security and web application monitoring
8/10/2019 Security and Web Application Monitoring
1/58
KENYA COMMERCIAL BANK LIMITED
REQUEST FOR PROPOSAL
IT/AUGUST 2014/SUPPLY AND IMPLEMENTATION OF A DATABASE AND WEB APPLICATION SECURITY/FIREWALL SOLUTION (RE-TENDER)
Release Date: Friday, 22nd August 2014
Last Date for Receipt of bids: Friday, 5th September 2014 at 3.00pm (GMT+3) Nairobi, Kenya
Commercial in confidence IT/August 2014/ DATABASE AND WEB APPLICATION SECURITY/FIREWALL SOLUTION Page 2 of 58
ISSUE OF RFP DOCUMENT TO PROSPECTIVE BIDDERS
TENDER FOR SUPPLY AND IMPLEMENTATION OF A DATABASE AND WEB APPLICATION SECURITY/FIREWALL SOLUTION (RE-TENDER)
This form serves as an acknowledgement of receipt of the tender and of participation. This page is to be completed immediately on download and a scanned copy e-mailed to [email protected]. Firms that do not register their interest immediately in this manner may not be sent the RFP addenda should any arise.
Table 1: Registration of Interest to Participate
Item                                  Supplier Details
Name of Person
Organization Name
Postal Address
Tel No
Fax No
Email Address (this e-mail address should be clearly written as communication with bidders shall be through e-mail)
Signature:
Date
Company Stamp
Table of Contents
IT/AUGUST 2014/SUPPLY AND IMPLEMENTATION OF A DATABASE AND WEB APPLICATION SECURITY/FIREWALL SOLUTION (RE-TENDER) ..... 1
DEFINITIONS ..... 4
1.1 INTRODUCTION ..... 5
1.2 Background of the Project ..... 5
1.3 Aims and Objectives of the project ..... 5
1.4 Format of RFP Response and Other Information for Bidders ..... 6
SECTION 2 SCOPE OF WORK ..... 16
SECTION 3 - GENERAL CONDITIONS OF CONTRACT ..... 20
3.1 Introduction ..... 20
3.2 Award of Contract ..... 20
3.3 Application of General Conditions of Contract ..... 20
3.4 Ownership ..... 20
3.5 Bid Validity Period ..... 20
3.6 Performance Security ..... 21
3.7 Delays in the Bidder's Performance ..... 21
3.8 Liquidated damages for delay ..... 22
3.9 Governing Language ..... 22
3.10 Applicable Law ..... 22
3.11 Bidder's Obligations ..... 22
3.12 The Bank's Obligations ..... 23
3.13 Confidentiality ..... 24
3.14 Force Majeure ..... 24
SECTION 4 : APPENDIXES ..... 25
Appendix 1 Technical Requirements Matrix ..... 25
APPENDIX 2 REFERENCE SITES ..... 46
APPENDIX 3 - WEB APPLICATION SECURITY & COMMON ATTACKS ..... 47
APPENDIX 4 : LIST OF DATABASES ..... 48
APPENDIX 5 SUPPLIER QUESTIONNAIRE ..... 49
APPENDIX 6 PERFORMANCE SECURITY FORM (FORMAT) ..... 57
APPENDIX 7 CERTIFICATE OF COMPLIANCE ..... 58
DEFINITIONS
For purposes of this document, the following definitions shall apply:
The Bank: KCB Ltd
Bid: The Quotation or Response to this RFP submitted by prospective Suppliers for fulfilment of the Contract.
Supplier: The Company awarded the task of supplying all the items described in this document, and installing and commissioning them.
Contract: Supply, installation and commissioning of all the works, equipment and/or services that are described in this document, which will contribute towards meeting the objective of the RFP.
Warranty: Period from the time installation and testing is completed, during which the Contractor undertakes to replace/rectify equipment and/or installation failures at no cost to the Bank.
1.1 INTRODUCTION
The Kenya Commercial Bank Limited (hereinafter referred to as the Bank) is incorporated in Kenya and is a leading commercial banking group in the East African region, renowned for its diversity and growth. In addition to Kenya, it has other subsidiaries, namely KCB (Tanzania) Limited, a banking subsidiary operating in Tanzania; KCB (Uganda) Limited, a banking subsidiary operating in Uganda; KCB (Sudan) Limited, a banking subsidiary operating in Sudan; KCB (Rwanda) Limited, a banking subsidiary operating in Rwanda; and KCB Burundi, a banking subsidiary operating in Burundi. The Head Office for the group is located in KENCOM House, Nairobi. The Bank's vision is to be the preferred financial solutions provider in Africa with a global reach.
The platform is anchored on consolidation across our existing business, expanding and modernizing delivery channels, improving operational efficiencies, turning in returns commensurate with the level of investment, and compliance with all regulatory and internal policy guidelines.
This document therefore constitutes the formal Request for Proposals (RFP) for Supply and Implementation of a Database and Web Application Security/Firewall solution and is being availed on an open tender basis.
1.2 Background of the Project
The bank operates in a highly computerised environment that includes maintaining connections to its business partners and to the world at large through the internet and dedicated point-to-point connections. Therefore, like similar organisations, it is prone to business interruptions as a result of failed or malfunctioning systems, business data corruption or stolen data.
Computer system holes and vulnerabilities make it possible to exploit insecure implementations and may result in system failures and exploits, whether by malice, mistake or innocently. Further, the bank needs to ensure its systems are protected and implemented as per best practice and thereby avoid damage to itself or its business partners.
1.3 Aims and Objectives of the project
The KCB Group has decided to implement Database and Web Application Firewall solutions to enhance the security of Critical Systems that are accessed by internal as well as external stakeholders, as part of an overall strategy to implement more secure, productive, industry-standard information technology (IT) management processes and supporting IT management applications.
Proposal responses are expected from suppliers of database and web application firewall solutions.
The information in this document and its appendices and attachments is confidential and is subject to the provisions of our non-disclosure agreement and should not be disclosed to any external party without explicit prior written consent of Kenya Commercial Bank.
Objectives
The purpose of the assignment is to acquire, implement and maintain Database and Web Application Firewall solutions for the KCB Group that will improve the KCB Group's security of all public/internet-facing applications and reinforce the defense-in-depth approach in place.
Based on KCB Group strategy, the project will help KCB Group to mitigate the risks related to web access control operations by:
- Automatically learning the web application structure and user behavior
- Virtually patching databases and applications through vulnerability scanner integration
- Updating database and web defenses with research-driven intelligence on current threats
- Delivering high performance, business-relevant reporting and alerts
1.4 Format of RFP Response and Other Information for Bidders
1.4.1 The overall summary information regarding the SUPPLY AND IMPLEMENTATION OF A DATABASE AND WEB APPLICATION SECURITY/FIREWALL SOLUTION is given in section 2 Scope of Services and the summary in 1.3 Aims and Objectives. The bidder shall include in their offer any additional services considered necessary for the successful implementation of their proposal.
1.4.2 Proposals from bidders should be submitted in two distinct parts, namely a Technical proposal and a Financial proposal, and these should be in two separate sealed envelopes, both of which should then be placed in a common sealed envelope marked:
IT/AUG 2014/ DATABASE AND WEB APPLICATION SECURITY/FIREWALL SOLUTION
DO NOT OPEN BEFORE Friday, 5th September 2014 at 3.00 pm (GMT+3) Nairobi, Kenya
The two separate inner envelopes should be clearly marked "Technical Proposal" and "Financial Proposal", respectively, and should bear the name of the Bidder.
1.4.3 The Technical Proposal should contain the following:
Bidders willing to be considered for SUPPLY AND IMPLEMENTATION OF A DATABASE AND WEB APPLICATION SECURITY/FIREWALL SOLUTION are expected to furnish the Bank with, among others, the following vital information, which will be treated in strict confidence by the Bank.
- Provide a company profile as per the supplier questionnaire in Appendix 5.
- The RFP response document duly signed as per Appendix 7 CERTIFICATE OF COMPLIANCE.
- Approval licenses, by the various bodies for compliance/manufacturer authorization, MUST be included where applicable.
- Audited financial statements of the company submitting the RFP bid, for the last two years.
- Demonstrate capability and capacity to provide technical and functional requirements and functionalities as per KCB requirements in section 2.0 Scope of work.
- All copies of any certificates included in the bid response should be certified as true copies of the original, else the bank may not use them in the evaluation process.
1.4.4 The Financial Proposal should clearly indicate the total cost of carrying out the solution as follows:-
a. The Supplier shall provide a firm, fixed price for the Original Contract Period. All costs associated with the required system shall be included in the prices.
Kindly note that the cost should include supply, installation and commissioning of the system inclusive of all freight charges and applicable duties and taxes (VAT and withholding tax).
Provide an itemized list of all items included and summarize your costs as shown in the table below:-
No.  Description                                                          Unit  Qty  Unit Cost (USD)  Sub Total Costs (USD)  Taxes (USD)  Grand Total Cost (USD)
1    Software/License Cost
2    Hardware/Appliance Costs
3    Installation and Implementation costs
4    Training
5    Annual Maintenance Cost for software licences Year 1
6    Annual Maintenance Cost for Hardware/Appliance Year 1
7    Annual Local Vendor Support Year 1 (where applicable)
8    Logistics costs and other costs
     Software, implementation, Training cost inclusive of all taxes      n/a   n/a   n/a   -   -   -
9    Annual Maintenance Cost for software licences Year 2
10   Annual Maintenance Cost for software licences Year 3
11   Annual Maintenance Cost for Hardware/Appliance Year 2
12   Annual Maintenance Cost for Hardware/Appliance Year 3
13   Annual Local Vendor Support Year 2
14   Annual Local Vendor Support Year 3
     Total Recurrent costs (Year 2&3)                                    n/a   n/a   n/a   -   -   -
     Total cost of ownership over 3 years inclusive of all taxes (USD)   n/a   n/a   n/a   -   -   -
     Total cost of ownership over 3 years inclusive of all taxes (KSHS)  n/a   n/a   n/a   -   -   -
Notes
1. The total cost above should be inclusive of all taxes and duties (VAT, duties, freight costs and withholding tax).
b. Additional Cost to Complete. Provide an itemized list of any items not included above by the Bank and related costs that the Supplier deems necessary to provide the information to meet the requirements specified in the proposal. Failure to provide said list shall not relieve the Supplier from providing such items as necessary to meeting all of the requirements specified in the proposal at the Fixed Price Purchase Costs proposed.
NOTE: The Financial proposal MUST BE IN A SEPARATE SEALED ENVELOPE CLEARLY MARKED "FINANCIAL PROPOSAL".
1.4.5 Soft copies of each proposal are to be provided in the standard Microsoft Office suite of programs or Adobe Reader format and delivered together with the hard copy of the tender. NOTE that only the information in the hard copy bound bid document shall be considered as the MAIN source document.
1.4.6 Bidders are requested to hold their proposals valid for ninety (90) days from the closing date for the submission. The Bank will make its best efforts to arrive at a decision within this period.
1.4.7 Assuming that the Contract will be satisfactorily concluded, the bidders shall be expected to commence the assignment after the final agreement is reached.
1.4.8 The bid documents shall be addressed to the following address and dropped at the tender box on the 5th Floor, Kencom House, Wing B on or before the closing date.
Head of Procurement
Kenya Commercial Bank
5th Floor Kencom House
P.O. Box 48400, 00100
Nairobi, Kenya
Please note that tenders received by facsimile or electronic mail will be rejected.
1.4.9 If a bidding firm does not have all the expertise and/or resources for the assignment, there is no objection to the firm associating with another firm to enable a full range of expertise and/or resources to be presented. The request for a Joint Venture shall be accompanied with full documented details of the proposed association.
1.4.10 In the case of a Joint Venture or Association, all the firms constituting the Joint Venture or Association will be jointly and severally liable, and at least one firm in the Joint Venture or Association shall be financially capable of meeting the contract requirements and potential liabilities on its own and shall assume contracting responsibility and liability for satisfactory execution of the assignment.
1.4.11 The contracting arrangements shall define clearly the responsibilities and the services to be provided by each firm in the case of a joint venture.
1.4.12 The Bank reserves the right to accept or to reject any bid, and to annul the bidding process and reject all bids at any time prior to the award of the contract, without thereby incurring any liability to any Bidder or any obligation to inform the Bidder of the grounds for its action.
1.4.13 The vendor's terms and conditions will not form part of any contract with KCB in relation to this tender.
Canvassing is prohibited and will lead to automatic disqualification.
1.4.14 Cost of bidding
The Bidder shall bear all costs associated with the preparation and submission of its bid, and the Bank will in no case be responsible or liable for those costs, regardless of the conduct or outcome of the bidding process.
1.4.15 Clarification of Bidding Document
i. All correspondence related to the contract shall be made in English.
ii. Should there be any doubt or uncertainty, the Bidder shall seek clarification in writing addressed to the Head of Procurement through e-mail to: [email protected].
iii. Any clarification sought by the bidder in respect of the RFP shall be addressed at least five (5) calendar days before the deadline for submission of bids, in writing to the Head of Procurement through the same mail.
iv. It is the responsibility of the Bidder to obtain any further information required to complete this RFP.
v. Any clarification requests and their associated responses will be circulated to all Bidders.
vi. The last date for receipt of requests for clarifications from bidders is Thursday, 28th August 2014.
vii. The RFQ Clarification Template is as follows:-
Company Name:
Contact Person: (primary Supplier contact)
E-mail:
Phone:
Fax:
Document Number/Supplier:
#   Date (1)   Section/Paragraph (2)   Question
1
2
3
(1) Question(s) mailing date. (2) From the KCB Document.
The queries and replies thereto shall then be circulated to all other prospective bidders (without divulging the name of the bidder raising the queries) in the form of an addendum, which shall be acknowledged in writing by the prospective bidders. Enquiries for clarifications should be sent by e-mail to: [email protected]
1.4.16 Amendment of Bidding Document
At any time prior to the deadline for submission of bids, the Bank, for any reason, whether at its own initiative or in response to a clarification requested by a prospective Bidder, may modify the bidding documents by amendment.
All prospective Bidders that have received the bidding documents will be notified of the amendment in writing, and it will be binding on them. It is therefore important that bidders give the correct details in the format given on page 1 at the time of collecting/receiving the RFP document.
To allow prospective Bidders reasonable time to take any amendments into account in preparing their bids, the Bank may at its sole discretion extend the deadline for the submission of bids based on the nature of the amendments.
1.4.17 Deadline for Submission of Bids
Bids should be addressed to the Head of Procurement and sent for receipt on or before Friday, 5th September 2014. Any bid received by the Bank after this deadline will be rejected. Those submitting tenders or their representatives may attend the tender opening at the date and time of submission.
1.4.18 Responsiveness of Proposals
The responsiveness of the proposals to the requirements of this RFP will be determined. A responsive proposal is deemed to contain all documents or information specifically called for in this RFP document. A bid determined not responsive will be rejected by the Bank and may not subsequently be made responsive by the Bidder by correction of the non-conforming item(s).
1.4.19 Bid Evaluation and Comparison of Bids
Technical proposals will be evaluated and will form the basis for bid comparison. All tender responses will be evaluated in three phases:-
a. Detailed technical evaluation to determine technical compliance and support responsiveness of the vendor
c. Financial evaluation to consider pricing competitiveness and the financial capability of the vendors
Once the bids are opened, bid evaluation will commence.
1.4.19.1 Technical Evaluation
The technical evaluation will include a desktop evaluation and additional detailed evaluations. The desktop evaluation will be scored as follows:
i. Vendor's ability to meet and exceed the objectives of the RFP together with the functional requirements detailed in Appendix 1 and Appendix 4.
ii. Experience and reliability of the Supplier's organization. Therefore, the Supplier is advised to submit any information which documents successful and reliable experience in past performances, especially those performances related to the requirements of this RFP.
iii. The Supplier should provide the following information related to previous and current services/contracts performed by the Supplier's organization and any proposed subcontractors which are similar to the requirements of this RFP (this information may be shown on the form attached as Exhibit A to this RFP or in a similar manner):
a. Name, address, and telephone number of client/contracting agency and a representative of that client/agency who may be contacted for verification of all information submitted;
b. Dates and locations of the service/contract; and
c. A brief, written description of the specific prior services performed and requirements thereof.
iv. Proposals will be evaluated based on the Supplier's distinctive plan for performing the requirements of the RFP. Therefore, the Supplier should present a written narrative which demonstrates the method or manner in which the Supplier proposes to satisfy these requirements. The language of the narrative should be straightforward and limited to facts, solutions to problems, and plans of action.
Where the words "shall" or "must" are used, they signify a required minimum function or system capacity that will heavily impact the Bidder's final response rating.
Where the words "may" or "desired" are used, they signify that the feature or capacity is desirable but not mandatory; therefore, the specifications in question will possess minimal impact on the Bidder's final response rating.
The method by which the proposed method of performance is written will be left to the discretion of the Supplier. However, the Supplier should address each specific paragraph and subparagraph of the Specifications by paragraph and page number as an item for discussion. Immediately below these numbers, write descriptions of how, when, by whom, with what, to what degree, why, where, etc., the requirements will be satisfied.
1.4.19.2 Demo/Proof of Concept
After the desktop evaluation as per the RFP response, the prospective supplier may be required to give further detailed proof of the viability of the solution, highlighting the functionality as represented in the RFP. This may include all or part of the following:-
- Vendor presentations
- A solution demo with the actual installed solution
- A Proof of Concept installation at the bank's premises in a test scenario, if so required
- Site visits to current clients of the supplier who have implemented a similar solution as put forward in the RFP response
It should be noted that vendors will be progressively evaluated from one stage to the other. Only shortlisted vendors will progress to the next stage.
1.4.19.3 Site visits
In the event that the bank may need to visit a client site, vendors will be notified in writing. The bank may also make surprise unannounced visits to the vendors' offices to verify any information contained in the bid document. All visits are at the discretion of the bank. Vendors may also be called upon to make brief and short presentations and/or demos on their technical solutions before a panel constituted by the bank.
1.4.19.4 Financial Evaluation (separate sealed envelope)
Financial evaluation will concentrate on the Costs inclusive of VAT and other applicable taxes where necessary and Man/Day estimates, where appropriate, broken down as per the table in 1.4.4. Kindly also note the following as regards financial evaluation.
a. Pricing
All bids in response to this RFP should be expressed in USD or KSH. For those expressed in USD a Kenya Shilling equivalent MUST be given, clearly indicating the exchange rate. Those who do not indicate the Kenya Shilling equivalent MAY not be considered further for evaluation.
NOTE: Expressions in other currencies shall not be permitted.
The VAT amount must clearly be stipulated and separated from the base costs. The quoted prices should be valid for a minimum of 90 days. Any other fees required for deployment and ongoing support must be quoted separately. Provide an itemized list of any other items and related costs that the Supplier deems necessary to meet the requirements specified in the proposal. Failure to provide said list shall not relieve the Supplier from providing such items as necessary to meeting all of the requirements specified in the proposal at the Fixed Price Purchase Costs proposed.
KCB SHALL ONLY MAKE PAYMENTS THROUGH A KCB ACCOUNT AND THUS ALL BIDDERS ARE ENCOURAGED TO OPEN AN ACCOUNT.
The Bank will not make any payments in advance. The Bank will issue an LPO for all the equipment and/or services ordered. The LPO will be paid within 45 days after delivery, testing, installation and acceptance of the equipment and/or services supplied. The bank will not accept partial deliveries. Payment for equipment and/or services will only be made once the entire ordered equipment and/or services are delivered, installed and commissioned.
b. Correction of Errors.
Bids determined to be substantially responsive will be checked by the Bank for any arithmetical errors. Errors will be corrected by the Bank as below:
- Where there is a discrepancy between the amounts in figures and in words, the amount in words will govern, and
- Where there is a discrepancy between the unit rate and the line total resulting from multiplying the unit rate by the quantity, the unit rate as quoted will govern.
The price amount stated in the Bid will be adjusted by the Bank in accordance with the above procedure for the correction of errors.
c. Financial stability
This will involve an assessment of key standard financial ratios and trends for the last 2 years such as profitability, leverage, debt ratio, gross margins and sales turnover.
However, the Bank is under no obligation to award the tender, as per clause 1.4.12.
SECTION 2 SCOPE OF WORK
The security of IT applications has become a mission-critical aspect of the IT Security strategy. We are not only seeking a supplier for the software and hardware but also a partnership with the provider to help KCB Group in leveraging this technology through a sound implementation approach with proven organizational adoption tools. Based on the above, the scope will include the following:
2.1 Supply, install, configure and maintain Database and Web Application Firewall solutions (software, hardware) that will meet the functional and technical requirements.
2.2 Provide Database Firewall solutions with core capabilities for the following database platforms:
- Oracle
- MS-SQL
- Sybase
- DB2
- Informix
- MySQL
- Teradata
- PostgreSQL
- Netezza
2.3 Provide Web Application Firewall solutions with core capabilities of supporting Web and portal applications such as Outlook Web Access (OWA), SharePoint and all custom in-house web applications.
2.4 Develop and propose an implementation methodology with roadmap/schedule, with monitoring targets and risks towards the desired target.
2.5 Provide the implementation services of the solution as stated in the proposed roadmap, from installation and configuration to final deployment of the solution.
2.6 Deliver training services for the Database and Web Application Firewall solution during the implementation for technical staff, for knowledge transfer on both the functional and technical aspects.
2.7 Deliver documentation of the solution from the installation to deployment.
2.8 Provide maintenance service for the solution including software version upgrade and hardware replacement.
2.9 Provide support and assistance including both remote and local/onsite assistance for resolution of major technical problems and/or issues.
2.10 Current Installations
This section provides a brief overview of the KCB establishment that is relevant to the proposed solution. The Kenya Commercial Bank is incorporated in Kenya. The bank's establishment in Kenya consists of 167 branches.
It has 4 other subsidiaries:
- KCB Rwanda - Headquarter + 9 branches
- KCB Tanzania - Headquarter + 10 branches
- KCB Uganda - Headquarter + 14 branches
- KCB Sudan - Headquarter + 20 branches
The Head Office for the group is located in Kencom House, Nairobi, Kenya. Further information about the bank can be obtained from the group's website (http://www.kcbbankgroupgroup.com).
2.11 Brief Overview of Technical Systems Environment
The bank has several computerised systems, the most relevant (for the purpose of this project) of which are as summarised below.
Database / Programming Environments
- MS SQL Server 2000/2005/2008
- Oracle; various flavours of the database including but not limited to versions 8i/9i/10g/11i
- Informix
- JBOSS
- Microsoft .Net 2.0 and above
- Sybase Adaptive Enterprise Server database
- Client-side applications developed in Visual Studio/.Net and PowerBuilder 6.0
Web Applications
- T24 Core banking system from Temenos. This application runs on HP-UX at the backend while the clients are browser based (Firefox and Internet Explorer version 6.1 and above). The backend system is programmed using JBOSS and Oracle.
- Microsoft SharePoint 2007
- Email Applications: MS Exchange 2010.
- Proxy Servers / firewalls: Microsoft ISA Server 2006, CISCO PIX, ASA and Checkpoint firewalls. The Microsoft ISA Server 2006 will be replaced with Microsoft Forefront Threat Management Gateway during the year.
- Sybrin clearing system on Windows environment
- Internet & Mobile banking applications
- TranzWare card system
2.12 Functional Requirements
Functional requirements are indicated in Appendix 1 (Technical Requirements Matrix). The section should be completed in its entirety in the vendor response.
Delivery, Testing and Acceptance (On Successful Bidding)
The product will be deemed to have been:
a) Delivered when
i. The complete machine-readable form of the product together with the product documentation is received at KCB's primary location (IT Division, 7th floor Kencom House, Nairobi); and
b) Tested / POC
ii. The bank will test the proposed solution in a test environment to ascertain that all the functionality as put forward by the supplier is met. Incorrect information discovered at this time will constitute grounds for disqualification. It is the responsibility of the supplier to ensure the requirement defined in the proposal is achieved. The signed proposal will be the sole reference document for any discussion of issues arising related to acceptance; and
c) Accepted when
iii. The solution has been successfully installed and configured on the Production environment by the representative of the Supplier as per product documentation; and
iv. Acceptance Criteria: the Bank will accept the proposed deliverable after it has been fully tested by the bank and confirmed to meet the requirement as specified in the original RFP.
KCB shall endeavour to provide the Production environment as soon as is practically possible. Delivery and performance of the Services shall be made by the successful Bidder in accordance with the time schedule as per the Proposal and subsequent Agreement.
SECTION 3 - GENERAL CONDITIONS OF CONTRACT
3.1 Introduction
Specific terms of contract shall be discussed with the bidder whose proposal will be accepted by the Bank. The resulting contract shall include but not be limited to the general terms of contract as stated below from 3.2 to 3.14.
3.2 Award of Contract
Following the opening and evaluation of proposals, the Bank will award the Contract to the successful bidder whose bid has been determined to be substantially responsive and has been determined as the best evaluated bid. The Bank will communicate to the selected bidder its intention to finalize the draft conditions of engagement submitted earlier with its proposal.
After agreement has been reached, the successful Bidder shall be invited for signing of the Contract Agreement to be prepared by the Bank in consultation with the Bidder.
3.3 Application of General Conditions of Contract
These General Conditions (sections 3.2 to 3.14) shall apply to the extent that they are not superseded by provisions in other parts of the Contract that shall be signed.
3.4 Ownership
The proposal should be modelled along perpetual licensing with annual maintenance costs, which provides the bank the right to continue using the product as is on expiry of the maintenance period.
The Supplier should include a 2-year bundled support and indicate (as a percentage of the product cost where applicable) the cost of continued support after the two years. The bundled support cost should be clearly separated from the cost of the product.
3.5 Bid Validity Period
Bidders are requested to hold their proposals valid for ninety (90) days from the closing date for the submission.
3.6 Performance Security
The Bank may at its discretion require the successful bidder to furnish it with Performance Security. The performance bond amount will be one hundred percent (100%) of the total bid price before the bank can issue any Purchase Order. The performance bond will be valid for a minimum of 9 months and must be provided within 14 days from the date of written notification to the Supplier by the bank to provide the bond. Failure to comply with this requirement will void the tender award and the bank at its sole discretion may award the tender to any other Supplier.
3.6.1 The Performance Security shall be in the form of a bank guarantee issued by a commercial bank operating in Kenya and shall be in a format prescribed by the Bank. The performance guarantee shall be submitted within 10 days of notification of award.
3.6.2 The proceeds of the Performance Security shall be payable to the Kenya Commercial Bank as compensation for any loss resulting from the Bidder's failure to complete its obligations under the Contract.
3.6.3 The Performance Security will be discharged by the Company not later than two months following the date of completion of the Bidder's performance obligations, and the Bank's acceptance of the final report as specified in the contract.
It is a condition of the bank that the Supplier guarantees the sufficiency and effectiveness of the solution proposed to meet the bank's requirements as outlined in this document. The Bank will hold the Supplier solely responsible for the accuracy and completeness of information supplied in response to this tender. The bank will hold the Supplier responsible for the completeness of the solution proposed and, were the Supplier to be awarded the tender, they would implement the solution without any additional requirements from the bank.
3.7 Delays in the Bidder's Performance
3.7.1 Delivery and performance of the Supply, installation and Maintenance of Signage shall be made by the successful Bidder in accordance with the time schedule as per Agreement.
3.7.2 If at any time during the performance of the Contract the Bidder should encounter conditions impeding timely delivery and performance of the Services, the Bidder shall promptly notify the Bank in writing of the fact of the delay, its likely duration and its cause(s). As soon as practicable after receipt of the Bidder's notice, the Bank shall evaluate the situation and may at its discretion extend the Bidder's time for performance, with or without liquidated damages, in which case the extension shall be ratified by the parties by amendment of the Contract.
3.7.3 Except in the case of force majeure as provided in Clause 3.13, a delay by the Bidder in the performance of its delivery obligations shall render the Bidder liable to the imposition of liquidated damages pursuant to Clause 3.8 (Liquidated damages).
3.8 Liquidated Damages for Delay
The contract resulting out of this RFP shall incorporate suitable provisions for the payment of liquidated damages by the bidder in case of delays in performance of the contract.
3.9 Governing Language
The Contract shall be written in the English language. All correspondence and other documents pertaining to the Contract which are exchanged by the parties shall also be in English.
3.10 Applicable Law
The agreement arising out of this RFP shall be governed by and construed in accordance with the laws of Kenya and the parties submit to the exclusive jurisdiction of the Kenyan Courts.
3.11 Bidder's Obligations
3.11.1 The Bidder is obliged to work closely with the Bank's staff, act within its own authority, and abide by directives issued by the Bank that are consistent with the terms of the Contract.
3.11.2 The Bidder will abide by the job safety measures and will indemnify the Bank from all demands or responsibilities arising from accidents or loss of life, the cause of which is the Bidder's negligence. The Bidder will pay all indemnities arising from such incidents and will not hold the Bank responsible or obligated.
3.11.3 The Bidder is responsible for managing the activities of its personnel, or subcontracted personnel, and will hold itself responsible for any misdemeanours.
3.11.4 The Bidder will not disclose the Bank's information it has access to, during the course of the work, to any other third parties without the prior written authorization of the Bank. This clause shall survive the expiry or earlier termination of the contract.
3.11.5 The Bidder shall appoint an experienced counterpart resource to handle this requirement for the duration of the Contract. The Bank may also demand a replacement of the manager if it is not satisfied with the manager's work or for any other reason.
3.11.6 The Bidder shall take the lead role and be jointly responsible with the Bank for producing a finalised project plan and schedule, including identification of all major milestones and specific resources that the Bank is required to provide.
3.11.7 The Supplier represents and warrants that it is entitled to respond to this RFP and that it is fully entitled to the proposed Product by way of reseller licensing or ownership and has the right to sell and/or licence the Product as provided in their RFP response and shall hold KCB harmless from action for infringement of patents and/or copyrights.
3.12 The Bank's Obligations
In addition to providing the Bidder with such information as may be required by the bidder, the Bank shall:
(a) Provide the Bidder with specific and detailed relevant information
(b) In general, provide all relevant information and access to the Bank's premises.
3.13 Confidentiality
The parties undertake on behalf of themselves and their employees, agents and permitted subcontractors that they will keep confidential and will not use for their own purposes (other than fulfilling their obligations under the contemplated contract) nor without the prior written consent of the other disclose to any third party any information of a confidential nature relating to the other (including, without limitation, any trade secrets, confidential or proprietary technical information, trading and financial details and any other information of commercial value) which may become known to them under or in connection with the contemplated contract. The terms of this Clause 2.15 shall survive the expiry or earlier termination of the contract.
3.14 Force Majeure
(a) Neither Bidder nor Bank shall be liable for failure to meet contractual obligations due to Force Majeure.
(b) Force Majeure impediment is taken to mean unforeseen events, which occur after signing the contract with the successful bidder, including but not limited to strikes, blockade, war, mobilization, revolution or riots, natural disaster, acts of God, refusal of licence by Authorities or other stipulations or restrictions by authorities, in so far as such an event prevents or delays the contractual party from fulfilling its obligations, without its being able to prevent or remove the impediment at reasonable cost.
(c) The party involved in a case of Force Majeure shall immediately take reasonable steps to limit the consequences of such an event.
(d) The party who wishes to plead Force Majeure is under obligation to inform the other party in writing without delay of the event, of the time it began and its probable duration. The moment of cessation of the event shall also be reported in writing.
(e) The party who has pleaded a Force Majeure event is under obligation, when requested, to prove its effect on the fulfilling of the contemplated contract.
SECTION 4 : APPENDIXES
Appendix 1 Technical Requirements Matrix
Functional Requirements and Specifications
The tables below provide a feature summary for the products under procurement. All products should be quoted for separately.
Please identify and describe where necessary the levels of support as: Full Support, Partial Support and No Support.
Database Firewall
(Columns: Specification | Description | Level of support. The Level of support column is to be completed by the bidder against each row.)
Supported Database Platforms: Oracle; MS-SQL; Sybase; DB2 (including LUW, z/OS and DB2/400); Informix; MySQL; PostgreSQL; Teradata; Netezza
Deployment Modes: Network: non-inline sniffer, transparent bridge; Agentless collection of 3rd party database audit logs
Performance Overhead: Network monitoring: zero impact on monitored servers; Agent based monitoring: 1-3% CPU resources
Centralized Management across geographically dispersed locations: Web User Interface (HTTP/HTTPS); Command Line Interface (SSH/Console)
Centralized Administration across geographically dispersed locations: MX Server for centralized management; Integrated management option; Hierarchical management
Database Audit Details: SQL operation (raw or parsed); SQL response (raw or parsed); Database, Schema and Object; User name; Timestamp; Source IP, Source OS, Source application; Parameters used; Stored Procedures; DB Server restarts, row level operations
Privileged Activities: All privileged activity, DDL and DCL; Schema changes (CREATE, DROP, ALTER); Creation, modification of accounts, roles and privileges (GRANT, REVOKE)
Access to Sensitive Data: Successful and failed SELECTs; All data changes
Security Exceptions: Failed logins, connection errors, SQL errors
Data Modification: INSERTs, UPDATEs, DELETEs (DML activity)
Stored Procedures: Creation, modification, execution
Triggers: Creation and modification
Tamper-Proof Audit Trail: Audit trail stored in a tamper-proof repository; Encryption or digital signing of audit data; Role based access controls to view audit data (read-only); Real-time visibility of audit data
Fraud Identification: Unauthorized activity on sensitive data; Abnormal activity hours and source; Unexpected user activity; Unexpected database growth/shrinkage
Data Leak Identification: Requests for classified data; Unauthorized/abnormal data extraction
Database Security: Dynamic Profile (white list security); Protocol validation (SQL and protocol validation); Real-time alerts
Platform Security: Operating system intrusion signatures; Known and zero-day worm security
Network Security: Stateful firewall; DoS prevention
Policy Updates: Regular Application Defense Center security and compliance updates
Real-Time Event Management and Report Distribution: SNMP; Syslog; Email; Incident management ticketing integration; Custom followed action task workflow; Integrated graphical reporting; Real-time dashboard
Server Discovery: Automated discovery of database servers
Data Discovery and Classification: Database servers; Financial information; Credit card numbers; System and application credentials; Personal identification information; Custom data types
User Rights Management (add-on option): Audit user rights over database objects; Validate excessive rights over sensitive data; Identify dormant accounts; Track changes to user rights
Vulnerability Assessment: Operating system vulnerabilities; Database vulnerabilities; Configuration flaws; Risk scoring and mitigation steps
Training: Standard product training at an authorized training center for 5 KCB staff. This should include training fees, travel and lodging expenses. Logistics and allowances to be computed at KCB rates.
Support: One year standard support on hardware and software; Two year standard support on hardware and software; Three year standard support on hardware and software
Specification for Database Activity Monitoring
(Columns: ID | Specification | Response. The Response column is to be completed by the bidder against each item.)
Architecture
1 Is the solution appliance based or virtual appliance based?
2 Does the solution require deployment of agents on the database servers?
3 If so, there should be only one agent to monitor all DB activities including local DB traffic and network DB traffic
4 All agents regardless of deployment mode should be managed from the centralized management console
5 Agents should have only minimal overhead for the production DB servers
6 Agent should support AIX, HP-UX, Linux, Solaris and Windows platforms
7 There should not be additional agents required to be installed to monitor and block DB traffic/attacks if required
8 There should not be any 3rd party software to be installed for agents
9 Audit trails should be stored within the solution and should not be stored in any database
10 Audit trails should be tamperproof and should be stored in encrypted flat files.
11 Solution components should be managed centrally.
12 Solution should support the DB platforms below:
- Oracle
- MS-SQL (Microsoft SQL Server)
- DB2 (LUW, z/OS and DB2/400)
- Sybase
- Informix
- MySQL
- PostgreSQL
- Teradata
- Netezza
Database Discovery
1 Solution should discover both new and existing database systems and should map all on the network.
2 Product should provide automated discovery of both new and existing database tables
3 Product should keep the historical information about the systems and their configuration.
4 Product should show changes since the last scan for DB discovery and configuration
5 Solution should support identification of rogue or test databases
6 Solution should discover asset management and change management processes
Data Classification
1 The product should perform data discovery and classification
2 Solution should detect sensitive data types, such as credit card numbers, social security numbers, etc., in database objects
3 The solution should locate custom data types in database objects
Vulnerability Assessments
1 Solution should have database vulnerability assessment tests for assessing the vulnerabilities and mis-configurations of database servers and their OS platforms. OSs and RDBMSs are tested for known exploits and mis-configurations.
2 Solution should have a comprehensive list of pre-defined assessment policies and tests to address PCI-DSS, SOX and HIPAA requirements. Vulnerabilities specific to Oracle EBS and PeopleSoft databases can also be detected. In addition, the following tests should be included:
- Latest patches and releases installed
- Changes to database files
- Default accounts and passwords
- Newly created/updated logins
- Remote OS authentication enabled
- Escalated user privileges granted
3 Should be able to add custom assessments to the solution
4 Solution should support user created scripts for assessment tests.
5 The product should identify missing patches
6 The solution should verify that default database accounts do not have a default password
7 The product should be used to measure compliance with industry standards and regulations
Vulnerability Assessment Result Analysis and Reporting
1 The product should present a view of risk to data by vulnerability and the sensitivity of the data
2 Solution should have database vulnerability assessment tests for assessing the vulnerabilities and mis-configurations of database servers and their OS platforms. OSs and RDBMSs are tested for known exploits and mis-configurations.
3 Solution should have a comprehensive list of pre-defined assessment policies and tests to address PCI-DSS, SOX and HIPAA requirements. Vulnerabilities specific to SAP, Oracle EBS and PeopleSoft databases can also be detected. In addition, the following tests should be included:
- Latest patches and releases installed
- Changes to database files
- Default accounts and passwords
- Newly created/updated logins
- Remote OS authentication enabled
- Escalated user privileges granted
4 The solution should have pre-defined reports.
5 The product should support custom report generation.
6 The product should compare the results of a discovery, classification or assessment job with a previous run
7 Should have an option to distribute reports on demand and automatically (on schedule)
Remediation (optional: for future requirement)
1 The product can be upgraded for mitigation of risk to sensitive data stored in databases?
2 Should have an option to upgrade the product to actively prevent attempts to exploit known vulnerabilities
3 The solution can be upgraded to offer virtual patching capabilities (protecting the database from known vulnerabilities without deploying a patch or script on the system)
Database Activity Monitoring
1 Solution should have an appliance/virtual appliance to monitor network based database activity and should have agents to monitor local DB activity
2 Should the product employ a centralized appliance
3 Solution should provide for centralized control of collected information
4 Should have a DBMS product to be used as part of the appliance package to store configuration and alert logs, not for storing audit data
5 The solution should support high-availability
6 Product should be able to be installed in sniffing mode or inline mode.
7 Solution should have built in bypass (fail open) for inline mode
7 Solution should support the databases below: Oracle, MS SQL, DB2, Informix, Sybase, MySQL, Teradata, Netezza
8 The solution should not use the native database audit functionality.
9 The solution should not employ transaction log auditing?
10 Should be able to integrate with leading SIEM tools
11 The product should have means to archive and restore data
12 The agent should not require a reboot after installation/configuration
13 The solution should not require any changes to the monitored database and/or application
14 The solution should not require a database restart after installation/configuration?
15 The audited data transferred between the agent and the appliance should be through an encrypted channel
16 The solution should capture before and after images of data that is being manipulated
17 Product should identify differences in baseline user activity.
18 The solution should capture SELECT activity by user/role
19 The solution should capture update, insert, delete (DML) activity by user/role
20 The solution should capture schema/object changes (DDL) activity by user/role
21 The solution should capture manipulation of accounts, roles and privileges (DCL) by user/role
22 DAM should monitor privileged operations, including both SQL and protocol level operations.
23 DAM should monitor MS SQL statements where caching is used
24 DAM solution should be able to monitor activities at any new DB interface/connector created by any user/system without any manual intervention
25 The solution should have an automated mechanism for updating security configurations/policies
Alerting and Blocking Capabilities
1 The solution should provide an automated, real-time event alert mechanism
2 The solution should have an option to upgrade to block database attacks in real-time
3 The solution should monitor privileged users
4 The solution should have an option to upgrade to block privileged users' activity if required
5 The solution should monitor for all DB attacks like SQL injection and alert even if the traffic is not audited.
6 The solution should have an option to upgrade to block DB attacks like SQL injection in real time.
7 The solution should 100% monitor the DB traffic for all DB violations and attacks even if the traffic is not being audited
Reporting
1 Solution should have packaged reporting capabilities
2 Product should support use of pre-configured policies/reports (PCI, SOX, HIPAA) for ensuring regulatory compliance
3 Product should have functionality to assist with security event forensics
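The Tamper-Proof Audit Trail row of the Database Firewall table and items 9, 10 and 15 of the Database Activity Monitoring architecture list above describe what a bidder's audit repository has to guarantee: records kept outside the monitored database, encrypted at rest, transported over an encrypted channel, and detectably unmodifiable. The Python block below is an added example written for this page (it is not KCB's text or any vendor's product code) showing one way those properties are built: each record carries the hash of its predecessor and an HMAC under a repository key, and the chain is persisted as an encrypted flat file. The key, the sample events, the file layout and the keystream cipher are constructed for the example; a production repository would hold the key in an HSM or KMS and use an AEAD such as AES-GCM.

```python
"""Tamper-evident audit trail: hash chain + HMAC, stored as an encrypted flat file.

Added example for this page, not KCB's text or any vendor's code. The key,
the events, the file format and the keystream cipher are constructed for
the demonstration only.
"""
import hashlib
import hmac
import json
import os
import tempfile

DEMO_KEY = b"constructed-demo-key-not-for-production"  # would come from an HSM/KMS
GENESIS = "0" * 64  # "previous hash" of the first record


def _canonical(record: dict) -> bytes:
    """Stable byte encoding so signer and verifier hash identical input."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """SHA-256 counter-mode keystream XOR (constructed stand-in for an AEAD)."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + offset.to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)


def append_event(chain: list, event: dict, key: bytes = DEMO_KEY) -> dict:
    """Link a new audit event to its predecessor and sign it."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS
    record = {"seq": len(chain), "prev": prev_hash, "event": event}
    record["hash"] = hashlib.sha256(_canonical(record)).hexdigest()
    record["mac"] = hmac.new(key, record["hash"].encode(), hashlib.sha256).hexdigest()
    chain.append(record)
    return record


def verify_chain(chain: list, key: bytes = DEMO_KEY) -> tuple:
    """Return (intact, index_of_first_bad_record); the index is -1 when intact."""
    prev_hash = GENESIS
    for i, rec in enumerate(chain):
        core = {"seq": rec["seq"], "prev": rec["prev"], "event": rec["event"]}
        if rec["seq"] != i or rec["prev"] != prev_hash:
            return False, i  # record moved, inserted or deleted
        if hashlib.sha256(_canonical(core)).hexdigest() != rec["hash"]:
            return False, i  # record contents edited
        expected = hmac.new(key, rec["hash"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, rec["mac"]):
            return False, i  # hash recomputed by someone without the key
        prev_hash = rec["hash"]
    return True, -1


def write_encrypted(chain: list, path: str, key: bytes = DEMO_KEY) -> None:
    """Persist the chain as an encrypted flat file (nonce || ciphertext)."""
    nonce = os.urandom(16)
    with open(path, "wb") as fh:
        fh.write(nonce + _keystream_xor(key, nonce, json.dumps(chain).encode()))


def read_encrypted(path: str, key: bytes = DEMO_KEY) -> list:
    """Load and decrypt a chain written by write_encrypted."""
    with open(path, "rb") as fh:
        blob = fh.read()
    return json.loads(_keystream_xor(key, blob[:16], blob[16:]))


def demo() -> dict:
    """Build a chain from constructed DB audit events, round-trip it, tamper with it."""
    chain = []
    for ev in [  # constructed sample events
        {"user": "app_svc", "src_ip": "10.0.0.21", "sql": "SELECT * FROM accounts WHERE id=42"},
        {"user": "dba01", "src_ip": "10.0.0.5", "sql": "GRANT DBA TO temp_user"},
        {"user": "dba01", "src_ip": "10.0.0.5", "sql": "DELETE FROM audit_cfg"},
    ]:
        append_event(chain, ev)
    intact, _ = verify_chain(chain)

    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "audit_demo.bin")
    write_encrypted(chain, path)
    restored = read_encrypted(path)
    os.remove(path)
    os.rmdir(workdir)
    roundtrip_ok, _ = verify_chain(restored)

    edited = json.loads(json.dumps(chain))  # deep copy
    edited[1]["event"]["sql"] = "SELECT 1"  # an insider rewrites the GRANT record
    edited_ok, edited_at = verify_chain(edited)

    deleted = json.loads(json.dumps(chain))
    del deleted[1]  # the GRANT record is removed entirely
    deleted_ok, deleted_at = verify_chain(deleted)

    return {"intact": intact, "roundtrip_ok": roundtrip_ok,
            "edited_ok": edited_ok, "edited_at": edited_at,
            "deleted_ok": deleted_ok, "deleted_at": deleted_at}


if __name__ == "__main__":
    print(demo())
```

verify_chain reports the index of the first record that fails, so an operator can see where editing or deletion happened rather than only that the file is bad. Truncation at the tail (dropping the newest records) is not caught by the chain alone; anchoring the latest hash somewhere the repository cannot rewrite, such as the SIEM feed the matrix also requires, closes that gap.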
Web Application Firewall
(Columns: Specification | Description | Feature Support. The Feature Support value is given in brackets at the end of each row.)
Web Security: Dynamic Profile (white list security); Web server & application signatures; Reputation based security and IP geolocation; HTTP RFC compliance; Normalization of encoded data; Automated-client detection (Required)
Application Attacks Prevented: Refer to Appendix I (Required)
HTTPS/SSL Inspection: Passive decryption or termination; Optional HSM for SSL key storage (Required)
Web Services Security: XML/SOAP profile enforcement; Web services signatures; XML protocol conformance (Required)
Web Fraud Prevention: Fraud and malware detection (Required)
Content Modification: URL rewriting (obfuscation); Cookie signing; Cookie encryption; Custom error messages; Error code handling (Required)
Platform Security: Operating system intrusion signatures; Known and zero-day worm security (Required)
Network Security: Stateful firewall; DoS prevention (Required)
Advanced Protection: Correlation rules incorporating all security elements (white list, black list) to detect complex, multi-stage attacks (Required)
Data Leak Prevention: Credit card numbers; PII (personally identifiable information); Pattern matching (Required)
Policy/Signature Updates: Frequent security updates (Required)
Authentication: Support for RSA Access Manager for two-factor authentication; Support for LDAP (Active Directory); Support for SSL client certificates (Required)
User Awareness: Automated tracking of web application users (Required)
Deployment Mode: Transparent Bridge (Layer 2); Reverse Proxy and Transparent Proxy (Layer 7); Non-inline sniffer (Required)
Management: Support for a Web User Interface (HTTP/HTTPS); Command Line Interface (SSH/Console) (Required)
Administration: MX Server for centralized management (Required)
Logging/Monitoring: SNMP; Syslog; Email; Integrated graphical reporting; Real-time dashboard (Required)
High Availability: IMPVHA (Active/Active, Active/Passive); Fail open interfaces (bridge mode only); Support for VRRP; Support for STP and RSTP (Required)
Solution Delivery Option: Physical appliance (Required)
Web Application Vulnerability Scanner Integration: WhiteHat, IBM, Cenzic, NT OBJECTives, HP, Qualys, and Beyond Security (Required)
Enterprise Application Support: SIEM/SIM tools: ArcSight, RSA enVision, Prism Microsystems, Q1 Labs, TriGeo, NetIQ; Log Management: CA ELM, SenSage, Infoscience Corporation (Required)
TCP/IP Support: IPv4, IPv6 (Required)
Training: Standard product training at an authorized training center for 5 KCB staff. This should include training fees, travel and lodging expenses. Logistics and allowances to be computed at KCB rates. (Required)
Support: One year standard support on hardware and software (Required)
Specification for Web Access Firewall
(Columns: ID | Specification | Remarks. The Remarks column is to be completed by the bidder against each item.)
Policy Management
- The WAF shall be able to automatically build policies
- The WAF shall be able to manually accept false positives by simple means (check box)
- The WAF shall be able to define different policies for different applications
- The WAF shall be able to create custom attack signatures or events
- The WAF shall be able to customize Denial of Service policies
- The WAF shall be able to combine detection and prevention techniques
- The WAF shall have a policy roll-back mechanism
- The WAF shall be able to do versioning of policies
- The WAF shall have a built-in real-time policy builder with automatic self-learning and creation of security policies
- The WAF shall have prebuilt policies for applications, e.g. Microsoft SharePoint, OWA, SAP, Oracle E-Business, Siebel, for fast deployment
Profile Learning Process
- The WAF shall be able to recognise trusted hosts
- The WAF shall be able to learn about the application without human intervention
- The WAF shall be able to inspect policy (auditing + reporting)
- The WAF shall be able to protect new content pages and objects without policy modifications
Configuration Management
- The WAF shall have role-based management with user authentication
- The WAF shall be able to replace/customize error and blocked pages
- The WAF shall have configurable security levels
Logs and Monitoring
- The WAF shall have the ability to identify and notify system faults and loss of performance (SNMP, syslog, e-mail, ...)
- The WAF shall have the ability to customize logging
- The WAF shall have the ability to generate service and system statistics
- The WAF shall be able to perform time synchronisation (NTP, ...)
Miscellaneous
- The WAF shall have a robust and reliable GUI interface
- The WAF shall be able to be managed via serial console, SSH or HTTPS web GUI
- The WAF shall be able to support caching and compression in a single platform
- The WAF shall be able to prevent OS fingerprinting
- The WAF shall be able to perform data guard and cloaking (hiding of error pages and application error pages)
- The WAF shall be able to integrate with vulnerability testing tools (e.g. WhiteHat Sentinel) for automated instant policy tuning
- The WAF shall be able to be implemented and installed on application delivery controller (ADC) hardware platforms and managed from the same GUI.
SSL capabilities
- The WAF shall be capable of terminating HTTPS traffic for HTTP websites
- The WAF shall be FIPS 140-2 compliant
- The WAF shall have SSL accelerators available for SSL offloading
- The WAF shall store the certificate private key on the WAF using a secure mechanism
- The WAF shall store the certificate private key on the WAF using a secure mechanism, and a passphrase
- The WAF shall be capable of communication to a backend application server using HTTPS
- The WAF shall be capable of tuning the SSL parameters, such as the SSL encryption method used and SSL version
HTTP/HTML & XML
- The WAF shall support HTTP 1.0 and 1.1 versions
- The WAF shall support application/x-www-form-urlencoded encoding
- The WAF shall support v0 cookies
- The WAF shall support v1 cookies
- The WAF shall enforce cookie types used
- The WAF shall support chunked encoding in requests
- The WAF shall support chunked encoding in responses
- The WAF shall support response compression
- The WAF shall support application flow management and manually defined site flow and object policies
- The WAF shall support all character sets during validation
- The WAF shall restrict methods used, e.g. GET, POST, all other methods
- The WAF shall restrict protocols and protocol versions used
- The WAF shall support multi-byte language encoding
- The WAF shall validate URL-encoded characters
- The WAF shall restrict request method length
- The WAF shall restrict request line length
- The WAF shall restrict request URI length
- The WAF shall restrict query string length
- The WAF shall restrict protocol (name and version) length
- The WAF shall restrict the number of headers
- The WAF shall restrict header name length
- The WAF shall restrict header value length
- The WAF shall restrict request body length
- The WAF shall restrict cookie name length
- The WAF shall restrict cookie value length
- The WAF shall restrict the number of cookies
- The WAF shall restrict parameter name length
- The WAF shall restrict parameter value length
- The WAF shall restrict the number of parameters
- The WAF shall restrict combined parameter length (names and values together)
- The WAF shall support protection of XML Web Services
- The WAF shall restrict XML Web Services access to methods defined via Web Services Description Language (WSDL)
- The WAF shall be able to perform information display masking/scrubbing on requests and responses
- The WAF shall be able to perform validation for Web Services XML documents
- The WAF shall be able to monitor latency of Layer 7 (application layer) traffic to detect spikes and anomalies in the typical traffic pattern in order to detect, report on, and prevent Layer 7 DoS attacks.
The WAF shall be able to detect, report on, and prevent Layer 7 (application layer) brute force attack attempts to break into secured areas of a web application by trying exhaustive, systematic permutations of codes or username/password combinations to discover legitimate authentication credentials.
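The length and method restrictions listed above are usually enforced as one policy check on the parsed request. The following is an added example (not code from the tender or from any vendor) that evaluates a raw HTTP/1.x request against such a policy; the limit values and the sample request are constructed.

```python
from urllib.parse import parse_qsl, urlsplit

# Constructed sample policy: the tender says which sizes must be limitable, not the values.
LIMITS = {
    "method_len": 7, "request_line_len": 2048, "uri_len": 1024,
    "query_len": 512, "protocol_len": 8, "header_count": 32,
    "header_name_len": 64, "header_value_len": 1024, "body_len": 8192,
    "cookie_count": 16, "cookie_name_len": 64, "cookie_value_len": 256,
    "param_count": 32, "param_name_len": 64, "param_value_len": 256,
    "params_total_len": 4096,
}
ALLOWED_METHODS = {"GET", "POST"}  # "restrict methods used, e.g. GET, POST"


def check_request(raw: bytes, limits=LIMITS):
    """Return the list of policy violations for one raw HTTP/1.x request."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    request_line, header_lines = lines[0], lines[1:]
    method, _, rest = request_line.partition(" ")
    target, _, protocol = rest.rpartition(" ")
    violations = []

    def over(name, value):  # record a violation when value exceeds limits[name]
        if value > limits[name]:
            violations.append(f"{name}: {value} > {limits[name]}")

    if method not in ALLOWED_METHODS:
        violations.append(f"method not allowed: {method}")
    over("method_len", len(method))
    over("request_line_len", len(request_line))
    over("uri_len", len(target))
    over("query_len", len(urlsplit(target).query))
    over("protocol_len", len(protocol))
    over("header_count", len(header_lines))
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        over("header_name_len", len(name.strip()))
        over("header_value_len", len(value.strip()))
        headers[name.strip().lower()] = value.strip()
    over("body_len", len(body))
    # Cookies: count plus per-name and per-value length.
    cookies = [c.strip().partition("=") for c in headers.get("cookie", "").split(";") if c.strip()]
    over("cookie_count", len(cookies))
    for cname, _, cvalue in cookies:
        over("cookie_name_len", len(cname))
        over("cookie_value_len", len(cvalue))
    # Parameters come from the query string and, for form POSTs, from the body.
    params = parse_qsl(urlsplit(target).query, keep_blank_values=True)
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        params += parse_qsl(body.decode("latin-1"), keep_blank_values=True)
    over("param_count", len(params))
    for pname, pvalue in params:
        over("param_name_len", len(pname))
        over("param_value_len", len(pvalue))
    over("params_total_len", sum(len(n) + len(v) for n, v in params))
    return violations


# Constructed sample request: one form field is 300 bytes, over the 256-byte limit.
SAMPLE = (b"POST /login HTTP/1.1\r\nHost: bank.example\r\n"
          b"Content-Type: application/x-www-form-urlencoded\r\n"
          b"Cookie: session=abc123; lang=en\r\n\r\n"
          b"user=alice&pass=" + b"A" * 300)
```

`check_request(SAMPLE)` reports only the oversized parameter value; a request using a method outside the allow list is reported regardless of its sizes.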
Detection techniques
The WAF shall be able to support the following detection techniques:
URL-decoding
Null byte string termination
Self-referencing paths (i.e. use of /./ and encoded equivalents)
Path back-references (i.e. use of /../ and encoded equivalents)
Mixed case
Excessive use of whitespace
Comment removal (e.g. convert DELETE/**/FROM to DELETE FROM)
Conversion of (Windows-supported) backslash characters into forward slash characters
Conversion of IIS-specific Unicode encoding (%uXXYY)
Decode HTML entities (e.g. c, ", )
Escaped characters (e.g. \t, \001, \xAA, \uAABB)
Negative security model techniques
Positive security model support - an "allow what's known" policy, blocking all unknown traffic and data types
Positive security model configuration
Application flow
Dynamic positive security model configuration maintenance
Built-in process engine to detect evasion techniques like cross site scripting
Is there an out of the box rule database available
Automated regular signature updates
Operates in a full proxy architecture and inline control over all traffic through the WAF
Ability to hide back-end application server OS fingerprinting data and application-specific information
Ability to protect against malicious activity within, and hijacking of, embedded client side code (JavaScript, VBScript, etc.)
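The decoding and path techniques listed above only work if they are applied before a signature or allow-list check, so that every encoded variant of an input is compared in one canonical form. The following is an added example (not the tender's or any vendor's implementation) that chains those steps and then applies the "allow what's known" positive model to a URL path; the step order, the allow list and the sample paths are constructed.

```python
import html
import posixpath
import re
from urllib.parse import unquote

KNOWN_URLS = {"/login", "/account/summary"}  # constructed positive-model allow list


def decode_iis_unicode(s: str) -> str:
    """Resolve IIS-specific %uXXYY escapes."""
    return re.sub(r"%u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), s)


def unescape_c_style(s: str) -> str:
    """Resolve \\t, \\001 (octal), \\xAA and \\uAABB escapes."""
    s = re.sub(r"\\u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), s)
    s = re.sub(r"\\x([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), s)
    s = re.sub(r"\\([0-7]{1,3})", lambda m: chr(int(m.group(1), 8)), s)
    return s.replace("\\t", "\t")


def normalize(value: str, max_rounds: int = 3) -> str:
    """Return the canonical form of a URL path, parameter or header value."""
    s = value
    for _ in range(max_rounds):  # repeated decoding catches double-encoded input
        decoded = unescape_c_style(html.unescape(unquote(decode_iis_unicode(s))))
        if decoded == s:
            break
        s = decoded
    s = s.split("\0", 1)[0]                        # null byte string termination
    s = s.replace("\\", "/")                       # Windows backslashes to forward slashes
    if s.startswith("/"):                          # resolve /./ and /../ segments
        s = posixpath.normpath(s)
    s = re.sub(r"/\*.*?\*/", " ", s, flags=re.S)   # each comment becomes one space
    s = re.sub(r"\s+", " ", s).strip()             # excessive whitespace
    return s.lower()                               # mixed case


def is_known_url(path: str, known=KNOWN_URLS) -> bool:
    """Positive security model: only canonical paths on the allow list pass."""
    return normalize(path) in known
```

Because matching happens on the normalized form, `/Account/./Summary` is accepted as the known `/account/summary`, while a double-encoded or %u-encoded back-reference resolves to `/admin` and is rejected as unknown.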
Incident Response capabilities
The WAF shall be capable of logging security events with syslog
The WAF shall be capable of logging security events with SNMP
The WAF shall be capable of being monitored with SNMP for statistical information
The WAF shall support monitoring using SNMP version 3
Support tools
The WAF shall be capable of being restored to factory defaults
The WAF shall support an open API that will be able to fully administer the WAF.
Redundancy Capabilities
The WAF shall be able to support High Availability failover via network or serial
The WAF shall be able to perform application level health checks of the back end servers
Network and Performance
The WAF shall be able to support VLAN configuration through a built-in switch
The WAF shall be able to perform TCP/IP optimization
The WAF shall be able to perform packet filtering
Implemented concepts to cover vulnerabilities (OWASP based)
The WAF shall be able to protect against:
Unvalidated input
Injection flaws
SQL injection
OS injection
Parameter tampering
Cookie poisoning
Hidden field manipulation
Cross site scripting flaws
Buffer overflows
Broken access control
Broken authentication and session management
Improper error handling
XML bombs/DoS
Forceful browsing
Sensitive information leakage
Session hijacking
Denial of service
Request smuggling
Cookie manipulation
Certification
The WAF shall be an ICSA certified web application firewall
MX Management Server
Specification | Description | Remarks
Management | Intuitive Web User Interface (HTTP/HTTPS); Command Line Interface (SSH/Console) |
Provisioning | MX Management Server centrally provisions, manages, and monitors up to 15 SecureSphere gateways; Supports distributed, heterogeneous deployments of Web and database gateways |
Out-of-Band Management | Out-of-band management supported via out-of-band management ports in SecureSphere gateways |
Management Communications | SSL encrypted communications between MX Management server and SecureSphere gateways |
Policy/Signature Updates | Security updates provided weekly or immediately for critical threats |
Hierarchical Management | Policies may be defined hierarchically, via a flexible, object oriented policy framework. |
Role-Based Administration | Completely customizable roles and privileges; Users can be assigned roles; Users inherit all privileges of the group; User authentication supports LDAP and SSL certificate |
Alerts | SNMP; Syslog; Email; Incident management ticketing integration; Custom followed action; Integrated graphical reporting; Real-time dashboard |
Workflow | Task-oriented workflow engine |
Internal Data Storage | Audit trail stored in tamper-proof repository; Optional encryption or digital signing of audit data; Role-based access controls to view audit data (read-only); Real-time visibility of audit data |
External Data Storage and Archiving | SAN (Fibre Channel interfaces) for online access; NAS for online access; NFS*; FTP*; HTTP/S*; SCP* (* Data is compressed and archived) |
Supported Products | Database Activity Monitoring; Database Firewall; Discovery and Assessment Server; File Activity Monitoring; File Firewall; SecureSphere for SharePoint; Web Application Firewall |
Support | One year standard support on hardware and software |
Non-Functional Requirements and Specifications
ID | Non Functional Requirements | Remarks

USER INTERFACE
Provision of portals/screens for non-technical stakeholder usage, suitable for auditors and security professionals without detailed knowledge of database internals.

DOCUMENTATION
- Schematic
Provision of the Application Architecture Schematic for Production and DR Sites and High Availability (HA)
- System Manual - provides an overview of the system including the system objectives, system functionality, equipment configuration, software inventory, etc.
Documentation of Application Objectives
Documentation of Application Functions, i.e. Function ID/Name, Function Description, Mode (e.g. Online/Batch, Enquiry/Update)
Documentation of Equipment Configurations, i.e. Computer Manufacturer, Model Number, Serial Number, IP Address, OS Version, Database Version
Documentation of Software Inventories, i.e. Program ID/Name, Functions of the program; in the case of a client/server application the location of the program (e.g. Database Server, Application Server, Client etc.) should be specified
Documentation in detail of the system security profiles and data protection measures on system functions
Documentation in detail of the Disaster Recovery Plan and Procedures of the system
- Location of soft copy of the System
The latest version of all the programs should be kept in softcopy for future reference and maintenance on KCB premises and included in the documentation
- Data Manual - The Data Manual documents all data captured, processed or produced by the system
Documentation of the database schema of the application which shows the relationship among files/tables and other groups of data, e.g. Entity-Relationship Diagram
Screen/Report Description Documentation, i.e. List of Screens, Screen Layout, List of Reports, Report Layout
- Application Manual - documents an overview of the system and provides detailed user instructions and procedures for all functionality provided by the system.
Documentation of user procedure descriptions and instructions in detail covering areas like batching of input data, control of documents, actions on specific events, error amendments, etc.

SYSTEM INTERFACING AND INTEGRATION
Integration with existing reporting, workflow, and trouble-ticketing systems, e.g. Synergy Pro Helpdesk, App Server
Compliance to Service Oriented Architecture
The solution shall support Java Database Connectivity (JDBC) and Microsoft connectivity technology (such as Open Database Connectivity (ODBC) or Object Linking and Embedding Database [OLEDB]).
SECURITY
Support Security Using Database Access Controls. The solution shall support database security using the following database access controls: GRANT and REVOKE privilege facilities, the VIEW definition capabilities, and some Discretionary Access Control (DAC) mechanisms.

CONFORMANCE TO INDUSTRY BEST STANDARDS
The Web Application Firewall Solution shall be endorsed by the Web Application Security Consortium (WASC) and OWASP
Deliverables
At the end of the implementation exercise, the solution provider should provide a comprehensive report with details of the completed implementation work. The report will consist of, among others, the following:
1. Fully installed, well integrated, customized and functioning Database Firewall solutions for the needs of KCB.
2. Fully installed, well integrated, customized and functioning Web Application Firewall solutions for the needs of KCB.
3. Fully installed, well integrated, customized and functioning MX Management Server
4. Two fully installed HP TouchSmart IQ816 Computers to facilitate a monitoring center for this Database and Web Application Firewall solution
5. Presentation of the working solution to the IT management and staff of KCB after completion of the implementation for review and feedback.
6. An executive summary report for Management of the implemented solutions
APPENDIX 2 REFERENCE SITES
References of similar implementations/deployments of such a product for organizations similar to KCB in size and complexity, done over the past one year.
1. Prior Services Performed for:
Company Name:
Address:
Contact Name:
Telephone Number:
Date of Contract:
Length of Contract:
Description of Prior Services (include dates):
2. Prior Services Performed for:
Company Name:
Address:
Contact Name:
Telephone Number:
Date of Contract:
Length of Contract:
Description of Prior Services (include dates):
3. Prior Services Performed for:
Company Name:
Address:
Contact Name:
Telephone Number:
Date of Contract:
Length of Contract:
Description of Prior Services (include dates):
(repeat as relevant)
APPENDIX 3 - WEB APPLICATION SECURITY & COMMON ATTACKS
The solution must be able to detect and block the following Web application threats:
1. Anonymous Proxy Vulnerabilities
2. Brute Force Login
3. Buffer Overflow
4. Cookie Injection
5. Cookie Poisoning
6. Corporate Espionage
7. Credit Card Exposure
8. Cross Site Request Forgery (CSRF)
9. Cross Site Scripting (XSS)
10. Data Destruction
11. Directory Traversal
12. Drive-by-Downloads
13. Forceful Browsing
14. Form Field Tampering
15. Google Hacking
16. HTTP Distributed Denial of Service (DDoS)
17. HTTP Response Splitting
18. HTTP Verb Tampering
19. Illegal Encoding

1. Known Worms
2. Malicious Encoding
3. Malicious Robots
4. OS Command Injection
5. Parameter Tampering
6. Patient Data Disclosure
7. Phishing Attacks
8. Remote File Inclusion Attacks
9. Sensitive Data Leakage (Social Security Numbers, Cardholder Data, PII, HPI)
10. Session Hijacking
11. Site Reconnaissance
12. Site Scraping
13. SQL Injection
14. Web server software and operating system attacks
15. Web Services (XML) attacks
16. Zero Day Web Worms
APPENDIX 4 : LIST OF DATABASES
No. | Application | Database Type | Server Machine Type | CPU cores | Processor Type | Total processor cores
1 | T24 | Oracle | HP superdome1 | 32 | itanium | 32
2 | NetTeller | Oracle | HP BLade685c | 32 | intel xeon | 32
3 | CQ | MsSQL | HP BLade685c | 2 processors (8 CPU's) | AMD Opteron | 16
4 | Mobi | Oracle | HP BLade685c | 32 | intel xeon | 32
5 | Mobiloan | PostgreSQL | HP BLade685c | 32 | intel xeon | 32
6 | sybrin | MsSQL | HP BLade685c | 2 processors (8 CPU's) | AMD Opteron | 16
7 | kondor+ | Sybase | HP BLade685c | 32 | intel xeon | 32
8 | ChannelManager/NOBS | MySQL | HP BLade685c | 32 | intel xeon | 32
9 | QuickPay | MsSQL | HP BLade685c | 32 | intel xeon | 32
10 | TransWare - TWO - TWCMS - TWI - TWFA - TWCF | Oracle | HP BLade685c | 32 | intel xeon | 32 each
APPENDIX 5 SUPPLIER QUESTIONNAIRE
Bidders willing to be considered for the tender for SUPPLY AND IMPLEMENTATION OF A DATABASE AND WEB APPLICATION SECURITY/FIREWALL SOLUTION are expected to furnish the Company with, among others, the following vital information, which will be treated in strict confidence by the Company.
1.0 CORPORATE INFORMATION
No. | PARTICULARS | RESPONSE [If space is insufficient, please use a separate sheet]
1.1 Full name of organization:
1.2 Is your organization (Please tick one):
i) a public limited incorporated company? Attach a copy of Certificate of incorporation including any Certificate of Change of Name, Memorandum & Articles of Association
ii) a public listed company? If yes, please attach a copy of Certificate of incorporation including any Certificate of Change of Name, Memorandum & Articles of Association
iii) a limited incorporated company? If yes, please attach a copy of Certificate of incorporation including any Certificate of Change of Name, Memorandum & Articles of Association
iv) a partnership? If yes, please attach a certified copy of the Partnership Deed and business name certificate
v) a sole trader? If yes, please attach a certified copy of the business name certificate
vi) other (please specify)
1.3 Company Registration number (if this applies) - attach a copy of Certificate of incorporation including any Certificate of Change of Name or relevant certificate from country of incorporation.
1.4 Date and country of Registration:
1.5 Full physical address of principal place of business:
Full postal address of the business:
1.6 Registered address if different from the above:
Post Code:
1.7 Telephone number:
1.8 Fax number:
1.9 E-mail address:
1.10 Website address (if any):
1.11 Company/Partnership/Sole Trader Tax PIN: (Please provide a certified copy of the PIN Certificate)
1.12 VAT Registration number: (Please provide a certified copy of the VAT Certificate)
1.13 Period in which you have been in the specific business for which you wish to bid.
1.14 Current Dealership letter/certification for Equipment, preferably issued in 2012.
1.15 Names of the Shareholders, Directors and Partners. If a Kenyan company please provide an original search report issued by the Registrar of Companies showing the directors and shareholders (Companies Form CR 12).
1.16 Associated companies (if any)
1.17 Please provide a copy of the latest annual returns together with the filing receipt as filed at the Companies Registry
1.17 Name of (ultimate) parent/holding company (if this applies):
1.18 Company number of parent/holding company (if this applies):
1.19 If a consortium is expressing interest, please give the full name of the other organisation (the proposed consortium partners should also complete this questionnaire in its entirety)
1.20 Name and contacts of the Legal Representative of the company; Name, Title; Telephone, Fax and Email address.
1.21 Contact person within the organisation to whom enquiries about this bid should be directed:
NAME:
TITLE:
TEL:
FAX:
EMAIL:
2.0 FINANCIAL INFORMATION
No. PARTICULARS
2.1 What was your turnover in the last two years?
for year ended --/--/----
for year ended --/--/----
2.2 Has your organisation met all its obligations to pay its creditors and staff during the past year?
Yes / No
If no, please give details:
2.3 Have you had any contracts terminated for poor performance in the last three years, or any contracts where damages have been claimed by the contracting authority?
Yes / No
If yes, please give details:
2.4 What is the name and branch of your bankers (who could provide a reference)?
Name:
Branch:
Telephone Number:
Postal Address:
Contact Person Name:
Contact Position:
Contact E-mail:
2.5 Provide a copy of the following
A copy of your most recent audited accounts (for the last three years)
A statement of your turnover, profit & loss account and cash flow for the most recent year of trading (for the last three years)
A statement of your cash flow forecast for the current year and a bank letter outlining the current cash and credit position.
3.0 BUSINESS ACTIVITIES
No. PARTICULARS
3.1 What are the main business activities of your organisation? i.e. Manufacturer, Assembler, Distributor, service centre, retailer,