solution should have a comprehensive list of pre-defined assessment policies and tests to address PCI-DSS, SOX and HIPAA requirements. Vulnerabilities specific to SAP, Oracle EBS and PeopleSoft databases can also be detected. In addition, the following tests should be included:
   - Latest patches and releases installed
   - Changes to database files
   - Default accounts and passwords
   - Newly created/updated logins
   - Remote OS authentication enabled
   - Escalated user privileges granted
4. The solution should have pre-defined reports.
5. The product should support custom report generation.
6. The product should compare the results of a discovery, classification or assessment job with a previous run.
7. There should be an option to distribute reports on demand and automatically (on schedule).

Remediation (optional: for future requirement)
1. The product can be upgraded for mitigation of risk to sensitive data stored in databases.
2. There should be an option to upgrade the product to actively prevent attempts to exploit known vulnerabilities.
3. The solution can be upgraded to offer virtual patching capabilities (protecting the database from known vulnerabilities without deploying a patch or script on the system).

Database Activity Monitoring
1. The solution should have an appliance/virtual appliance to monitor network-based database activity and should have agents to monitor local DB activity.
2. The product should employ a centralized appliance.
3. The solution should provide for centralized control of collected information.
4. Any DBMS product used as part of the appliance package should be used to store configuration and alert logs, not to store audit data.
5. The solution should support high availability.
6. The product should be able to be installed in sniffing mode or inline mode.
7. The solution should have built-in bypass (fail open) for inline mode.
8. The solution should support the following databases: Oracle, MS SQL, DB2, Informix, Sybase, MySQL, Teradata, Netezza.
9. The solution should not use the native database audit functionality.
10. The solution should not employ transaction log auditing.
11. The solution should be able to integrate with leading SIEM tools.
12. The product should have means to archive and restore data.
13. The agent should not require a reboot after installation/configuration.
14. The solution should not require any changes to the monitored database and/or application.
15. The solution should not require a database restart after installation/configuration.
16. The audited data transferred between the agent and the appliance should be through an encrypted channel.
17. The solution should capture before and after images of data that is being manipulated.
18. The product should identify differences from baseline user activity.
19. The solution should capture SELECT activity by user/role.
20. The solution should capture update, insert, delete (DML) activity by user/role.
21. The solution should capture schema/object changes (DDL) activity by user/role.
22. The solution should capture manipulation of accounts, roles and privileges (DCL) by user/role.
23. DAM should monitor privileged operations, including both SQL and protocol-level operations.
24. DAM should monitor MS SQL statements where caching is used.
25. The DAM solution should be able to monitor activities at a new DB interface/connector created by any user/system without any manual intervention.
26. The solution should have an automated mechanism for updating security configurations/policies.

Alerting and Blocking Capabilities
1. The solution should provide an automated, real-time event alert mechanism.
2. The solution should have an option to upgrade to block database attacks in real time.
3. The solution should monitor privileged users.
4. The solution should have an option to upgrade to block privileged users' activity if required.
5. The solution should monitor for all DB attacks, such as SQL injection, and alert even when the traffic is not audited.
6. The solution should have an option to upgrade to block DB attacks, such as SQL injection, in real time.
7. The solution should monitor 100% of the DB traffic for all DB violations and attacks even when the traffic is not being audited.

Reporting
1. The solution should have packaged reporting capabilities.
2. The product should support use of pre-configured policies/reports (PCI, SOX, HIPAA) for ensuring regulatory compliance.
3. The product should have functionality to assist with security event forensics.
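The Database Activity Monitoring item on differences from baseline user activity, the "Fraud Identification" row of the matrix (abnormal hours and source, unauthorized activity on sensitive data, abnormal extraction) and the Alerting items all describe the same thing: a baseline profile of who touches which objects, from where, at what hour and in what volume, with alerts on departures from it. The following is an added example, not part of the RFP and not any vendor's code, of those rules run over constructed audit records. The profile, thresholds and records are assumptions for illustration.

```python
"""Baseline-deviation rules over DAM audit records.

Added example (not RFP text, not vendor code). The PROFILE is the kind of
allow-list a "Dynamic Profile" learns; evaluate() reports every departure.
"""
from datetime import datetime

# Constructed baseline: expected source prefixes and working hours per account,
# and whether the account may issue DCL (GRANT/REVOKE, account changes).
PROFILE = {
    "t24app":     {"sources": {"10.1.20."}, "hours": range(0, 24), "dcl": False},
    "dba_jdoe":   {"sources": {"10.1.50."}, "hours": range(7, 20), "dcl": True},
    "reportuser": {"sources": {"10.1.60."}, "hours": range(7, 20), "dcl": False},
}
SENSITIVE_OBJECTS = {"CUSTOMER", "ACCOUNT", "CARD"}
SENSITIVE_READERS = {"t24app"}    # service accounts allowed to read them directly
DCL_OPS = {"GRANT", "REVOKE", "CREATE USER", "ALTER USER"}
ROW_BASELINE = 1000               # rows per statement above which extraction is abnormal


def evaluate(rec: dict) -> list:
    """Return the names of the rules a single audit record violates (in rule order)."""
    prof = PROFILE.get(rec["user"])
    if prof is None:
        return ["unknown_account"]
    hits = []
    if datetime.fromisoformat(rec["ts"]).hour not in prof["hours"]:
        hits.append("off_hours")
    if not any(rec["src_ip"].startswith(p) for p in prof["sources"]):
        hits.append("unexpected_source")
    if rec["op"] in DCL_OPS and not prof["dcl"]:
        hits.append("privilege_change_by_non_dba")
    if (rec["op"] == "SELECT" and rec["object"] in SENSITIVE_OBJECTS
            and rec["user"] not in SENSITIVE_READERS):
        hits.append("direct_read_of_sensitive_data")
    if rec["rows"] > ROW_BASELINE:
        hits.append("abnormal_extraction_volume")
    return hits


def run_rules(records: list) -> list:
    """Return (index, violated rules) for every record that trips at least one rule."""
    alerts = []
    for i, rec in enumerate(records):
        hits = evaluate(rec)
        if hits:
            alerts.append((i, hits))
    return alerts


# Constructed audit records: one normal application read, a DBA pulling the
# CARD table at 02:40, a report user issuing GRANT from an unknown subnet,
# and an account the profile has never seen.
SAMPLE_AUDIT = [
    {"ts": "2014-08-22T10:15:00", "user": "t24app", "src_ip": "10.1.20.15",
     "op": "SELECT", "object": "CUSTOMER", "rows": 1},
    {"ts": "2014-08-23T02:40:00", "user": "dba_jdoe", "src_ip": "10.1.50.7",
     "op": "SELECT", "object": "CARD", "rows": 250000},
    {"ts": "2014-08-22T11:05:00", "user": "reportuser", "src_ip": "192.168.9.4",
     "op": "GRANT", "object": "DBA", "rows": 0},
    {"ts": "2014-08-22T11:06:00", "user": "svc_unknown", "src_ip": "10.1.60.2",
     "op": "SELECT", "object": "ACCOUNT", "rows": 5},
]

if __name__ == "__main__":
    for idx, rules in run_rules(SAMPLE_AUDIT):
        print(idx, SAMPLE_AUDIT[idx]["user"], rules)
```

A POC script for the Alerting items can be built the same way: feed the candidate appliance the equivalent of these four statements and check that the first produces no alert and the other three each produce the expected ones in real time, whether or not the statements are in the audit policy (item 7).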

Web Application Firewall

(Columns: Specification / Description / Feature Support)

Web Security (Required)
  - Dynamic Profile (white-list security)
  - Web server and application signatures
  - Reputation-based security and IP geolocation
  - HTTP RFC compliance
  - Normalization of encoded data
  - Automated-client detection

Application Attacks Prevented (Required)
  - Refer to Appendix I

HTTPS/SSL Inspection (Required)
  - Passive decryption or termination
  - Optional HSM for SSL key storage

Web Services Security (Required)
  - XML/SOAP profile enforcement
  - Web services signatures
  - XML protocol conformance

Web Fraud Prevention (Required)
  - Fraud and malware detection

Content Modification (Required)
  - URL rewriting (obfuscation)
  - Cookie signing
  - Cookie encryption
  - Custom error messages
  - Error code handling

Platform Security (Required)
  - Operating system intrusion signatures
  - Known and zero-day worm security

Network Security (Required)
  - Stateful firewall
  - DoS prevention

Advanced Protection (Required)
  - Correlation rules incorporating all security elements (white list, black list) to detect complex, multi-stage attacks

Data Leak Prevention (Required)
  - Credit card numbers
  - PII (personally identifiable information)
  - Pattern matching

Policy/Signature Updates (Required)
  - Frequent security updates

Authentication (Required)
  - Support for RSA Access Manager for two-factor authentication
  - Support for LDAP (Active Directory)
  - Support for SSL client certificates

User Awareness (Required)
  - Automated tracking of web application users

Deployment Mode (Required)
  - Transparent bridge (Layer 2)
  - Reverse proxy and transparent proxy (Layer 7)
  - Non-inline sniffer

Management (Required)
  - Support for a Web User Interface (HTTP/HTTPS)
  - Command Line Interface (SSH/Console)

Administration (Required)
  - MX Server for centralized management

Logging/Monitoring (Required)
  - SNMP
  - Syslog
  - Email
  - Integrated graphical reporting
  - Real-time dashboard

High Availability (Required)
  - IMPVHA (Active/Active, Active/Passive)
  - Fail-open interfaces (bridge mode only)
  - Support for VRRP
  - Support for STP and RSTP

Solution Delivery Option (Required)
  - Physical appliance

Web Application Vulnerability Scanner Integration (Required)
  - WhiteHat, IBM, Cenzic, NT OBJECTives, HP, Qualys, and Beyond Security

Enterprise Application Support (Required)
  - SIEM/SIM tools: ArcSight, RSA enVision, Prism Microsystems, Q1 Labs, TriGeo, NetIQ
  - Log management: CA ELM, SenSage, Infoscience Corporation

TCP/IP Support (Required)
  - IPv4, IPv6

Training (Required)
  - Standard product training at an authorized training center for 5 KCB staff. This should include training fees, travel and lodging expenses. Logistics and allowances to be computed at KCB rates.

Support (Required)
  - One year standard support on hardware and software

Specification for Web Application Firewall:

(Columns: ID / Specification / Remarks)

Policy Management
- The WAF shall be able to automatically build policies.
- The WAF shall be able to manually accept false positives by simple means (check box).
- The WAF shall be able to define different policies for different applications.
- The WAF shall be able to create custom attack signatures or events.
- The WAF shall be able to customize Denial of Service policies.
- The WAF shall be able to combine detection and prevention techniques.
- The WAF shall have a policy roll-back mechanism.
- The WAF shall be able to do versioning of policies.
- The WAF shall have a built-in real-time policy builder with automatic self-learning and creation of security policies.
- The WAF shall have prebuilt policies for applications, e.g. Microsoft SharePoint, OWA, SAP, Oracle E-Business, Siebel, for fast deployment.

Profile Learning Process
- The WAF shall be able to recognise trusted hosts.
- The WAF shall be able to learn about the application without human intervention.
- The WAF shall be able to inspect policy (auditing + reporting).
- The WAF shall be able to protect new content pages and objects without policy modifications.

Configuration Management
- The WAF shall have role-based management with user authentication.
- The WAF shall be able to replace/customize error and blocked pages.
- The WAF shall have configurable security levels.

Logs and Monitoring
- The WAF shall have the ability to identify and notify system faults and loss of performance (SNMP, syslog, e-mail, ...).
- The WAF shall have the ability to customize logging.
- The WAF shall have the ability to generate service and system statistics.
- The WAF shall be able to perform time synchronisation (NTP, ...).

Miscellaneous
- The WAF shall have a robust and reliable GUI interface.
- The WAF shall be able to be managed via serial console, SSH or HTTPS web GUI.
- The WAF shall be able to support caching and compression in a single platform.
- The WAF shall be able to prevent OS fingerprinting.
- The WAF shall be able to perform data guard and cloaking (hiding of error pages and application error pages).
- The WAF shall be able to integrate with vulnerability testing tools (e.g. WhiteHat Sentinel) for automated instant policy tuning.
- The WAF shall be able to be implemented and installed on application delivery controller (ADC) hardware platforms and managed from the same GUI.

SSL capabilities
- The WAF shall be capable of terminating HTTPS traffic for HTTP websites.
- The WAF shall be FIPS 140-2 compliant.
- The WAF shall have SSL accelerators available for SSL offloading.
- The WAF shall store the certificate private key on the WAF using a secure mechanism.
- The WAF shall store the certificate private key on the WAF using a secure mechanism and a passphrase.
- The WAF shall be capable of communicating with a backend application server using HTTPS.
- The WAF shall be capable of tuning the SSL parameters, such as the SSL encryption method used and the SSL version.

HTTP/HTML & XML

The WAF shall support HTTP 1.0 and 1.1
The WAF shall support application/x-www-form-urlencoded encoding
The WAF shall support v0 cookies
The WAF shall support v1 cookies
The WAF shall enforce the cookie types used
The WAF shall support chunked encoding in requests
The WAF shall support chunked encoding in responses
The WAF shall support response compression
The WAF shall support application flow management and manual definition of site flow and object policies
The WAF shall support all character sets during validation
The WAF shall restrict the methods used (e.g. GET, POST, and all other methods)
The WAF shall restrict the protocols and protocol versions used
The WAF shall support multi-byte language encoding
The WAF shall validate URL-encoded characters
The WAF shall restrict request method length
The WAF shall restrict request line length
The WAF shall restrict request URI length
The WAF shall restrict query string length
The WAF shall restrict protocol (name and version) length
The WAF shall restrict the number of headers
The WAF shall restrict header name length
The WAF shall restrict header value length
The WAF shall restrict request body length
The WAF shall restrict cookie name length
The WAF shall restrict cookie value length
The WAF shall restrict the number of cookies
The WAF shall restrict parameter name length
The WAF shall restrict parameter value length
The WAF shall restrict the number of parameters
The WAF shall restrict combined parameter length (names and values together)
The WAF shall support protection of XML Web Services
The WAF shall restrict XML Web Services access to the methods defined in the Web Services Description Language (WSDL)
The WAF shall be able to perform information masking/scrubbing on requests and responses
The WAF shall be able to perform validation of Web Services XML documents
The WAF shall be able to monitor the latency of Layer 7 (application layer) traffic to detect spikes and anomalies in the typical traffic pattern, in order to detect, report on, and prevent Layer 7 DoS attacks
The WAF shall be able to detect, report on, and prevent Layer 7 (application layer) brute force attempts to break into secured areas of a web application by trying exhaustive, systematic permutations of codes or username/password combinations to discover legitimate authentication credentials
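Most of the length and count restrictions listed above form a positive (allow-list) envelope around the HTTP request itself, independent of any attack signature. The following is an added example written for this page, not code from the RFP or from any WAF product: a minimal request checker in Python that parses a raw HTTP/1.x request and reports every limit it violates. The limit values in Limits, the two constructed sample requests and the host name bank.example are assumptions chosen for illustration.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit, parse_qsl


@dataclass(frozen=True)
class Limits:
    """Allow-list envelope for one request; the values are illustrative defaults."""
    methods: frozenset = frozenset({"GET", "POST"})
    versions: frozenset = frozenset({"HTTP/1.0", "HTTP/1.1"})
    method_len: int = 8
    request_line: int = 2048
    uri: int = 1024
    query: int = 512
    max_headers: int = 32
    header_name: int = 64
    header_value: int = 1024
    body: int = 65536
    max_cookies: int = 16
    cookie_name: int = 64
    cookie_value: int = 512
    max_params: int = 32
    param_name: int = 64
    param_value: int = 1024
    params_total: int = 8192


BAD_PCT = re.compile(r"%(?![0-9A-Fa-f]{2})")   # "%" not followed by two hex digits


def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request into request line, method, target, version, headers, body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        raise ValueError("malformed request line")
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed header line")
        headers.append((name.strip(), value.strip()))
    return lines[0], parts[0], parts[1], parts[2], headers, body


def check_request(raw: bytes, lim: Limits = Limits()):
    """Return the list of violated limits; an empty list means the request passes."""
    request_line, method, target, version, headers, body = parse_request(raw)
    v = []

    def flag(cond, msg):
        if cond:
            v.append(msg)

    flag(method not in lim.methods, f"method {method} not allowed")
    flag(len(method) > lim.method_len, "method too long")
    flag(version not in lim.versions, f"protocol version {version} not allowed")
    flag(len(request_line) > lim.request_line, "request line too long")
    url = urlsplit(target)
    flag(len(target) > lim.uri, "URI too long")
    flag(len(url.query) > lim.query, "query string too long")
    flag(BAD_PCT.search(target) is not None, "invalid URL-encoding in request target")
    flag(len(headers) > lim.max_headers, "too many headers")
    cookies, content_type = [], ""
    for name, value in headers:
        flag(len(name) > lim.header_name, "header name too long")
        flag(len(value) > lim.header_value, f"header value too long: {name}")
        if name.lower() == "cookie":
            cookies += [p.strip().partition("=")[::2] for p in value.split(";")]
        elif name.lower() == "content-type":
            content_type = value
    flag(len(cookies) > lim.max_cookies, "too many cookies")
    for cn, cv in cookies:
        flag(len(cn) > lim.cookie_name, "cookie name too long")
        flag(len(cv) > lim.cookie_value, f"cookie value too long: {cn}")
    flag(len(body) > lim.body, "body too long")
    params = parse_qsl(url.query, keep_blank_values=True)
    if content_type.startswith("application/x-www-form-urlencoded"):
        params += parse_qsl(body.decode("latin-1"), keep_blank_values=True)
    flag(len(params) > lim.max_params, "too many parameters")
    for pn, pv in params:
        flag(len(pn) > lim.param_name, "parameter name too long")
        flag(len(pv) > lim.param_value, f"parameter value too long: {pn}")
    flag(sum(len(pn) + len(pv) for pn, pv in params) > lim.params_total,
         "combined parameter length too long")
    return v


# Constructed sample requests (not captured traffic).
GOOD = (b"POST /login HTTP/1.1\r\n"
        b"Host: bank.example\r\n"
        b"Content-Type: application/x-www-form-urlencoded\r\n"
        b"Cookie: session=abc123; lang=en\r\n"
        b"Content-Length: 27\r\n\r\n"
        b"user=alice&password=s3cret!")

BAD = (b"TRACE /search?q=%zz&" + b"&".join(b"p%d=x" % i for i in range(40)) +
       b" HTTP/0.9\r\nHost: bank.example\r\nCookie: sid=" + b"A" * 600 + b"\r\n\r\n")

if __name__ == "__main__":
    print("good:", check_request(GOOD))
    print("bad:", check_request(BAD))
```

Note that the parameter limits are applied to the decoded form (parse_qsl undoes percent-encoding), while the malformed-encoding check runs on the raw target; a real appliance has to be explicit about which representation each limit measures, or an attacker picks whichever is more forgiving.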

Detection techniques

The WAF shall be able to support the following detection techniques:
URL-decoding
Null byte string termination
Self-referencing paths (i.e. use of /./ and encoded equivalents)
Path back-references (i.e. use of /../ and encoded equivalents)
Mixed case
Excessive use of whitespace
Comment removal (e.g. convert DELETE/**/FROM to DELETE FROM)
Conversion of (Windows-supported) backslash characters into forward slash characters
Conversion of IIS-specific Unicode encoding (%uXXYY)
Decoding of HTML entities (e.g. &#99; for c, &quot; for ", &ordf; for ª)
Escaped characters (e.g. \t, \001, \xAA, \uAABB)
Negative security model techniques
Positive security model support: an "allow what's known" policy, blocking all unknown traffic and data types
Positive security model configuration
Application flow
Dynamic positive security model configuration maintenance
Built-in process engine to detect evasion techniques such as cross-site scripting
Is there an out-of-the-box rule database available?
Automated regular signature updates
Operates in a full proxy architecture with inline control over all traffic through the WAF
Ability to hide back-end application server OS fingerprinting data and application-specific information
Ability to protect against malicious activity within, and hijacking of, embedded client-side code (JavaScript, VBScript, etc.)
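The decoding techniques listed above are, in practice, one canonicalisation pipeline: every transformation is applied before any signature is matched, so an attacker cannot hide ../ or DELETE FROM behind double URL-encoding, %uXXYY, HTML entities, C-style escapes, comments or mixed case. The following is an added example written for this page, not code from the RFP or from any WAF: a Python normaliser that applies those steps in the order a WAF would, then matches three illustrative signatures against the canonical form. The signatures and the sample payloads are constructed for illustration and are not a vendor rule set.

```python
import html
import re
from urllib.parse import unquote

IIS_UNICODE = re.compile(r"%u([0-9A-Fa-f]{4})")
C_ESCAPE = re.compile(r"\\(?:x[0-9A-Fa-f]{2}|u[0-9A-Fa-f]{4}|[0-7]{1,3}|[tnr])")
COMMENT = re.compile(r"/\*.*?\*/", re.S)

# Illustrative signatures, applied to the canonical form only.
SIGNATURES = {
    "path-traversal": re.compile(r"\.\./"),
    "sql-injection": re.compile(r"\b(union select|delete from|drop table|or 1=1)\b"),
    "xss": re.compile(r"<script|javascript:"),
}


def _c_escape(m):
    tok = m.group(0)
    if tok[1] in "xu":
        return chr(int(tok[2:], 16))          # \xAA, \uAABB
    if tok[1] in "01234567":
        return chr(int(tok[1:], 8))           # \001
    return {"t": "\t", "n": "\n", "r": "\r"}[tok[1]]


def normalize(raw: str) -> str:
    """Canonicalise an attacker-controlled string before signature matching."""
    s = raw
    # 1. URL-decode repeatedly (catches double encoding) and IIS %uXXYY.
    for _ in range(3):
        decoded = IIS_UNICODE.sub(lambda m: chr(int(m.group(1), 16)), unquote(s))
        if decoded == s:
            break
        s = decoded
    # 2. HTML entities (&#99; &quot; &ordf;) and C-style escapes (\t \001 \xAA \uAABB).
    #    Note html.unescape also decodes legacy entities without ";" (e.g. &para),
    #    which is a known false-positive source in query strings.
    s = html.unescape(s)
    s = C_ESCAPE.sub(_c_escape, s)
    # 3. Null-byte termination: keep what a C runtime on the backend would see.
    s = s.split("\x00", 1)[0]
    # 4. Windows backslashes become forward slashes; collapse /./ self-references.
    s = s.replace("\\", "/")
    while "/./" in s:
        s = s.replace("/./", "/")
    # 5. Strip SQL comments, squeeze whitespace, fold case.
    s = COMMENT.sub(" ", s)
    s = re.sub(r"\s+", " ", s).strip()
    return s.lower()


def classify(raw: str):
    """Names of the signatures that match the canonical form of raw."""
    canon = normalize(raw)
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(canon))


# Constructed evasion attempts, one per technique in the list above.
SAMPLES = [
    "..%252f..%252fetc/passwd",                   # double URL-encoding
    "%2e%2e%5c%2e%2e%5cwindows%5cwin.ini",        # encoded dots + backslashes
    "../../etc/passwd%00.jpg",                    # null-byte termination
    "/static/./../../etc/passwd",                 # self-reference + back-reference
    "DELETE/**/FROM",                             # comment removal (the RFP's own example)
    "1%20UNION%09%09SeLeCt%20*",                  # whitespace + mixed case
    "%u0027%20oR%20%u0031=1",                     # IIS %uXXYY encoding
    "&#60;ScRiPt&#62;alert(1)&#60;/ScRiPt&#62;",  # HTML entities
    r"\x3cscript\x3e",                            # C-style escapes
    "/images/logo.png",                           # benign
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample!r:48} -> {normalize(sample)!r:32} {classify(sample)}")
```

The order matters: escapes are decoded before backslashes are rewritten, null bytes are cut before path collapsing, and case is folded last, because each later step assumes the earlier representations are already gone. A WAF that matches signatures on the raw request, or that decodes only once, fails the double-encoded and %uXXYY samples above.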

Incident Response capabilities

The WAF shall be capable of logging security events via syslog
The WAF shall be capable of logging security events via SNMP
The WAF shall be capable of being monitored via SNMP for statistical information
The WAF shall support monitoring using SNMP version 3
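The syslog requirement above is what makes the earlier Layer 7 brute-force and latency-anomaly requirements checkable from outside the appliance: if the WAF emits one event per request, the same detections can be re-run or tuned in a SIEM. The following is an added example written for this page, not code from the RFP or from any WAF product: it parses constructed syslog lines, raises one alert per source that fails login repeatedly inside a sliding window, and flags requests whose latency jumps far above the running median for their URI. The key=value line format, the host name waf01, the source addresses and the thresholds are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
from statistics import median

# Assumed event format: RFC 3164-style syslog line followed by key=value fields.
EVENT = re.compile(
    r"^<\d+>(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ waf: "
    r"src=(?P<src>\S+) method=(?P<method>\S+) uri=(?P<uri>\S+) "
    r"status=(?P<status>\d+) latency_ms=(?P<latency>\d+)$"
)


def parse_event(line: str, year: int = 2014):
    """Parse one syslog line; syslog timestamps carry no year, so it is supplied."""
    m = EVENT.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "src": m["src"], "method": m["method"], "uri": m["uri"],
            "status": int(m["status"]), "latency": int(m["latency"])}


def detect_brute_force(events, login_uri="/login", window_s=60, threshold=5):
    """One alert per source that fails login `threshold` times within `window_s`."""
    failures = defaultdict(deque)      # src -> timestamps of recent failures
    alerts, fired = [], set()
    for e in events:
        if e["uri"] != login_uri or e["status"] not in (401, 403):
            continue
        q = failures[e["src"]]
        q.append(e["ts"])
        while (e["ts"] - q[0]).total_seconds() > window_s:
            q.popleft()               # slide the window forward
        if len(q) >= threshold and e["src"] not in fired:
            fired.add(e["src"])
            alerts.append({"src": e["src"], "failures": len(q), "at": e["ts"]})
    return alerts


def detect_latency_spikes(events, factor=4.0, min_samples=5):
    """Flag a request whose latency exceeds factor x the running median for its URI.

    The median is the baseline because a single slow request (the very thing
    being detected) would drag an average upward and hide the next one.
    """
    history = defaultdict(list)
    alerts = []
    for e in events:
        seen = history[e["uri"]]
        if len(seen) >= min_samples:
            baseline = median(seen)
            if e["latency"] > factor * baseline:
                alerts.append({"uri": e["uri"], "latency": e["latency"],
                               "baseline": baseline, "at": e["ts"]})
        seen.append(e["latency"])
    return alerts


def analyse(log_text: str):
    events = [e for e in map(parse_event, log_text.splitlines()) if e]
    return {"events": len(events),
            "brute_force": detect_brute_force(events),
            "latency_spikes": detect_latency_spikes(events)}


# Constructed sample log (not captured traffic): five normal page loads, five
# failed logins from one source within four seconds, one stray failure from
# another source, then one request twenty times slower than the baseline.
SAMPLE_LOG = "\n".join(
    [f"<134>Aug 22 10:00:0{i} waf01 waf: src=198.51.100.4 method=GET uri=/ "
     f"status=200 latency_ms={lat}" for i, lat in enumerate((40, 45, 38, 42, 41), 1)]
    + [f"<134>Aug 22 10:00:1{i} waf01 waf: src=203.0.113.7 method=POST uri=/login "
       f"status=401 latency_ms=120" for i in range(5)]
    + ["<134>Aug 22 10:00:20 waf01 waf: src=198.51.100.9 method=POST uri=/login "
       "status=401 latency_ms=117",
       "<134>Aug 22 10:00:30 waf01 waf: src=198.51.100.4 method=GET uri=/ "
       "status=200 latency_ms=900"]
)

if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```

The single failure from 198.51.100.9 never reaches the threshold and the slow /login responses sit within their own baseline, so only the two events a reviewer would expect are raised. Over syslog the event stream is unauthenticated UDP by default; if alerts feed an incident process, the transport should be TLS syslog or SNMPv3, as the next requirement asks.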

Support tools

The WAF shall be capable of being restored to factory defaults
The WAF shall support an open API that is able to fully administer the WAF

Redundancy Capabilities

The WAF shall be able to support High Availability failover via network or serial link
The WAF shall be able to perform application-level health checks of the back-end servers

Network and Performance

The WAF shall be able to support VLAN configuration through a built-in switch
The WAF shall be able to perform TCP/IP optimization
The WAF shall be able to perform packet filtering

Implemented concepts to cover vulnerabilities (OWASP based)

The WAF shall be able to protect against:
Unvalidated input
Injection flaws
SQL injection
OS command injection
Parameter tampering
Cookie poisoning
Hidden field manipulation
Cross-site scripting flaws
Buffer overflows
Broken access control
Broken authentication and session management
Improper error handling
XML bombs/DoS
Forceful browsing
Sensitive information leakage
Session hijacking
Denial of service
Request smuggling
Cookie manipulation

Certification

The WAF shall be an ICSA certified web application firewall

MX Management Server

Specification                        Description                                                                                    Remarks
Management                           Intuitive web user interface (HTTP/HTTPS)
                                     Command line interface (SSH/console)
Provisioning                         MX Management Server centrally provisions, manages, and monitors up to 15 SecureSphere gateways
                                     Supports distributed, heterogeneous deployments of Web and database gateways
Out-of-Band Management               Out-of-band management supported via out-of-band management ports in SecureSphere gateways
Management Communications            SSL-encrypted communications between the MX Management Server and SecureSphere gateways
Policy/Signature Updates             Security updates provided weekly, or immediately for critical threats
Hierarchical Management              Policies may be defined hierarchically, via a flexible, object-oriented policy framework
Role-Based Administration            Completely customizable roles and privileges
                                     Users can be assigned roles
                                     Users inherit all privileges of the group
                                     User authentication supports LDAP and SSL certificates
Alerts                               SNMP
                                     Syslog
                                     Email
                                     Incident management ticketing integration
                                     Custom followed action
                                     Integrated graphical reporting
                                     Real-time dashboard
Workflow                             Task-oriented workflow engine
Internal Data Storage                Audit trail stored in a tamper-proof repository
                                     Optional encryption or digital signing of audit data
                                     Role-based access controls to view audit data (read-only)
                                     Real-time visibility of audit data
External Data Storage and Archiving  SAN (Fibre Channel interfaces) for online access
                                     NAS for online access
                                     NFS*
                                     FTP*
                                     HTTP/S*
                                     SCP*
                                     * Data is compressed and archived
Supported Products                   Database Activity Monitoring
                                     Database Firewall
                                     Discovery and Assessment Server
                                     File Activity Monitoring
                                     File Firewall
                                     SecureSphere for SharePoint
                                     Web Application Firewall
Support                              One year standard support on hardware and software

Non-Functional Requirements and Specifications

ID   Non-Functional Requirements                                                                                     Remarks

USER INTERFACE
Provision of portals/screens for non-technical stakeholder usage, suitable for auditors and security professionals without detailed knowledge of database internals.

DOCUMENTATION
- Schematic
Provision of the Application Architecture Schematic for the Production and DR sites and for High Availability (HA)
- System Manual: provides an overview of the system, including the system objectives, system functionality, equipment configuration, software inventory, etc.
Documentation of application objectives
Documentation of application functions, i.e. Function ID/Name, Function Description, Mode (e.g. Online/Batch, Enquiry/Update)
Documentation of equipment configurations, i.e. Computer Manufacturer, Model Number, Serial Number, IP Address, OS Version, Database Version
Documentation of software inventories, i.e. Program ID/Name and functions of the program; in the case of a client/server application the location of the program (e.g. Database Server, Application Server, Client, etc.) should be specified
Detailed documentation of the system security profiles and the data protection measures on system functions
Detailed documentation of the Disaster Recovery Plan and Procedures of the system
- Location of soft copy of the System
The latest version of all the programs should be kept in soft copy for future reference and maintenance on KCB premises and included in the documentation
- Data Manual: documents all data captured, processed or produced by the system
Documentation of the database schema of the application, showing the relationships among files/tables and other groups of data, e.g. an Entity-Relationship Diagram
Screen/Report description documentation, i.e. List of Screens, Screen Layout, List of Reports, Report Layout
- Application Manual: documents an overview of the system and provides detailed user instructions and procedures for all functionality provided by the system
Documentation of user procedures, descriptions and instructions in detail, covering areas like batching of input data, control of documents, actions on specific events, error amendments, etc.

SYSTEM INTERFACING AND INTEGRATION
Integration with existing reporting, workflow and trouble-ticketing systems, e.g. Synergy Pro Helpdesk, App Server
Compliance with Service Oriented Architecture
The solution shall support Java Database Connectivity (JDBC) and Microsoft connectivity technology (such as Open Database Connectivity (ODBC) or Object Linking and Embedding Database [OLEDB]).

SECURITY
Support security using database access controls. The solution shall support database security using the following database access controls: GRANT and REVOKE privilege facilities, the VIEW definition capabilities, and some Discretionary Access Control (DAC) mechanisms.

CONFORMANCE TO INDUSTRY BEST STANDARDS
The Web Application Firewall solution shall be endorsed by the Web Application Security Consortium (WASC) and OWASP

Deliverables

At the end of the implementation exercise, the solution provider should provide a comprehensive report detailing the completed implementation work. The report will cover, among others, the following:

1. Fully installed, well integrated, customized and functioning Database Firewall solution for the needs of KCB.
2. Fully installed, well integrated, customized and functioning Web Application Firewall solution for the needs of KCB.
3. Fully installed, well integrated, customized and functioning MX Management Server.
4. Two fully installed HP TouchSmart IQ816 computers to facilitate a monitoring centre for this Database and Web Application Firewall solution.
5. Presentation of the working solution to the IT management and staff of KCB after completion of the implementation, for review and feedback.
6. An executive summary report for Management of the implemented solutions.

APPENDIX 2 – REFERENCE SITES

References of similar implementations/deployments of such a product for organizations similar to KCB in size and complexity, done over the past one year.

1. Prior Services Performed for:
Company Name:
Address:
Contact Name:
Telephone Number:
Date of Contract:
Length of Contract:
Description of Prior Services (include dates):

2. Prior Services Performed for:
Company Name:
Address:
Contact Name:
Telephone Number:
Date of Contract:
Length of Contract:
Description of Prior Services (include dates):

3. Prior Services Performed for:
Company Name:
Address:
Contact Name:
Telephone Number:
Date of Contract:
Length of Contract:
Description of Prior Services (include dates):

(repeat as relevant)

APPENDIX 3 – WEB APPLICATION SECURITY & COMMON ATTACKS

The solution must be able to detect and block the following Web application threats:

1. Anonymous Proxy Vulnerabilities
2. Brute Force Login
3. Buffer Overflow
4. Cookie Injection
5. Cookie Poisoning
6. Corporate Espionage
7. Credit Card Exposure
8. Cross Site Request Forgery (CSRF)
9. Cross Site Scripting (XSS)
10. Data Destruction
11. Directory Traversal
12. Drive-by Downloads
13. Forceful Browsing
14. Form Field Tampering
15. Google Hacking
16. HTTP Distributed Denial of Service (DDoS)
17. HTTP Response Splitting
18. HTTP Verb Tampering
19. Illegal Encoding
20. Known Worms
21. Malicious Encoding
22. Malicious Robots
23. OS Command Injection
24. Parameter Tampering
25. Patient Data Disclosure
26. Phishing Attacks
27. Remote File Inclusion Attacks
28. Sensitive Data Leakage (Social Security Numbers, Cardholder Data, PII, HPI)
29. Session Hijacking
30. Site Reconnaissance
31. Site Scraping
32. SQL Injection
33. Web server software and operating system attacks
34. Web Services (XML) attacks
35. Zero Day Web Worms

APPENDIX 4 – LIST OF DATABASES

No.  Application                               Database Type  Server Machine Type  CPU cores               Processor Type  Total processor cores
1    T24                                       Oracle         HP Superdome 1       32                      Itanium         32
2    NetTeller                                 Oracle         HP Blade 685c        32                      Intel Xeon      32
3    CQ                                        MsSQL          HP Blade 685c        2 processors (8 CPUs)   AMD Opteron     16
4    Mobi                                      Oracle         HP Blade 685c        32                      Intel Xeon      32
5    Mobiloan                                  PostgreSQL     HP Blade 685c        32                      Intel Xeon      32
6    Sybrin                                    MsSQL          HP Blade 685c        2 processors (8 CPUs)   AMD Opteron     16
7    Kondor+                                   Sybase         HP Blade 685c        32                      Intel Xeon      32
8    Channel Manager/NOBS                      MySQL          HP Blade 685c        32                      Intel Xeon      32
9    QuickPay                                  MsSQL          HP Blade 685c        32                      Intel Xeon      32
10   TransWare (TWO, TWCMS, TWI, TWFA, TWCF)   Oracle         HP Blade 685c        32                      Intel Xeon      32 each

APPENDIX 5 – SUPPLIER QUESTIONNAIRE

Bidders wishing to be considered for the tender for SUPPLY AND IMPLEMENTATION OF A DATABASE AND WEB APPLICATION SECURITY/FIREWALL SOLUTION are expected to furnish the Company with, among others, the following vital information, which will be treated in strict confidence by the Company.

1.0 CORPORATE INFORMATION

No.   PARTICULARS                                                                      RESPONSE [If space is insufficient, please use a separate sheet]
1.1   Full name of organization:
1.2   Is your organization (please tick one):
      i) a public limited incorporated company? If yes, please attach a copy of the Certificate of Incorporation, including any Certificate of Change of Name, and the Memorandum & Articles of Association
      ii) a public listed company? If yes, please attach a copy of the Certificate of Incorporation, including any Certificate of Change of Name, and the Memorandum & Articles of Association
      iii) a limited incorporated company? If yes, please attach a copy of the Certificate of Incorporation, including any Certificate of Change of Name, and the Memorandum & Articles of Association
      iv) a partnership? If yes, please attach a certified copy of the Partnership Deed and business name certificate
      v) a sole trader? If yes, please attach a certified copy of the business name certificate
      vi) other (please specify)
1.3   Company Registration number (if this applies): attach a copy of the Certificate of Incorporation, including any Certificate of Change of Name, or the relevant certificate from the country of incorporation.
1.4   Date and country of registration:
1.5   Full physical address of principal place of business:
      Full postal address of the business:
1.6   Registered address if different from the above:
      Post Code:
1.7   Telephone number:
1.8   Fax number:
1.9   E-mail address:
1.10  Website address (if any):
1.11  Company/Partnership/Sole Trader Tax PIN: (please provide a certified copy of the PIN Certificate)
1.12  VAT Registration number: (please provide a certified copy of the VAT Certificate)
1.13  Period in which you have been in the specific business for which you wish to bid.
1.14  Current dealership letter/certification for equipment, preferably issued in 2012.
1.15  Names of the Shareholders, Directors and Partners. If a Kenyan company, please provide an original search report issued by the Registrar of Companies showing the directors and shareholders (Companies Form CR 12).
1.16  Associated companies (if any)
1.17  Please provide a copy of the latest annual returns together with the filing receipt as filed at the Companies Registry
1.17  Name of (ultimate) parent/holding company (if this applies):
1.18  Company number of parent/holding company (if this applies):
1.19  If a consortium is expressing interest, please give the full name of the other organisation (the proposed consortium partners should also complete this questionnaire in its entirety)
1.20  Name and contacts of the Legal Representative of the company: Name, Title, Telephone, Fax and Email address.
1.21  Contact person within the organisation to whom enquiries about this bid should be directed:
      NAME:
      TITLE:
      TEL:
      FAX:
      EMAIL:

2.0 FINANCIAL INFORMATION

No.   PARTICULARS
2.1   What was your turnover in the last two years?
      ………… for year ended --/--/----
      ……… for year ended --/--/----
2.2   Has your organisation met all its obligations to pay its creditors and staff during the past year? Yes / No
      If no, please give details:
2.3   Have you had any contracts terminated for poor performance in the last three years, or any contracts where damages have been claimed by the contracting authority? Yes / No
      If yes, please give details:
2.4   What is the name and branch of your bankers (who could provide a reference)?
      Name:
      Branch:
      Telephone Number:
      Postal Address:
      Contact Person Name:
      Contact Position:
      Contact E-mail:
2.5   Provide a copy of the following:
      A copy of your most recent audited accounts (for the last three years)
      A statement of your turnover, profit & loss account and cash flow for the most recent year of trading (for the last three years)
      A statement of your cash flow forecast for the current year and a bank letter outlining the current cash and credit position.

3.0 BUSINESS ACTIVITIES

No.   PARTICULARS
3.1   What are the main business activities of your organisation? i.e. Manufacturer, Assembler, Distributor, service centre, retailer (please specify).
3.2   How many staff does your organisation have? ............
      Indicate the number under each category:
      i. Technical (Permanent ………, Temporary ……)
      ii. Semi-skilled (Permanent ……., Temporary ……..)
3.3   Please describe in general the experience and expertise your organization possesses that will enable you to effectively and efficiently undertake the work you are bidding for, as required by KCB.
      Attach your company organogram (organisation chart) with emphasis on the job you are bidding for.
      Attach CVs of key staff.
3.4   Please submit a declaration that all staff within your organization who are or will be involved in the project are or will be permitted to work within your organization under the laws of Kenya or the laws of the country in which it is established.

4.0 TRADE REFERENCES

4.1   Please provide in the table below details of the projects you have undertaken relevant to the job you are bidding for, performed over the last three (3) years, or that are relevant to this bid document.

No   Customer Organization (name)   Customer contact name and phone number   Contract reference and brief description   Date contract awarded   Value of business transacted (Kshs/USD/Euro)
1
2
3
4
5
6
7
8

5.0 CERTIFICATIONS, ACCREDITATIONS AND APPROVALS

Detail any relevant certifications and accreditations by principals or accreditation bodies and attach copies of such certification. Such certifications may be for your company or for your individual staff, as relevant to the work they do and the key skills for the service or goods you propose to supply.

6.0 AGENCIES AND PARTNERSHIPS

a) Detail any agencies and partnerships that you have that are relevant to the categories of goods and/or services you are interested in supplying.
b) List your primary sources of supply for goods that you propose to supply.

7.0 MANAGEMENT POLICIES

a) Employee Integrity
How does the firm ensure the integrity of staff? Detail any related policies.
b) Code of Conduct/Ethics
Does your company have a code of conduct? If so, please attach a copy.
Indicate if your company subscribes to a professional body with a code of conduct/ethics.
c) Company employment policy
Does the firm have a documented employment policy? What are the key highlights from this policy, if it exists?
d) Environmental Policy/Green Agenda Policy
Is your firm ISO 14001 certified, or do you have an environmental policy as an organization?
Is your waste segregated as per the different waste streams?
How are wastes from your firm disposed of?
e) Customer Service
Does the firm have a documented policy on Customer Service?
Which position in your firm is responsible for customer service, and how is this position supported by other functions?
Does your firm use any performance management techniques, including customer satisfaction measurement? If so, what are the key parameters?

8.0 BUSINESS PROBITY AND LITIGATION MANAGEMENT

Please confirm whether any of the following criteria apply to your organisation. Note that failure to disclose information relevant to this section may result in your exclusion as a potential KCB supplier.

No.   PARTICULARS                                                                                                  RESPONSE
8.1   Is the organisation bankrupt or being wound up, having its affairs administered by the court, or have you entered into an arrangement with creditors, suspended business activities or any analogous situation arising from similar proceedings in Kenya or the country in which it is established?
8.2   Please provide a statement of any material pending or threatened litigation or other legal proceedings where the claim is of a value in excess of USD 20,000.
8.3   Has any partner, director, shareholder or employee whom you would propose to use to deliver this service been convicted of an offence concerning his professional conduct?
8.4   Has any partner, director or shareholder been the subject of corruption or fraud investigations by the police, the Kenya Anti-Corruption Authority or a similar authority in the country in which your organisation is established?
8.6   Has the organisation not fulfilled obligations relating to the payment of any statutory deductions or contributions, including income tax, as required under Kenyan law or the laws of the country in which it is established?
8.7   Please state if any Director, Shareholder, Partner and/or Company Secretary of the Organisation is currently employed or has been employed in the past 3 years by KCB.
8.8   Please state if any Director/Partner and/or Company Secretary of the Organisation has a close relative who is employed by KCB and who is in a position to influence the award of any supply contract. A "close relative" refers to spouse, parents, siblings and children.

9.0 INSURANCE

Please provide details of your current insurance cover                                                    Value
9.1   Employer's Liability:
9.2   Public Liability:
9.3   Professional Indemnity (if applicable):
9.4   Other (specify):

10.0 EVALUATION

(a) Requirements for Evaluation

The following documents should be attached:
i. Certificate of Incorporation/Business Name Certificate
ii. Trading Certificate
iii. Business Permits
iv. Certificate from relevant regulatory authority (where applicable)
v. Manufacturer's Authorization or equivalent (where applicable)
vi. Tax PIN Certificate or equivalent
vii. Tax Compliance Certificate or equivalent
viii. Current dealership letter/certification of equipment
ix. List of Directors, their telephone numbers and postal addresses
x. Form CR 12 as issued by the Registrar of Companies (original) or certified as a true copy
xi. Audited Accounts (three years)
xii. Bank Account Information
xiii. CVs of Senior Staff
xiv. Organogram/Organization Chart

APPENDIX 6 – PERFORMANCE SECURITY FORM (FORMAT)

Know all men by these presents that we:

1. ..................................................................... (Full name & address in block letters) PRINCIPAL
2. ..................................................................... (Full name & address in block letters) SURETY

are held firmly bound, jointly and severally, unto Kenya Commercial Bank Limited in the principal sum of US Dollars .................................................................................................... for which payment well and truly to be made we bind ourselves firmly by these presents.

The condition of the above obligation being that should the said <name of Bidder> fulfil his/their obligation(s) under an agreement entered into between the Kenya Commercial Bank Limited and themselves in respect of <<the requirement>> for Kenya Commercial Bank Ltd. during the period ending .................................................. and not incur cancellation of the agreement for any cause whatsoever, then the above obligation is to be null and void; otherwise it is to remain in full force and effect. The validity of this guarantee expires on ............................................................ which is two months beyond the contract period (i.e. after submission and acceptance by the Bank of the final report).

.......................................................................................
PRINCIPAL (Signature) .......................................................................................
Principal's Stamp

SURETY (Signature) ………………………………………..
SURETY's Stamp …………………………………………….

Nairobi this ................. of .............. two thousand and ............................

(The following words should be inserted in the signatory's own handwriting)
"Good for the sum* of US Dollars ........................................................"
(*sum to be specified in words & figures)

APPENDIX 7 – CERTIFICATE OF COMPLIANCE

All suppliers should sign the certificate of compliance below and return it together with the bound tender document.

We ___________________________ have read this tender document and agree with the terms and conditions stipulated therein.

Signature of tenderer -------------------------------------------
Date ………………………………………………………….
Company Stamp/Seal.