exhibit 2.2 description of services: cross functional

Contract No. VA-160926-HPEN, Exhibit 2.2 (Description of Services: Cross Functional) September 26, 2016

Exhibit 2.2 (Description of Services: Cross Functional) of 47

Exhibit 2.2

Description of Services: Cross Functional

Table of Contents 1.0 Introduction ............................................................................................................................................................................................................. 4

1.1 Service Management Practices ............................................................................................................................................................................ 5

2.0 Service Strategy........................................................................................................................................................................................................ 7

2.1 Strategy Generation and Management ............................................................................................................................................................... 7

2.2 Financial Management....................................................................................................................................................................................... 10

2.3 Service Portfolio Management .......................................................................................................................................................................... 11

2.4 Demand Management ....................................................................................................................................................................................... 12

2.5 Business Relationship Management .................................................................................................................................................................. 12

3.0 Service Design ........................................................................................................................................................................................................ 13

3.1 Design Coordination........................................................................................................................................................................................... 13

3.2 Services Catalog Management ........................................................................................................................................................................... 14

3.3 Service Level Management ................................................................................................................................................................................ 14

3.4 Availability Management ................................................................................................................................................................................... 15

3.5 Capacity Management ....................................................................................................................................................................................... 16

3.6 IT Service Continuity Management .................................................................................................................................................................... 16

3.6.1 Optional Supplier IT Service Continuity Management Solution ................................................................................................................. 17

3.7 Security Management ........................................................................................................................................................................................ 18

3.7.1 Optional Supplier Security Encryption Solution(s) ...................................................................................................................................... 19

3.8 Risk Management .............................................................................................................................................................................................. 19

4.0 Service Transition ................................................................................................................................................................................................... 20

4.1 Change Management ......................................................................................................................................................................................... 20



4.2 Change Evaluation ............................................................................................................................................................................................. 21

4.3 Project Management Transition Planning and Support .................................................................................................................................... 22

4.4 Release and Deployment Management ............................................................................................................................................................ 23

4.5 Service Validation and Testing (SV&T) ............................................................................................................................................................... 24

4.6 Service Asset and Configuration Management (SACM)..................................................................................................................................... 25

4.7 Knowledge Management ................................................................................................................................................................................... 26

5.0 Service Operation................................................................................................................................................................................................... 28

5.1 Service Desk ....................................................................................................................................................................................................... 28

5.2 Incident Management ........................................................................................................................................................................................ 30

5.3 Event Management ............................................................................................................................................................................................ 31

5.4 Problem Management ....................................................................................................................................................................................... 32

5.5 Request Management and Fulfillment .............................................................................................................................................................. 33

5.6 Access Management .......................................................................................................................................................................................... 34

6.0 Continual Service Improvement ............................................................................................................................................................................ 35

6.1 Service Review and Reporting ........................................................................................................................................................................... 35

6.2 Process Evaluation and Currency ....................................................................................................................................................................... 36

6.3 Service Measurement ........................................................................................................................................................................................ 36

7.0 Other Processes and Services ................................................................................................................................................................................ 37

7.1 Supplier IT Operations ....................................................................................................................................................................................... 37

7.1.1 Currency, Hardware and Software Maintenance ....................................................................................................................................... 37

7.1.2 Software Support, Installation, Upgrades and Changes ............................................................................................................................. 38

7.1.3 Malicious code or unauthorized code Protection ....................................................................................................................................... 39

7.1.4 Intrusion Systems ........................................................................................................................................................................................ 40

7.1.5 Supplier License Management and Compliance ......................................................................................................................................... 41

7.1.6 Network Connectivity ................................................................................................................................................................................. 42



8.0 Optional Services ................................................................................................................................................................................................... 43

8.1 Level 1 Service Desk ........................................................................................................................................................................................... 43



1.0 Introduction

Supplier confirms that, unless otherwise specifically stated, it will provide a solution that supports all of the business processes described in this Exhibit, and that all Services, unless otherwise specifically stated, are included in the Base Charges. Supplier is committed to an approach that provides continuous improvement.

Supplier must propose a solution describing their best practices to meet the cross-functional services typical of leading organizations employing the ITIL framework. The requirements included in this Exhibit are intended to highlight key components of interest to the Commonwealth, and do not reflect all such solution elements that are included in cross functional services.

The Supplier will deliver the Services in the best interests of VITA and Other Customers. Supplier will be responsive to the current and future requirements of Customers by proactively anticipating needs and adjusting Services accordingly within the Base Charges.



1.1 Service Management Practices

VITA bases its service management practices on the Information Technology Infrastructure Library, which focuses on the Service Management Lifecycle and the linkages between service management components.

The Service Management Lifecycle for ITIL consists of five stages: Service Strategy, Service Design, Service Transition, Service Operation, and Continual Service Improvement. The major sections of this Exhibit are based on those five stages. Within each of those Service Management Lifecycle stages are Main Processes for which the Supplier responsibilities are described in this Description of Services.

The stages and Main Processes are listed in the following table:

Service Life Cycle Stage Main Processes

Service Strategy

Strategy Generation and Management Financial Management for IT Services Service Portfolio Management Demand Management Business Relationship Management

Service Design

Design Coordination Service Catalog Management Service Level Management Availability Management Capacity Management IT Service Continuity Mgmt. Information Security Mgmt.

Service Transition

Change Management Release and Deployment Management Project Management Service Asset and Configuration Management Knowledge Management

Service Operation

Service Desk Incident Management Event Management Problem Management Request Management and Fulfillment



Service Life Cycle Stage Main Processes Access Management

Continuous Service Improvement

Service Review and Reporting Process Evaluation and Currency Service Measurement



Ref# Requirement Comply (Y/N) Supplier Response

R1. 2.0 Service Strategy

R2. Service Strategy defines the high-level approach to offering services to the Customers; it drives service offerings and envisions future service offerings. The Supplier will undertake Service Strategy processes in order to support Customers in taking a long-term view of the business value of the Tower Services.

R3. The Service Strategy Main Processes described in this section are as follows: R4. • Strategy Generation and Management

R5. • Financial Management for IT Services

R6. • Service Portfolio Management

R7. • Demand Management

R8. • Business Relationship Management

R9. 2.1 Strategy Generation and Management

R10. Supplier will describe its Solution to meet the requirements of this Section in Exhibit 2.3 (Solution).

R11. The Supplier will support the development and management of an IT service strategy by the Customers. Strategy Generation and Management will incorporate input from VITA, Customers, and business units of Customers.

R12. Programs that are included within Strategy Generation and Management are: R13. • Technology Planning: This program produces the technology plan, the

technology implementation plan, and conducts an annual technology planning event.

R14. • Technology Roadmap: For the term of the contract for the hardware and software for the mainframe environment, updated annually.

R15. • Refresh/Currency plan: Provide a schedule of hardware and software refresh items on an annual basis.

R16. 1) Assist VITA and Customers to understand, develop, and confirm business and IT Service requirements of the Commonwealth. Y

R17. 2) Assist in projecting future volume, technology, and geographic changes that could impact VITA and Customer’s systems and technical architectures. Y

R18. 3) Identify candidates and requirements for the deployment of new technology or the automation of tasks associated with the Services and Customer’s business processes.

Y




R19. 4) Proactively submit proposals regarding new technology and automation to VITA for its review and approval. Y

R20. 5) Proactively seek to automate manual tasks associated with the Services. Y

R21. 6) Facilitate and coordinate the Equipment and Software architectures and standards, and participate in continuously keeping VITA and Customers’ technical architectures current

Y

R22. 7) Proactively identify strategies and approaches for future IT delivery that the Supplier believes will provide VITA and Customers with competitive advantages and that may result in increased efficiency, performance, or cost savings.

Y

R23. 8) Gather, incorporate, and report to VITA the data and lessons learned from the operating environment that may impact VITA and Customers’ plans. Y

R24. 9) Perform and report to VITA the trend analysis from the resource consumption data to project future demand that may impact VITA and Customers’ plans. Y

R25. 10) Coordinate with VITA and Customers in researching and implementing automated tools to improve Service Levels or performance of the computing environment

Y

R26. 11) Ensure that tool selections are in accordance with VITA and Customers’ standards and technical architectures. Y

R27. 12) Develop the annual plan for Technical Currency (the Currency Plan), including: Y

R28. a) Establish and maintain the definitions of Software Currency and Refresh for all systems and Software related to the delivery of the Services, in compliance with the requirements of Exhibit 4 (Pricing and Financial Provisions)

Y

R29. i.) Establish which particular Software releases and system platforms are not current (i.e. which are approaching end-of-life, which are going out of support, and which have been released and should be considered current).

Y

R30. ii.) Monitor end-of-life hardware and Software resident in the mainframe environment and ensure proactive notification is provided to VITA, Customers and Third Party vendors regarding support and software currency plans

Y

R31. iii.) Publish quarterly reports of upcoming Software releases, Software renewals and end-of-support notices to VITA and Y




affected Customers

R32. 13) Develop and update the long-range, comprehensive plan for VITA and Customers information technology (IT) systems, processes, technical architecture and standards (the “Technology Plan”) applicable to the Services.

Y

R33. a) VITA and Customers will approve the plan. Y

R34. b) The Technology Plan will be developed on an annual basis, and will include a rolling three (3) year projection of anticipated changes (subject to VITA business and planning requirements).

Y

R35. c) Coordinate the aggregation of technical planning information from VITA, Customers, other Service Tower Supplier(s), and other Third Party vendors as directed by Customers.

Y

R36. d) Provide linkage with technology currency requirements that align with technology refresh plans (e.g., software version migrations). Y

R37. 14) Provide an implementation plan with timing and cost impacts, in a format consistent with the Charges, for VITA and Customers. Y

R38. a) The implementation plan will be developed on an annual basis and based on the Technology Plan. Y

R39. b) Provide specific, short-term steps and schedules for projects or changes expected to occur within the first twelve (12) months of the implementation plan.

Y

R40. 15) Track and report on new technology advances applicable to the Services specifying any technical benefits and cost savings that may be achieved by VITA or the Customers.

Y

R41. 16) Track and report on technology evolutions applicable to the Services Y

R42. 17) Identify, evaluate and track opportunities for efficiency in the delivery of Services that the Supplier has observed in the course of delivering the Services Y

R43. 18) For the Supplier-owned assets and Software, the Supplier and VITA will document the appropriate replacement date in the Technology Plan with VITA. Y

R44. a) If Software Changes or additional Software license are required due to replacement of assets, the Supplier, in consultation with the VITA, will review alternatives for making changes to such Software.

Y

R45. b) Such replacement of the assets and Software will be at the Supplier’s expense if the replacement is required to facilitate achievement of the Y




agreed upon Service Levels or because the asset is obsolete (i.e. replacement parts cannot be acquired or the asset has become unserviceable (asset no longer has vendor or equivalent support, including security patches)).

R46. 19) For VITA and Customers owned and leased assets, provide a proposal for refresh of those assets (replacement at VITA’s expense) to VITA. Y

R47. 20) For VITA or Customer owned Software, provide a proposal for upgrade of the Software (replacement at VITA’s expense) to VITA. Y

R48. 21) Adhere to the VITA approved Currency Plan, and execute that plan utilizing established procurement processes, to initiate refresh, software upgrades and retirement activities.

Y

R49. a) Provide monthly reports, starting 180 days prior to lease or license expiration date, showing assets to be refreshed and Software to be upgraded.

Y

R50. b) Notify VITA monthly of all open agreements related to assets that are retired or will retire within 180 days of the report date. Y

R51. 22) Track and report on the completion progress of the Currency Plan. Y

R52. 23) Participate in technical and business planning sessions to establish standards, architecture and project initiatives Y

R53. 24) Develop and document technical design plans and environment configuration for VITA and Customers based on Commonwealth standards, architecture, functional, performance, availability, maintainability, security and IT Service Continuity requirements.

Y

R54. 2.2 Financial Management


R56. Financial Management covers the function and processes responsible for managing all the Suppliers’ budgeting, accounting and charging requirements associated with the delivery of the Services. It provides the Customers with the quantification, in financial terms, of the value of IT services, the value of the assets underlying the provisioning of those services, and the qualification of operational forecasting. Proper IT Financial Management will provide cost-effective stewardship of the IT assets and the financial resources used in providing IT Services, enabling the dissemination of information to feed critical decisions




and activities. R57. 25) Develop, implement, monitor and maintain processes and tools that enable

consistent delivery of Financial Management, in accordance with Exhibit 4 (Pricing and Financial Provisions).

Y

R58. 2.3 Service Portfolio Management


R60. Service Portfolio Management ensures that Customers have the optimum mix of services to meet required business outcomes at an appropriate level of investment. This involves assisting Customers in proactive management of the investment across the service lifecycle, including those services in the concept, design and transition pipeline, as well as live services defined in the various service catalogs and those services that are retired or being sunset.

R61. Programs that are included within Service Portfolio Management are: R62. • Technical Currency: This program produces the annual Currency Plan and

manages the execution of Refresh projects and Software currency projects.

R63. • New Service Introduction: New features that are materially different from the services provided that are requested by VITA.

R64. • New Customer Introduction, Acquisitions and Mergers: From time to time, VITA and other Customers are required to add or divest businesses units (or parts of business units), merge or split.

R65. 1) On a quarterly basis, review the asset inventory and produce a report that lists the assets that are due to be refreshed in the upcoming plan year, and provide such report to Customer’s annual planning process.

Y

R66. 2) Refresh as required in Exhibit 4 (Pricing and Financial Provisions) throughout the Term, for purposes that include meeting VITA’s and Customers’ business requirements; preventing technological obsolescence or failure; and accommodating volume changes, the ability to increase efficiency, the ability to lower costs, or the need to maintain the required Third Party Vendor support.

Y

R67. 3) Deploy Equipment and Software associated with any Refresh in accordance with the standards of the Technology Plan Y

R68. 4) Accommodate the timeframes and other requirements associated with Refresh, as well as the financial responsibility for the underlying assets, as provided in Y




Exhibit 4 (Pricing and Financial Provisions).

R69. a) VITA may modify the Refresh timeframes and requirements during the Term based on the business requirements VITA and Customers, subject to the Change Control procedures.

Y

R70. 5) Provide potential improvement to the portfolio of services for VITA and Customer approval. Y

R71. 2.4 Demand Management


R73. The purpose of Demand Management is to understand and influence customer demand for services and to seek mechanisms to meet these demands. At a strategic level this can involve analysis of patterns of activity and service usage. At a tactical level it can involve resource rationalization mechanisms to encourage shifts in demand.

R74. 1. Actively engage VITA and Customers on demand management planning on a periodic basis. Y

R75. 2. Report patterns of business activity across the Services on a monthly basis and identifying trends and risks that may cause demand to exceed the available capacity of the Services.

Y

R76. 3. Lead Customers with Demand Management activities that encourage Users to make the most efficient use of the Services and to assist Customers in minimizing its costs while maximizing the value they receive from the Services.

Y

R77. 2.5 Business Relationship Management


R79. Business Relationship Management works to maintain a positive relationship with customers. Business Relationship Management identifies the needs of existing and potential customers and ensures that appropriate services and capacity are developed to meet those needs. The process seeks to establish a strong business relationship with the end-user customer by understanding the customer's business and their desired outcomes. The process facilitates the consistent alignment of the Supplier staff to specific customer. The process works closely with Portfolio Management to negotiate service introduction on behalf of customers.

R80. 1) Facilitate access to the Services for Customers. Y




R81. 2) Provide a single point of contact for Customers on the function of the Services and the quality of the delivery of the Services Y

R82. 3) Provide a point of escalation on issues with the delivery of the Services Y

R83. 4) Regularly update documentation on the business objectives and organization of Customers and make documentation and training available for the use of Supplier and VITA.

Y

R84. a) Provide personnel that demonstrate knowledge of the Customer, Customer operating environment and business drivers Y

R85. 3.0 Service Design

R86. The Supplier will undertake Service Design processes in order to support Customers in the design and development of new or changed Tower Services based on Customer’s business requirements for introduction into a Production Environment.

R87. The Service Design processes describe in this section are as follows: R88. • Design Coordination

R89. • Services Catalog Management

R90. • Service Level Management

R91. • Availability Management

R92. • Capacity Management

R93. • IT Service Continuity Management

R94. • Information Security Management

R95. • Risk Management

R96. 3.1 Design Coordination


R98. Design Coordination coordinates all service design activities, processes and resources. Design Coordination ensures the consistent and effective design of new or changed IT services, service management systems, architectures, technology, processes, information and metrics.

R99. 1) Establish, track and manage the definition of Standard Services in the Mainframe environment. Y




R100. 2) Establish, track and manage the definition of Service Catalog items, which will include Standard Service Catalog items and non-standard Service Catalog items. Y

R101. 3) Establish, track and manage Standard Solution Designs in the Mainframe environment. Y

R102. 3.2 Services Catalog Management


R104. Service Catalog Management ensures that a Service Catalog is produced and maintained, containing accurate information on all operational services and those being prepared to be run operationally. The Service Catalog provides vital information for other Service Management processes: service details, current status and the service interdependencies.

R105. 1) Provide Services Catalog electronic content for review and update on a monthly basis. Such content must: Y

R106. a) be accurate Y

R107. b) include relevant pricing, delivery time to User, inventory availability, technical details, differentiation between offerings, notation on specific usage (or limitation of use) for an User to make an informed purchasing choice

Y

R108. c) approved by VITA and complies with applicable requirements (e.g., VITA Rules, different offering choices for different Customers or Users) Y

R109. 2) Assist in development of Service Catalog workflows, processes, etc. as may be required for ordering Supplier’s Services. Y

R110. 3) Where reasonably practicable and approved by VITA, establish electronic integration between Supplier ordering systems and the Service Catalog. Y

R111. 4) Implement all VITA-approved updates to the Service Catalog within the timeframes approved by VITA. Y

R112. 5) Provide access (e.g., online, web service) to self-provisioning tool as may be required for some Customers.

Y

There are no Mainframe Services that have self-provisioning capability, it is HPES intention, working with the selected MSI supplier, to identify the services, dependencies, and self-provisioning requirements related to mainframe service provision, and collaborate with the selected MSI to include this detail within the enterprise-wide service catalog.

R113. 3.3 Service Level Management





R115. Service Level Management establishes and maintains, monitors and reports on service quality through a constant cycle of reviewing IT service achievements based on agreed upon Service Level Agreements (SLAs) and Operating Level Measures (OLMs). Service Level Management establishes Service Level Agreements with the VITA and to monitor and report on service quality and achievement. The Supplier will provide Service Level Management as described in Exhibit 3 (Reporting and Service Level Management).

R116. 1) Develop, implement, monitor and maintain processes and tools that enable consistent delivery of Service Level Management, in accordance with Exhibit 3 (Reporting and Service Level Management).

Y

R117. 2) Document and analyze current performance and business perception of the relevant services (baseline) as a basis for improvements Y

R118. 3) Create proposals for Service Improvement Plans for VITA approval Y

R119. 4) Collect and collate Backing Data relating to the Service Levels to produce the Service Level Management Information and Service Reports as defined in Exhibit 3 (Reporting and Service Level Management). This includes reporting on progress in any Service Improvement Plan implementation

Y

R120. 3.4 Availability Management


R122. Availability Management will ensure that the level of service availability delivered in all Services is matched to or exceeds the current and future agreed needs of the business, in a cost-effective manner. Availability Management will strive to define, analyze, plan, measure and improve all aspects of the availability of IT services. Availability Management provides a point of focus and management for all availability-related issues, relating to both services and resources, ensuring that availability targets are established, measured and achieved.

R123. 1) Report on all key elements of Availability for the Services. Y

R124. 2) Assist Customers to understand Availability requirements for the Services in business terms. Y

R125. 3) Provide Availability trend analyses for all Services. Y

R126. 4) Document and track Vital Business Functions by Customer underpinned by Services. Y




R127. 3.5 Capacity Management


R129. Capacity Management will assess the business requirements (the required service delivery), the organization’s operation (the current service delivery), the IT infrastructure (the means of service delivery), and will ensure that capacity in all areas of IT service provision and support always exists and is matched to the current and future agreed needs of the business, within designated timeframes. Capacity Management will strive to ensure that the capacity of IT services and the IT infrastructure is able to deliver the agreed service level targets in a cost effective and timely manner. Capacity Management considers all resources required to deliver the IT service, and plans for short, medium and long term business requirements.

R130. 1) Provide monthly management reports, including current resource utilization, forecasts, and exceptions and identify trends and potential Capacity issues and risks

Y

R131. 2) Formally review Capacity requirements for the Services as part of Customer’s normal business planning cycle. Y

R132. 3) Test the performance of new Infrastructure and Software to confirm such Systems meet planned performance and utilization expectations and requirements.

Y

R133. 4) Incorporate work schedules and dependencies into Capacity Management planning Y

R134. 5) Define, develop and implement tools that allow for the effective Capacity Management monitoring/trending of IT infrastructure, Systems Software and IT components

Y

R135. 6) Assess capacity impacts when adding, removing or modifying applications Y

R136. 7) Assess Incidents and Problems related to throughput performance Y

R137. 8) Recommend changes to VITA and Customers regarding capacity to improve Service performance Y

R138. 3.6 IT Service Continuity Management





R140. IT Service Continuity Management (ITSCM) ensures that the IT Supplier can always provide the minimum agreed Service Levels, by reducing the risk from disaster events to an acceptable level and planning for the recovery of IT services. ITSCM should be designed to support Business Continuity Management. ITSCM provides for an On-Going Program of Disaster Recovery Preparedness that supports the overall Business Continuity and Disaster Recovery processes. ITSCM provides for the plans that support the rapid and orderly restoral of IT services.

R141. • Disaster Recovery Preparedness: This program produces a Disaster Recovery Test Plan. Disaster Recovery Preparedness verifies through regular scheduled test exercises that the Services provided by the Supplier can be recovered within the required and agreed upon business time frames.

R142. As a Supplier in VITA’s enterprise delivery environment, Supplier is expected to bring its own methodology to establish, maintain, and execute an ITSCM strategy. Y

R143. 1) Building, maintaining, updating, and testing Supplier’s IT Service Continuity Plan (ITSCP) to ensure continued delivery of Services in the event of a Disaster. Y

R144. 2) Supporting the development and testing of VITA’s Enterprise and other Customers’ ITSCPs as applicable to Supplier’s Services. Y

R145. 3) Assisting VITA and other Customers in ITSCP execution and Services restoration during Disasters. Y

R146. 4) Provide visibility, reporting, or documentation to VITA or Customer indicating test results. Y

R147. 5) Meet or exceed VITA’s RPO and RTO objectives listed as Disaster Recovery Tier 2. Y

R148. 6) Document all requirements in agreed to formats (e.g., System specifications, data models, Network design schematics) Y

R149. 7) Recommend best practice IT Service Continuity and DR strategies, policies, and procedures Y

R150. 8) Assist VITA in IT Service Continuity, DR, and emergency management activities, as requested Y

R151. 3.6.1 Optional Supplier IT Service Continuity Management Solution

R152. The Supplier will describe in Exhibit 2.3 (Solution) what optional Disaster Recovery solutions (e.g. High Availability) that they offer that will exceed the Commonwealth requirements.




R153. 3.7 Security Management


R155. Information Security Management ensures the confidentiality, integrity and availability of an organization's information, data and IT services. Security Management will assess that all security risks associated with the delivery of Services are appropriately identified, evaluated, assessed and appropriate controls are implemented and maintained.

R156. Virginia has developed its standards using the National Institute of Standards and Technology (NIST) Special Publication 800-53 rev. 4, Recommended Security Controls for Federal Information Systems and Organizations, as a framework.

R157. • Security Incident Management is a specialized form of Incident Management, the primary purpose of which is the development and execution of well understood and predictable responses to damaging events, computer intrusions, security compromises and inadvertent data disclosure or loss. As part of Security Incident Management, the Supplier will provide the necessary resources to support VITA and Customers in resolving Security Incidents.

R158. 1) Comply with Commonwealth of Virginia ITRM Standard SEC501 (available at http://www.vita.virginia.gov/default.aspx?id=537) and SEC525 (in final review status as of January 2016) and other applicable VITA Rules

Y

R159. 2) Comply with all Customers’ individual Information Security Policies and applicable Federal standards (e.g., FedRAMP, CJIS, FISMA, PCI, ISO27001, FERPA, FTI (IRS PUB-1075), SSA, HIPAA-HITECH).

Y

R160. 3) Provide informed advice on security policy, standards (including national security, international, customer and industry standards), practices, solutions and technologies, and threats.

Y

R161. 4) Implement security management processes, procedures and controls with other service providers to address interdependencies, use of tools and workflows required to operate integrated Security Management across the Services.

Y

R162. 5) Participate in the integrated compliance and Security Management service performance plans and reports for all Service security requirements to meet Customer’s informational reporting requirements and Service Levels in a regular and timely manner.

Y

R163. 6) Track, expedite and report upon actions raised against plans, reports and self- Y

http://www.vita.virginia.gov/default.aspx?id=537




assurance statements.

R164. 7) Respond to security incidents or emerging security requirements (which may arise as a result of changing security standards, threats or industry practices) under direction from Customers.

Y

R165. 8) Provide data feeds or reports to VITA’s security incident and event correlation systems for purposes of deep analytics. Support VITA’s analysis as requested. Y

R166. 9) Utilize security clearance and access control processes to administration tools and environments used to support Customer’s services for all staff. Y

R167. 10) Ensure that access privileges for Supplier personnel are promptly removed upon departure from the program. Y

R168. 11) Ensure that all Commonwealth Data remains in the continental United States and all Sensitive data remains encrypted at all times (both in transit and at rest). COV retains ownership for encryption keys in accordance with VITA Rules.

Y

R169. 12) Establish and maintain mechanisms to safeguard against the unauthorized access, destruction, loss or alteration of Customer’s data. Y

R170. 13) Utilize controls and processes such that the Services are compliant with all VITA Rules for the processing, storage and transmission of information based on its classification and impact categorization (which currently requires all Commonwealth Data to remain in the continental United States and all Sensitive Data to be encrypted at all times (both in transit and at rest)), and ensure that Customers are able to gain assurance and evidence that such compliance is being maintained upon request.

Y

R171. 14) Provide reporting to Customers that highlights emerging threats and the status of known risks. Y

R172. 15) Initiate Corrective Actions in respect of any potential or actual security issues or noncompliance with the procedures. Y

R173. 3.7.1 Optional Supplier Security Encryption Solution(s)

R174. The Supplier will describe in Exhibit 2.3 (Solution) what optional data encryption capabilities including key management that they offer that will exceed the Commonwealth requirements.

R175. 3.8 Risk Management

R176. Supplier will describe its Solution to meet the requirements of this Section in Exhibit 2.3




(Solution). R177. The Supplier is charged with providing Risk Management related to the Mainframe

environment and Services within the context of overall business risks. The goal of Risk Management is to quantify the impact to the business that a loss of service or asset would have (the Impact), to determine the likelihood of a threat or exploitation of a vulnerability to actually occur, and then to manage activity against the identified risks.

R178. 1) Implement risk indicators across the services to monitor risk and assist the detection of emerging trends and control failures. Y

R179. 2) Implement risk escalation and reporting across the services Y

R180. 3) Address known control weaknesses with controls operated within the existing services as notified to the Supplier. Y

R181. 4) Participate in monthly reviews regarding the effectiveness of key controls to ensure compliance with regulations and Customers policies. Y

R182. 4.0 Service Transition

R183. The Supplier will undertake Service Transition processes and the management and coordination of the processes, systems, and functions required for the building, testing and deployment of new and changed Tower Services.

R184. The Service Transition processes describe in this section are as follows: R185. • Change Management

R186. • Change Evaluation

R187. • Project Management Transition Planning and Support

R188. • Release and Deployment Management

R189. • Service Validation and Testing

R190. • Service Asset and Configuration Management

R191. • Knowledge Management

R192. 4.1 Change Management


R194. Change Management seeks to control the lifecycle of all Changes. Change Management comprises an end-to-end process that minimizes risk, cost and business disruption, while protecting the computing and the delivery of related Services. All changes to Configuration




Items must be carried out in a planned and authorized manner. This includes identifying the specific Configuration Items and IT Services affected by the Change, planning the Change, communicating the Change, deploying the Change, testing the Change, and having a back-out plan should the Change result in a disruption of the Service. This also includes tracking and oversight for all Changes.

R195. 1) Participate in Customer Change Management processes, which may include participation in Change Advisory Board meetings as requested. Y

R196. 2) Create, maintain, and communicate a roadmap of all scheduled upcoming Releases and Operational Changes. Y

R197. 3) Notify VITA and Customers of upcoming changes and service evolutions (e.g., upgrading to new versions) in Supplier environment, allowing sufficient time for Customer planning and testing.

Y

R198. 4) Advise and work with VITA and Customers to schedule and manage projects of upcoming changes and service evolutions in Supplier environment. Y

R199. 5) Perform Operational Changes in Customer-designated maintenance windows. Y

R200. 6) Test upcoming changes and service evolutions in a lab environment comparable to Production Environment. Y

R201. 7) Verify that change met objectives and resolve negative impacts Y

R202. 8) Monitor changes and report results of changes and impacts Y

R203. 9) Provide change documentation to VITA and Customers as requested Y

R204. 4.2 Change Evaluation


R206. Change Evaluation seeks to assess major Changes, like the introduction of a new service or a substantial change to an existing service, before those Changes are allowed to proceed to the next phase in their lifecycle.

R207. The Supplier will design, implement, maintain and operate a VITA approved common and shared Change Evaluation Process that completes the following activities for new or changed services:

Y

R208. • Planning of the evaluation based on the Service Design Package Y R209. • Evaluation of intended and unintended impact of the changes Y R210. • Evaluation of risk and predicted performance of the solution against Customer’s

requirements Y




R211. • Evaluation of actual performance post-change Y R212. 1) Conduct the activities to achieve compliance with VITA and Customer’s policies

and standards throughout the process, including the Information Security Policy. Y

R213. 2) Perform an evaluation to analyze the intended and unintended effects of a Change and provide a report of the evaluation to VITA and Customers. Y

R214. 3) Perform a risk assessment based on the required specifications, predicted performance and the acceptance criteria for the proposed Change, and reporting assessment findings to VITA and Customers.

Y

R215. 4) After implementing a Change, provide input to VITA on the actual performance of the Service. Y

R216. 5) Report findings in an Evaluation Report, which will inform the Post Implementation Review (PIR) carried out by Change Management. Y

R217. 6) Identify and report incidents resulting from change and document corrective actions to avoid incidents from similar changes in the future Y

R218. 4.3 Project Management Transition Planning and Support


R220. Project Management (Transition Planning & Support) seeks to plan and coordinate the resources to implement a major deployment or release (project) within the predicted cost, time and quality estimates; and to ensure that issues and risks that inhibit success are managed. Project Management (Transition Planning & Support) will align projects to Customers’ requirements and deliver projects from request through to end solution including turnover to Customers and validation that project requirements were met in terms of timing, quality, and cost.

R221. A list of the major Current and Ongoing Projects are set forth in Exhibit 2.7 (Current and Planned Projects).

R222. As of the Commencement Date, VITA will have the right to update the projects listed in Exhibit 2.7 (Current and Planned Projects) to include any additions to and deletions from such list, which have occurred in the ordinary course of business prior to the Effective Date.

R223. 1) Conduct regularly scheduled Project Management meetings to ensure the successful completion of all projects. Y

R224. 2) Utilize Implement controls and provide reporting to support Project Portfolio Management. Y

R225. 3) Support the Customers in prioritizing and categorizing projects to support Y




Demand Management, and in accordance with Exhibit 3 (Reporting and Service Level Management).

R226. 4) Ensure all projects have a named project manager who owns the success of the execution of the project Y

R227. 5) Ensure that all projects are managing risks, changes, issues, communications and schedules in compliance with VITA policies, processes and procedures Y

R228. 6) Provide project tracking efforts and communications between all parties until project completion. Y

R229. 7) Retain overall responsibility and ownership of projects until project completion is accepted by Customers Y

R230. 8) Provide for reporting on Project Management, which will track and report on the success of projects against such factors as time-commitments, resource utilization, scope and costs

Y

R231. 4.4 Release and Deployment Management


R233. Release and Deployment Management (R&DM) seeks to plan, schedule and control the movement of solutions into test and then into live environments; with the primary goal of ensuring the integrity of that live environment.

R234. Release Management provides for the execution of releases and deployments into the Production environment for changes to the Services and their component Configuration Items (including software, service management processes, hardware and associated documentation).

R235. 1) Utilize controls to manage risks and achieve compliance with regulations, Customer’s policies and standards, including the Information Security Policy, throughout the R&DM process.

Y

R236. 2) Define the Release design, subject to Customers review and approval (such as big bang, phased, push and pull, automated, manual). Y

R237. 3) Produce impact assessments in support of Customer’s Release planning. Y

R238. 4) Develop implementation and back-out plans for approved Changes that will be included in a Release. Y

R239. 5) Design, build, track, and coordinate the testing, implementation, and, if necessary, back-out of all Releases. Y




R240. 6) Assign a Single Point of Contact (SPOC) for each Release Y

R241. 7) Provide updates to Customers regarding Release status Y

R242. 8) Secure master copies of new versions in a software library and update configuration databases Y

R243. 9) Schedule and conduct Change Management and Release Management meetings to include review of planned changes and results of changes made Y

R244. 10) Review Release Management details and alter as appropriate to meet the needs of the Commonwealth (e.g., back out plan, go/no go decision) Y

R245. 4.5 Service Validation and Testing (SV&T)


R247. Service Validation and Testing ensures that deployed Services meet customer expectations, and verifies that IT operations is able to support the Service as implemented (e.g., new services, additional services, projects, releases, and major changes).

R248. 1) Utilize Integration and Testing policies and procedures Y

R249. 2) Manage Integration and Testing environment(s) Y

R250. 3) Maintain software release matrices across development, QA, and production environments Y

R251. 4) Conduct integration, performance, and security testing for all new and upgraded equipment, Networks, Software or Services to include unit, Systems, integration and regression testing

Y

R252. 5) Evaluate all new and upgraded Tower components or Services for compliance with the Commonwealth’s security and IT architecture policies, regulations and procedures

Y

R253. 6) Assess and communicate the overall impact and potential risk to Tower components prior to implementing changes Y

R254. 7) Stage new and upgraded equipment, Software or Services to smoothly transition into existing environment Y

R255. 8) Perform modifications and performance enhancement adjustments to System Software and utilities as needed Y

R256. 9) Test new releases of supported hardware and Software to ensure conformance Y




with the Service Levels

R257. 10) Perform Configuration Management and Change Management activities related to Integration and Testing Y

R258. 4.6 Service Asset and Configuration Management (SACM)


R260. Configuration Management will provide a logical model of the IT infrastructure by identifying, controlling, maintaining, and verifying information related to all Configuration Items that support the Services offered to Customers.

R261. Configuration Management will include the implementation of a Configuration Management System which incorporates information from multiple sources that contains details of the components or configuration items (CIs) that are used in the provision, support and management of its IT services. This is more than just an “asset register,” since it will contain information that relates to the maintenance, movement, and problems experienced with the CI, and their relationships.

R262. Supplier configuration management system will need to have the capability to integrate to a VITA centralized configuration management system. Y

R263. 1) Utilize a Configuration Management System (CMS), comprising one or more Configuration Management Databases (CMDB), which contain details of the Configuration Items and their Attributes used in the provision and management of all of the Services

Y

R264. 2) Provide for electronic interfaces to allow transfer and update of all Configuration Items and their Attributes that are the Suppliers’ responsibility. Y

R265. 3) Maintain asset inventory for all managed assets, such that: Y

R266. a) Enables capture of the individual data elements for each asset as part of the inventory. Y

R267. b) Enables VITA and Customers approval of the asset inventory and changes to the asset inventory. Y

R268. c) Provides for controls, processes and notifications that support the VITA and Customers ability to approve and submit corrections to the asset inventory.

Y

R269. d) Enables a common view in terms of information access and presentation. Y




R270. 4) Conduct reviews and audits to verify the completeness and accuracy of Configuration Items, including operations documents, Equipment, Software, and Applications.

Y

R271. 5) Conduct the Configuration Management process to identify, control, maintain, and verify the Configuration Items (CIs) approved by Customers, as comprising the Equipment, Software, and Applications to provide the Services.

Y

R272. 6) Implement controls to validate that any change to any CI record in the CMS/CMDB is the result of an approved Request for Change (RFC). Y

R273. 7) Maintain a secure audit trail of all CMDB transactions. Y

R274. 8) Provide asset inventory and Services reports as requested Y

R275. 9) Provide ability for VITA to inquire (e.g. ad hoc reports) into the asset database Y

R276. 10) Define or adhere to Configuration Management policies, and procedures Y

R277. 11) Select, install and maintain Configuration Management tools Y

R278. 12) Establish agreed upon process interfaces to Incident and Problem Management, Change Management, technical support, maintenance and asset management processes

Y

R279. 13) Provide VITA Configuration Management reports as required and defined by VITA Y

R280. 4.7 Knowledge Management


R282. Knowledge Management seeks to gather, analyze, store and share knowledge and information within the VITA IT Program to improve efficiency by reducing the need to rediscover knowledge. All documentation maintained by the Supplier will be subject to approval by VITA, or Customers as appropriate, and will conform to the documentation standards and format agreed upon between VITA and the Supplier. The Supplier will develop documentation in accordance with the requirements in Service Management Manual.

R283. 1) Provide Service Knowledge Management System that maintains content in electronic searchable format. Y

R284. 2) Maintain a Service Knowledge Management System that will capture, store, and present information needed to manage the Services. Y




R285. 3) Allow for Customers to contribute their own content for inclusion into the Service Knowledge Management System. Y

R286. 4) Develop and document training and knowledge database requirements and policies Y

R287. 5) Develop and document procedures that meet training requirements and adhere to defined policies Y

R288. 6) Develop program to instruct Commonwealth personnel on the provision of the Services (e.g., “rules of engagement”, requesting Services) Y

R289. 7) Develop, implement and maintain a Commonwealth accessible knowledge database/portal Y

R290. 8) Develop and implement knowledge transfer procedures to ensure that more than one individual understands key components of the business and technical environment

Y

R291. 9) Participate in Commonwealth delivered instruction on the business and technical environment Y

R292. 10) Develop and document training requirements that support the ongoing provision of the Services, including refresher courses as needed and instruction on new functionality

Y

R293. 11) Take training classes as needed to remain current with Systems, Software, features and functions for which Vendor Help Desk support is provided in order to improve Service performance (e.g., First Call Resolution)

Y

R294. 12) Remain up to date with current technology trends pertaining to the technology advances relevant to Service areas Y

R295. 13) Provide training when substantive technological changes as defined by VITA (e.g., new systems or functionality) are introduced into the Commonwealth environment to facilitate full exploitation of all relevant functional features

Y

R296. 14) Provide training materials for Commonwealth technical staff for Level 1 supported applications Y

R297. 15) Define Documentation requirements and formats that are in accordance with mutually agreed-upon Change Management and IT Service Continuity and DR requirements and procedures

Y

R298. 16) Establish, maintain, secure, backup, and update a Documentation library utilizing storage and access methodologies and technology (e.g., online electronic Y




storage, hard copy) appropriate for the document types being stored which supports the agreed upon requirements and formats

R299. 17) Provide output in agreed format for support of Services activities as specified in each Tower throughout the Term Y

R300. 18) Document, update, and provide to VITA System specifications and configurations (e.g., interconnection topology, configurations, Network diagrams) within agreed upon timeframes.

Y

R301. 19) Document standard operating procedures (e.g., boot, failover, spool management, batch processing, backup) Y

R302. 20) Document policies, procedures manual, production and maintenance schedules, and job schedules Y

R303. 21) Update all appropriate Documentation as necessary as a result of any Systems or Services changes in accordance with Change Management procedures Y

R304. 22) Provide VITA-designated and authorized personnel access to all Documentation as required by VITA Y

R305. 5.0 Service Operation

R306. The Supplier will undertake Service Operation processes for providing and managing Service for Customer’s business and Users within the Service Levels for all Tower Services.

R307. The Service Operation processes described in this section are as follows: R308. • Service Desk

R309. • Event Management

R310. • Incident Management

R311. • Problem Management

R312. • Request Management and Fulfillment

R313. • Access Management

R314. • Supplier IT Operations

R315. 5.1 Service Desk


R317. VITA (or a Third Party operating on VITA’s behalf) provides a Level 1 Service Desk as a




strategic central point of contact for Customers regarding the Services. The Service Desk manages information delivery across the environment and leads the processes for Service Operations (e.g., Event Management, Incident Management, Problem Management, Request Management, Access Management) providing an operational single point of contact to manage information, communication and service delivery. The Service Desk provides Level 1 Support for Customers, and Supplier will be responsible for providing Level 2 and Level 3 support as applicable for its Services for the hours of operation as required by VITA.

R318. 1) Support for Users on both a reactive and a proactive basis, and for both in-bound and out-bound support (e.g., contacts to other Levels of Support). Y

R319. 2) Utilize controls and procedures for Level 2 and Level 3 Support groups to contact each other in the most efficient manner (e.g., Service Tower to Service Tower, or Application Support to Service Tower) that meets the objectives of Incident Management.

Y

R320. 3) Develop and document processes regarding interfaces, interaction, and responsibilities between differing support levels (e.g. Level 1 Support personnel, Level 2 Support personnel between Customer organizations and Supplier), and any other internal or external persons or entities that may either submit receive a ticket.

Y

R321. 4) Communicate to Users in English, using terms that are clearly understood by the Users and consistent with those used by VITA. Y

R322. 5) Provide personnel that are trained and can accomplish Level 2 and Level 3 Support. Y

R323. 6) Routinely update a list of Frequently Asked Questions (FAQs) regarding the Services for use by VITA and the Service Desk. Y

R324. 7) Support first-contact resolution and the Level 1 Service Desk by providing knowledgebase updates, training FAQs, etc. as applicable. Y

R325. 8) Notify VITA, Customers, and Level 1 Service Desk as required by VITA Rules when significant service issues occur. Y

R326. 9) Support personnel must be located in the U.S. and must be legally allowed to work in the U.S. Y

R327. 10) Interface with and update VITA’s specified Incident Management tools. Y

R328. 11) Use real-time interfaces or other processes to minimize handoffs and multiple ticket numbers, and to provide end-to-end ticket transparency. Y




R329. 5.2 Incident Management


R331. Incident Management seeks to manage the lifecycle of all Incidents. The Incident Management discipline will encompass Incident Management processes deployed across all Services that are designed to: restore service as quickly as possible, minimize disruption to the Customers or Customers business unit, aim for best levels of availability and service quality, promote completely transparent and auditable delivery of service, promote clear communications and the highest level for user satisfaction.

R332. 1) Define Incident policies and procedures Y

R333. 2) Establish operations and Service management quality assurance and control programs Y

R334. 3) Perform quality assurance and quality control programs Y

R335. 4) Coordinate End-User support activities with the Service Desks Y

R336. 5) Establish Incident workflow, escalation, communication and reporting processes that help to achieve the Service Level requirements Y

R337. 6) Provide, configure, and operate Incident Management system that tracks Incidents Provide VITA with access and input capabilities to Incident Management tracking system to allow for Incident and related Problem monitoring and ad hoc reporting

Y

R338. 7) Manage entire Incident and related Problem Management lifecycle process including detection, diagnosis, status reporting to VITA, repair and recovery Y

R339. 8) Ensure Incident Resolution activities conform to defined change control procedures set forth in the Service Management Manual Y

R340. 9) Perform Root Cause Analysis of Incidents, document findings, and take corrective actions for the Services. Y

R341. 10) Resolve underlying root cause of the problem and/or substantiate that all reasonable actions have been taken to prevent future reoccurrence Y

R342. 11) Manage efficient workflow of Incidents including the involvement of third party providers (e.g., vendors, public carriers, ISP) Y

R343. 12) Participate in Incident Management review sessions and provide listing and status of same categorized by Problem impact Y




R344. 13) Identify and recommend possible enhancement opportunities for improved operational performance and potential cost impact Y

R345. 5.3 Event Management


R347. Events are any detectable or discernible occurrence that has significance to the management of the VITA environment or Customer business. Events are typically notifications from IT services and monitoring tools. Event Management is the process that monitors all events that occur through the infrastructure and detects and appropriately actions and escalates exception conditions.

R348. 1) Perform event management monitoring of the Services to detect abnormal conditions or alarms, log abnormal conditions, analyze the condition and take corrective action

Y

R349. 2) Identify System management tools to monitor the IT Systems infrastructure and Commonwealth Software environment Y

R350. 3) Coordinate with VITA to deploy System management tools to monitor the IT Systems infrastructure and Commonwealth applications Y

R351. 4) Install and configure System management tools in such a fashion that Incidents, issues and events are proactively identified, reported and Resolved according to prescribed Service Levels

Y

R352. 5) Develop and document Performance Management requirements for Services Y

R353. 6) Develop and document Performance Management procedures that meet requirements and adhere to defined policies as specified in the Service Management Manual

Y

R354. 7) Provide regular monitoring and reporting of component performance, utilization and efficiency Y

R355. 8) Proactively evaluate, identify and recommend configurations or changes to configurations which resolve the event. Y

R356. 9) Provide technical advice and support to the Service Customer Business Software maintenance and development staffs of the event as required Y

R357. 10) Develop policies and procedures for Root Cause Analysis (e.g., events, incidents, and problems that trigger an RCA) Y

R358. 11) Conduct proactive trend analysis to identify recurring Problems and predict Y




future Problems and points of failure, where practical, from occurring or developing

R359. 5.4 Problem Management


R361. Problem Management seeks to manage the lifecycle of all Problems. The primary objectives of Problem Management are to prevent Incidents from happening, and to minimize the impact of incidents that cannot be prevented. Proactive Problem Management analyzes Incident Records, and uses data collected by other IT Service Management processes to identify trends or significant Problems. The Problem Management Process will minimize the adverse effect on the business of Incidents and Problems caused by errors in the IT infrastructure, Applications, systems and supporting components, and will proactively prevent the occurrence of Incidents and Problems by identifying and eliminating causes of failure.

R362. 1) Define Problem Management policies and procedures Y

R363. 2) Establish operations and Service management quality assurance and control programs Y

R364. 3) Perform quality assurance and quality control programs Y

R365. 4) Coordinate End-User support activities with the Service Desks Y

R366. 5) Provide, configure, and operate Problem Management system that tracks Incidents Y

R367. 6) Provide VITA and other Customers with access and input capabilities to Problem Management system to allow Problem monitoring and ad hoc reporting Y

R368. 7) Manage entire Problem Management lifecycle process including detection, diagnosis, status reporting to VITA, repair and recovery Y

R369. 8) Perform Root Cause Analysis of Problems, document findings, and take corrective actions for the Services. Resolve underlying root cause of the problem and/or substantiate that all reasonable actions have been taken to prevent future reoccurrence

Y

R370. 9) Participate in Problem Management review sessions and provide listing and status of same categorized by Problem impact Y

R371. 10) Identify and recommend possible enhancement opportunities for improved operational performance and potential cost impact Y




R372. 11) Recommend corrective actions or solutions to address recurring Problems or failures Y

R373. 12) Flag all Incidents that require Root Cause Analysis per the agreed to procedures Y

R374. 13) Identify root cause of Severity 1 and Severity 2 Incidents and recommend appropriate resolution action Y

R375. 14) Provide status report detailing the root cause of and procedure for correcting recurring problems and Severity 1 and Severity 2 Incidents until closure as determined by VITA

Y

R376. 15) Track and report on recurring Problems and trends or failures and identify associated consequences of Problems Y

R377. 5.5 Request Management and Fulfillment


R379. Request Management & Fulfillment seeks to fulfill and manages all requests for program related Services (changes) from Users. Requests are managed from the initial request through fulfillment of such requests via Services from multiple sources, such as other Service Tower Providers, Third Party vendors and Customers.

R380. While the majority of Service Requests are minor (such as standard changes), the Request Management Main Process directs more complicated requests to the solution design process.

R381. 1) Align their ordering process with VITA’s existing ordering processes for services (work request, eVA, TSR, etc.) using the process that logically is best suited for the needs of VITA, the customer, and suppliers.

Y

R382. a) Tools and/or documents associated with the selected ordering process will be incorporated into the vendor’s ordering process. Y

R383. 2) Will provide a technical solution document describing the Supplier’s proposed approach and detailed pricing for individual Customer nonstandard requests for services, solution tailored to meet customer’s specific needs, to review by the Customer and VITA at no additional cost.

Y

R384. 3) Will provide standard solutions where possible that will enable the customer to order new services, modify existing services, and discontinue services with a minimum of approvals and documentation.

Y

R385. 4) Will provide key performance indicators (KPIs) based on timeframes for all Y




activities (ex: solution development, implementation of requests, requests to discontinue service, etc.).

R386. 5.6 Access Management


R388. Access Management (or Identify Management) seeks to grant authorized users the right to use a service, while preventing access to non-authorized users.

R389. 1) Provide Customers with the capability to exercise authority for approval of all data and System access requirements. Y

R390. 2) Create, change, delete, and assign rights to User accounts as requested and approved by VITA or other Customers. Y

R391. 3) Notify the Customers regarding the entities and personnel to be granted access to Supplier-operated Systems and the level of Security access granted to each. Y

R392. 4) Follow Customer’s instructions and procedures regarding such access as designated by Customers. Y

R393. 5) Maintain Security rules and access rights according to VITA Rules and Customer requirements. Y

R394. 6) Provide for policies and processes that prefer a least-privilege approach to granting access. Y

R395. 7) Provide a periodic review of access that has been granted with VITA and Customers at least on a quarterly basis. Y

R396. 8) Monitor, report and address access management exceptions and violations. Y

R397. 9) Establish procedures, forms, and approval levels for assigning, resetting, and disabling access by Users, subject to Customer’s IT Security department review and approval, as directed by the Service Integrator.

Y

R398. 10) Maintain a secure online database of all access requests, access rights, and approval authorities. Y

R399. 11) Ensure that access privileges for Supplier personnel are promptly removed upon departure from the VITA Program (i.e., to another role within Supplier or exit from Supplier altogether).

Y

R400. 12) Enable VITA to authorize Customers to grant or remove access privileges as required for onboarding or offboarding; provide priority in cases of emergency. Y




R401. 6.0 Continual Service Improvement

R402. The Supplier will establish and undertake Continual Service Improvement processes in order to manage improvements to performance by continually measuring, reporting and coordinating service results.

R403. The Continual Service Improvement processes described in this section are as follows: R404. • Service Review and Reporting

R405. • Process Evaluation and Currency

R406. • Service Measurement

R407. 6.1 Service Review and Reporting


R409. The service reports are accompanied by the Supplier’s assessment of risks, issues and opportunities for improvement. Includes reporting for VITA, Customers, and specific Customers business units. Service Level reporting and general reporting requirements are set out in Exhibit 3 (Reporting and Service Level Management). The reports are to be accompanied by the Supplier’s assessment of risks, issues and opportunities for improvement. Example components of a framework include:

R410. 1) Reporting: documents, datasets, and summary reports pertaining to the performance of the Services and Supplier’s other obligations under the Agreement sufficient to permit VITA to monitor and manage Supplier's performance.

Y

R411. a) Develop and provide operational reports (daily, weekly, monthly) that provide status of operational activities, production issues, and key operational metrics

Y

R412. 2) Service Levels: quantitative performance standards to measure Services, which include credits when certain standards are not met or issues are left unresolved. Y

R413. 3) Critical Deliverables: milestone activities and Deliverables for one-time or periodical activities that have associated Deliverable Credits payable to VITA, in the event Supplier fails to successfully and timely complete such milestone activities or deliver such Deliverables.

Y

R414. 4) Customer Satisfaction: qualitative and quantitative measurements of customer experience, including surveys and in-person meetings. Y




R415. 5) Report performance against the Service Levels Y

R416. 6) Develop and implement Customer Satisfaction program for tracking the quality of Service delivery to Customers Y

R417. 7) Implement and conduct the Customer Satisfaction surveys and report results to VITA as per agreed-upon schedules Y

R418. 8) Provide reporting (e.g., statistics, trends, audits) Y

R419. 6.2 Process Evaluation and Currency


R421. Process to evaluate all processes on a regular basis. This includes identifying areas where the targeted process metrics are not reached, and holding regular benchmarks, audits, maturity assessments and reviews.

R422. The Supplier will provide to keep the Service Management Manual and other relevant operational documentation current. The Supplier will ensure all documents of the Service Management Manual e.g., sub-processes, procedures, working documents, desk-level instructions) have a named owner within the Supplier.

Y

R423. 1) Develop and maintain a Service Management Manual that contains the actual operational and procedural standards that will be used in the delivery of the Services to be reviewed and approved by VITA

Y

R424. 2) Participate in developing operations procedures that meet requirements and adhere to defined policies Y

R425. 3) Define and develop operational documentation requirements (run books, contact lists, operations scripts, etc.) Y

R426. 6.3 Service Measurement


R428. Service Measurement provides monitoring and measures for the overall success of IT Service Management within the Customer’s organization.

R429. The Supplier will implement and operate Quality Assurance across the services to improve Business-aligned IT service quality. The Supplier will employ a Quality Assurance (QA) program, tools, and processes to achieve this.

Y

R430. 1) Establish Overall Program Measures, as approved by VITA, within the following Y




guidelines:

R431. a. Design measures that reflect the overall objectives of VITA (e.g., improve service delivery, innovate and evolve service offerings, ensure cost competitiveness and transparency).

Y

R432. b. Design the measures to reflect end-to-end service (i.e. not a single process or program). Y

R433. c. Design the measures to reflect enterprise service (e.g., not a single customer group). Y

R434. d. Design the measures to reflect multiple levels of activity (e.g., not a single functional area or program). Y

R435. e. Design the measures to reflect industry standard metrics where possible. Y

R436. 2) Developing and employing a Quality Assurance program, subject to VITA approval, designed to promote performance of the Services at a level of quality determined by VITA to be acceptable and to focus on measuring and improving reliability, value, speed, cost-effectiveness, and Customers satisfaction.

Y

R437. 3) Provide ongoing management of procedures and measurements for all Quality Assurance activities across the Services. Y

R438. 4) Providing evidence that the quality metrics and procedures employed are consistent with similar standards in Customer’s peer group and/or in the provision of similar professional services.

Y

R439. 5) Conducting assurance to verify compliance with the quality assurance program, procedures and standards. Y

R440. 7.0 Other Processes and Services

R441. This section sets forth the Other Processes and Services that the Supplier will provide, as of the Commencement Date unless otherwise specified, for all Services.

R442. 7.1 Supplier IT Operations

R443. For the Services and systems provided by the Supplier, the Supplier’s responsibilities include:

R444. 7.1.1 Currency, Hardware and Software Maintenance

R445. Supplier will describe its Solution to meet the requirements of this Section in Exhibit 2.3




(Solution). R446. 1) Maintain documentation on Software that reflects the complexity and diversity

of the environment and that enhances the Software support process (e.g., installation, maintenance, interfaces, and active processes).

Y

R447. 2) Maintain a library of documentation that identifies the Software required to support the Services and the operational support procedures associated with the Software by Customer.

Y

R448. 3) Maintain, update and ensure currency in the Configuration Management process for all software. Y

R449. 4) Support all Software, excluding Applications supported by VITA’s and Customers’ staff or other Third Parties, as required and in accordance with VITA’s and Customers’ technical architecture standards.

Y

R450. 5) Support Software at prescribed release levels or as directed by VITA and that is certified by the supplier. Y

R451. 6) Correct and make changes to Software as required. Y

R452. 7) Provide Users with Software support, advice, and assistance. Y

R453. 8) Review all Software conversion, migration, and upgrade plans with VITA and Customer. Y

R454. 7.1.2 Software Support, Installation, Upgrades and Changes


R456. 1) Install, upgrade, and change all Software that is OEM certified and supported by the Supplier, as required and in accordance with VITA technical architecture standards.

Y

R457. 2) Interface with VITA, Customers and other Third Parties to promote the compatibility of Software products. Y

R458. 3) Unless otherwise directed by VITA, install, upgrade, and change Software that is certified and supported by the Supplier to prescribed release levels (i.e. OEM currently supports).

Y

R459. 4) Provide installation of department or User-specific Software that is certified and supported by the Supplier as requested by VITA and Customers. Y

R460. 5) Install Third Party-supplied corrections for Third Party Software problems, which Y




include installation of Third Party-supplied Software patches as required.

R461. 6) Give written notice to VITA and other Customers at least ninety (90) days in advance of all upgrades and Software changes that are planned to occur in the following calendar quarter. The Parties will mutually agree in writing on the timing for the implementation of upgrades.

Y

R462. 7) Coordinate testing, installation, customization, and support of Software with Customer Application Development and Maintenance (ADM) personnel, Users, and other Third Parties as required.

Y

R463. 8) Coordinate with VITA, Customers and Suppliers in the establishment of designated patching windows. Y

R464. 9) Follow VITA Change Management procedures while implementing changes, upgrades, or enhancements. Y

R465. 10) For any changes, upgrades, or enhancements, advise VITA and Customers of any additional Equipment, network, environmental, or other requirements needed during integration testing and/or otherwise known to be necessary for the implementation.

Y

R466. 11) Proactively provide Customer ADM staff, VITA, and other Third Parties with support for Mainframe Equipment and System Software used to support ADM activities.

Y

R467. 12) Provide reports, at least monthly, on software upgrades applied, including patching to VITA and Customer. Y

R468. 13) Provide monthly reports of upcoming software releases, software renewals and end-of-support notices to VITA and affected Customers, at least 180 days prior to expirations date.

Y

R469. 7.1.3 Malicious code or unauthorized code Protection


R471. 1) Install, update, operate, and maintain malware prevention, unauthorized code prevention, Intrusion Detection System (IDS)/Intrusion Prevention System (IPS), Phishing, Spamming, and denial of service Software and tools as applicable to comply with VITA Rules or Customer-specific rules and in accordance with industry best practices on all Equipment used to deliver or support the Services.

Y

Install, update, operate, and maintain Intrusion Detection System (IDS)/Intrusion Prevention System (IPS) used to prevent unauthorized access to HPES assets in the CMDB providing service to VITA (e.g. Denial of Service (DoS, Distributed Denial of Service DDoS). IOS Software and management tools will be configured to support VITA Requirements and/ or Customer-specific rules in accordance




with industry best practices. This practice is applicable to all Equipment used to deliver or support VITA Services.

R472. 2) Maintain subscription to services that proactively announce vulnerability, patch, and pattern updates. Y

R473. 3) Install available updates, in accordance with Change Management, to malicious-prevention Software and services as needed or as directed by VITA, within the timeframes specified by relevant Third Parties, vendors, or industry experts – except as otherwise approved by VITA.

Y

R474. 4) Respond to and resolve malware, unauthorized content, hacking, Phishing, denial of service, and similar Incidents. Upon detection of malware or unauthorized content, take immediate steps to notify VITA, Customer and the Service, as well as to:

Y

Respond to and resolve unauthorized access or unauthorized activity against the VITA resources (e.g. DoS, hacking etc.). Upon detection of unauthorized access or unauthorized activity, take immediate steps to notify VITA, Customer and the Service, as well as to:

R475. a) Assess the scope of damage. Y

R476. b) Report status of the incident and mitigation activities to VITA once every 24-hours until the incident is resolved. Y

R477. c) Arrest the spread and progressive damage from malware or unauthorized code. Y

R478. d) Eradicate malware or unauthorized code. Y

R479. e) Restore all data and Software to its original state. Y

R480. 5) Provide proactive alerts to VITA, the Service Desk, or Customers as appropriate relative to current code threats either specific to VITA’s environment, encountered in Supplier’s environment, or based on industry information.

Y

R481. 6) Provide additional temporary resources in the event of a major computer malware, outbreak, phishing, hacking, denial of service, or similar event so VITA’s and Customers’ performance does not degrade because of an unavailability of Supplier resources.

Y

Provide additional temporary resources in the event of a major service disruption due to unauthorized access or unauthorized activity or similar event so VITA’s and Customers’ performance does not degrade because of an unavailability of Supplier resources.

R482. 7.1.4 Intrusion Systems


R484. 1) Establish processes and procedures in the Service Management Manual with VITA, Suppliers and other designated Third Parties for the management, monitoring, alerting, notifying and reporting for Intrusion Systems.

Y

R485. 2) Provide access to systems, policies and procedures related to intrusion Y




detection, interception and prevention for the purpose of validating and verifying those systems, policies and procedures to VITA and designated Third Parties at the request of VITA.

R486. 3) Monitor all Intrusion Systems from a central logging system, and provide appropriate response to alerts, 24 x 7 x 365, based upon mutually agreed procedures.

Y

R487. 4) Review Intrusion Systems logs and provide appropriate response to messages including, but not limited to, alerts and access denial messages, based upon mutually agreed procedures.

Y

R488. 5) Provide notifications to VITA and Customers relative to current intrusion threats either specific to VITA’s and Customers environment, encountered in the Supplier’ environments, or based upon industry information.

Y

R489. 6) Upon detection of an intrusion alert, take immediate steps to notify VITA and Customers, and to execute the processes for Security Incident Management. Y

R490. 7) Evaluate technology improvements for intrusion detection and prevention and bring forth those improvements to VITA for consideration. Y

R491. 7.1.5 Supplier License Management and Compliance


R493. 1) Manage compliance with all Software licenses by monitoring and validating Software use. Y

R494. 2) Proactively monitor the use of the Software in order to maintain strict compliance, including: Y

R495. a) Immediately notify and advise VITA of all Software license compliance issues. Y

R496. b) Provide the Software and acquire the correct number of the licenses to be compliant with the Supplier’s Third Party Vendor requirements. Y

R497. c) Monitor the Equipment for the presence of any unauthorized or non-standard Software. Y

R498. d) Track license counts and associations. Y

R499. e) Manage and track security certificates used to secure confidential sessions (e.g., SSL) for Internet and Intranet transactions and Y




communications, including processes and procedures for renewals.

R500. 3) To the extent enabled by the Supplier-provided and VITA-approved enterprise management systems, perform the following activities: Y

R501. a) Define and check for particular Software signatures. Y

R502. b) Monitor the use of Software developed by the Supplier application development groups. Y

R503. c) Check the presence and version of Software installed on a particular device and record in the asset management system. Y

R504. d) Provide reporting of license information and compliance to VITA, at least quarterly or as directed by VITA. Y

R505. e) File and track Software license agreements and associated license keys, including processes and procedures for renewals; associate with CI in the CMDB.

Y

R506. 7.1.6 Network Connectivity


R508. 1) Provide that Equipment connected to the networks of VITA is in compliance with the Security Plan and the security policies of VITA. Y

R509. 2) If the Supplier chooses to implement some portion of the Services in facilities outside of the CESC (e.g., disaster recovery sites, service delivery centers, etc.), the Supplier will provide the network connections from those locations to the CESC.

Y

R510. 3) For the network connections provisioned by the Supplier as part of its solution: Y

R511. a) Manage and support the network connections (e.g., WAN circuits). Y

R512. b) Ensure there is adequate bandwidth to support the management of the Services from the Supplier-provided facilities. Y

R513. c) Monitor and report to VITA on bandwidth utilization including trend analysis. Y

R514. d) Coordinate with the Data Center LAN provider to ensure proper connectivity between the Supplier’s transport and the CESC LAN. Y

R515. e) Ensure that connections are secured for the delivery of the Services, and Y




only for the Services, in compliance with the Security Plan.

R516. 8.0 Optional Services

R517. Included in the scope of this Exhibit 2.2 Description of Services: Cross Functional are certain services that, for this requested response, are identified as optional services. A distinct and separate response is requested for the optional service described at 8.1 below. Optional services described at 8.1 below are not to be included within the base charges for Mainframe Services for the term of the agreement. VITA, at its discretion, may elect to include this optional service as New Service.

R518. 8.1 Level 1 Service Desk


R520. Over the next several years, VITA intends to re-procure its Level 1 Service Desk. Until the new Service Desk is established, the Mainframe Supplier may need to provide a Service Desk to respond to Users of Supplier Services.

R521. 1) Provide a single point of contact Service Desk available at all times (i.e. 24 hours a day, 365 days a year). Y

R522. 2) Manage all contacts from Users relating to Services, including the following: Y

R523. a) Open a ticket and log all relevant details in a ticket in the appropriate Service Management Manual (e.g. Incident record in the Incident Management System).

Y

R524. b) Assign categorization and prioritization codes. Y

R525. c) Provide first-line investigation and diagnosis. Y

R526. d) Resolve those as fast as possible (e.g. first call resolution). Y

R527. e) Build and maintain Knowledge Database and FAQs. Y

R528. f) Ensure contacts (e.g., call for an Incident or Service Request) are appropriately routed to the best resolver for the ticket. Y

R529. g) Ensure tickets are serviced in the most expeditious manner possible. Y

R530. h) Monitor performance of service desk and agents using best practice key performance indicators (KPIs). Y

R531. i) Escalate those that cannot be resolved within agreed timescales. Y

R532. j) Communicate with users, keeping them informed of progress, changes Y




(and reasoning for changes) to ticket status (e.g., suspended, resolved, severity changes), notifying them of impending actions, obtaining appropriate agreement, and in all ways engaging and communicating with them about Supplier activities.

R533. k) Close all tickets (e.g., Resolved Incidents, Service Requests) from contacts and retain overall responsibility and ownership of all tickets. Y

R534. l) Facilitate improvements in the environment to mitigate future need for contacts. Y

R535. 3) Provide multiple methods for contacts and tracking of tickets from Users, including phone calls, chat, mobile access, web entry, and other methods as approved by VITA.

Y

R536. 4) Manage the intake of all contacts (e.g., Incidents, Service Requests) in the same manner (i.e., time frames and level of care) regardless of contact method. Y

R537. 5) Provide access to Service Management tools for identified Users (i.e., typically Customer IT personnel). Y

R538. 6) Minimize redundant contacts with the Users. Y

R539. 7) Provide processes, controls and tools to enable identification of Users by a multiple single identifiers, including name, e-mail address and PIN number; and other identifiers as approved by VITA.

Y

R540. 8) Provide processes to support the use of Customer provided Service Desk attendant scripts that include Customer specific scripts as required, for supporting Incidents and Service Requests related to the Services, Customers specific Applications, systems, sites, etc.

Y

R541. 9) Conduct periodic reviews of attendant scripts with Customer. Y

R542. 10) Conduct surveys of Users immediately after they have used the Service Desk (i.e., Customer Satisfaction Survey), consistent with the processes and survey approach at the primary COV Level 1 Service Desk.

Y

R543. 11) Develop and periodically update escalation procedures, and distribute such procedures to designated Users upon VITA approval. Y

R544. 12) Develop and document processes regarding interfaces, interaction, and responsibilities between differing support levels (e.g. Level 1 Support personnel, Level 2 Support personnel), and any other internal or external persons or entities that may either submit receive a ticket.

Y




R545. a) Ensure that the Level 2 Support within Customer organizations (e.g., application support groups) are documented as such an entity. Y

R546. 13) Provide support to Users on both a reactive and a proactive basis, and for both in-bound and out-bound support. Y

R547. a) Provide process to handle designation and establishment of User rights. Y

R548. b) Track and manage the rights associated with individual Users. Y

R549. 14) Provide process for continuous evaluation and improvement of Service Desk support activities (e.g., “shift work left” toward Level 0 self-service and automation technologies).

Y

R550. 15) Provide for correlation of Events and Incidents for proactive actions. Y

R551. a) Investigate related Events from the Event Correlation and Monitoring System. Y

R552. b) Investigate related Incidents from the Incident Management System. Y

R553. c) Provide analysis to create any required Incidents and Problems. Y

R554. d) Provide routing of Incidents and Problems to appropriate resolver groups in a timely fashion. Y

R555. 16) Provide a single, toll-free (in-country) telephone number for external calls to the Service Desk from Users, and provide VITA with an alternative local number. Y

R556. 17) Ensure staffing levels and work allocation remains appropriate to handle the volume of contacts, resulting tickets, and ticket response targets. Y

R557. 18) Ensure that each work shift has a process to update the following work shift regarding status of key incidents, incident hand-offs and general knowledge transfer to ensure that Customer problems are resolved in a timely manner.

Y

R558. 19) Provide an effective means of using industry recognized methods to determine, measure and monitor staffing levels, requirements and allocations. Y

R559. 20) Communicate to Users in English, using terms that are clearly understood by the Users and consistent with those used by VITA. Y

R560. 21) The Service Desk will be located in Supplier facilities (i.e., an off-site location from VITA), approved by VITA. Y

R561. a) Where more than one Supplier facility is approved by VITA, any switching between the sites must be transparent to Users. Y

R562. b) Facilities and personnel must be located in the continental United Y




States.

R563. 22) Provide Service Desk personnel that are trained and at minimum meet the following: Y

R564. a) Possess the appropriate competencies to provide Service Desk Services. Y

R565. b) Understand VITA and Customers’ business, service levels, and respond appropriately. Y

R566. c) Understand VITA’s and Customers’ technology and sourcing arrangements. Y

R567. d) Use recognized customer service and interpersonal skills, such as telephony skills, communication skills, active listening and customer care.

Y

R568. e) Recognize social engineering attempts and follow processes to prevent misuse of password resets Y

R569. f) Demonstrate basic technical skills in end-user computers, desktop applications, web browsers and internet use. Y

R570. g) Use good judgment and show the ability to make appropriate decisions and initiate actions that reflect Customer priorities. Y

R571. h) Understand changes in products and services, as they become part of the Services provided by Suppliers. Y

R572. 23) Provide and maintain instructions for Users to access the Services. Y

R573. a) The instructions will be made available to Users via the Portal and other media as requested by VITA. Y

R574. 24) Facilitate the appropriate management of tickets to ensure timely response. Y

R575. a) Monitor ticket queues and action tickets that are not being addressed Y

R576. b) Report to VITA and other Customers on tickets that cannot be assigned appropriately. Y

R577. 25) Allow VITA to identify very important persons (VIP) Users who will require prioritized and expedited support services. Provide call routing or escalation options to more quickly address issues raised by these VIP Users.

Y

R578. 26) Conduct continual improvement activities to review Service Desk processes and procedures. Y

R579. 27) Provide input and feedback to the Knowledge Database based on analysis of Y




contacts, Incidents and Problems.

R580. 28) Provide regular reports to VITA on Service Desk activities and performance, which at a minimum includes: Y

R581. a) Key issues relating to Service Desk processes, improvements, script development. Y

R582. b) Status as to Service Desk staffing, training, and authorization. Y

R583. c) Integration activities and issues with other Service Desks belonging to VITA, Customers and other Service Tower Providers as directed by VITA. Y

R584. d) Trend analysis. Y

R585. e) Calculate metrics and provide monthly reports to VITA, to at least include: Y

R586. i.) Number of contacts, including electronic, automated or otherwise. Y

R587. ii.) Percentage of calls abandoned, average call duration, average time to answer, average time to abandon. Y

R588. iii.) Number and percentage of contacts resolved. Y

R589. iv.) Number and percentage of contacts passed to other Service Desks. Y

R590. v.) Number and percentage of misrouted tickets. Y

R591. vi.) Other pertinent information regarding Service Desk operation and performance. Y

R592. vii.) Overall service desk availability Y

exhibit 2.2 description of services: cross functional

Documents