
Page 1

Commercial in Confidence IT/March 2014/ SUPPLY AND IMPLEMENTATION OF A DATABASE AND WEB APPLICATION SECURITY/FIREWALL SOLUTION.

REQUEST FOR PROPOSAL (RFP)

Release Date: Wednesday, 05th March 2014

Last Date for Receipt of Bids: Wednesday, 26th March 2014 at 3.00 p.m. (GMT+3) Nairobi (Kenya)

IT/March 2014/ SUPPLY AND IMPLEMENTATION OF A DATABASE AND WEB APPLICATION SECURITY/FIREWALL SOLUTION.

Page 2

ISSUE OF RFP DOCUMENT TO PROSPECTIVE BIDDERS – Database Security and Web Application Monitoring

This form serves as an acknowledgement of receipt of the tender and participation. This page is to be completed immediately on download and a scanned copy e-mailed to [email protected]. Firms that do not register their interest immediately in this manner may not be sent the RFP addenda should any arise.

Table 1: Registration of Interest to Participate

| Item | Supplier Details |
|---|---|
| Name of Person | |
| Organization Name | |
| Postal Address | |
| Tel No | |
| Fax No | |
| Email Address (this e-mail address should be clearly written as communication with bidders shall be through e-mail) | |
| Signature: | |
| Date | |
| Company Stamp | |

Page 3

Table of Contents

1. SECTION 1 - REQUEST FOR PROPOSALS (page 4)
1.1 Introduction (page 4)
1.2 Background of the Project (page 4)
1.3 Aims and Objectives of the project (page 4)
1.4 Format of RFP Response and Other Information for Bidders (page 5)
Financial Evaluation (separate sealed envelope) (page 13)
SECTION 2 – SCOPE OF SERVICES (page 15)
2.11 Brief Overview of Technical Systems Environment (page 17)
Database / Programming Environments (page 17)
Web Applications (page 17)
2.12 Functional Requirements (page 18)
Delivery, Testing and Acceptance (On Successful Bidding) (page 18)
SECTION 3 - GENERAL CONDITIONS OF CONTRACT (page 19)
3.1 Introduction (page 19)
3.2 Award of Contract (page 19)
3.3 Application of General Conditions of Contract (page 19)
3.4 Ownership (page 19)
3.5 Bid Validity Period (page 19)
3.6 Performance Security (page 20)
3.7 Delays in the Bidder’s Performance (page 21)
3.8 Liquidated Damages for Delay (page 21)
3.9 Governing Language (page 21)
3.10 Applicable Law (page 21)
3.11 Bidder’s Obligations (page 21)
3.12 The Bank’s Obligations (page 23)
3.13 Confidentiality (page 23)
3.14 Force Majeure (page 23)
Appendix A – Technical Requirements Matrix (page 27)
Exhibit A - Reference Sites (page 47)
Appendix I (page 48)
ANNEX 3 – SUPPLIER QUESTIONNAIRE (page 49)
ANNEX 4 – PERFORMANCE SECURITY FORM (FORMAT) (page 58)
ANNEX 5 – CERTIFICATE OF COMPLIANCE (page 59)

Page 4

1. SECTION 1 - REQUEST FOR PROPOSALS

1.1 Introduction

Kenya Commercial Bank Limited (hereinafter referred to as “the Bank”) is a leading commercial banking group in the East African region, renowned for its diversity and growth. In addition to Kenya, it has other subsidiaries, namely: KCB (Tanzania) Limited, a banking subsidiary operating in Tanzania; KCB (Uganda) Limited, a banking subsidiary operating in Uganda; KCB (Sudan) Limited, a banking subsidiary operating in Sudan; KCB (Rwanda) Limited, a banking subsidiary operating in Rwanda; and KCB Burundi, a banking subsidiary operating in Burundi.

The objective of this RFP is to provide the Bank with information about bidders’ capability to plan, install, implement and manage this process from end to end with structured methodologies and skilled personnel, on a fixed time schedule and within budget.

1.2 Background of the Project

The Bank operates in a highly computerised environment that includes maintaining connections to its business partners and to the world at large through the internet and dedicated point-to-point connections. Therefore, like similar organisations, it is prone to business interruptions as a result of failed or malfunctioning systems, business data corruption or stolen data.

Computer system holes and vulnerabilities make it possible to exploit insecure implementations and may result in system failures and exploits, whether by malice, mistake or innocently. Further, the Bank needs to ensure its systems are protected and implemented as per best practice and thereby avoid damage to itself or its business partners.

1.3 Aims and Objectives of the project

The KCB Group has decided to implement a Database and Web Application Firewall solution to enhance the security of Critical Systems that are accessed by internal as well as external stakeholders, as part of an overall strategy to implement more secure, productive, industry-standard information technology (IT) management processes and supporting IT management applications.

This Request for Proposal (RFP) is being released on open tender. Proposal responses are expected from suppliers of database and web application firewall solutions.

Page 5

The information in this document and its appendices and attachments is confidential and is subject to the provisions of our non-disclosure agreement, and should not be disclosed to any external party without the explicit prior written consent of Kenya Commercial Bank.

The Bank has prepared this Request for Proposal (RFP) to facilitate the selection of a vendor to provide such a solution.

Objectives

The purpose of the assignment is to acquire, implement and maintain Database and Web Application Firewall solutions for the KCB Group that will improve KCB Group’s security of all public / internet-facing applications and reinforce the defense-in-depth approach in place.

Based on KCB Group strategy, the project will help KCB Group to mitigate the risks related to web access control operations by:

1.3.1 Automatically learning the web application structure and user behavior

1.3.2 Virtually patching databases and applications through vulnerability scanner integration

1.3.3 Updating database and web defenses with research-driven intelligence on current threats

1.3.4 Delivering high-performance, business-relevant reporting and alerts

1.4 Format of RFP Response and Other Information for Bidders

1.4.1 The overall summary information regarding the SUPPLY AND IMPLEMENTATION OF A DATABASE AND WEB APPLICATION SECURITY/FIREWALL SOLUTION is given in Section 2 – Scope of Services, and the summary in 1.3 Aims and Objectives. The bidder shall include in their offer any additional services considered necessary for the successful implementation of their proposal.

1.4.2 Proposals from bidders should be submitted in two distinct parts, namely a Technical proposal and a Financial proposal, and these should be in two separate sealed envelopes, both of which should then be placed in a common sealed envelope marked:

“IT/March 2014/ SUPPLY AND IMPLEMENTATION OF A DATABASE AND WEB APPLICATION SECURITY/FIREWALL SOLUTION

Page 6

DO NOT OPEN BEFORE Wednesday, 26th MARCH 2014 at 3.00 pm (GMT+3) Nairobi Kenya”

The two separate inner envelopes should be clearly marked “Technical Proposal” and “Financial Proposal”, respectively, and should bear the name of the Bidder.

1.4.3 The Technical Proposal should contain the following:

Bidders willing to be considered for SUPPLY AND IMPLEMENTATION OF A DATABASE AND WEB APPLICATION SECURITY/FIREWALL SOLUTION are expected to furnish the Bank with, among others, the following vital information, which will be treated in strict confidence by the Bank.

- Provide a company profile as per the supplier questionnaire in Annex 3.
- The RFP response document duly signed as per ANNEX 5 – CERTIFICATE OF COMPLIANCE.
- Approval licenses, by the various bodies for compliance, MUST be included where applicable.
- Audited financial statements of the company submitting the RFP bid, for the last three years.
- Demonstrate capability and capacity to provide the technical requirements, functional requirements and functionalities as per KCB requirements in Section 2.0.

NOTE: The Financial Proposal MUST BE IN A SEPARATE SEALED ENVELOPE CLEARLY MARKED “FINANCIAL PROPOSAL”.

1.4.4 Clearly indicate the total cost of carrying out the solution as follows:

a. The Supplier shall provide a firm, fixed price for the Original Contract Period. All costs associated with the required system shall be included in the prices. Kindly note that the cost should include supply, installation and commissioning of the system, inclusive of all freight charges and applicable duties and taxes (VAT and withholding tax).

Provide an itemized list of all items included and summarize your costs as shown in the table below:

Page 7

PRICE BREAK-DOWN (In a separate sealed envelope as per clause 1.4.2)

| Item | Requirement Description | Unit of Measure / Rate | Taxes | Total Cost (incl. of Taxes) |
|---|---|---|---|---|
| i. | Software/Licencing Costs | 1. No. of users quoted for; 2. Licence model quoted for | | |
| ii. | Software/Licencing Costs - Third Party | Third Party Applications | | |
| iii. | Annual Support / Maintenance cost | AMC model of computation | | |
| iv. | Implementation, installation and configuration costs | 1. Define 1 man day in hours; 2. Rate per man day | | |
| v. | Training costs | 1. Define 1 man day in hours; 2. Rate per man day | | |
| vi. | Logistics costs and other costs | 1. No. of room nights for accommodation; 2. No. of travel days; 3. Define 1 travel day | | |
| vii. | Customization and Integration | 1. Define 1 man day in hours; 2. Rate per man day | | |
| viii. | Modules | Confirm and list modules quoted for in the Financial proposal | | |
| ix. | Any other cost | As applicable | | |

b. Additional Cost to Complete. Provide an itemized list of any items not included above by the Bank, and related costs, that the Supplier deems necessary to meet the requirements specified in the proposal. Failure to provide said list shall not relieve the Supplier from providing such items as necessary to meet all of the requirements specified in the proposal at the Fixed Price Purchase Costs proposed.

1.4.5 Soft copies of each proposal are to be provided in the standard Microsoft Office suite of programs or Adobe Reader format and delivered together with the hard copy of the tender. NOTE that only the information in the hard-copy bound bid document shall be considered as the MAIN source document.

1.4.6 Bidders are requested to hold their proposals valid for ninety (90) days from the closing date for submission. The Bank will make its best efforts to arrive at a decision within this period.

Page 8

1.4.7 Assuming that the Contract will be satisfactorily concluded, the bidders shall be expected to commence the assignment after the final agreement is reached.

1.4.8 The bid documents shall be addressed to the following address and dropped at the tender box on the 5th Floor, Kencom House, Wing B, on or before the closing date.

Head of Procurement
Kenya Commercial Bank
5th Floor Kencom House
P.O. Box 48400, 00100
Nairobi, Kenya

Please note that tenders received by facsimile or electronic mail will be rejected.

1.4.9 If a bidding firm does not have all the expertise and/or resources for the assignment, there is no objection to the firm associating with another firm to enable a full range of expertise and/or resources to be presented. The request for a Joint Venture shall be accompanied by full documented details of the proposed association.

1.4.10 In the case of a Joint Venture or Association, all the firms constituting the Joint Venture or Association will be jointly and severally liable, and at least one firm in the Joint Venture or Association shall be financially capable of meeting the contract requirements and potential liabilities on its own and shall assume contracting responsibility and liability for satisfactory execution of the assignment.

1.4.11 The contracting arrangements shall define clearly the responsibilities and the services to be provided by each firm in the case of a joint venture.

1.4.12 The Bank reserves the right to accept or to reject any bid, and to annul the bidding process and reject all bids at any time prior to the award of the contract, without thereby incurring any liability to any Bidder or any obligation to inform the Bidder of the grounds for its action.

1.4.13 The vendor’s terms and conditions will not form part of any contract with KCB in relation to this tender.

Page 9

Canvassing is prohibited and will lead to automatic disqualification.

1.4.14 Cost of bidding

The Bidder shall bear all costs associated with the preparation and submission of its bid, and the Bank will in no case be responsible or liable for those costs, regardless of the conduct or outcome of the bidding process.

1.4.15 Clarification of Bidding Document

i. All correspondence related to the contract shall be made in English.

ii. Should there be any doubt or uncertainty, the Bidder shall seek clarification in writing addressed to the Head of Procurement through e-mail to: [email protected].

iii. Any clarification sought by the bidder in respect of the RFP shall be addressed at least nine (9) calendar days before the deadline for submission of bids, in writing, to the Head of Procurement through the same e-mail.

iv. It is the responsibility of the Bidder to obtain any further information required to complete this RFP.

v. Any clarification requests and their associated responses will be circulated to all Bidders.

vi. The last date for receipt of requests for clarifications from bidders is Wednesday 17th March 2014.

The RFQ Clarification Template is as follows:

Company Name:
Contact Person: (primary Supplier contact)
E-mail:
Phone:
Fax:
Document Number/Supplier:

| # | Date (1) | Section/Paragraph (2) | Question |
|---|---|---|---|
| 1 | | | |
| 2 | | | |
| 3 | | | |

(1) Question(s) mailing date.
(2) From the KCB Document.

Page 10

The queries and replies thereto shall then be circulated to all other prospective bidders (without divulging the name of the bidder raising the queries) in the form of an addendum, which shall be acknowledged in writing by the prospective bidders.

Enquiries for clarifications should be sent by e-mail to: [email protected]

1.4.16 Amendment of Bidding Document

At any time prior to the deadline for submission of bids, the Bank, for any reason, whether at its own initiative or in response to a clarification requested by a prospective Bidder, may modify the bidding documents by amendment.

All prospective Bidders that have received the bidding documents will be notified of the amendment in writing, and it will be binding on them. It is therefore important that bidders give the correct details in the format given on page 1 at the time of collecting/receiving the RFP document.

To allow prospective Bidders reasonable time to take any amendments into account in preparing their bids, the Bank may at its sole discretion extend the deadline for the submission of bids based on the nature of the amendments.

1.4.17 Deadline for Submission of Bids

Bids should be addressed to the Head of Procurement and sent for receipt on or before Wednesday 26th March 2014. Any bid received by the Bank after this deadline will be rejected. Those submitting tenders, or their representatives, may attend the tender opening at the date and time of submission.

1.4.18 Responsiveness of Proposals

The responsiveness of the proposals to the requirements of this RFP will be determined. A responsive proposal is deemed to contain all documents or information specifically called for in this RFP document. A bid determined not responsive will be rejected by the Bank and may not subsequently be made responsive by the Bidder by correction of the non-conforming item(s).

1.4.19 Bid Evaluation and Comparison of Bids

Technical proposals will be evaluated and will form the basis for bid comparison. All tender responses will be evaluated in three phases:

a. Preliminary evaluation that will determine administrative compliance.

b. Detailed technical evaluation to determine technical compliance and support responsiveness of the vendor.

Page 11

c. Financial evaluation to consider pricing competitiveness and the financial capability of the vendors.

Once the bids are opened, bid evaluation will commence.

Sample Preliminary phase evaluation form

| Item No. | Item Description/Required Requirements | Requirement | Notes from Supplier’s Bid (tick if submitted fully, cross X if not submitted or partial submission) |
|---|---|---|---|
| 1 | Certificate of compliance (attached) | Must submit | |
| 2 | Certificate of incorporation or registration | Must submit | |
| 3 | Copies of VAT, PIN, Ministry of Public Works approval | Must submit all | |
| 4 | Copies of certified NSSF, NHIF returns for the last recent 3 months | Must submit all | |
| 5 | Attached copies of relevant technical certificates/CVs of staff | Must submit relevant to this project | |
| 6 | Copies of audited books of accounts for the last 3 years, i.e. 2010, 2011, 2012 | Must submit | |
| 7 | Complete address (physical, postal, telephone, facsimile and e-mail) for the head office and all other registered offices in Kenya | Must submit | |
| 8 | Letter of accreditation by the principals | Must submit | |
| 9 | List of directors and principal officers of the company | Must submit list of directors and shareholding ratio | |
| 10 | Letter of no objection from the suppliers and/or reference sites given | Must submit | |
| | Does Supplier qualify to proceed? (Yes/No) | Failure to submit any of the above disqualifies Supplier from further evaluation | |

Page 12

Technical Evaluation

The technical evaluation will constitute 100% of the overall score and will include a desktop evaluation and additional detailed evaluations. The desktop evaluation will be scored as follows: the vendor’s ability to meet and exceed the objectives of the RFP together with the functional requirements detailed in Appendix A.

Experience and reliability of the Supplier’s organization are considered in the evaluation process. Therefore, the Supplier is advised to submit any information which documents successful and reliable experience in past performances, especially those performances related to the requirements of this RFP.

The Supplier should provide the following information related to previous and current services/contracts performed by the Supplier’s organization and any proposed subcontractors which are similar to the requirements of this RFP (this information may be shown on the form attached as Exhibit A to this RFP or in a similar manner):

a. Name, address, and telephone number of the client/contracting agency and a representative of that client/agency who may be contacted for verification of all information submitted;

b. Dates and locations of the service/contract; and

c. A brief, written description of the specific prior services performed and the requirements thereof.

Proposals will be evaluated based on the Supplier’s distinctive plan for performing the requirements of the RFP. Therefore, the Supplier should present a written narrative which demonstrates the method or manner in which the Supplier proposes to satisfy these requirements. The language of the narrative should be straightforward and limited to facts, solutions to problems, and plans of action.

Where the words “shall” or “must” are used, they signify a required minimum function or system capacity that will heavily impact the Bidder’s final response rating.

Where the words “may” or “desired” are used, they signify that the feature or capacity is desirable but not mandatory; therefore, the specifications in question will have minimal impact on the Bidder’s final response rating.

The method by which the proposed method of performance is written will be left to the discretion of the Supplier. However, the Supplier should address each

Page 13

specific paragraph and subparagraph of the Specifications, by paragraph and page number, as an item for discussion. Immediately below these numbers, write descriptions of how, when, by whom, with what, to what degree, why, where, etc., the requirements will be satisfied.

Demo / Proof of Concept

After the desktop evaluation as per the RFP response, the prospective supplier will be required to give further detailed proof of the viability of the solution, highlighting the functionality as represented in the RFP. This may include all or part of the following:

- Vendor presentations
- A solution demo with the actual installed solution
- A Proof of Concept installation at the bank’s premises in a test scenario, if so required
- Site visits to current clients of the supplier who have implemented a similar solution to that put forward in the RFP response

It should be noted that vendors will be progressively evaluated from one stage to the other. Only shortlisted vendors will progress to the next stage.

Site visits

In the event that the bank may need to visit a client site, vendors will be notified in writing. The bank may also make surprise unannounced visits to the vendor’s offices to verify any information contained in the bid document. All visits are at the discretion of the bank. Vendors may also be called upon to make brief presentations and/or demos of their technical solutions before a panel constituted by the bank.

Financial Evaluation (separate sealed envelope)

Financial evaluation will constitute 100% of the overall score and will concentrate on the following.

a. Pricing

All bids in response to this RFP should be expressed in USD or KSH. For those expressed in USD, a Kenya Shilling equivalent MUST be given, clearly indicating the exchange rate. Those who do not indicate the Kenya Shilling equivalent MAY not be considered further for evaluation.

NOTE: Expressions in other currencies shall not be permitted.

Page 14

i. The Supplier shall provide a firm, fixed price for the Original Contract Period. All costs associated with the required services/equipment shall be included in the prices. All deliveries shall be made FOB Destination with freight charges fully included and prepaid. The Supplier pays and bears the freight charges.

ii. Costs inclusive of VAT and other applicable taxes where necessary, and man/day estimates, where appropriate, broken down by:

1. General supplier costs
2. Training
3. Ongoing fixed costs (annual maintenance, annual licensing, etc.)
4. Installation costs, which should include complete installation and customization of reports, case management and integration with other systems.
5. Any other costs

The VAT amount must be clearly stipulated and separated from the base costs. The quoted prices should be valid for a minimum of 90 days. Any other fees required for deployment and ongoing support must be quoted separately.

Provide an itemized list of any other items and related costs that the Supplier deems necessary to meet the requirements specified in the proposal. Failure to provide said list shall not relieve the Supplier from providing such items as necessary to meet all of the requirements specified in the proposal at the Fixed Price Purchase Costs proposed.

KCB SHALL ONLY MAKE PAYMENTS THROUGH A KCB ACCOUNT AND THUS ALL BIDDERS ARE ENCOURAGED TO OPEN AN ACCOUNT.

The Bank will not make any payments in advance. The Bank will issue an LPO for all the equipment and/or services ordered. The LPO will be paid within 45 days after delivery, testing, installation and acceptance of the equipment and/or services supplied. The Bank will not accept partial deliveries. Payment for equipment and/or services will only be made once the entire ordered equipment and/or services are delivered, installed and commissioned.

b. Correction of Errors. Bids determined to be substantially responsive will be checked by the Bank for any arithmetical errors. Errors will be corrected by the Bank as below:

Where there is a discrepancy between the amounts in figures and in words, the amount in words will govern, and

Page 15

Where there is a discrepancy between the unit rate and the line total resulting from multiplying the unit rate by the quantity, the unit rate as quoted will govern. The price amount stated in the Bid will be adjusted by the Bank in accordance with the above procedure for the correction of errors.

c. Financial stability

This will involve an assessment of key standard financial ratios and trends for the last 3 years such as profitability, leverage, debt ratio, gross margins and sales turnover. However, the Bank is under no obligation to award the tender, as per clause 1.4.12.

SECTION 2 – SCOPE OF SERVICES

The security of IT applications has become a mission-critical aspect of the IT Security strategy. We are not only seeking a supplier for the software and hardware but also a partnership with the provider to help KCB Group leverage this technology through a sound implementation approach with proven organizational adoption tools. Based on the above, the scope will include the following:

2.1 Supply, install, configure and maintain Database and Web Application Firewall solutions (software, hardware) that will meet the functional and technical requirements.

2.2 Provide Database Firewall solutions with core capabilities for the following database platforms:

  Oracle
  MS-SQL
  Sybase
  DB2
  Informix
  MySQL
  Teradata
  PostgreSQL
  Netezza


2.3 Provide Web Application Firewall solutions with core capabilities of supporting Web and portal applications such as Outlook Web Access (OWA), SharePoint and all custom in-house web applications.

2.4 Develop and propose an implementation methodology with a roadmap/schedule, with monitoring targets and risks towards the desired target.

2.5 Provide the implementation services of the solution as stated in the proposed roadmap, from installation and configuration to final deployment of the solution.

2.6 Deliver training services for the Database and Web Application Firewall solution during the implementation for technical staff, for knowledge transfer on both the functional and technical aspects.

2.7 Deliver documentation of the solution from installation to deployment.

2.8 Provide maintenance service for the solution including software version upgrade and hardware replacement.

2.9 Provide support and assistance including both remote and local/onsite assistance for resolution of major technical problems and/or issues.

2.10 Current Installations

This section provides a brief overview of the KCB establishment that is relevant to the proposed solution. The Kenya Commercial Bank is incorporated in Kenya. The bank's establishment in Kenya consists of 167 branches.

It has 4 other subsidiaries:

  KCB Rwanda – Headquarter + 9 branches
  KCB Tanzania – Headquarter + 10 branches
  KCB Uganda – Headquarter + 14 branches
  KCB Sudan – Headquarter + 20 branches

The Head Office for the group is located in Kencom House, Nairobi, Kenya. Further information about the bank can be obtained from the group's website (http://www.kcbbankgroupgroup.com).


2.11 Brief Overview of Technical Systems Environment

The bank has several computerised systems, the most relevant of which (for the purpose of this project) are summarised below.

Database / Programming Environments

  MS SQL Server 2000 /2005 /2008
  Oracle; various flavours of the database including but not limited to versions 8i /9i /10g/11i
  Informix
  JBOSS
  Microsoft .Net 2.0 and above
  Sybase Adaptive Enterprise Server database
  Client-side applications developed in Visual Studio/.Net and PowerBuilder 6.0

Web Applications

  T24 Core banking system from Temenos. This application runs on HP-UX at the backend while the clients are browser based (Firefox and Internet Explorer version 6.1 and above). The backend system is programmed using JBOSS and Oracle.
  Microsoft SharePoint 2007
  Email Applications: MS Exchange 2010. Proxy Servers / firewalls: Microsoft ISA Server 2006, CISCO PIX, ASA and Checkpoint firewalls. The Microsoft ISA Server 2006 will be replaced with Microsoft Forefront Threat Management Gateway during the year.
  Sybrin clearing system on Windows environment
  Internet & Mobile banking applications
  TranzWare card system


2.12 Functional Requirements

Functional requirements are indicated in Appendix A – Technical Requirements Matrix. The section should be completed in its entirety in the vendor response.

Delivery, Testing and Acceptance (On Successful Bidding)

The product will be deemed to have been:

a) Delivered when

i. The complete machine readable form of the product together with the product documentation is received at KCB's primary location (IT Division, 7th floor Kencom House, Nairobi); and

b) Tested / POC

ii. The bank will test the proposed solution in a test environment to ascertain that all the functionality as put forward by the supplier is met. Incorrect information discovered at this time will constitute grounds for disqualification. It is the responsibility of the supplier to ensure the requirement defined in the proposal is achieved. The signed proposal will be the sole reference document for any discussion of issues arising related to acceptance; and

c) Accepted when

iii. The solution has been successfully installed and configured on the Production environment by the representative of the Supplier as per product documentation; and

iv. Acceptance Criteria: the Bank will accept the proposed deliverables after they have been fully tested by the bank and confirmed to meet the requirements as specified in the original RFP.

KCB shall endeavour to provide the Production environment as soon as it is practically possible. Delivery and performance of the Services shall be made by the successful Bidder in accordance with the time schedule as per the Proposal and subsequent Agreement.


SECTION 3 - GENERAL CONDITIONS OF CONTRACT

3.1 Introduction

Specific terms of contract shall be discussed with the bidder whose proposal is accepted by the Bank. The resulting contract shall include but not be limited to the general terms of contract as stated below from 3.2 to 3.14.

3.2 Award of Contract

Following the opening and evaluation of proposals, the Bank will award the Contract to the successful bidder whose bid has been determined to be substantially responsive and has been determined as the best evaluated bid. The Bank will communicate to the selected bidder its intention to finalize the draft conditions of engagement submitted earlier with its proposal. After agreement has been reached, the successful Bidder shall be invited for signing of the Contract Agreement to be prepared by the Bank in consultation with the Bidder.

3.3 Application of General Conditions of Contract

These General Conditions (sections 3.2 to 3.14) shall apply to the extent that they are not superseded by provisions in other parts of the Contract that shall be signed.

3.4 Ownership

The proposal should be modelled along perpetual licensing with annual maintenance costs, which provides the bank the right to continue using the product 'as is' on expiry of the maintenance period.

The Supplier should include 2-year bundled support and indicate (as a percentage of the product cost where applicable) the cost of continued support after the two years. The bundled support cost should be clearly separated from the cost of the product.

3.5 Bid Validity Period

Bidders are requested to hold their proposals valid for ninety (90) days from the closing date for the submission.


3.6 Performance Security

The Bank may at its discretion require the successful bidder to furnish it with Performance Security. The performance bond amount will be one hundred percent (100%) of the total bid price before the bank can issue any Purchase Order. The performance bond will be valid for a minimum of 9 months and must be provided within 14 days from the date of written notification to the Supplier by the bank to provide the bond. Failure to comply with this requirement will void the tender award and the bank at its sole discretion may award the tender to any other Supplier.

3.6.1 The Performance Security shall be in the form of a bank guarantee issued by a commercial bank operating in Kenya and shall be in a format prescribed by the Bank. The performance guarantee shall be submitted within 10 days of notification of award.

3.6.2 The proceeds of the Performance Security shall be payable to the Kenya Commercial Bank as compensation for any loss resulting from the Bidder's failure to complete its obligations under the Contract.

3.6.3 The Performance Security will be discharged by the Company not later than two months following the date of completion of the Bidder's performance obligations, and the Bank's acceptance of the final report as specified in the contract.

It is a condition of the bank that the Supplier guarantees the sufficiency and effectiveness of the solution proposed to meet the bank's requirements as outlined in this document. The Bank will hold the Supplier solely responsible for the accuracy and completeness of information supplied in response to this tender. The bank will hold the Supplier responsible for the completeness of the solution proposed and that, were the Supplier to be awarded the tender, they would implement the solution without any additional requirements from the bank.


3.7 Delays in the Bidder's Performance

3.7.1 Delivery and performance of the Supply, installation and Maintenance of Signage shall be made by the successful Bidder in accordance with the time schedule as per Agreement.

3.7.2 If at any time during the performance of the Contract the Bidder should encounter conditions impeding timely delivery and performance of the Services, the Bidder shall promptly notify the Bank in writing of the fact of the delay, its likely duration and its cause(s). As soon as practicable after receipt of the Bidder's notice, the Bank shall evaluate the situation and may at its discretion extend the Bidder's time for performance, with or without liquidated damages, in which case the extension shall be ratified by the parties by amendment of the Contract.

3.7.3 Except in the case of "force majeure" as provided in Clause 3.13, a delay by the Bidder in the performance of its delivery obligations shall render the Bidder liable to the imposition of liquidated damages pursuant to Clause 3.8 (Liquidated damages).

3.8 Liquidated damages for delay

The contract resulting out of this RFP shall incorporate suitable provisions for the payment of liquidated damages by the bidders in case of delays in performance of contract.

3.9 Governing Language

The Contract shall be written in the English Language. All correspondence and other documents pertaining to the Contract which are exchanged by the parties shall also be in English.

3.10 Applicable Law

The agreement arising out of this RFP shall be governed by and construed in accordance with the laws of Kenya, and the parties submit to the exclusive jurisdiction of the Kenyan Courts.

3.11 Bidder’s Obligations


3.11.1 The Bidder is obliged to work closely with the Bank's staff, act within its own authority, and abide by directives issued by the Bank that are consistent with the terms of the Contract.

3.11.2 The Bidder will abide by the job safety measures and will indemnify the Bank from all demands or responsibilities arising from accidents or loss of life, the cause of which is the Bidder's negligence. The Bidder will pay all indemnities arising from such incidents and will not hold the Bank responsible or obligated.

3.11.3 The Bidder is responsible for managing the activities of its personnel, or subcontracted personnel, and will hold itself responsible for any misdemeanors.

3.11.4 The Bidder will not disclose the Bank's information it has access to, during the course of the work, to any other third parties without the prior written authorization of the Bank. This clause shall survive the expiry or earlier termination of the contract.

3.11.5 The Bidder shall appoint an experienced counterpart resource to handle this requirement for the duration of the Contract. The Bank may also demand a replacement of the manager if it is not satisfied with the manager's work or for any other reason.

3.11.6 The Bidder shall take the lead role and be jointly responsible with the Bank for producing a finalised project plan and schedule, including identification of all major milestones and specific resources that the Bank is required to provide.

3.11.7 The Supplier represents and warrants that it is entitled to respond to this RFP and that it is fully entitled to the proposed Product by way of reseller licensing or ownership and has the right to sell and/or licence the Product as provided in their RFP response, and shall hold KCB harmless from action for infringement of patents and/or copyrights.


3.12 The Bank's Obligations

In addition to providing the Bidder with such information as may be required by the bidder, the Bank shall:

(a) Provide the Bidder with specific and detailed relevant information;

(b) In general, provide all relevant information and access to the Bank's premises.

3.13 Confidentiality

The parties undertake on behalf of themselves and their employees, agents and permitted subcontractors that they will keep confidential and will not use for their own purposes (other than fulfilling their obligations under the contemplated contract), nor without the prior written consent of the other disclose to any third party, any information of a confidential nature relating to the other (including, without limitation, any trade secrets, confidential or proprietary technical information, trading and financial details and any other information of commercial value) which may become known to them under or in connection with the contemplated contract. The terms of this Clause 2.15 shall survive the expiry or earlier termination of the contract.

3.14 Force Majeure

(a) Neither Bidder nor Bank shall be liable for failure to meet contractual obligations due to Force Majeure.

(b) Force Majeure impediment is taken to mean unforeseen events, which occur after signing the contract with the successful bidder, including but not limited to strikes, blockade, war, mobilization, revolution or riots, natural disaster, acts of God, refusal of license by Authorities or other stipulations or restrictions by authorities, in so far as such an event prevents or delays the contractual party from fulfilling its obligations, without its being able to prevent or remove the impediment at reasonable cost.

(c) The party involved in a case of Force Majeure shall immediately take reasonable steps to limit the consequences of such an event.

(d) The party who wishes to plead Force Majeure is under obligation to inform the other party in writing without delay of the event, of the time it began and its probable duration. The moment of cessation of the event shall also be reported in writing.

(e) The party who has pleaded a Force Majeure event is under obligation, when requested, to prove its effect on the fulfilling of the contemplated contract.


Form of Tender - (In separate sealed envelope clearly marked "Financial proposal summary")

We, M/S___________________________________________________

hereby submit our bid for "REQUEST FOR PROPOSAL FOR PROVISION OF A DATABASE AND WEB APPLICATION FIREWALL SOLUTION" at a total cost of

KES_____________________________________________ or

(in words)

KES___________________________________________________

inclusive of V.A.T and agree to abide by the terms and conditions as stipulated in the Request for Proposal document.

Tenderer's name ------------------------------------------------------------

P. O BOX -----------------------------------------------------------------

Signature of the tenderer ------------------------------------------------------

Company Stamp/Seal.


Performance Security Form (Format)

Know all men by these presents that we:

1. .....................................................................................
(Full name & address in block letters) PRINCIPAL

2. .....................................................................................
(Full name & address in block letters) SURETY

are held firmly bound, jointly and severally, unto Kenya Commercial Bank Limited in the principal sum of United States Dollars

....................................................................................................

for which payment well and truly to be made we bind ourselves firmly by these presents.

The condition of the above obligations being that should the said <name of Bidder> fulfil his/their obligation/s under an agreement entered into between the Kenya Commercial Bank Limited and themselves in respect of <<the requirement>> for Kenya Commercial Bank Ltd. during the period ending .................................................. and not incur cancellation of the agreement for any cause whatsoever, then the above obligation is to be null and void; otherwise to remain in full force and effect. The validity of this guarantee expires on ............................................................................ which is two months beyond the contract period (i.e. after submission and acceptance by the Bank of the final report).

.......................................................................................
PRINCIPAL (Signature)

.......................................................................................
Principal's Stamp

SURETY (Signature)………………………………………..

SURETY's Stamp…………………………………………….

Nairobi this ................. of ..............two thousand and ............................

(The following words should be inserted in the signatory's own handwriting)

"Good for the sum* of United States Dollars ........................................................"

(*sum to be specified in words & figures)


Certificate of Compliance

All Suppliers should sign the certificate of compliance below and return it together with a copy of this tender document and their quotation.

We___________________________ have read this tender document and agree with the terms and conditions stipulated therein.

Signature of tenderer -------------------------------------------

Date………………………………………………………….

Company Stamp/Seal.


Appendix A – Technical Requirements Matrix

Functional Requirements and Specifications

The tables below provide a feature summary for the products under procurement. All products should be quoted for separately.

Please identify and describe where necessary the levels of support as: Full Support, Partial Support and No Support:

Database Firewall

Columns: Specification | Description | Level of support (to be indicated by the bidder for each row)

Supported Database Platforms
  Oracle
  MS-SQL
  Sybase
  DB2 (including LUW, z/OS and DB2/400)
  Informix
  MySQL
  PostgreSQL
  Teradata
  Netezza

Deployment Modes
  Network: Non-inline sniffer, transparent bridge
  Agentless collection of 3rd party database audit logs

Performance Overhead
  Network monitoring – Zero impact on monitored servers
  Agent based monitoring – 1-3% CPU resources

Centralized Management across geographically dispersed locations
  Web User Interface (HTTP/HTTPS)
  Command Line Interface (SSH/Console)

Centralized Administration across geographically dispersed locations
  MX Server for centralized management
  Integrated management option
  Hierarchical management

Database Audit Details
  SQL operation (raw or parsed)
  SQL response (raw or parsed)
  Database, Schema and Object
  User name
  Timestamp
  Source IP, Source OS, Source application
  Parameters used
  Stored Procedures
  DB Server restarts, row level operations

Privileged Activities
  All privileged activity, DDL and DCL
  Schema Changes (CREATE, DROP, ALTER)
  Creation, modification of accounts, roles and privileges (GRANT, REVOKE)

Access to Sensitive Data
  Successful and Failed SELECTs
  All data changes

Security Exceptions
  Failed Logins, Connection Errors, SQL errors

Data Modification
  INSERTs, UPDATEs, DELETEs (DML activity)

Stored Procedures
  Creation, Modification, Execution

Triggers
  Creation and Modification

Tamper-Proof Audit Trail
  Audit trail stored in a tamper-proof repository
  Encryption or digital signing of audit data
  Role based access controls to view audit data (read-only)
  Real-time visibility of audit data

Fraud Identification
  Unauthorized activity on sensitive data
  Abnormal activity hours and source
  Unexpected user activity
  Unexpected Database growth/shrinkage

Data Leak Identification
  Requests for classified data
  Unauthorized/abnormal data extraction

Database Security
  Dynamic Profile (White List security)
  Protocol Validation (SQL and protocol validation)
  Real-time alerts

Platform Security
  Operating system intrusion signatures
  Known and zero-day worm security

Network Security
  Stateful firewall
  DoS prevention

Policy Updates
  Regular Application Defense Center security and compliance updates

Real-Time Event Management and Report distribution
  SNMP
  Syslog
  Email
  Incident management ticketing integration
  Custom followed action task workflow
  Integrated graphical reporting
  Real-time dashboard

Server Discovery
  Automated discovery of database servers

Data Discovery and Classification
  Database servers
  Financial Information
  Credit Card Numbers
  System and Application Credentials
  Personal Identification Information
  Custom data types

User Rights Management (add-on option)
  Audit user rights over database objects
  Validate excessive rights over sensitive data
  Identify dormant accounts
  Track changes to user rights

Vulnerability Assessment
  Operating System vulnerabilities
  Database vulnerabilities
  Configuration flaws
  Risk scoring and mitigation steps

Training
  Standard product training at an authorized training center for 5 KCB staff. This should include training fees, travel and lodging expenses. Logistics and allowances to be computed at KCB rates.

Support
  One year standard support on hardware and software
  Two year standard support on hardware and software
  Three year standard support on hardware and software
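Two rows of the Database Firewall matrix above, "Database Security: Dynamic Profile (White List security)" and "Tamper-Proof Audit Trail: encryption or digital signing of audit data" (the same requirement reappears in the Database Activity Monitoring specification as "audit trails should be tamperproof"), describe behaviour that a bidder's evaluation team may want to see in concrete form. The following is an added illustration, not code from the RFP or from any vendor product: it learns a white-list profile of SQL statement shapes per application user, flags statements that fall outside that profile, and writes every event to a hash-chained, HMAC-signed audit trail whose verification detects an edited or deleted record. The signing key, the user names, the IP addresses and the SQL statements are all constructed for the example.

```python
"""Constructed example of two database-firewall capabilities: a dynamic
(white-list) profile of SQL statement shapes, and a tamper-evident audit
trail (hash chain plus HMAC per record). Not a vendor implementation."""
import hashlib
import hmac
import json
import re
from collections import defaultdict

# Hypothetical key; in a real deployment it would live outside the reach of
# the database administrators whose actions the trail is meant to record.
AUDIT_KEY = b"example-audit-key-not-for-production"

_STRING = re.compile(r"'(?:[^']|'')*'")       # SQL string literals
_NUMBER = re.compile(r"\b\d+(?:\.\d+)?\b")    # integer / decimal literals
_SPACE = re.compile(r"\s+")


def fingerprint(sql: str) -> str:
    """Reduce a statement to its shape: literals become '?', case and
    whitespace are folded, so two queries that differ only in values match."""
    s = _STRING.sub("?", sql)
    s = _NUMBER.sub("?", s)
    return _SPACE.sub(" ", s).strip().lower()


class Profile:
    """White-list of statement shapes observed per user during learning."""

    def __init__(self):
        self.allowed = defaultdict(set)

    def learn(self, user: str, sql: str) -> None:
        self.allowed[user].add(fingerprint(sql))

    def check(self, user: str, sql: str) -> bool:
        """True when the statement matches a shape already learned for user."""
        return fingerprint(sql) in self.allowed[user]


class AuditTrail:
    """Append-only records: each carries the hash of its predecessor and an
    HMAC over its own body, so edits, deletions and reordering are detectable."""

    def __init__(self, key: bytes):
        self.key = key
        self.records = []
        self.prev_hash = "0" * 64

    def append(self, event: dict) -> dict:
        body = json.dumps({"prev": self.prev_hash, "event": event}, sort_keys=True)
        tag = hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()
        rec = {"body": body, "tag": tag}
        self.records.append(rec)
        self.prev_hash = hashlib.sha256((body + tag).encode()).hexdigest()
        return rec

    def verify(self):
        """Recompute every tag and chain link; return (ok, first_bad_index)."""
        prev = "0" * 64
        for i, rec in enumerate(self.records):
            expected = hmac.new(self.key, rec["body"].encode(), hashlib.sha256).hexdigest()
            if not hmac.compare_digest(expected, rec["tag"]):
                return False, i
            if json.loads(rec["body"])["prev"] != prev:
                return False, i
            prev = hashlib.sha256((rec["body"] + rec["tag"]).encode()).hexdigest()
        return True, -1


def monitor(profile: Profile, trail: AuditTrail, events: list) -> list:
    """Check each event against the profile, log all of them, and return the
    indices of the events that violated the profile."""
    alerts = []
    for i, ev in enumerate(events):
        ok = profile.check(ev["user"], ev["sql"])
        trail.append({**ev, "verdict": "allow" if ok else "ALERT"})
        if not ok:
            alerts.append(i)
    return alerts


# Constructed traffic: a learning phase, then live events to be judged.
LEARNING = [
    ("app_t24", "SELECT balance FROM accounts WHERE acct_no = 1001"),
    ("app_t24", "UPDATE accounts SET balance = 250.00 WHERE acct_no = 1001"),
]
LIVE = [
    {"user": "app_t24", "src_ip": "10.0.5.12", "sql": "SELECT balance FROM accounts WHERE acct_no = 2002"},
    {"user": "app_t24", "src_ip": "10.0.5.12", "sql": "SELECT card_pan FROM cards"},
    {"user": "app_t24", "src_ip": "10.0.5.12", "sql": "GRANT DBA TO 'tmp'"},
]


def run_demo():
    profile = Profile()
    for user, sql in LEARNING:
        profile.learn(user, sql)
    trail = AuditTrail(AUDIT_KEY)
    alerts = monitor(profile, trail, LIVE)
    intact, _ = trail.verify()
    # Simulate someone with file access rewriting the verdict of record 1.
    trail.records[1]["body"] = trail.records[1]["body"].replace("ALERT", "allow")
    tampered_ok, bad_index = trail.verify()
    return alerts, intact, tampered_ok, bad_index


if __name__ == "__main__":
    print(run_demo())  # → ([1, 2], True, False, 1)
```

The first live statement differs from a learned one only in the account number, so its fingerprint matches and it is allowed; the SELECT on a table never seen during learning and the GRANT are both flagged. After the trail is altered, verify() reports the index of the first record whose HMAC no longer matches, which is the check a read-only reviewer role would run before relying on the audit data.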

Specification for Database Activity Monitoring:

ID Specification Response

Architecture

1 Is the solution appliance based or virtual appliance based?

2 Does the solution require deployment of agents on the database servers?

3 If So, There should be only one agent to monitor all DB activities including

local DB traffic and network DB traffic

4 All agents regardless of deployment mode should be managed from the

centralized management console

5 Agents should have only minimal overhead for the production DB servers

6 Agent should support AIX,HPUX, LINUX, Solaris and Windows platforms

7 There should not be additional agents required to be installed to monitor and

block DB traffic/attacks traffic if required

8 There should not be any 3rd

party software to be installed for agents

9 Audit trails should be stored within the solution and it should not be stored in

any database

10 Audit trails should be tamperproof and should be stored in encrypted flat files.

11 Solution component should be managed centrally.

12 Solution Should support below DB platforms

Oracle

MS-SQL (Microsoft SQL Server)

DB2 (LUW, z/OS and DB2/400)

Sybase

Page 31: REQUEST FOR PROPOSAL (RFP) - KCB Bank Group · PDF file1 commercial on confidence it/march 2014/ supply and implementation of a database and web application security/firewall solution

Commercial in confidence IT/March 2014/ SUPPLY AND IMPLEMENTATION OF A DATABASE AND WEB APPLICATION SECURITY/FIREWALL SOLUTION.

Page 31

Informix

MySQL

PostgreSQL

Teradata

Netezza

Database Discovery

1 Solution should discover both new and existing database systems and should

map all on the network.

2 Product should provide automated discovery of both new and existing Database

tables

3 Product should keep the historical information about the systems and their

configuration.

4 Product should show changes since the last scan for DB Discovery and

configuration

5 Solution support identification of rogue or test databases

6 Solution should discover asset management and change management processes

Data Classification

1 The product should perform data discovery and classification

2 Solution should detect sensitive data types, such as credit card numbers, social

security numbers, etc., in database objects

3 The solution should locate custom data types in database objects

Vulnerability Assessments

1 Solution should have Database vulnerability assessment tests for assessing the

vulnerabilities and mis-configurations of database servers, and their OS

platforms. OSs and RDBMSs are tested for known exploits and mis-

configurations.

2 Solution should have a comprehensive list of pre-defined assessment policies

and tests to address PCI-DSS, SOX, and HIPAA requirements. Vulnerabilities

specific for Oracle EBS, and PeopleSoft databases can also be detected. In

addition, the following tests should be included:

- Latest patches and releases installed

- Changes to database files

- Default accounts and passwords

- Newly created/updated logins

- Remote OS authentication enabled

- Escalated user privileges granted

3 Should be able to add custom assessments to the solution?

Page 32: REQUEST FOR PROPOSAL (RFP) - KCB Bank Group · PDF file1 commercial on confidence it/march 2014/ supply and implementation of a database and web application security/firewall solution

Commercial in confidence IT/March 2014/ SUPPLY AND IMPLEMENTATION OF A DATABASE AND WEB APPLICATION SECURITY/FIREWALL SOLUTION.

Page 32

4 Solution should support user created scripts for assessment tests.

5 The product should identify missing patches

6 The solution should verify that default database accounts do not have a

“default” password

7 The product should be used to measure compliance with industry standards and

regulations

Vulnerability Assessment Result Analysis and Reporting

1 The product should present a view of risk to data, by vulnerability and by the sensitivity of the data

2 Solution should have database vulnerability assessment tests for assessing the vulnerabilities and misconfigurations of database servers and their OS platforms. OSs and RDBMSs are tested for known exploits and misconfigurations.

3 Solution should have a comprehensive list of pre-defined assessment policies and tests to address PCI-DSS, SOX, and HIPAA requirements. Vulnerabilities specific to SAP, Oracle EBS, and PeopleSoft databases can also be detected. In addition, the following tests should be included:

- Latest patches and releases installed
- Changes to database files
- Default accounts and passwords
- Newly created/updated logins
- Remote OS authentication enabled
- Escalated user privileges granted

4 The solution should have pre-defined reports.

5 The product should support custom report generation.

6 The product should compare the results of a discovery, classification or assessment job with a previous run

7 Should have an option to distribute reports on demand and automatically (on schedule)

Remediation (optional: for future requirement)

1 The product can be upgraded for mitigation of risk to sensitive data stored in databases

2 Should have an option to upgrade the product to actively prevent attempts to exploit known vulnerabilities


Page 33

3 The solution can be upgraded to offer virtual patching capabilities (protecting the database from known vulnerabilities without deploying a patch or script on the system)

Database Activity Monitoring

1 Solution should have an appliance/virtual appliance to monitor network-based database activity and should have agents to monitor local DB activity

2 The product should employ a centralized appliance

3 Solution should provide for centralized control of collected information

4 Should have a DBMS product to be used as part of the appliance package to store configuration and alert logs, not for storing audit data

5 The solution should support high availability

6 Product should be able to be installed in sniffing mode or inline mode.

7 Solution should have built-in bypass (fail open) for inline mode

7 Solution should support the databases below:

Oracle, MS SQL, DB2, Informix, Sybase, MySQL, Teradata, Netezza

8 The solution should not use the native database audit functionality.

9 The solution should not employ transaction log auditing

10 Should be able to integrate with leading SIEM tools

11 The product should have means to archive and restore data

12 The agent should not require a reboot after installation/configuration

13 The solution should not require any changes to the monitored database and/or application

14 The solution should not require a database restart after installation/configuration

15 The audited data transferred between the agent and the appliance should be through an encrypted channel

16 The solution should capture before and after images of data that is being manipulated

17 Product should identify differences from baseline user activity.

18 The solution should capture SELECT activity by user/role

19 The solution should capture update, insert, delete (DML) activity by user/role


Page 34

20 The solution should capture schema/object change (DDL) activity by user/role

21 The solution should capture manipulation of accounts, roles and privileges (DCL) by user/role

22 DAM should monitor privileged operations, including both SQL-level and protocol-level operations.

23 DAM should monitor MS SQL statements where caching is used

24 The DAM solution should be able to monitor activity on any new DB interface/connector created by any user or system, without manual intervention

25 The solution should have an automated mechanism for updating security configurations/policies

Alerting and Blocking Capabilities

1 The solution should provide an automated, real-time event alert mechanism

2 The solution should have an option to upgrade to blocking database attacks in real time

3 The solution should monitor privileged users

4 The solution should have an option to upgrade to block privileged user activity if required

5 The solution should monitor for all DB attacks, such as SQL injection, and alert even when the traffic is not being audited.

6 The solution should have an option to upgrade to block DB attacks such as SQL injection in real time.

7 The solution should monitor 100% of the DB traffic for all DB violations and attacks, even when the traffic is not being audited

Reporting

1 Solution should have packaged reporting capabilities

2 Product should support use of pre-configured policies/reports (PCI, SOX, HIPAA) for ensuring regulatory compliance

3 Product should have functionality to assist with security event forensics


Page 35

Web Application Firewall

Specification | Description | Feature Support

Web Security | Dynamic Profile (White List security); Web server & application signatures; Reputation based security and IP geolocation; HTTP RFC compliance; Normalization of encoded data; Automated-client detection | Required

Application Attacks Prevented | Refer to Appendix I | Required

HTTPS/SSL Inspection | Passive decryption or termination; Optional HSM for SSL key storage | Required

Web Services Security | XML/SOAP profile enforcement; Web services signatures; XML protocol conformance | Required

Web Fraud Prevention | Fraud and malware detection | Required

Content Modification | URL rewriting (obfuscation); Cookie signing; Cookie encryption; Custom error messages; Error code handling | Required

Platform Security | Operating system intrusion signatures; Known and zero-day worm security | Required

Network Security | Stateful firewall; DoS prevention | Required

Advanced Protection | Correlation rules incorporating all security elements (white list, black list) to detect complex, multi-stage attacks | Required

Data Leak Prevention | Credit card numbers; PII (personally identifiable information); Pattern matching | Required


Page 36

Policy/Signature Updates | Frequent security updates | Required

Authentication | Support for RSA Access Manager for two-factor authentication; Support for LDAP (Active Directory); Support for SSL client certificates | Required

User Awareness | Automated Tracking of Web Application Users | Required

Deployment Mode | Transparent Bridge (Layer 2); Reverse Proxy and Transparent Proxy (Layer 7); Non-inline sniffer | Required

Management | Support for a Web User Interface (HTTP/HTTPS); Command Line Interface (SSH/Console) | Required

Administration | MX Server for centralized management | Required

Logging/Monitoring | SNMP; Syslog; Email; Integrated graphical reporting; Real-time dashboard | Required

High Availability | IMPVHA (Active/Active, Active/Passive); Fail open interfaces (bridge mode only); Support for VRRP; Support for STP and RSTP | Required

Solution Delivery Option | Physical appliance | Required

Web Application Vulnerability Scanner Integration | WhiteHat, IBM, Cenzic, NT OBJECTives, HP, Qualys, and Beyond Security | Required

Enterprise Application Support | SIEM/SIM tools: ArcSight, RSA enVision, Prism Microsystems, Q1 Labs, TriGeo, NetIQ; Log Management: CA ELM, SenSage, Infoscience Corporation | Required


Page 37

TCP/IP Support | IPv4, IPv6 | Required

Training | Standard product training at an authorized training center for 5 KCB staff. This should include training fees, travel and lodging expenses. Logistics and allowances to be computed at KCB rates. | Required

Support | One year standard support on hardware and software | Required

Specification for Web Access Firewall:

ID Specification Remarks

Policy Management

The WAF shall be able to automatically-build policies

The WAF shall be able to manually accept false positives by simple means (check box)

The WAF shall be able to define different policies for different applications

The WAF shall be able to create custom attack signatures or events

The WAF shall be able to customize Denial of Service policies

The WAF shall be able to combine detection and prevention techniques

The WAF shall have a policy roll-back mechanism

The WAF shall be able to do versioning of policies

The WAF shall have a built-in real-time policy builder with automatic self-learning and creation of security policies

The WAF shall have prebuilt policies for applications, e.g. Microsoft SharePoint, OWA, SAP, Oracle E-Business, Siebel, for fast deployment

Profile Learning Process

The WAF shall be able to recognise trusted hosts

The WAF shall be able to learn about the application without human intervention

The WAF shall be able to inspect policy (auditing + reporting)

The WAF shall be able to protect new content pages and objects without policy modifications


Page 38

Configuration Management

The WAF shall have Role-based management with user authentication

The WAF shall be able to replace/customize error and blocked pages

The WAF shall have configurable security levels

Logs and Monitoring

The WAF shall have the ability to identify and notify system faults and loss of performance (SNMP, syslog, e-mail, …)

The WAF shall have the ability to customize logging

The WAF shall have the ability to generate service and system statistics

The WAF shall be able to perform time synchronisation (NTP, …)

Miscellaneous

The WAF shall have a robust and reliable GUI

The WAF shall be able to be managed via serial console, SSH or HTTPS web GUI

The WAF shall be able to support caching and compression in a single platform

The WAF shall be able to prevent OS fingerprinting

The WAF shall be able to perform data guard and cloaking (hiding of error pages and application error pages)

The WAF shall be able to integrate with vulnerability testing tools (e.g. WhiteHat Sentinel) for automated instant policy tuning

The WAF shall be able to be implemented and installed on application delivery controller (ADC) hardware platforms and managed from the same GUI.

SSL capabilities

The WAF shall be capable of terminating HTTPS traffic for HTTP websites

The WAF shall be FIPS 140-2 compliant

The WAF shall have SSL accelerators available for SSL offloading

The WAF shall store the certificate private key on the WAF using a secure mechanism

The WAF shall store the certificate private key on the WAF using a secure mechanism, and a passphrase


Page 39

The WAF shall be capable of communicating with a backend application server using HTTPS

The WAF shall be capable of tuning the SSL parameters, such as the SSL encryption method used and the SSL version

HTTP/HTML & XML

The WAF shall support HTTP 1.0 and 1.1 versions

The WAF shall support application/x-www-form-urlencoded encoding

The WAF shall support v0 cookies

The WAF shall support v1 cookies

The WAF shall enforce cookie types used

The WAF shall support chunked encoding in requests

The WAF shall support chunked encoding in responses

The WAF shall support response compression

The WAF shall support application flow management and manually defined site flow and object policies

The WAF shall support all character sets during validation

The WAF shall restrict the methods used (e.g. GET, POST; all other methods)

The WAF shall restrict protocols and protocol versions used

The WAF shall support multi-byte language encoding

The WAF shall validate URL-encoded characters

The WAF shall restrict request method length

The WAF shall restrict request line length

The WAF shall restrict request URI length

The WAF shall restrict query string length

The WAF shall restrict protocol (name and version) length

The WAF shall restrict the number of headers

The WAF shall restrict header name length

The WAF shall restrict header value length

The WAF shall restrict request body length

The WAF shall restrict cookie name length

The WAF shall restrict cookie value length

The WAF shall restrict the number of cookies

The WAF shall restrict parameter name length

The WAF shall restrict parameter value length

The WAF shall restrict the number of parameters

The WAF shall restrict combined parameter length (names and values together)
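The method, protocol and length restrictions listed above, as an added example (not the RFP's or any vendor's code) that parses a raw HTTP/1.1 request and reports every cap it exceeds. The `RequestLimits` defaults, the hostname `bank.example` and the two sample requests are constructed here for illustration.

```python
from dataclasses import dataclass
from urllib.parse import parse_qsl


@dataclass(frozen=True)
class RequestLimits:
    """Positive-security caps. The numbers are constructed defaults, not vendor settings."""
    allowed_methods: frozenset = frozenset({"GET", "POST"})
    allowed_versions: frozenset = frozenset({"HTTP/1.0", "HTTP/1.1"})
    method_len: int = 8
    request_line_len: int = 2048
    uri_len: int = 1024
    query_len: int = 512
    protocol_len: int = 8
    header_count: int = 32
    header_name_len: int = 64
    header_value_len: int = 1024
    body_len: int = 8192
    cookie_count: int = 16
    cookie_name_len: int = 64
    cookie_value_len: int = 512
    param_count: int = 32
    param_name_len: int = 64
    param_value_len: int = 256
    combined_param_len: int = 2048


def check_request(raw: bytes, limits: RequestLimits = RequestLimits()) -> list:
    """Return the policy violations found in a raw HTTP request; [] means it passes."""
    violations = []

    def cap(what: str, value: int, limit: int) -> None:
        if value > limit:
            violations.append(f"{what} {value} exceeds {limit}")

    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        return ["malformed request line"]
    method, target, version = parts
    if method not in limits.allowed_methods:
        violations.append(f"method not allowed: {method}")
    if version not in limits.allowed_versions:
        violations.append(f"protocol version not allowed: {version}")
    _, _, query = target.partition("?")
    cap("request method length", len(method), limits.method_len)
    cap("request line length", len(lines[0]), limits.request_line_len)
    cap("request URI length", len(target), limits.uri_len)
    cap("query string length", len(query), limits.query_len)
    cap("protocol length", len(version), limits.protocol_len)

    headers = []                      # (lower-cased name, value)
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            violations.append(f"malformed header: {line!r}")
            continue
        headers.append((name.strip().lower(), value.strip()))
    cap("header count", len(headers), limits.header_count)
    for name, value in headers:
        cap("header name length", len(name), limits.header_name_len)
        cap("header value length", len(value), limits.header_value_len)
    cap("request body length", len(body), limits.body_len)

    cookies = []                      # every name=value pair from Cookie headers
    for name, value in headers:
        if name == "cookie":
            for item in value.split(";"):
                cname, _, cvalue = item.strip().partition("=")
                cookies.append((cname, cvalue))
    cap("cookie count", len(cookies), limits.cookie_count)
    for cname, cvalue in cookies:
        cap("cookie name length", len(cname), limits.cookie_name_len)
        cap("cookie value length", len(cvalue), limits.cookie_value_len)

    # Parameters come from the query string and, for form posts, from the body.
    params = parse_qsl(query, keep_blank_values=True)
    if dict(headers).get("content-type", "").startswith("application/x-www-form-urlencoded"):
        params += parse_qsl(body.decode("latin-1"), keep_blank_values=True)
    cap("parameter count", len(params), limits.param_count)
    for pname, pvalue in params:
        cap("parameter name length", len(pname), limits.param_name_len)
        cap("parameter value length", len(pvalue), limits.param_value_len)
    cap("combined parameter length", sum(len(n) + len(v) for n, v in params),
        limits.combined_param_len)
    return violations


# Constructed sample requests: one within policy, one with a disallowed method
# and an oversized parameter value.
OK_REQUEST = (b"POST /login?next=%2Faccount HTTP/1.1\r\n"
              b"Host: bank.example\r\n"
              b"Content-Type: application/x-www-form-urlencoded\r\n"
              b"Cookie: session=abc123; lang=en\r\n"
              b"Content-Length: 27\r\n\r\n"
              b"username=alice&password=pw1")
BAD_REQUEST = (b"TRACE /search?q=" + b"A" * 300 + b" HTTP/1.1\r\n"
               b"Host: bank.example\r\n\r\n")

if __name__ == "__main__":
    print("ok :", check_request(OK_REQUEST))
    print("bad:", check_request(BAD_REQUEST))
```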


Page 40

The WAF shall support protection of XML Web Services

The WAF shall restrict XML Web Services access to methods defined via Web Services Description Language (WSDL)

The WAF shall be able to perform information display masking/scrubbing on requests and responses

The WAF shall be able to perform validation for Web Services XML Documents

The WAF shall be able to monitor latency of Layer 7 (application layer) traffic to detect spikes and anomalies in the typical traffic pattern, in order to detect, report on, and prevent Layer 7 DoS attacks.

The WAF shall be able to detect, report on, and prevent Layer 7 (application layer) brute force attack attempts to break in to secured areas of a web application by trying exhaustive, systematic permutations of code or username/password combinations to discover legitimate authentication credentials.

Detection techniques

The WAF shall be able to support the following detection techniques :

URL-decoding

Null byte string termination

Self-referencing paths (i.e. use of /./ and encoded equivalents)

Path back-references (i.e. use of /../ and encoded equivalents)

Mixed case

Excessive use of whitespace

Comment removal (e.g. convert DELETE/**/FROM to DELETE FROM)

Conversion of (Windows-supported) backslash characters into forward slash characters.

Conversion of IIS-specific Unicode encoding (%uXXYY)

Decode HTML entities (e.g. &#99;,&quot;, &#xAA;)

Escaped characters (e.g. \t, \001, \xAA, \uAABB)

Negative security model techniques

Positive security model support - An "allow what's known" policy, blocking all unknown traffic and data types

Positive security model configuration

Application flow

Dynamic Positive security model configuration maintenance

Built in process engine to detect evasion techniques like cross site scripting

Is there an out of the box rule database available

Automated regular signature updates


Page 41

Operates in a full proxy architecture with inline control over all traffic through the WAF

Ability to hide back-end application server OS fingerprinting data and application-specific information

Ability to protect against malicious activity within, and hijacking of, embedded client-side code (JavaScript, VBScript, etc.)
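The normalization techniques listed in this section (URL-decoding, %uXXYY decoding, null byte termination, /./ and /../ resolution, backslash conversion, case folding, whitespace collapsing, comment removal, HTML entity and escape decoding), implemented as a small canonicalization pipeline that a signature engine would run before matching. This is an added example written for this page, not code from the RFP or any vendor product; the `Normalized` record, the decode pass counter and the sample inputs are constructed here.

```python
import html
import re
from dataclasses import dataclass
from urllib.parse import unquote, unquote_plus

# Escape forms named in the RFP: \t-style, octal \001, \xAA, \uAABB.
_ESCAPE = re.compile(r"\\(?:x([0-9a-fA-F]{2})|u([0-9a-fA-F]{4})|([0-7]{1,3})|([tnr]))")
_IIS_UNICODE = re.compile(r"%u([0-9a-fA-F]{4})")        # IIS-specific %uXXYY
_SQL_COMMENT = re.compile(r"/\*.*?\*/", re.DOTALL)     # DELETE/**/FROM -> DELETE FROM


@dataclass(frozen=True)
class Normalized:
    value: str             # canonical form that signatures are matched against
    decode_passes: int     # >1 means the input carried layered (double) encoding
    truncated_at_null: bool


def _decode_layers(s: str, decoder, max_passes: int = 3) -> tuple:
    """URL-decode and %uXXYY-decode until the string stops changing.
    Repeating the decode defeats double encoding; the pass count is kept as a signal."""
    passes = 0
    for _ in range(max_passes):
        decoded = _IIS_UNICODE.sub(lambda m: chr(int(m.group(1), 16)), decoder(s))
        if decoded == s:
            break
        s, passes = decoded, passes + 1
    return s, passes


def _decode_escapes(s: str) -> str:
    def repl(m):
        hx, uni, octal, ctl = m.groups()
        if hx:
            return chr(int(hx, 16))
        if uni:
            return chr(int(uni, 16))
        if octal:
            return chr(int(octal, 8))
        return {"t": "\t", "n": "\n", "r": "\r"}[ctl]
    return _ESCAPE.sub(repl, s)


def _cut_at_null(s: str) -> tuple:
    """Null byte termination: keep only what a C-style consumer would see."""
    idx = s.find("\x00")
    return (s[:idx], True) if idx >= 0 else (s, False)


def normalize_path(raw_path: str) -> Normalized:
    """Canonical request path: decode, stop at NUL, backslash -> slash,
    resolve /./ and /../ segments, fold case."""
    s, passes = _decode_layers(raw_path, unquote)
    s, truncated = _cut_at_null(s)
    s = s.replace("\\", "/")           # Windows-style separators
    stack = []
    for seg in s.split("/"):
        if seg in ("", "."):
            continue                   # empty (//) and self-referencing (/./) segments
        if seg == "..":
            if stack:
                stack.pop()            # back-reference; never climbs above the root
            continue
        stack.append(seg)
    return Normalized(("/" + "/".join(stack)).lower(), passes, truncated)


def normalize_value(raw_value: str) -> Normalized:
    """Canonical parameter value: decode URL/%u, HTML entities and escapes,
    stop at NUL, strip /* */ comments, fold case and collapse whitespace."""
    s, passes = _decode_layers(raw_value, unquote_plus)
    s = _decode_escapes(html.unescape(s))
    s, truncated = _cut_at_null(s)
    s = _SQL_COMMENT.sub(" ", s)
    s = re.sub(r"\s+", " ", s.lower()).strip()
    return Normalized(s, passes, truncated)


if __name__ == "__main__":
    # Constructed inputs, each exercising one of the evasions the RFP lists.
    for raw in ("/app/%2e%2e/%2e%2e/etc/passwd", "/Admin\\Secret/./page%00.jsp"):
        print(raw, "->", normalize_path(raw))
    for raw in ("%2527%20OR%201%3D1%20--%20", "DELETE/**/FROM%20users", "&#x27;\\x20OR\\t1=1"):
        print(raw, "->", normalize_value(raw))
```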

Incident Response capabilities

The WAF shall be capable of logging security events with syslog

The WAF shall be capable of logging security events with SNMP

The WAF shall be capable of being monitored with SNMP for statistical information

The WAF shall support monitoring using SNMP version 3

Support tools

The WAF shall be capable of being restored to factory defaults

The WAF shall support an open API that will be able to fully administer the WAF.

Redundancy Capabilities

The WAF shall be able to support High Availability failover via network or serial

The WAF shall be able to perform application-level health checks of the back-end servers

Network and Performance

The WAF shall be able to support VLAN configuration through a built-in switch

The WAF shall be able to perform TCP/IP optimization

The WAF shall be able to perform packet filtering

Implemented concepts to cover vulnerabilities (OWASP based)

The WAF shall be able to protect against:

Unvalidated input

Injection flaws

SQL injection


Page 42

OS injection

Parameter tampering

Cookie poisoning

Hidden field manipulation

Cross site scripting flaws

Buffer overflows

Broken access control

Broken authentication and session management

Improper Error Handling

XML bombs/DOS

Forceful Browsing

Sensitive information leakage

Session hijacking

Denial of service

Request Smuggling

Cookie manipulation

Certification

The WAF shall be an ICSA certified web application firewall

MX Management Server

Specification | Description | Remarks

Management | Intuitive Web User Interface (HTTP/HTTPS); Command Line Interface (SSH/Console) |

Provisioning | MX Management Server centrally provisions, manages, and monitors up to 15 SecureSphere gateways; Supports distributed, heterogeneous deployments of Web and database gateways |

Out-of-Band Management | Out-of-band management supported via out-of-band management ports in SecureSphere gateways |

Management Communications | SSL encrypted communications between MX Management server and SecureSphere gateways |

Policy/Signature Updates | Security updates provided weekly or immediately for critical threats |


Page 43

Hierarchical Management | Policies may be defined hierarchically, via a flexible, object-oriented policy framework. |

Role-Based Administration | Completely customizable roles and privileges; Users can be assigned roles; Users inherit all privileges of the group; User authentication supports LDAP and SSL certificate |

Alerts | SNMP; Syslog; Email; Incident management ticketing integration; Custom followed action; Integrated graphical reporting; Real-time dashboard |

Workflow | Task-oriented workflow engine |

Internal Data Storage | Audit trail stored in tamper-proof repository; Optional encryption or digital signing of audit data; Role-based access controls to view audit data (read-only); Real-time visibility of audit data |

External Data Storage and Archiving | SAN (Fibre Channel interfaces) for online access; NAS for online access; NFS*; FTP*; HTTP/S*; SCP* (* Data is compressed and archived) |

Supported Products | Database Activity Monitoring; Database Firewall; Discovery and Assessment Server; File Activity Monitoring; File Firewall; SecureSphere for SharePoint; Web Application Firewall |

Support | One year standard support on hardware and software |


Page 44

Non-Functional Requirements and Specifications

ID | Non-Functional Requirements | Remarks

USER INTERFACE

- Provision of portals/screens for non-technical stakeholder usage, suitable for auditors and security professionals without detailed knowledge of database internals.

DOCUMENTATION

- Schematic: Provision of the Application Architecture Schematic for Production and DR Sites and High Availability (HA)

- System Manual: provides an overview of the system including the system objectives, system functionality, equipment configuration, software inventory, etc.

- Documentation of Application Objectives

- Documentation of Application Functions, i.e. Function ID/Name, Function Description, Mode (e.g. Online/Batch, Enquiry/Update)

- Documentation of Equipment Configurations, i.e. Computer Manufacturer, Model Number, Serial Number, IP Address, OS Version, Database Version

- Documentation of Software Inventories, i.e. Program ID/Name, Functions of the program; in the case of a client/server application the location of the program (e.g. Database Server, Application Server, Client etc.) should be specified

Page 45

- Documentation in detail of the system security profiles and data protection measures on system functions

- Documentation in detail of the Disaster Recovery Plan and Procedures of the system

- Location of soft copy of the System: The latest version of all the programs should be kept in soft copy for future reference and maintenance on KCB premises and included in the documentation

- Data Manual: The Data Manual documents all data captured, processed or produced by the system

- Documentation of the database schema of the application which shows the relationship among files/tables and other groups of data, e.g. Entity-Relationship Diagram

- Screen/Report Description Documentation, i.e. List of Screens, Screen Layout, List of Reports, Report Layout

- Application Manual: documents an overview of the system and provides detailed user instructions and procedures for all functionality provided by the system.

- Documentation of user procedure descriptions and instructions in detail covering areas like batching of input data, control of documents, actions on specific events, error amendments, etc.

Page 46

SYSTEM INTERFACING AND INTEGRATION

- Integration with existing reporting, workflow, and trouble-ticketing systems, e.g. Synergy Pro Helpdesk, App Server

- Compliance to Service Oriented Architecture

- The solution shall support Java Database Connectivity (JDBC) and Microsoft connectivity technology (such as Open Database Connectivity (ODBC) or Object Linking and Embedding Database [OLEDB]).

SECURITY

- Support Security Using Database Access Controls. The solution shall support database security using the following database access controls: GRANT and REVOKE privilege facilities, the VIEW definition capabilities, and some Discretionary Access Control (DAC) mechanisms.

CONFORMANCE TO INDUSTRY BEST STANDARDS

- The Web Application Firewall Solution shall be endorsed by the Web Application Security Consortium (WASC) and OWASP


Page 47

Deliverables

At the end of the implementation exercise, the solution provider should provide a comprehensive report detailing the completed implementation work. The report will include, among other things, the following:

1. Fully installed, well integrated, customized and functioning Database Firewall solution for the needs of KCB.

2. Fully installed, well integrated, customized and functioning Web Application Firewall solution for the needs of KCB.

3. Fully installed, well integrated, customized and functioning MX Management Server

4. Two fully installed HP TouchSmart IQ816 computers to facilitate a monitoring center for this Database and Web Application Firewall solution

5. Presentation of the working solution to the IT management and staff of KCB after completion of the implementation for review and feedback.

6. An executive summary report for Management of the implemented solutions

Exhibit A - Reference Sites

References of similar implementations/deployments of such a product for organizations similar to KCB in size and complexity, done over the past one year.

1. Prior Services Performed for:

Company Name:

Address:

Contact Name:

Telephone Number:

Date of Contract:

Length of Contract:

Description of Prior Services (include dates):

2. Prior Services Performed for:

Company Name:

Address:

Contact Name:

Telephone Number:

Date of Contract:

Length of Contract:

Description of Prior Services (include dates):

(repeat as relevant)


Page 48

Appendix I

WEB APPLICATION SECURITY & COMMON ATTACKS

The solution must be able to detect and block the following Web application threats:

1. Anonymous Proxy Vulnerabilities
2. Brute Force Login
3. Buffer Overflow
4. Cookie Injection
5. Cookie Poisoning
6. Corporate Espionage
7. Credit Card Exposure
8. Cross Site Request Forgery (CSRF)
9. Cross Site Scripting (XSS)
10. Data Destruction
11. Directory Traversal
12. Drive-by-Downloads
13. Forceful Browsing
14. Form Field Tampering
15. Google Hacking
16. HTTP Distributed Denial of Service (DDoS)
17. HTTP Response Splitting
18. HTTP Verb Tampering
19. Illegal Encoding
20. Known Worms
21. Malicious Encoding
22. Malicious Robots
23. OS Command Injection
24. Parameter Tampering
25. Patient Data Disclosure
26. Phishing Attacks
27. Remote File Inclusion Attacks
28. Sensitive Data Leakage (Social Security Numbers, Cardholder Data, PII, HPI)
29. Session Hijacking
30. Site Reconnaissance
31. Site Scraping
32. SQL Injection
33. Web server software and operating system attacks
34. Web Services (XML) attacks
35. Zero Day Web Worms


Page 49

ANNEX 3 – SUPPLIER QUESTIONNAIRE

Bidders willing to be considered for the tender for SUPPLY AND IMPLEMENTATION OF A DATABASE AND WEB APPLICATION SECURITY/FIREWALL SOLUTION are expected to furnish the Company with, among others, the following vital information, which will be treated in strict confidence by the Company.

1.0 CORPORATE INFORMATION

No. PARTICULARS RESPONSE [If space is insufficient, please use a separate sheet]

1.1 Full name of organization:

1.2 Is your organization (Please tick one)

i) a public limited incorporated company? Attach a copy of Certificate of incorporation including any Certificate of Change of Name, Memorandum & Articles of Association

ii) a public listed company? If yes, please attach a copy of Certificate of incorporation including any Certificate of Change of Name, Memorandum & Articles of Association

iii) a limited incorporated company? If yes, please attach a copy of Certificate of incorporation including any Certificate of Change of Name, Memorandum & Articles of Association

iv) a partnership? If yes, please attach a certified copy of the Partnership Deed and business name certificate

v) a sole trader? If yes, please attach a certified copy of the business name certificate


Page 50

vi) other (please specify)

1.3 Company Registration number (if this applies) - attach a copy of Certificate of incorporation including any Certificate of Change of Name or relevant certificate from country of incorporation.

1.4 Date and country of Registration:

1.5 Full physical address of principal place of business:

Full postal address of the business:

1.6 Registered address if different from the above:

Post Code:

1.7 Telephone number:

1.8 Fax number:

1.9 E-mail address:

1.10 Website address (if any):

1.11 Company/Partnership/Sole Trader Tax PIN: (Please provide a certified copy of the PIN Certificate)

1.12 VAT Registration number: (Please provide a certified copy of the VAT Certificate)

1.13 Period in which you have been in the specific business for which you wish to bid.

1.14 Current Dealership letter/certification for Equipment, preferably issued in 2012.

1.15 Names of the Shareholders, Directors and Partners. If a Kenyan company, please provide an original search report issued by the Registrar of Companies showing the directors and shareholders (Companies Form CR 12).

Page 51

1.16 Associated companies (if any)

1.17 Please provide a copy of the latest annual returns together with the filing receipt as filed at the Companies Registry

1.17 Name of (ultimate) parent/holding company (if this applies):

1.18 Company number of parent/holding company (if this applies):

1.19 If a consortium is expressing interest, please give the full name of the other organisation (the proposed consortium partners should also complete this questionnaire in its entirety)

1.20 Name and contacts of the Legal Representative of the company; Name, Title; Telephone, Fax and Email address.

1.21 Contact person within the organisation to whom enquiries about this bid should be directed:

NAME:

TITLE:

TEL:

FAX:

EMAIL:

2.0 FINANCIAL INFORMATION

No. PARTICULARS

2.1 What was your turnover in the last two years?

………… for year ended --/--/----

……… for year ended --/--/----

2.2 Has your organisation met all its obligations to pay its creditors and staff during the past year? Yes / No


If no, please give details:

2.3 Have you had any contracts terminated for poor performance in the last three years, or any contracts where damages have been claimed by the contracting authority? Yes / No

If yes, please give details:

2.4 What is the name and branch of your bankers (who could provide a reference)?

Name:
Branch:
Telephone Number:
Postal Address:
Contact Person Name:
Contact Position:
Contact E-mail:

2.5 Provide a copy of the following:

A copy of your most recent audited accounts (for the last three years)

A statement of your turnover, profit & loss account and cash flow for the most recent year of trading (for the last three years)

A statement of your cash flow forecast for the current year and a bank letter outlining the current cash and credit position.

3.0 BUSINESS ACTIVITIES

No. PARTICULARS

3.1 What are the main business activities of your organisation? i.e. Manufacturer, Assembler, Distributor, service centre, retailer (please specify).


3.2 How many staff does your organisation have? ............

Indicate the number under each category:

i. Technical (Permanent………, Temporary……)
ii. Semiskilled (Permanent……., Temporary……..)

3.3 Please generally describe the experience and expertise your organization possesses that will enable you to effectively and efficiently undertake the work you are bidding for, as required by KCB.

Attach your company organogram (organisation chart) with emphasis on the job you are bidding for.

Attach CVs of key staff.

3.4 Please submit a declaration that all staff within your organization that are or will be involved in the project are or will be permitted to work within your organization under the laws of Kenya or the laws of the country in which it is established.

4.0 TRADE REFERENCES

4.1 Please provide in the table below details of the projects you have undertaken relevant to the job you are bidding for, performed over the last three (3) years, or that are relevant to this bid document.

No | Customer Organization (name) | Customer contact name and phone number | Contract reference and brief description | Date contract awarded | Value of business transacted (Kshs/USD/Euro)

1 | | | | |
2 | | | | |
3 | | | | |
4 | | | | |
5 | | | | |
6 | | | | |
7 | | | | |
8 | | | | |

5.0 CERTIFICATIONS, ACCREDITATIONS AND APPROVALS

Detail any relevant certifications and accreditations by principals or accreditation bodies and attach copies of such certification. Such certifications may be for your company or for your individual staff as relevant to the work they do and the key skills for the service or goods you propose to supply.

6.0 AGENCIES AND PARTNERSHIPS

a) Detail any agencies and partnerships that you have that are relevant to the categories of goods and/or services you are interested in supplying.

b) List your primary sources of supply for goods that you propose to supply.

7.0 MANAGEMENT POLICIES

a) Employee Integrity

How does the firm ensure the integrity of staff? Detail any related policies.

b) Code of Conduct/Ethics

Does your company have a code of conduct? If so, please attach a copy.

Indicate if your company subscribes to a professional body with a code of conduct/ethics.

c) Company employment policy

Does the firm have a documented employment policy? What are the key highlights of this policy, if one exists?

d) Environmental Policy/Green Agenda Policy

Is your firm ISO 14001 certified, or do you have an environmental policy as an organization?

Is your waste segregated into different waste streams?

How is waste from your firm disposed of?

e) Customer Service

Does the firm have a documented policy on Customer Service?

Which position in your firm is responsible for customer service, and how is this position supported by other functions?

Does your firm use any performance management techniques, including customer satisfaction measurement? If so, what are the key parameters?

8.0 BUSINESS PROBITY AND LITIGATION MANAGEMENT

Please confirm whether any of the following criteria applies to your organisation. Note that failure to disclose information relevant to this section may result in your exclusion as a potential KCB supplier.

No. PARTICULARS RESPONSE

8.1 Is the organisation bankrupt or being wound up, having its affairs administered by the court, or has it entered into an arrangement with creditors, suspended business activities or any analogous situation arising from similar proceedings in Kenya or the country in which it is established?

8.2 Please provide a statement of any material pending or threatened litigation or other legal proceedings where the claim is of a value in excess of USD 20,000.

8.3 Has any partner, director, shareholder or employee whom you would propose to use to deliver this service been convicted of an offence concerning his professional conduct?

8.4 Has any partner, director or shareholder been the subject of corruption or fraud investigations by the police, the Kenya Anti-Corruption Authority or a similar authority in the country in which your organisation is established?

8.6 Has the organisation not fulfilled obligations relating to the payment of any statutory deductions or contributions, including income tax, as required under Kenyan law or the laws of the country in which it is established?

8.7 Please state if any Director, shareholder, Partner and/or Company Secretary of the Organisation is currently employed, or has been employed in the past 3 years, by KCB.

8.8 Please state if any Director, Partner and/or Company Secretary of the Organisation has a close relative who is employed by KCB and who is in a position to influence any supply award. A "close relative" refers to spouse, parents, siblings and children.

9.0 INSURANCE

Please provide details of your current insurance cover: Value

9.1 Employer's Liability:

9.2 Public Liability:

9.3 Professional Indemnity (if applicable):

9.4 Other (specify):

10.0 EVALUATION

(a) Requirements For Evaluation

The following documents should be attached.

i. Certificate of Incorporation/Business Name Certificate
ii. Trading Certificate
iii. Business Permits
iv. Certificate from relevant regulatory authority (where applicable)
v. Manufacturer's Authorization or equivalent (where applicable)
vi. TAX PIN Certificate or equivalent
vii. Tax Compliance certificate or equivalent
viii. Current dealership letter/certification of equipment
ix. List of Directors, telephone and their postal address
x. Form CR 12 as issued by the Registrar of Companies (original) or certified as true copy
xi. Audited Accounts (Three years)
xii. Bank Account Information
xiii. CVs of Senior Staff
xiv. Organogram/Organization Chart


ANNEX 4 – PERFORMANCE SECURITY FORM (FORMAT)

Know all men by these presents that we:

1. ..................................................................................... (Full name & address in block letters) PRINCIPAL

2. ..................................................................................... (Full name & address in block letters) SURETY

are held firmly bound, jointly and severally, unto Kenya Commercial Bank Limited in the principal sum of US Dollars .................................................................................................... for which payment well and truly to be made we bind ourselves firmly by these presents.

The condition of the above obligation being that should the said <name of Bidder> fulfill his/their obligation/s under an agreement entered into between the Kenya Commercial Bank Limited and themselves in respect of <<the requirement>> for Kenya Commercial Bank Ltd. during the period ending .................................................. and not incur cancellation of the agreement for any cause whatsoever, then the above obligation is to be null and void; otherwise it is to remain in full force and effect. The validity of this guarantee expires on ............................................................................ which is two months beyond the contract period (i.e. after submission and acceptance by the Bank of the final report).

.......................................................................................
PRINCIPAL (Signature) .......................................................................................

Principal's Stamp

SURETY (Signature) ………………………………………..

SURETY's Stamp …………………………………………….

Nairobi this ................. of .............. two thousand and ............................

(The following words should be inserted in the signatory's own handwriting)

"Good for the sum* of US Dollars ........................................................"

(*sum to be specified in words & figures)

ANNEX 5 – CERTIFICATE OF COMPLIANCE

All Suppliers should sign the certificate of compliance below and return it together with the bound tender document.

We ___________________________ have read this tender document and agree with the terms and conditions stipulated therein.

Signature of tenderer -------------------------------------------

Date ………………………………………………………….

Company Stamp/Seal.