
MINNESOTA STATE COLLEGES AND UNIVERSITIES

Office of the Chancellor

REQUEST FOR PROPOSAL (RFP) FOR Security Information and Event Monitoring (SIEM) System

SPECIAL NOTE: This Request for Proposal (RFP) does not obligate the Minnesota State Colleges and Universities (MnSCU) system, its Board of Trustees or Office of the Chancellor to award a contract or complete the proposed project and each reserves the right to cancel this RFP if it is considered to be in its best interest. Proposals must be clear and concise. Proposals that are difficult to follow or that do not conform to the RFP format or binding specifications may be rejected. Responding vendors must include the required information called for in this RFP. MnSCU reserves the right to reject a proposal if required information is not provided or is not organized as directed. MnSCU also reserves the right to change the evaluation criteria or any other provision in this RFP by posting notice of the change(s) on http://its.mnscu.edu/siemrfp/. For this RFP, posting on the captioned web site above constitutes written notification to each vendor. Vendors should check the site daily and are expected to review information on the site carefully before submitting a final proposal.

October 2008



Table of Contents

1 General Information
1.1 Background
1.2 Nature of RFP
1.3 General Selection Criteria
1.4 Selection Process
1.5 Selection and Implementation Timeline
1.6 Contract Term
1.7 Parties to the Contract
1.8 Contract Termination
1.9 Project Team
1.10 Definitions
1.11 Applicable Law
1.12 Contract Assignment
1.13 Entire Agreement
1.14 Deviations and Exceptions
1.15 Vendor Questions
1.16 Duration of Offer
1.17 Authorized Signature
1.18 Proposal Rejection and Waiver of Informalities
1.19 Intellectual Property Indemnification
1.20 Evaluation
1.20.1 Preliminary Evaluation
1.20.2 Proposal Scoring
1.20.3 Evaluation Criteria/Points
1.20.4 Overall Cost
1.20.5 Mandatory Items
1.20.6 Desirable Items
1.20.7 RFP Structural Items
1.20.8 Vendor Solution
1.20.9 Right to Reject Proposals and Negotiate Contract Terms
1.20.10 Award
2 Parties to the RFP
3 Vendor Requirements
4 Requirements
4.1 Background Information
4.2 Definitions
4.3 Cost
4.4 Application Requirements
4.4.1 Desired Solution
4.4.2 Agent Elements
4.4.3 Collector Elements
4.4.4 Intermediate Elements
4.4.5 Central Elements
4.4.6 Architecture Requirements
4.4.7 Sizing
4.4.8 Agent Element
4.4.9 Collector Element
4.4.10 Intermediate Element
4.4.11 Central Element
4.4.12 Data Flow
4.4.13 Correlation
4.4.14 Reporting and Visualization
4.4.15 Notifications
4.4.16 Users and Access
4.4.17 Installation and Configuration
4.4.18 Architecture and Scaling
4.5 Additional General Terms
4.5.2 General Company Information
4.6 Technical Requirements
4.6.1 General
4.6.2 Backup
4.6.3 Browser
4.6.4 Continuity/Availability
4.6.5 Database
4.6.6 Desktop
4.6.7 Facilities
4.6.8 Monitoring
4.6.9 Network
4.6.10 Reporting
4.6.11 Reporting: Data Export
4.6.12 Security
4.6.13 Servers
5 Response Evaluation
6 Additional RFP Response and General Contract Requirements
6.1 Problem Resolution Process
6.2 Affidavit of Non-Collusion
6.3 Human Rights Requirements
6.4 General Insurance Requirements
6.4.1 Requirements for the Contract Vendor or Their Subcontractor
6.4.2 Notice to the Contract Vendor or Their Subcontractor
6.4.3 Notice to Insurer
6.5 State Audit
6.6 Minnesota Government Data Practices Act
6.7 Conflict of Interest
6.8 Organizational Conflicts of Interest
6.9 Physical and Data Security
6.10 RFP Response Submission
Exhibit A. Affidavit of Non-Collusion
Exhibit B. Human Rights Certification Information and Affirmative Action Data Page

Security Information and Event Monitoring RFP 2008-11-03

Page 4 of 93

1 General Information
1.1 Background
Minnesota State Colleges and Universities is the seventh-largest system of higher education in the United States. It is comprised of 32 two-year and four-year state colleges and universities with 53 campuses located in 46 Minnesota communities. The System serves approximately 240,000 students annually in credit-based courses, an additional 130,000 students in non-credit courses, and produces 32,000 graduates each year. For more information about Minnesota State Colleges and Universities, please view its website at http://www.mnscu.edu.

1.2 Nature of RFP


Office of the Chancellor is requesting proposals to assist in developing a Security Information and Event Monitoring (SIEM) System. This RFP is undertaken by Office of the Chancellor pursuant to the authority contained in provisions of Minnesota Statutes 136F.581 and other applicable laws. Accordingly, Office of the Chancellor shall select the vendor(s) whose proposal(s), and oral presentation(s) if requested, demonstrate, in Office of the Chancellor's sole opinion, the clear capability to best fulfill the purposes of this RFP in a cost effective manner. Office of the Chancellor reserves the right to accept or reject proposals, in whole or in part, and to negotiate separately as necessary in order to serve the best interests of Office of the Chancellor. This RFP shall not obligate the Office of the Chancellor to award a contract or complete the proposed project and it reserves the right to cancel this RFP if it is considered to be in its best interest. The Office of the Chancellor on behalf of the MnSCU System intends to enter into a master contract with any selected vendor(s), and this contract will contain all the terms and conditions required by this RFP, as well as further terms and conditions negotiated between the Office of the Chancellor and the vendor after the Office of the Chancellor reviews all proposals. Such a master contract will then provide for individual work orders by the use of which the MnSCU Office of the Chancellor and the State of Minnesota Office of Enterprise Technology can order selected products/services provided under the terms of the resulting vendor's master contract. It is contemplated that the individual work orders used for specific product/service ordering will define special needs and time limitations on delivery and performance by the vendor. The vendor's master contract, as supplemented by work orders, shall constitute the terms and conditions for any vendor of the contract or contracts entered into pursuant to this RFP.

1.3 General Selection Criteria


General criteria upon which proposals will be evaluated include, but are not limited to, the responder's ability to:

- Provide a Security Information and Event Monitoring (SIEM) solution with a history and proven track record of successful deployments at higher education institutions and State agencies
- Provide a standard SIEM technology solution that will enable MnSCU and the State to achieve their business and infrastructure goals
- Provide ongoing support and training services needed to ensure program success
- Provide client references specific to the product and services required
- Demonstrate vendor capability and history of focus on higher education and state government
- Provide an acceptable formula for determining overall price/cost for a multi-year term

1.4 Selection Process


Technical and information security representatives from Minnesota State Colleges & Universities and the Office of Enterprise Technology will evaluate and score the RFP responses and make the final decision.

1.5 Selection and Implementation Timeline


| Date | Event |
|---|---|
| Monday, November 3, 2008 | Publish RFP notice in State Register |
| Monday, November 24, 2:00 p.m. CDT [1] | Vendor questions due |
| Wednesday, November 26, 5:00 p.m. CDT [2] | Responses to vendor questions published |
| Friday, December 12, 2:00 p.m. CDT [3] | Deadline for RFP proposal submissions |

These dates are anticipated and subject to change:

| Date | Event |
|---|---|
| January 9, 2009 | Complete review of RFP proposals; select finalists |
| January 12-16, 2009 | Conduct vendor conferences with finalists |
| January 16-February 2, 2009 | Shipping and setup for pre-award testing |
| February 2-27, 2009 | Conduct pre-award testing |
| March 19, 2009 | Establish contract |
| April 22, 2009 | Award notification |

[1] This time corresponds to 1:00 p.m. CST, which is the time system that will be in use at the due date.
[2] This time corresponds to 4:00 p.m. CST, which is the time system that will be in use at the due date.
[3] This time corresponds to 1:00 p.m. CST, which is the time system that will be in use at the due date.


1.6 Contract Term


Office of the Chancellor desires to enter into a master contract with the successful vendor(s). The length of such contract(s) shall be 3 years with an option for up to two, 1-year renewals.

1.7 Parties to the Contract


Parties to this contract shall be the State of Minnesota, acting through its Board of Trustees of the Minnesota State Colleges and Universities on behalf of Office of the Chancellor and the successful vendor(s).

1.8 Contract Termination


The State of Minnesota, acting through its Board of Trustees of the Minnesota State Colleges and Universities, may cancel the contract(s) upon 30 days written notice, with or without cause.

1.9 Project Team


The Project Team for the purposes of this contract shall be State of Minnesota, acting through its Board of Trustees of the Minnesota State Colleges and Universities on behalf of Office of the Chancellor and the State of Minnesota, acting through the Office of Enterprise Technology. Once the contract has been signed, the State of Minnesota, acting through the Office of Enterprise Technology shall be on equal footing with the State of Minnesota, acting through its Board of Trustees of the Minnesota State Colleges and Universities on behalf of Office of the Chancellor for all purchasing, support, and operational purposes.

1.10 Definitions
Wherever and whenever the following words or their pronouns occur in this proposal, they shall have the meaning given here:

MnSCU: State of Minnesota, acting through its Board of Trustees of the Minnesota State Colleges and Universities on behalf of Office of the Chancellor, located at Wells Fargo Place, 30 7th Street East, Suite 350, St. Paul, Minnesota.

Office of the Chancellor: The central system office of Minnesota State Colleges and Universities located at Wells Fargo Place, 30 7th Street East, Suite 350, St. Paul, Minnesota.

Vendor: The firm selected by Office of the Chancellor as the successful responder(s) responsible to execute the terms of a contract.

State asset: hardware, software, licenses, or other property owned by the State of Minnesota itself, any State agency, any part of the Minnesota State Colleges and Universities, the University of Minnesota, or similar organization.

1.11 Applicable Law


A contract entered into as a result of this RFP shall be governed and interpreted under the laws of the State of Minnesota.

1.12 Contract Assignment


A contract or any part hereof entered into as a result of this RFP shall not be assigned, sublet, or transferred directly or indirectly without prior written consent of the Office of the Chancellor.

1.13 Entire Agreement


A written contract and any modifications or addenda thereto, executed in writing by both parties constitutes the entire agreement of the parties to the contract. All previous communications between the parties, whether oral or written, with reference to the subject matter of this contract are void and superseded. The resulting contract may be amended at a future date in writing by mutual agreement of the parties.

1.14 Deviations and Exceptions


Deviations from and exceptions to terms, conditions, specifications or the manner of this RFP shall be described fully on the vendor's letterhead stationery, signed and attached to the proposal submittal page(s) where relevant. In the absence of such statement the vendor shall be deemed to have accepted all such terms, conditions, specifications and the manner of the RFP. A vendor's failure to raise an issue related to the terms, conditions, specifications or manner of this RFP prior to the proposal submission deadline in the manner described shall constitute a full and final waiver of that vendor's right to raise the issue later in any action or proceeding relating to this RFP.


1.15 Vendor Questions


Potential responders may submit questions about this RFP. Questions are due by 2:00 p.m. CDT [4] on Monday, November 24 at:

Dale Johnson
Office Manager, Information Technology Services
Wells Fargo Place
30 7th Street East, Suite 350
St. Paul, MN 55101-7804
Phone: 651-201-1428
Fax: 651-917-4731
E-mail: itsadmin@so.mnscu.edu

Questions must be submitted on compact disc in PDF, text, or Microsoft Word formats. The compact disc must be accompanied by a cover letter that can be timestamped. Both questions and answers will be published and anonymous questions will not be answered. Questions must include the name of the questioner, as well as a phone number and e-mail address for confirmation. Electronic mail or fax submissions shall not be accepted.

Responses to all questions will be published by 5:00 p.m. CDT (4:00 p.m. CST) on Wednesday, November 26 at the web site: http://its.mnscu.edu/siemrfp/

1.16 Duration of Offer


All proposal responses must indicate they are valid for a minimum of two hundred seventy (270) calendar days from December 12, 2008 unless extended by mutual written agreement between Office of the Chancellor and the vendor. Prices and terms of the proposal as stated must be valid for the length of the resulting contract.

1.17 Authorized Signature


The proposal must be completed and signed in the firm's name or corporate name of the vendor, and must be fully and properly executed and signed in blue or black ink by an authorized representative of the vendor. Proof of authority of the person signing must accompany the response.

[4] This time corresponds to 1:00 p.m. CST, which is the time system that will be in use at the due date.


1.18 Proposal Rejection and Waiver of Informalities


This RFP does not obligate the Minnesota State Colleges and Universities (MnSCU) system, its Board of Trustees or Office of the Chancellor to award a contract or complete the proposed project and each reserves the right to cancel this RFP if it is considered to be in its best interest. Office of the Chancellor also reserves the right to waive minor informalities and, notwithstanding anything to the contrary, reserves the right to:

1. reject any and all proposals received in response to this RFP;
2. select a proposal for contract negotiation other than the one with the lowest cost;
3. negotiate any aspect of the proposal with any vendor;
4. terminate negotiations and select the next most responsive vendor for contract negotiations;
5. terminate negotiations and prepare and release a new RFP;
6. terminate negotiations and take such action as deemed appropriate.

1.19 Intellectual Property Indemnification


The vendor warrants that any materials or products provided or produced by the vendor or utilized by the vendor in the performance of this contract will not infringe upon or violate any United States patent, copyright, trade secret, or any other proprietary right of any third party. In the event of any such claim by any third party against MnSCU or the State, MnSCU shall promptly notify the vendor. The vendor, at its own expense, shall indemnify, defend to the extent permitted by the Minnesota Attorney General's Office, and hold harmless MnSCU and the State against any loss, cost, expense, or liability (including legal fees) arising out of such a claim, whether or not such claim is successful against MnSCU or the State. If such claim has occurred, or in the vendor's opinion is likely to occur, the vendor shall either procure for MnSCU and the State the right to continue using the materials or products or replacement or modified materials or products. If an option satisfactory to MnSCU and the State is not reasonably available, MnSCU shall return the vendor solution to the vendor, upon written request of the vendor and at the vendor's expense, for a credit of the depreciated value of the vendor solution, based on a three-year straight line depreciation. This remedy is in addition to any other remedy provided by law.

1.20 Evaluation
The evaluation and selection of a responder(s) and award of the subsequent contract(s) will be based on the information submitted in the responder's proposal(s), verification of references, participation in oral interview(s), and experience gained in evaluating vendor solutions. During the evaluation phase, the Project Team reserves the right to seek direct clarifications of responses from Responders. Failure to respond to any of the requirements in the RFP may be the basis for rejecting a response. In this RFP, the terms "RFP response", "vendor solution", "vendor proposal", "proposed solution" and "proposed system" are used synonymously.

1.20.1 Preliminary Evaluation

The proposals will be reviewed initially to determine if mandatory requirements are met. Failure to meet mandatory requirements will result in rejection of the proposal. In the event that no Responders meet one or more of the mandatory requirements, the Project Team reserves the right to strike that or those requirements and continue the evaluation of the proposals and to select the proposal that most closely meets the requirements specified in this RFP.

1.20.2 Proposal Scoring

Accepted proposals will be reviewed by an evaluation committee and scored against the stated criteria. The committee may review references and request interviews and/or evaluation versions and use the results in scoring the proposals. The Project Team reserves the right to re-score the evaluation based on the outcome of reference checks, presentations, and evaluations. In particular, this RFP will involve pre-award testing of at least two candidate vendor solutions in Project Team environments. The exact environment will be determined by the time the RFP responses are due and will consist of at least four collector elements, two intermediate elements, and one central element and be subject to a testing agreement. Inclusion of additional details in an easy-to-understand format especially with real life examples is highly encouraged. If a certain feature or some functionality is considered unique in the industry for its benefits to the user requirements, its description may be highlighted for bonus points in the evaluation process. Similarly, any known deficiencies or limitations must be clearly stated in the response. Instances of deficiencies that are not stated in the initial response but are discovered during the evaluation process may lead to substantial penalty points in the evaluation.

1.20.3 Evaluation Criteria/Points

The responses to this RFP shall be evaluated using a point system. Points shall be divided among specific requirements and categories. The evaluation will entail assigning a point score to each response in the respective point categories. Mandatory items will be scored in addition to serving as compliance indicators. Not all requirements carry a non-zero point value. Point values for the requirements will be determined before any responses are opened and will not change once the scoring has begun.


1.20.4 Overall Cost

Points will be assigned with the proposal with the lowest Total Cost of Ownership (TCO) receiving the maximum points in the Overall Cost category. The TCO will include both initial and ongoing cost elements that are part of the proposal, the initial and ongoing costs of additional items required by the proposal but not part of the proposal, and estimated staffing costs in determining costs. A formula will be used to determine the proportionally-lower points for each proposal with a higher TCO than that assigned to the proposal with the lowest TCO.

1.20.5 Mandatory Items

When the Project Team evaluates the responder's proposal, mandatory items will be verified for compliance. Allowed responses to mandatory items are "compliant", "compliant with qualification", and "non-compliant". If a proposal has "non-compliant" checked for any mandatory item or a review determines that the proposal is non-compliant for any mandatory item, the proposal shall be rejected. A proposal may check "compliant with qualification" if it substantially complies with the requirement, but the responder feels that it does not comply in some minor ways. A complete description of exactly how the vendor solution does not comply must be supplied and the description will be considered in determining compliance. Proposals that have "compliant with qualification" checked but do not have a description for that item will be considered non-compliant. Proposals may contain additional information on any mandatory item, including those that do not explicitly ask for information. All information supplied in the response will be considered when awarding points for mandatory items.

1.20.6 Desirable Items

When the Project Team evaluates the responder's proposal, desirable items will be evaluated. Allowed responses are "offered" and "not offered". If a proposal has "not offered" checked for any desirable item or a review determines that the proposal does not offer that item for any desirable item, no points will be awarded for that item. Proposals may contain additional information on any desirable item, including those that do not explicitly ask for information. All information supplied in the response will be considered when awarding points for desirable items.


Proposals may identify additional items that are not being requested and include such items in the response. When preparing proposals containing such additional items, care should be taken that the additional items do not interfere with understanding the responses to the mandatory or requested desirable items.

1.20.7 RFP Structural Items

The responses to items marked "structural" indicate whether the vendor solution has functionality in that area. If the vendor solution has functionality in that area, the response should be "yes" and the section filled in. If the vendor solution does not have functionality in that area, the response should be "no" and the section left blank.

1.20.8 Vendor Solution

The term "vendor solution" as used in this RFP covers the items initially supplied as part of this contract as well as any new versions, upgrades, patches, fixes, or other alterations made or offered by the vendor.

1.20.9 Right to Reject Proposals and Negotiate Contract Terms

The Project Team reserves the right to reject any and all proposals. The Project Team may negotiate the terms of the contract, including the award amount, with the selected responder(s) prior to entering into a contract. If contract negotiations cannot be concluded successfully with the highest scoring responder(s), the Project Team may negotiate a contract with the next highest scoring responder(s).

1.20.10 Award

The Project Team will compile the final scores for each proposal. The Project Team reserves the right to make no award, award the contract to a single vendor, or award this contract to more than one vendor, whichever is in the best interest of the Project Team.

2 Parties to the RFP


Office of the Chancellor and the State of Minnesota, Office of Enterprise Technology

3 Vendor Requirements
Information Contact
Office of the Chancellor's agent for purposes of responding to inquiries about the RFP is:
Dale Johnson
Office Manager, Information Technology Services
Wells Fargo Place
30 7th Street East, Suite 350
St. Paul, MN 55101-7804
Phone: 651-201-1428
Fax: 651-917-4731
E-mail: itsadmin@so.mnscu.edu

Other persons are not authorized to discuss RFP requirements before the proposal submission deadline and the Office of the Chancellor shall not be bound by and responders may not rely on information regarding RFP requirements obtained from non-authorized persons. Questions must include the name of the questioner and his/her telephone number, fax number and/or e-mail address. Anonymous inquiries will not be answered.

4 Requirements
4.1 Background Information
Security Information and Event Monitoring (SIEM) is an enterprise solution for aggregating, correlating, and analyzing security event data in real time. SIEM solutions help security professionals identify and promptly respond to threats, demonstrate compliance with regulatory requirements, and perform sophisticated forensic activities. The Project Team desires to build a central SIEM solution to service all government entities. A centralized SIEM solution will collect and centrally manage event log data and provide full-function, real time security event monitoring and management capabilities. This solution offers the following benefits:
- Greatly improved capability to discern complex cyber attacks over current systems.
- Reduced time and costs to investigate security incidents when compared with existing processes.
- Uniform security incident communication across the enterprise.
- Consistent and robust security monitoring capabilities across all agencies, including those with limited resources.
- Enhanced availability and performance awareness for all government computer systems.

The Project Team needs:

- The ability to collect event data from disparate sources in a central repository of event data.
- A systematic process for correlating event data to identify attacks.
- Analysis and reporting tools for investigative and compliance purposes.

The desired solution must have three functional levels:
- log collection, at every remote office and regional datacenters
- regional log analysis, at each regional datacenter
- central repository, one or more datacenters all remote offices connect to

The solution must scale to enterprise volume at all functional levels:
- Ability to easily scale from a small initial implementation to a large enterprise solution
- Ability to collect and correlate as systems grow and evolve
- Ability to provide access to log and analysis data at remote locations
- Ability for central repository to access and analyze log data across all remote locations

The vendor responses may include either appliance or software-only[5] solutions in any combination for these elements and may include products from more than one manufacturer. All maintenance and support for products purchased under this RFP shall be provided by one organization. All elements shall work cooperatively and be administered through a single set of administrator and user accounts. It is acceptable for separate logins to be required for each element (i.e., single-sign on is not a requirement), but account creation and administration must operate across the system.

[5] Where the State purchases and maintains the hardware and operating system.

4.1.1.1 Mandatory The vendor understands the requirements in this section. Compliant _____ Compliant with qualification _____ Non-compliant _____

4.2 Definitions
- Agent elements are software that is installed on existing State assets.
- An Anomaly is an event generated by the vendor solution based on the solution's analysis of the data events.
- Central elements receive the data from intermediate elements.
- Collector elements are those that accept event data from one or more sources or agents on sources.
- Data events: a stream of events.
- Event: a single tuple of data. For example, one SYSLOG packet.
- Intermediate elements receive the data from collector elements or other intermediate elements and store and process those data.
- Service: a portion of a source with distinct administrative properties.
- Source: a device or process that creates data events.

4.3 Cost
All cost information is to be supplied in a separate envelope as per instructions. Inclusion of cost information in the main RFP response will result in disqualification of the response. This section covers the direct monetary costs to purchase the vendor solution. Responses to other parts of this RFP will be used by the Project Team to estimate initial and ongoing staffing costs, and those costs will be part of the total vendor solution cost. Only the first year's purchase is a part of this contract. Ongoing maintenance, support and licensing amounts are part of the cost calculations and part of this contract, but will be purchased via separate work order.

4.3.1.1 Mandatory Specify the initial purchase price for the vendor solution at list price. This price should include all purchase, licensing, and installation costs. These costs will include all ongoing maintenance, support, and licensing costs for the first year of operation. Do not include optional items. Do not include installation services. Initial cost: $ __________

4.3.1.2

Mandatory Specify the discount rate: __________ %

4.3.1.3

Mandatory Specify the initial purchase price for the vendor solution after discount. This price should include all purchase, licensing, and installation costs. These costs will include all ongoing maintenance, support, and licensing costs for the first year of operation. Do not include optional items. Initial cost: $ __________

4.3.1.4

Mandatory Specify all ongoing maintenance, support, and licensing for the second year of operation. These costs are fixed in the master contract: purchases will be by separate work order. These costs are included in the cost calculations. $ __________

4.3.1.5

Mandatory Specify all ongoing maintenance, support, and licensing for the third year of operation. These costs are fixed in the master contract: purchases will be by separate work order. These costs are included in the cost calculations. $ __________

4.3.1.6

Mandatory Add the results from questions 4.3.1.3, 4.3.1.4, and 4.3.1.5 for a 3-year total cost: $ __________

4.3.1.7

Mandatory Specify all ongoing maintenance, support, and licensing for the fourth year of operation. These costs are fixed in the master contract: purchases will be by separate work order. $ __________

4.3.1.8

Mandatory Specify all ongoing maintenance, support, and licensing for the fifth and later years of operation. These costs are fixed in the master contract: purchases will be by separate work order. $ __________

4.3.1.9

Mandatory The Project Team intends to expand the installation over time. Specify the costs or discount rates offered on additional, alternate, or optional products. These costs are fixed in the master contract: purchases will be by separate work order. Important: any product referred to anywhere in this RFP must be listed here!

4.3.1.10

Mandatory RFP responder agrees that, once the initial purchase amount in 4.3.1.3 has been paid, no additional amounts are due from Project Team for the life of the product in order to operate the product as purchased (hardware failures excluded). Compliant _____ Compliant with qualification _____ Non-compliant _____

4.3.1.11

Mandatory Does the vendor solution require any other components to operate? For example, a software-only solution requires a platform to run on. No additional components _____ Additional components _____ If additional components are required, specify them here in enough detail that the Project Team can determine whether the components are available in inventory or what the purchase and support costs of those components are. Project Team may use its existing purchase agreements under other contracts to estimate costs.

4.3.1.12

Desirable Specify the installation services offered and their costs. These costs are fixed in the master contract: purchases will be by separate work order.

4.3.1.13

Desirable Specify the training services offered and their costs. These costs are fixed in the master contract: purchases will be by separate work order.

4.3.1.14

Desirable Specify the consulting services offered and their costs, particularly for system integration, feature enhancements, and multi-vendor integration projects. These costs are fixed in the master contract: purchases will be by separate technical/professional work order.

4.4 Application Requirements


4.4.1 Desired Solution
The Project Team is soliciting vendor responses for solutions that collect and process computer system event data. The envisioned system shall be conceptualized at these levels: agent, collector, intermediate, and central. This section presents the conceptual model used for organizing RFP requirements. Vendor solutions need not follow this model, so long as they provide the equivalent functionality and meet the mandatory requirements. In particular, vendor solutions may combine multiple elements into single physical systems or distribute element functionality across multiple physical systems.

4.4.2 Agent Elements


Agent elements are software that is installed on existing Project Team assets. Their purpose is to facilitate locating data events and forwarding those data events to collector elements. An example of where an agent element would be used is for monitoring log data written to files (e.g., Apache server logs) instead of being sent via SYSLOG.

Assumptions:
- The agent software used by the vendor solution is provided as part of this RFP response.
- The agent software will be installed by the maintainer of the Project Team asset with the assistance of the vendor replying to this RFP.
- The agent software will require only minimal configuration and update effort.
- The agent software will forward data events to at least one collector element.
- The agent software will use the time base of the Project Team asset.
- The agent software may create events of its own in addition to or instead of simply forwarding events created by other parts of the Project Team asset.

4.4.2.1 Mandatory The vendor understands the requirements in this section. Compliant _____ Compliant with qualification _____ Non-compliant _____

4.4.3 Collector Elements


Collector elements are those that accept event data from one or more sources or agents on sources.

Assumptions:
- Collector elements are managed as part of the vendor solution.
- Collector elements receive time synchronization through the vendor solution.

The data event model:
- A data event is received.
- A timestamp is added.
- The event is decoded as appropriate.
- Integrity protection of the decoded event and timestamp begins.
- The event is categorized by source and service.
- (Desirable) The event is filtered, such that some events may be discarded at this point.
- The event is retained in a buffer.

The upload model:

- At some point, the collector begins uploading buffered events to an intermediate element. (The model does not specify how this upload is initiated.)
- The data events to be uploaded are marshaled. Filtering can be applied during this marshaling to limit what events are uploaded.
- Integrity protection is applied to the marshaled events.
- The events are transferred to the intermediate element using positive acknowledgement and protection from alteration and disclosure.
- If the upload does not happen, the buffered events are retained and upload re-attempted.

The removal model:
- At some point, the element removes buffered events from its memory.

4.4.3.1 Mandatory The vendor understands the requirements in this section. Compliant _____ Compliant with qualification _____ Non-compliant _____

4.4.4 Intermediate Elements


Intermediate elements receive the data from collector elements or other intermediate elements, store it for the required time, answer queries against the data, enforce restricted views of the data, and perform analysis of the data. Intermediate elements may also filter the data and forward it to central elements. Typically, an intermediate element may be located at an agency or campus site.

Assumptions:
- Intermediate elements are managed as part of the vendor solution.
- Intermediate elements receive time synchronization through the vendor solution.
- Intermediate elements may be chained, such that one intermediate element forwards events to another intermediate element instead of the central element.
- Intermediate elements may be installed in a high availability configuration.
- In some cases, a physical intermediate element may be shared by multiple independent customers.
- An intermediate element can perform these activities against the data events in its internal storage, taking into account restricted views:
  o answer queries
  o produce reports
  o analyze the data for potential problems
- When performing these activities, the intermediate element can consider both current and historical data.

The data event model, receiving from a collector element or another intermediate element:

- A set of marshaled events is received from a collector element or another intermediate element.
- Integrity protection is verified. The sender is notified of the result. If the integrity protection fails, the set of marshaled events is discarded.
- A timestamp may be added.
- The set of marshaled events is added to the internal storage.

The data event model, sending to the central element or another intermediate element:
- The data events to be uploaded are marshaled. Filtering can be applied during this marshaling to limit what events are uploaded.
- Integrity protection is applied to the marshaled events.
- The events are transferred to the next element using positive acknowledgement and protection from alteration and disclosure.
- If the upload does not happen, the buffered events are retained and upload re-attempted.
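Added illustration (not part of the RFP and not any vendor's implementation) of the collector upload model in 4.4.3 and the receiving and sending models above: buffered events are retained until a positive acknowledgement arrives, and a batch that fails integrity verification is discarded by the receiver. HMAC-SHA256 with a pre-shared key, JSON marshaling, the batch_id field and all class and function names are assumptions of this example; protection from disclosure is left to the transport.

```python
import hashlib
import hmac
import json
import time
from collections import deque

# Assumption: one pre-shared key per collector/intermediate pair and
# HMAC-SHA256 as the integrity mechanism; the RFP prescribes neither.
KEY = b"constructed-demo-key"


def _mac(key, payload):
    return hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()


class Intermediate:
    """Receiving model: verify, notify the sender, store or discard."""

    def __init__(self, key):
        self.key = key
        self.storage = []
        self.stored_batches = set()

    def receive(self, envelope):
        expected = _mac(self.key, envelope["payload"])
        if not hmac.compare_digest(expected, envelope["mac"]):
            # Verification failed: the batch is discarded and the sender told.
            return {"ack": False, "reason": "integrity check failed"}
        batch = json.loads(envelope["payload"])
        # A batch re-sent after a lost acknowledgement is acknowledged again
        # but stored only once.
        if batch["batch_id"] not in self.stored_batches:
            self.stored_batches.add(batch["batch_id"])
            self.storage.extend(batch["events"])
        return {"ack": True, "batch_id": batch["batch_id"]}


class Collector:
    """Data event model and upload model for one collector."""

    def __init__(self, name, key, clock=time.time, upload_filter=None):
        self.name, self.key, self.clock = name, key, clock
        self.upload_filter = upload_filter or (lambda event: True)
        self.buffer = deque()
        self.pending = None   # (envelope, number of buffered events it covers)
        self.batch_no = 0

    def accept(self, source_ip, service, raw):
        # Timestamp on receipt, categorize by source and service, buffer.
        self.buffer.append({"received_at": self.clock(), "source": source_ip,
                            "service": service, "raw": raw})

    def upload(self, send):
        """Try one upload; return True only on a positive acknowledgement."""
        if self.pending is None:
            if not self.buffer:
                return True
            covered = len(self.buffer)
            self.batch_no += 1
            events = [e for e in self.buffer if self.upload_filter(e)]
            payload = json.dumps({"batch_id": f"{self.name}-{self.batch_no}",
                                  "events": events}, sort_keys=True)
            self.pending = ({"payload": payload,
                             "mac": _mac(self.key, payload)}, covered)
        envelope, covered = self.pending
        try:
            reply = send(dict(envelope))   # a retry re-sends the same batch
        except ConnectionError:
            return False                   # no contact: retain, retry later
        if not reply.get("ack"):
            return False                   # rejected: retain, retry later
        # Removal model (this example's choice): drop events once acknowledged.
        for _ in range(covered):
            self.buffer.popleft()
        self.pending = None
        return True


def demo():
    ticks = iter(range(1000, 2000))        # deterministic clock for the demo
    inter = Intermediate(KEY)
    coll = Collector("col1", KEY, clock=lambda: next(ticks))
    # Constructed sample events (documentation address ranges).
    coll.accept("192.0.2.10", "sshd", "Failed password for root from 198.51.100.7")
    coll.accept("192.0.2.20", "httpd", "GET /admin 403")

    def link_down(envelope):
        raise ConnectionError("intermediate unreachable")

    def altered_in_transit(envelope):
        envelope["payload"] = envelope["payload"].replace("403", "200")
        return inter.receive(envelope)

    def ack_lost(envelope):
        inter.receive(envelope)
        raise ConnectionError("acknowledgement lost")

    results = [coll.upload(link_down), coll.upload(altered_in_transit),
               coll.upload(ack_lost)]
    retained = len(coll.buffer)            # still buffered after three failures
    results.append(coll.upload(inter.receive))
    return results, retained, len(coll.buffer), len(inter.storage)


if __name__ == "__main__":
    print(demo())
```

The lost-acknowledgement case is the one to ask vendors about: without a stable batch identifier, a retry after a lost acknowledgement stores the same events twice.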

The removal model:
- At some point, the element removes events from its storage. Part of this removal may involve archiving or transferring events to off-line storage.

4.4.4.1 Mandatory The vendor understands the requirements in this section. Compliant _____ Compliant with qualification _____ Non-compliant _____

4.4.5 Central Elements


Central elements receive the data from intermediate elements, store it for the required time, answer queries against the data, enforce restricted views of the data, and perform analysis of the data. Central elements differ from intermediate elements in conceptual ways only. These conceptual ways are:
- Central elements are more likely to be replicated for high availability than are intermediate elements.
- Retention is likely to be longer for central elements than for intermediate elements.
- The data processed by the central elements are more likely to be security-related than for intermediate elements.
- Central elements will be the ones expected to detect incidents that are occurring across the organization.

Intermediate elements receive the data from collector elements or other intermediate elements, store it for the required time, answer queries against the data, enforce restricted views of the data, and perform analysis of the data. Intermediate elements may also filter the data and forward it to central elements. Typically, an intermediate element may be located at an agency or campus site.

Assumptions:
- Central elements are managed as part of the vendor solution.
- Central elements receive time synchronization through the vendor solution.
- Central elements shall be installed in a high availability configuration.
- Central elements shall be shared by multiple independent customers.
- A central element can perform these activities against the data events in its internal storage, taking into account restricted views:
  o answer queries
  o produce reports
  o analyze the data for potential problems
- When performing these activities, the central element can consider both current and historical data.

The data event model, receiving from a collector element or an intermediate element:
- A set of marshaled events is received from a collector element or an intermediate element.
- Integrity protection is verified. The sender is notified of the result. If the integrity protection fails, the set of marshaled events is discarded.
- A timestamp may be added.
- The set of marshaled events is added to the internal storage.

The removal model:
- At some point, the element removes events from its storage. Part of this removal may involve archiving or transferring events to off-line storage.

4.4.5.1 Mandatory The vendor understands the requirements in this section. Compliant _____ Compliant with qualification _____ Non-compliant _____

4.4.6 Architecture Requirements


The items in this section are listed as desirable. However, vendor responses are strongly encouraged to address them as they both demonstrate the vendor's understanding of our desired solution and aid the Project Team in evaluating the rest of the response.

4.4.6.1 Desirable The vendor response shall include an overall description of the proposed solution: what is actually included in the proposed solution. Offered ____ Not offered _____

4.4.6.2

Desirable The vendor response shall include a description of how the architecture scales from the initial deployment to support the entire Project Team enterprise. Offered ____ Not offered _____

4.4.6.3

Desirable The vendor response shall include a description of how the elements of the vendor solution match up with the data model outlined above. Offered ____ Not offered _____

4.4.7 Sizing
4.4.7.1 Mandatory The vendor response shall assume the following configuration when calculating cost. The actual cost figures must be included only in the separate cost section. Compliant _____ Compliant with qualification _____ Non-compliant _____
- Adequate collectors for:
  o Network devices (routers, switches, firewalls): 2,000
  o Windows servers: 1,500
  o Windows desktops: 3,000
  o Unix servers and desktops: 2,000
- Intermediate elements: 6
- Central elements: 2 (primary and alternate)
- Unlimited user accounts and simultaneous access (for licensing purposes: simultaneous access may be limited by performance)
- Enterprise-wide software licenses required for operation.

4.4.7.2

Mandatory The vendor response shall describe how licensing compliance is enforced. Compliant _____ Compliant with qualification _____ Non-compliant _____

4.4.8 Agent Element


4.4.8.1 Structural The vendor solution deliverable makes use of agent element. Yes _____ No _____ If the yes item is checked, continue responding to the items under this section. If the no item is checked, skip all entries in the 4.4.8 section.

4.4.8.2

Mandatory The vendor response shall include a description of the environments (operating systems, application or other software) supported. Each distinct environment will be referred to in this section as a type of agent. Compliant _____ Compliant with qualification _____ Non-compliant _____

4.4.8.3

Mandatory The vendor response shall include a description of the actions that the agent element can perform for each type of agent offered. Compliant _____ Compliant with qualification _____ Non-compliant _____

4.4.8.4

Mandatory The vendor solution shall encrypt all data transferred between the agent and a collector element. Compliant _____ Compliant with qualification _____ Non-compliant _____ If complying, specify the type of encryption used:

4.4.8.5

Mandatory The vendor response shall include a description of the installation process for each type of agent offered. Compliant _____ Compliant with qualification _____ Non-compliant _____

4.4.8.6

Desirable The agent software can be installed without physical access to the target computer. Offered _____ Not offered _____

4.4.8.7

Mandatory The vendor response shall include a description of the maintenance and update procedure(s) for each type of agent software offered. Compliant _____ Compliant with qualification _____ Non-compliant _____

4.4.8.8

Desirable The agent software can be maintained and updated without physical access to the target computer. Offered _____ Not offered _____

4.4.8.9

Desirable The vendor shall provide complete support for the agent, even if functionality is affected as a result of Operating System, Web Server, or Database software patches and updates. Offered _____ Not offered _____

4.4.9 Collector Element


4.4.9.1 Mandatory The vendor solution shall include collector element functionality. Compliant _____ Compliant with qualification _____ Non-compliant _____
If complying, specify the protocols supported (check all that apply):
SNMP Trap _____ SYSLOG _____ Windows event log _____
Specify all types of protocols that the collector can use and the systems the collector can accept data from. (The Project Team's systems include Windows-based clients and servers, Unix-based clients and servers, Cisco devices, Checkpoint devices, and many others.)
The collector element shall permit the same SYSLOG level on different sources to be assigned to different meanings during collection:
Identify the limits on the rate of data collection, including both the number of systems that can be collected from by a single collector element and the number of events per second:
Note that there is no requirement to process netflow data, as that is being handled by a separate system.

4.4.9.2

Mandatory The vendor response shall be able to collect and process data from Windows servers, clients, and desktops. The description shall include information on the supported versions of Windows. The description shall also include a description of how it transforms the Windows log entries into data events. Compliant _____ Compliant with qualification _____ Non-compliant _____ If compliant, describe the collection and processing:

4.4.9.3

Mandatory The vendor response shall be able to synthesize additional data events from the data in the Windows event logs. At a minimum, the vendor solution shall be able to synthesize single data events for all high-level file system log entries into events that combine the date and time, user performing the action, the type of action, and the affected object. Compliant _____ Compliant with qualification _____ Non-compliant _____ If compliant, describe this operation and identify other synthesis operations that can be performed:

4.4.9.4

Mandatory The vendor response shall retain the original Windows log entries when performing synthesis. Compliant _____ Compliant with qualification _____ Non-compliant _____

4.4.9.5

Mandatory The vendor response shall be able to collect and process data from Unix-based servers, clients, and desktops. The term Unix refers to the general class of systems and not to the trademark. Unix-based systems include Linux. The description shall include information on the supported systems. Compliant _____ Compliant with qualification _____ Non-compliant _____ If compliant, describe the collection and processing:

4.4.9.6

Mandatory The vendor response shall be able to collect and process data from Cisco network devices, including routers, switches, PIX devices, and ASA based devices. Compliant _____ Compliant with qualification _____ Non-compliant _____ If compliant, describe the collection and processing:

4.4.9.7

Mandatory The vendor response shall be able to collect and process data from Checkpoint firewalls. Compliant _____ Compliant with qualification _____ Non-compliant _____ If compliant, describe the collection and processing:

4.4.9.8

Desirable The vendor response shall be able to collect and process data from other sources. Offered _____ Not offered _____ If offered, describe the other sources and the collection and processing available:

4.4.9.9

Mandatory The vendor response shall be able to collect and process data from web servers. The description shall include description of support for each of the following web server platforms. Compliant _____ Compliant with qualification _____ Non-compliant _____ If complying, specify the web servers supported (check all that apply): Apache _____ IIS _____ Other supported web servers _____ Provide a detailed description for the log collection method for each supported web server

4.4.9.10

Mandatory The vendor response shall be able to collect and process data from database servers. The description shall include description for support for each of the following database server platforms. Compliant _____ Compliant with qualification _____ Non-compliant _____ If complying, specify the databases supported (check all that apply): DB2 _____ MS SQL _____ MySQL _____ Oracle _____ Other supported databases _____ Provide a detailed description for the log collection method for each supported database:

4.4.9.11

Desirable The vendor response shall be able to collect and process data from other services. Offered _____ Not offered _____ If offered, describe the other services and the collection and processing available:

4.4.9.12

Mandatory The vendor solution shall include the ability to add a time stamp to each collected event. Compliant _____ Compliant with qualification _____ Non-compliant _____

4.4.9.13

Mandatory The vendor solution shall include the ability to automatically synchronize its timestamp clock to external servers using NTP. Compliant _____ Compliant with qualification _____ Non-compliant _____

4.4.9.14

Mandatory The vendor solution shall ensure the integrity of the data events against inadvertent changes. At a minimum, the vendor solution shall be able to identify that stored data events have been altered, removed, or had events inserted. Compliant _____ Compliant with qualification _____ Non-compliant _____ If complying, describe the mechanism used:

4.4.9.15

Desirable The vendor solution shall include a description of how it ensures the integrity of the data events against malicious changes. Offered ____ Not offered _____ If offered, describe the mechanism used:
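Added illustration (not part of the RFP and not any vendor's mechanism) of one way a store can make alteration, removal and insertion of data events detectable, the property items 4.4.9.14 and 4.4.9.15 ask vendors to describe: each record carries a keyed tag chained to the previous record, and the last tag is kept outside the store. The record layout, HMAC-SHA256 and all names are assumptions of this example.

```python
import copy
import hashlib
import hmac
import json

GENESIS = "0" * 64  # chain start value (this example's convention)


def _tag(key, prev_tag, seq, event):
    """Keyed tag over the previous tag, the sequence number and the event."""
    body = json.dumps([prev_tag, seq, event], sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


class EventStore:
    """Append-only store; every record's tag covers the record before it."""

    def __init__(self, key):
        self.key = key
        self.records = []

    def append(self, event):
        prev = self.records[-1]["tag"] if self.records else GENESIS
        seq = len(self.records) + 1
        self.records.append({"seq": seq, "event": event,
                             "tag": _tag(self.key, prev, seq, event)})

    def head(self):
        """(last seq, last tag). A copy held elsewhere exposes truncation."""
        if not self.records:
            return (0, GENESIS)
        return (self.records[-1]["seq"], self.records[-1]["tag"])


def verify(records, key, head):
    """Return (position, finding) pairs; an empty list means intact."""
    findings = []
    prev_tag, expected = GENESIS, 1
    for pos, rec in enumerate(records):
        if rec["seq"] < expected:
            # A record that does not advance the sequence was inserted.
            findings.append((pos, "out-of-sequence"))
            continue
        if rec["seq"] > expected:
            # Sequence numbers were skipped: records were removed. The tag of
            # the record after the gap cannot be checked without its parent.
            findings.append((pos, "gap"))
        elif not hmac.compare_digest(
                _tag(key, prev_tag, rec["seq"], rec["event"]), rec["tag"]):
            findings.append((pos, "bad-tag"))      # content was altered
        # Chain on the stored tag so one altered record is reported once.
        prev_tag, expected = rec["tag"], rec["seq"] + 1
    if (expected - 1, prev_tag) != tuple(head):
        findings.append((len(records), "head-mismatch"))
    return findings


def demo():
    # Assumption: the key lives outside the store. With an unkeyed hash the
    # chain still catches inadvertent changes, but anyone able to rewrite the
    # store could recompute it.
    key = b"constructed-demo-key"
    store = EventStore(key)
    for raw in ("login ok user=alice", "file read /etc/passwd user=bob",
                "login failed user=root", "logout user=alice"):
        store.append({"source": "192.0.2.10", "raw": raw})  # constructed data
    head = store.head()

    altered = copy.deepcopy(store.records)
    altered[1]["event"]["raw"] = "file read /tmp/notes user=bob"
    removed = copy.deepcopy(store.records)
    del removed[2]
    inserted = copy.deepcopy(store.records)
    inserted.insert(2, {"seq": 2, "tag": "f" * 64,
                        "event": {"source": "192.0.2.10", "raw": "forged"}})
    truncated = copy.deepcopy(store.records)[:3]

    cases = {"clean": store.records, "altered": altered, "removed": removed,
             "inserted": inserted, "truncated": truncated}
    return {name: verify(recs, key, head) for name, recs in cases.items()}


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, findings)
```

Removal of the most recent records is caught only because the head value is compared against a copy the store cannot rewrite; a chain checked solely against itself misses it.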

4.4.9.16

Mandatory The vendor solution source shall include the ability to classify the data events according to their originators, as identified by their IP addresses. Compliant _____ Compliant with qualification _____ Non-compliant _____ If complying, specify how the classification is configured and/or performed:

4.4.9.17

Desirable The vendor solution source shall offer the ability to automatically identify the kind of source for normalization analysis purposes. Offered _____ Not offered _____ If offered, specify how the identification is performed. Also, include a description of how the automated identification can be overridden in case of a mis-identification:

4.4.9.18

Desirable The vendor solution source shall include the ability to classify the data events according to their service type within a source. Offered _____ Not offered _____ If offered, specify how the classification by service type is configured and/or performed:

4.4.9.19

Desirable The vendor solution source shall provide a mechanism for the Project Team to add support for new source types. Offered _____ Not offered _____ If offered, describe what the mechanism is and representative examples:

4.4.9.20

Desirable The vendor solution shall include the ability to specify filters to include or exclude data events from being retained. Offered _____ Not offered _____ If offered, specify what filters are available and how they are configured:

4.4.9.21

Mandatory The vendor solution shall include the ability to specify when the data events are forwarded to intermediate elements. (The initiation may be performed by either the collector or the intermediate element.) Compliant _____ Compliant with qualification _____ Non-compliant _____ If complying, specify what criteria including time intervals are available and how they are configured:

4.4.9.22

Mandatory The vendor solution shall include the ability to specify the intermediate elements to receive the forwarded data events. (This specification may be performed by either the collector or the intermediate element.) Compliant _____ Compliant with qualification _____ Non-compliant _____

4.4.9.23

Mandatory The vendor solution shall encrypt all data transferred between the collector element and an intermediate element. Compliant _____ Compliant with qualification _____ Non-compliant _____ If complying, specify the type of encryption used:

4.4.9.24

Mandatory The vendor solution shall include the ability to retain data events for at least 24 hours of normal operation in the case of loss of contact with the intermediate element. Compliant _____ Compliant with qualification _____ Non-compliant _____ If complying, specify the any other on retaining data:

4.4.9.25

Mandatory The vendor solution shall include the ability to specify when data events are deleted. Compliant _____ Compliant with qualification _____ Non-compliant _____ If complying, specify the available options:

4.4.9.26

Mandatory The vendor solution shall include the ability to specify that the data event forwarding is performed in a reliable, secure manner with integrity preserved. Compliant _____ Compliant with qualification _____ Non-compliant _____ If complying, specify how the integrity of the data is preserved, how the reliable forwarding is assured, and how the data are protected from disclosure:

4.4.9.27

Mandatory The vendor solution shall include the ability to specify filters to include or exclude data events from being forwarded to the intermediate element. Compliant _____ Compliant with qualification _____ Non-compliant _____ If complying, specify what filters are available and how they are configured:

4.4.9.28

Mandatory The vendor solution shall handle surges in data events lasting up to 12 hours without interfering with its ability to operate. Any gaps in data events shall be noted along with the reason (for example, data events are missing from 10:23:47 to 10:25:23 due to packet buffer overflow). Compliant _____ Compliant with qualification _____ Non-compliant _____

4.4.10 Intermediate Element

4.4.10.1

Mandatory The vendor solution shall include intermediate element functionality. Compliant _____ Compliant with qualification _____ Non-compliant _____

4.4.10.2

Mandatory The vendor solution shall include the ability to automatically synchronize its clock to external servers using NTP. Compliant _____ Compliant with qualification _____ Non-compliant _____

4.4.10.3

Mandatory The vendor response shall be able to accept data events from collector elements. Compliant _____ Compliant with qualification _____ Non-compliant _____ If complying, specify the number of collector elements that can transfer data events to an intermediate and any constraints on the process such as number of data events per second. If the vendor solution includes more than one type of intermediate elements, specify the constraints for each type:

4.4.10.4

Mandatory The vendor response shall be able to accept data events from other intermediate elements. Compliant _____ Compliant with qualification _____ Non-compliant _____ If complying, specify the number of intermediate elements that can transfer data events to an intermediate and any constraints on the process such as number of data events per second. If the vendor solution includes more than one type of intermediate elements, specify the constraints for each type:

4.4.10.5

Desirable The vendor solution shall include the ability to record when the data events were received from another element in addition to all other time stamps. Offered _____ Not offered _____

4.4.10.6

Desirable The vendor solution shall include the ability to specify filters to include or exclude data events from being retained. Offered _____ Not offered _____ If complying, specify what filters are available and how they are configured:

4.4.10.7

Desirable The vendor solution shall include the ability to specify when the data events are to be forwarded to other elements. (The initiation may be performed by either element.) Offered _____ Not offered _____ If offered, specify what criteria including time intervals are available and how they are configured:

4.4.10.8

Mandatory The vendor solution shall include the ability to specify another intermediate element or a central element for this intermediate element to forward data events to. (The specification may be performed by either element.) Compliant _____ Compliant with qualification _____ Non-compliant _____ If complying, describe how this configuration is performed:

4.4.10.9

Desirable The vendor solution shall include the ability to specify more than one other intermediate element or a central element for this intermediate element to forward data events to. Offered _____ Not offered _____

4.4.10.10 Mandatory The vendor solution shall encrypt all data transferred between an intermediate element and another intermediate element and a central element. Compliant _____ Compliant with qualification _____ Non-compliant _____ If complying, specify the type of encryption used:

4.4.10.11 Mandatory The vendor solution shall be able to store data events for at least 90 days. Compliant _____ Compliant with qualification _____ Non-compliant _____

4.4.10.12 Desirable If the vendor solution stores data events internally, describe how the data events are stored and the options for configuring storage (any pricing information must be included in the separate cost section). Offered _____ Not offered _____

4.4.10.13 Desirable If the vendor solution uses Project Team storage, describe how to calculate the required storage amount and performance required. Offered _____ Not offered _____

4.4.10.14 Mandatory The vendor solution shall include the ability to specify when data events are deleted. This ability shall include the capability of specifying different retention periods for different services and sources of data events. Compliant _____ Compliant with qualification _____ Non-compliant _____ If complying, specify the available options:

4.4.10.15 Mandatory The vendor solution shall permit different user-defined categories of data events to be retained for different durations. For example, vendor solution account-related data events can be retained for 90 days while CPU performance-related data events be retained only 30 days. Compliant _____ Compliant with qualification _____ Non-compliant _____ If complying, specify the available options:

4.4.10.16 Mandatory The vendor solution shall positively delete data events. Positive deletion refers to being unable to retrieve data via normal operating system methods: secure deletion such as overwriting is not a requirement. Compliant _____ Compliant with qualification _____ Non-compliant _____ If complying, describe the steps taken:

4.4.10.17 Mandatory The vendor solution shall include the ability to specify that the data events are to be forwarded in a reliable, secure manner with integrity preserved. Compliant _____ Compliant with qualification _____ Non-compliant _____ If complying, specify how the integrity of the data is preserved, how the reliable forwarding is assured, and how the data are protected from disclosure:

4.4.10.18 Mandatory The vendor solution shall include the ability to specify filters to include or exclude data events from being forwarded. Compliant _____ Compliant with qualification _____ Non-compliant _____ If complying, specify what filters are available and how they are configured:

4.4.10.19 Mandatory The vendor solution shall store data events at the intermediate element in a format that enables efficient searching and data export. Compliant _____ Compliant with qualification _____ Non-compliant _____ If complying, specify what data storage technology is used, and how efficient access is facilitated:

4.4.10.20 Mandatory The vendor solution shall handle surges in data events lasting up to 12 hours without interfering with its ability to operate. Any gaps in data events shall be noted along with the reason (for example, transfer of 1,245 events from collector element <collector id> at 10:23:47 is missing due to disk full). Compliant _____ Compliant with qualification _____ Non-compliant _____

4.4.10.21 Mandatory The vendor solution shall ensure the integrity of the data events against inadvertent changes. At a minimum, the vendor solution shall be able to identify that stored data events have been altered, removed, or had events inserted. Compliant _____ Compliant with qualification _____ Non-compliant _____ If complying, describe the mechanism used:

4.4.10.22 Desirable The vendor solution shall include a description of how it ensures the integrity of the data events against malicious changes. Offered ____ Not offered _____ If offered, describe the mechanism used:

4.4.10.23 Desirable The vendor solution shall include the ability to archive data events to offline storage. Offered _____ Not offered _____ If offered, describe the options available for specifying what data events are archived, how the raw log records can be archived, the medium (or media) available for archive, the mechanisms for tracking the contents of the archive, the options for compression, and any other relevant information:

4.4.11 Central Element

4.4.11.1

Mandatory The vendor solution shall include central element functionality. Compliant _____ Compliant with qualification _____ Non-compliant _____

4.4.11.2

Mandatory The vendor solution shall include the ability to automatically synchronize its clock to external servers using NTP. Compliant _____ Compliant with qualification _____ Non-compliant _____

4.4.11.3

Desirable The vendor response shall be able to accept data events from collector elements. Offered _____ Not offered _____ If offered, specify the number of collector elements that can transfer data events to an intermediate and any constraints on the process such as number of data events per second. If the vendor solution includes more than one type of intermediate elements, specify the constraints for each type:

4.4.11.4

Mandatory The vendor response shall be able to accept data events from intermediate elements. Compliant _____ Compliant with qualification _____ Non-compliant _____ If complying, specify the number of intermediate elements that can transfer data events to an intermediate and any constraints on the process such as number of data events per second. If the vendor solution includes more than one type of intermediate elements, specify the constraints for each type:

4.4.11.5

Desirable The vendor solution shall include the ability to record when the data events were received from another element in addition to all other time stamps. Offered _____ Not offered _____

4.4.11.6

Desirable The vendor solution shall include the ability to specify filters to include or exclude data events from being retained. Offered _____ Not offered _____ If offered, specify what filters are available and how they are configured:

4.4.11.7

Mandatory The vendor solution shall be able to store data events for at least 120 days. Compliant _____ Compliant with qualification _____ Non-compliant _____

4.4.11.8

Desirable If the vendor solution stores data events internally, describe how the data events are stored and the options for configuring storage (any pricing information must be included in the separate cost section). Offered _____ Not offered _____

4.4.11.9

Desirable If the vendor solution uses Project Team storage, describe how to calculate the required storage amount and performance required. Offered _____ Not offered _____

4.4.11.10 Mandatory The vendor solution shall permit different user-defined categories of data events to be retained for different durations. For example, account-related data events can be retained for 90 days while CPU performance-related data events be retained only 30 days. Compliant _____ Compliant with qualification _____ Non-compliant _____ If complying, specify the available options:

4.4.11.11 Mandatory The vendor solution shall positively delete data events. Positive deletion refers to being unable to retrieve data via normal operating system methods: secure deletion such as overwriting is not a requirement. Compliant _____ Compliant with qualification _____ Non-compliant _____ If complying, describe the steps taken:

4.4.11.12 Mandatory The vendor solution shall store log data at the central element in a format that enables efficient searching and data export. Compliant _____ Compliant with qualification _____ Non-compliant _____ If complying, specify what data storage technology is used, and how efficient access is facilitated:

4.4.11.13 Mandatory The vendor solution shall handle surges in data events lasting up to 12 hours without interfering with its ability to operate. Any gaps in data events shall be noted along with the reason (for example, transfer of 1,245 events from intermediate element <intermediate id> at 10:23:47 is missing due to disk full). Compliant _____ Compliant with qualification _____ Non-compliant _____

4.4.11.14 Mandatory The vendor solution shall ensure the integrity of the data events against inadvertent changes. At a minimum, the vendor solution shall be able to identify that stored data events have been altered, removed, or had events inserted. Compliant _____ Compliant with qualification _____ Non-compliant _____ If complying, describe the mechanism used:

4.4.11.15 Desirable The vendor solution shall include a description of how it ensures the integrity of the data events against malicious changes. Offered ____ Not offered _____ If offered, describe the mechanism used:

4.4.11.16 Desirable The vendor solution shall include the ability to archive data events to offline storage. Offered _____ Not offered _____ If offered, describe the options available for specifying what data events are archived, how the raw log records can be archived, the medium (or media) available for archive, the mechanisms for tracking the contents of the archive, the options for compression, and any other relevant information:
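One way a store could meet the integrity items above (4.4.10.21 and 4.4.11.14 for inadvertent changes, 4.4.10.22 and 4.4.11.15 for malicious ones), shown as an added example that is not part of the RFP or of any vendor product: each stored record carries a sequence number and a digest that also covers its predecessor, so altered, removed and inserted events each leave a distinct trace. The record layout, function names, sample events and demo key are assumptions made for illustration.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # stands in for the digest "before" the first record

# Constructed sample events and key (illustration only). In a real deployment the
# key and the anchor would be held outside the element whose store is checked.
SAMPLE_EVENTS = [
    "2008-11-03T10:23:47 host=web01 svc=sshd login failed user=alice",
    "2008-11-03T10:23:51 host=web01 svc=sshd login ok user=alice",
    "2008-11-03T10:24:02 host=web01 svc=sudo user=alice cmd=/usr/bin/id",
    "2008-11-03T10:25:23 host=db01 svc=cron job=backup start",
    "2008-11-03T10:31:10 host=db01 svc=cron job=backup end",
]
DEMO_KEY = b"constructed-demo-key"


def digest(key, seq, prev, event):
    """SHA-256 (key=None) or HMAC-SHA-256 over the record's seq, prev and event."""
    msg = json.dumps([seq, prev, event], separators=(",", ":")).encode("utf-8")
    if key is None:
        return hashlib.sha256(msg).hexdigest()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def seal(events, key=None):
    """Wrap raw events in records that each commit to their predecessor."""
    records, prev = [], GENESIS
    for seq, event in enumerate(events, start=1):
        mac = digest(key, seq, prev, event)
        records.append({"seq": seq, "prev": prev, "event": event, "mac": mac})
        prev = mac
    return records


def anchor(records):
    """(last seq, last digest), to be kept outside the store being checked."""
    return (records[-1]["seq"], records[-1]["mac"]) if records else (0, GENESIS)


def verify(records, key=None, expected_anchor=None):
    """Return (kind, detail) findings; an empty list means the store is intact."""
    findings = []
    next_seq, prev = 1, GENESIS
    for rec in records:
        seq = rec["seq"]
        valid = hmac.compare_digest(
            digest(key, seq, rec["prev"], rec["event"]), rec["mac"])
        fits = seq == next_seq and rec["prev"] == prev
        if valid and fits:
            pass                                      # intact record
        elif fits:
            findings.append(("altered", seq))         # right place, wrong content
        elif valid and seq > next_seq:
            findings.append(("removed", (next_seq, seq - 1)))  # missing seq range
        elif valid and seq == next_seq:
            findings.append(("chain_break", seq))     # predecessor was re-sealed
        else:
            findings.append(("inserted", seq))        # duplicate or foreign record
            continue                                  # chain state does not advance
        next_seq, prev = seq + 1, rec["mac"]
    if expected_anchor is not None:
        last_seq, last_mac = expected_anchor
        if next_seq <= last_seq:
            findings.append(("removed", (next_seq, last_seq)))  # tail truncated
        elif prev != last_mac:
            findings.append(("anchor_mismatch", last_seq))      # chain rewritten
    return findings


if __name__ == "__main__":
    store = seal(SAMPLE_EVENTS, key=DEMO_KEY)
    kept = anchor(store)
    print("intact:   ", verify(store, DEMO_KEY, kept))
    print("removed:  ", verify(store[:1] + store[2:], DEMO_KEY, kept))
    print("truncated:", verify(store[:3], DEMO_KEY, kept))
    print("inserted: ", verify(store[:3] + [store[1]] + store[3:], DEMO_KEY, kept))
```

With `key=None` the chain only catches inadvertent changes, since anyone who can rewrite the store can recompute every digest; the keyed form and the externally held anchor are what address the "malicious changes" items.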

4.4.12 Data Flow

4.4.12.1

Mandatory The vendor solution shall provide a uniform data model across all sources and services for specifying filters, queries, and reporting. Compliant _____ Compliant with qualification _____ Non-compliant _____ If complying, specify the list of fields in the data model. For each field, include the name, the data type, and a description or definition of the contents. The list may include source kind-specific fields in those cases where only one kind of source provides the data:

4.4.12.2

Mandatory The vendor solution shall provide filtering capabilities that use the uniform data model. Compliant _____ Compliant with qualification _____ Non-compliant _____ If complying, specify the filter capabilities that are available at these points: collector element retention, collector element forwarding, intermediate element retention, intermediate element forwarding, and central element retention. In addition, describe how filters are created and include representative examples of filter capabilities:

4.4.12.3

Mandatory The vendor solution shall permit queries against the collected and retained data events using the uniform data model. Compliant _____ Compliant with qualification _____ Non-compliant _____ If complying, specify the list of fields that can be queried at all and the types of queries, specifically describing any wild card or regular expression capabilities. Also, identify fields and query types that may be inefficient:

4.4.12.4

Mandatory The vendor solution shall permit reports from the collected and retained data events using the uniform data model. Compliant _____ Compliant with qualification _____ Non-compliant _____ If complying, specify the list of fields that can be reported on:

4.4.12.5

Mandatory The vendor solution shall include the ability to preserve the original data events in their original form. Original form is defined to be after conversion into ASCII or UTF-8 text, with binary-encoded fields converted to printable numeric form and optionally labeled. Out-of-range and illegal field codings shall be displayed. The intent of this provision is to support forensic and evidentiary uses of the data events. Compliant _____ Compliant with qualification _____ Non-compliant _____

4.4.12.6

Mandatory The vendor solution shall protect the integrity of the data events from loss or alteration throughout the entire vendor solution. Compliant _____ Compliant with qualification _____ Non-compliant _____ If complying, specify the steps taken at each part of the vendor solution:

4.4.12.7

Mandatory The vendor solution shall handle excessive flows of data events in a way that preserves the smooth operation of the solution. In some cases, it may be appropriate to drop excessive data events. Compliant _____ Compliant with qualification _____ Non-compliant _____ If complying, describe how excessive flows are handled:

4.4.12.8

Mandatory The vendor solution shall have the capability of readily (1) identifying data events that meet all of the criteria of (1a) received on or after a specified date and time, (1b) received before a second specified date and time, (1c) received from any of a list of sources, and (1d) are for any of a list of services; (2) electronically exporting those events; and (3) providing audit trail and chain-of-custody information for evidential and forensic purposes. Compliant _____ Compliant with qualification _____ Non-compliant _____ If complying, specify the process followed; the options for exporting, including how large numbers of data events are handled; and what audit trail and chain-of-custody information is available:

4.4.12.9 Desirable The vendor solution shall use and maintain its store of forensic-grade copies of received log messages using file system files, e.g., external from DBMS tables if used otherwise. Offered _____ Not offered _____ If offered, describe:

4.4.12.10 Desirable The vendor solution shall use and maintain its store of forensic-grade copies of received log messages at the intermediate element. Offered _____ Not offered _____ If offered, describe:

4.4.12.11 Desirable The vendor solution shall use and maintain its store of forensic-grade copies of received log messages at the central element. Offered _____ Not offered _____ If offered, describe:

4.4.13 Correlation

4.4.13.1

Mandatory The vendor solution shall have the ability to correlate data events. This function shall be available in both intermediate and central elements. Correlation capabilities shall be similar between intermediate and central elements and the vendor response shall include a list of all differences. Compliant _____ Compliant with qualification _____ Non-compliant _____

4.4.13.2

Mandatory The vendor response shall describe how the correlation engine works. Compliant _____ Compliant with qualification _____ Non-compliant _____ If complying, the description should include the basic algorithm, what data events can be considered, how possible anomalies are identified, the timeframe of data events considered, and how the final determination has been made:

4.4.13.3

Mandatory The vendor response shall enable anomalies to be grouped by service or customer. Compliant _____ Compliant with qualification _____ Non-compliant _____

4.4.13.4

Mandatory The vendor response shall enable selective suppression of anomaly generation (in the case of those that generate false positives). Compliant _____ Compliant with qualification _____ Non-compliant _____

4.4.13.5

Desirable The vendor solution shall offer other configuration options. Offered _____ Not offered _____ If offered, describe:

4.4.13.6

Desirable The vendor solution shall have the ability to accept vulnerability scan and/or configuration data and incorporate that information into its correlations. Offered _____ Not offered _____ If offered, specify what scan or configuration data can be accepted and how it affects the correlation:

4.4.13.7

Desirable The vendor solution shall have the ability to consider data from the Project Team's existing nCircle tool when performing correlations. Offered _____ Not offered _____

4.4.13.8

Desirable The vendor solution shall have the ability to consider data from intrusion detection systems (e.g., Snort) when performing correlations. Offered _____ Not offered _____

4.4.13.9

Desirable The vendor solution shall have the ability to consider source system type when performing correlations. Offered _____ Not offered _____

4.4.13.10 Desirable The vendor solution shall have the ability to consider source system versions or patch levels when performing correlations. Offered _____ Not offered _____

4.4.13.11 Desirable The vendor solution shall have the ability to consider the number of sources affected or involved when performing correlations. Offered _____ Not offered _____

4.4.13.12 Desirable The vendor solution shall have the ability to consider whether the source system's timestamps may have been altered when performing correlations. Offered _____ Not offered _____

4.4.13.13 Desirable The vendor solution shall have the ability to consider whether the source has stopped logging events or whether there has been a significant interruption in logging when performing correlations. Offered _____ Not offered _____

4.4.13.14 Desirable The vendor solution shall have the ability to consider logins, unsuccessful logins, and logouts when performing correlations. Offered _____ Not offered _____

4.4.13.15 Desirable The vendor solution shall have the ability to consider privileged user actions, connections, and requests when performing correlations. Offered _____ Not offered _____

4.4.13.16 Desirable The vendor solution shall have the ability to consider changes to security policies in monitored devices and operating systems when performing correlations. Offered _____ Not offered _____

4.4.13.17 Desirable The vendor solution shall have the ability to consider changes to security and/or audit logging services when performing correlations. Offered _____ Not offered _____

4.4.13.18 Desirable The vendor solution shall have the ability to consider changes to user accounts and permissions (on the source system) when performing correlations. Offered _____ Not offered _____

4.4.13.19 Desirable The vendor solution shall have the ability to consider escalation of privileges when performing correlations. Offered _____ Not offered _____

4.4.13.20 Desirable The vendor solution shall have the ability to consider changes to file system objects when performing correlations. Offered _____ Not offered _____

4.4.13.21 Desirable The vendor solution shall have the ability to consider failed file or resource access attempts when performing correlations. Offered _____ Not offered _____

4.4.13.22 Desirable The vendor solution shall have the ability to consider web server unauthorized or not found failures when performing correlations. Offered _____ Not offered _____

4.4.13.23 Desirable The vendor solution shall have the ability to consider startup and shutdown of systems and services when performing correlations. Offered _____ Not offered _____

4.4.13.24 Desirable The vendor solution shall have the ability to consider operating system, database, and applications changes when performing correlations. Offered _____ Not offered _____

4.4.13.25 Desirable The vendor solution shall have the ability to consider SANS top 5 log report coverage when performing correlations. Offered _____ Not offered _____

4.4.13.26 Desirable The vendor solution shall have the ability to consider suspicious or unauthorized network traffic patterns when performing correlations. Offered _____ Not offered _____

4.4.13.27 Desirable The vendor solution shall have the ability to consider correlation of IP-based events with users when performing correlations. Offered _____ Not offered _____

4.4.13.28 Desirable The vendor solution shall have the ability to consider client(s) generating excessive DHCP requests when performing correlations. Offered _____ Not offered _____

4.4.13.29 Desirable The vendor solution shall have the ability to consider server(s) generating large numbers of authentication failures when performing correlations. Offered _____ Not offered _____

4.4.13.30 Desirable The vendor solution shall have the ability to consider a single machine receiving authentication failures from multiple servers when performing correlations. Offered _____ Not offered _____

4.4.13.31 Desirable The vendor solution shall have the ability to consider a single machine receiving authentication failures when trying different usernames when performing correlations. Offered _____ Not offered _____

4.4.13.32 Desirable The vendor solution shall have the ability to consider recognition of related events when performing correlations. Offered _____ Not offered _____

4.4.13.33 Desirable The vendor response shall describe any other correlation considerations. Offered _____ Not offered _____

4.4.13.34 Desirable The vendor response shall describe how the correlation engine can be extended by the Project Team. Offered _____ Not offered _____ If offered, the description should include a description of what capabilities are available and how they are accessed. This item includes user-defined correlation rules:

4.4.13.35 Mandatory The vendor solution shall be updated on a regular basis. Compliant _____ Compliant with qualification _____ Non-compliant _____ If complying, the description should include a description of how frequently the correlation engine has been updated over the last 18 months and the nature of the updates:

4.4.13.36 Mandatory The vendor solution shall require at least one manual step to be taken before each correlation engine update is applied (multiple elements may be updated by the one step). Compliant _____ Compliant with qualification _____ Non-compliant _____ If complying, describe the manual steps required:

4.4.13.37 Mandatory The vendor solution update shall identify all aspects of user customization that may be affected by the update. The identification may be automated or via documentation. Compliant _____ Compliant with qualification _____ Non-compliant _____

4.4.13.38 Desirable The vendor solution shall be able to automate the identification and revision of user customizations that are affected by the update. Offered _____ Not offered _____

4.4.13.39 Mandatory The vendor solution update shall provide an automated process for updating the correlation signatures. Compliant _____ Compliant with qualification _____ Non-compliant _____

4.4.13.40 Mandatory The vendor response shall support auditing and forensic analysis processes by collecting all relevant data events for an incident into a single report. Compliant _____ Compliant with qualification _____ Non-compliant _____

4.4.13.41 Mandatory The vendor response shall support auditing and forensic analysis processes by providing for examining of the relevant source data events outside of the correlation. Compliant _____ Compliant with qualification _____ Non-compliant _____

4.4.13.42 Mandatory The vendor response shall support auditing and forensic analysis processes by providing the ability to export the correlation report with all supporting data events. Compliant _____ Compliant with qualification _____ Non-compliant _____

4.4.13.43 Mandatory The vendor response shall support auditing and forensic analysis processes by providing the ability to export a designated subset of the correlation report with all supporting data events. Compliant _____ Compliant with qualification _____ Non-compliant _____

4.4.13.44 Mandatory The vendor response shall support auditing and forensic analysis processes by providing the ability to verify the integrity of the exported correlation report and subset reports. Compliant _____ Compliant with qualification _____ Non-compliant _____

4.4.13.45 Mandatory The vendor response shall support auditing and forensic analysis processes by providing the ability to export a designated subset of the correlation report with all supporting data events. Compliant _____ Compliant with qualification _____ Non-compliant _____

4.4.13.46 Mandatory The vendor response shall support auditing and forensic analysis processes by providing the ability to export a designated subset of the correlation report with all supporting data events. Compliant _____ Compliant with qualification _____ Non-compliant _____

4.4.13.47 Desirable The vendor solution shall have the capability of determining that multiple anomalies are related and consolidating them into one. Offered _____ Not offered _____ If offered, specify what capabilities are available:

4.4.13.48 Desirable The vendor solution shall have the capability of performing passive vulnerability monitoring. Offered _____ Not offered _____ If offered, specify what capabilities are available:

4.4.13.49 Desirable The vendor solution shall have the capability of detecting already compromised systems. Offered _____ Not offered _____ If offered, specify what capabilities are available:

4.4.13.50 Desirable The vendor solution allows Project Team to modify or tune correlation rule definitions or signatures. Offered _____ Not offered _____ If offered, specify what capabilities are available:
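The three authentication-failure considerations in 4.4.13.29 to 4.4.13.31, together with the selective suppression asked for in 4.4.13.4, can be made concrete with a small sliding-window correlator. This is an added example, not part of the RFP or of any vendor product; the log line format, thresholds, window length and names are assumptions, and 4.4.13.30 is read here as one client machine failing against several servers.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Assumed normalized line format (not from the RFP):
#   <timestamp> server=<name> src=<client> user=<name> result=<OK|FAIL>
LINE = re.compile(r"^(\S+) server=(\S+) src=(\S+) user=(\S+) result=(\w+)$")

# Constructed sample input; addresses come from documentation ranges.
SAMPLE_LINES = [
    "2008-11-03T10:00:01 server=web01 src=192.0.2.10 user=alice result=FAIL",
    "2008-11-03T10:00:05 server=web01 src=192.0.2.10 user=bob result=FAIL",
    "2008-11-03T10:00:09 server=web01 src=192.0.2.10 user=carol result=FAIL",
    "2008-11-03T10:00:20 server=mail01 src=192.0.2.10 user=alice result=FAIL",
    "2008-11-03T10:00:31 server=ldap01 src=192.0.2.10 user=alice result=FAIL",
    "2008-11-03T10:01:00 server=web01 src=198.51.100.7 user=dave result=OK",
    "2008-11-03T10:01:10 server=web01 src=198.51.100.7 user=dave result=FAIL",
    "2008-11-03T10:01:30 server=web01 src=198.51.100.8 user=erin result=FAIL",
    "2008-11-03T10:20:00 server=db01 src=198.51.100.9 user=frank result=FAIL",
]


def parse(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE.match(line.strip())
    if not m:
        return None
    ts, server, src, user, result = m.groups()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"),
            "server": server, "src": src, "user": user, "result": result}


def correlate(lines, window=timedelta(minutes=5), max_failures=5,
              max_servers=3, max_users=3, suppress=frozenset()):
    """Scan time-ordered lines and return one anomaly per (rule, subject).

    Rule labels reuse the RFP item numbers. `suppress` holds (rule, subject)
    pairs the operator has silenced as known false positives.
    """
    recent = deque()   # failures inside the sliding window
    raised = set()     # (rule, subject) already reported; never re-raised here
    anomalies = []
    for line in lines:
        ev = parse(line)
        if ev is None or ev["result"] != "FAIL":
            continue
        recent.append(ev)
        while recent[0]["ts"] < ev["ts"] - window:
            recent.popleft()
        same_server = [e for e in recent if e["server"] == ev["server"]]
        same_src = [e for e in recent if e["src"] == ev["src"]]
        checks = [
            # server generating a large number of authentication failures
            ("4.4.13.29", ev["server"], len(same_server), max_failures),
            # one machine failing against multiple servers
            ("4.4.13.30", ev["src"], len({e["server"] for e in same_src}), max_servers),
            # one machine failing while trying different usernames
            ("4.4.13.31", ev["src"], len({e["user"] for e in same_src}), max_users),
        ]
        for rule, subject, value, limit in checks:
            pair = (rule, subject)
            if value >= limit and pair not in raised and pair not in suppress:
                raised.add(pair)
                anomalies.append({"rule": rule, "subject": subject,
                                  "at": ev["ts"], "value": value})
    return anomalies


if __name__ == "__main__":
    for a in correlate(SAMPLE_LINES):
        print(a["at"].isoformat(), a["rule"], a["subject"], a["value"])
```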

4.4.14 Reporting and Visualization

4.4.14.1

Mandatory The vendor solution shall have the ability to report on the data events, including trending. The vendor response shall contain a list of all included reports and a representative sample of those reports. Reporting capabilities shall be similar between intermediate and central elements and the vendor response shall include a list of all differences. Compliant _____ Compliant with qualification _____ Non-compliant _____

4.4.14.2

Desirable The vendor solution shall have the ability to produce an incident report with all supporting data leading up to an identification of the incident. Offered _____ Not offered _____ If offered, specify the name of the report as used by the vendor solution, how to access the report, and a representative sample of the report's output:

4.4.14.3

Desirable The vendor solution shall have the ability to produce a list of incidents sorted by applications, systems, locations, date, time, etc. Offered _____ Not offered _____ If offered, specify the name of the report as used by the vendor solution, how to access the report, and a representative sample of the report's output:

4.4.14.4

Desirable The vendor solution shall have the ability to produce a list of systems logging in each device group. Offered _____ Not offered _____ If offered, specify the name of the report as used by the vendor solution, how to access the report, and a representative sample of the report's output:

4.4.14.5

Desirable The vendor solution shall have the ability to produce a list of users within each security role. Offered _____ Not offered _____ If offered, specify the name of the report as used by the vendor solution, how to access the report, and a representative sample of the report's output:

4.4.14.6

Desirable The vendor solution shall have the ability to produce a list of users with access to data from specific device / device group. Offered _____ Not offered _____ If offered, specify the name of the report as used by the vendor solution, how to access the report, and a representative sample of the reports output:

4.4.14.7

Desirable The vendor solution shall have the ability to produce a list of events logged from each device over a specific period of time. Offered _____ Not offered _____ If offered, specify the name of the report as used by the vendor solution, how to access the report, and a representative sample of the reports output:

4.4.14.8

Desirable The vendor solution shall have the ability to produce a count of failed login events filtered and sorted by applications, systems, locations, etc. Offered _____ Not offered _____ If offered, specify the name of the report as used by the vendor solution, how to access the report, and a representative sample of the reports output:

4.4.14.9

Desirable The vendor solution shall have the ability to produce a count of web application error (404, 302) events filtered and sorted by applications, systems, locations, etc. Offered _____ Not offered _____ If offered, specify the name of the report as used by the vendor solution, how to access the report, and a representative sample of the reports output:

4.4.14.10 Desirable The vendor solution shall have the ability to produce a list of system changes with dates, times, and usernames. Offered _____ Not offered _____ If offered, specify the name of the report as used by the vendor solution, how to access the report, and a representative sample of the reports output:

4.4.14.11 Desirable The vendor solution shall have the ability to produce event trending reports. Offered _____ Not offered _____ If offered, specify the name of the report as used by the vendor solution, how to access the report, and a representative sample of the report's output:

4.4.14.12 Desirable The vendor solution shall have the ability to produce a summary of security events by event category filtered and sorted by applications, systems, locations, etc. Offered _____ Not offered _____ If offered, specify the name of the report as used by the vendor solution, how to access the report, and a representative sample of the report's output:

4.4.14.13 Desirable The vendor solution shall have the ability to produce a list of systems that may be considered high risk (i.e., list of devices where there is a high likelihood of an incident). Offered _____ Not offered _____ If offered, specify the name of the report as used by the vendor solution, how to access the report, and a representative sample of the report's output:

4.4.14.14 Desirable The vendor solution shall have the ability to produce a list of executed incident alerts. Offered _____ Not offered _____ If offered, specify the name of the report as used by the vendor solution, how to access the report, and a representative sample of the report's output:

4.4.14.15 Desirable The vendor solution shall have the ability to produce a list of the top 10 / 20 incidents or incident types filtered and sorted by applications, systems, locations, etc. Offered _____ Not offered _____ If offered, specify the name of the report as used by the vendor solution, how to access the report, and a representative sample of the report's output:

4.4.14.16 Desirable The vendor solution shall have the ability to produce a list of the top 10 / 20 event categories filtered and sorted by applications, systems, locations, etc. Offered _____ Not offered _____ If offered, specify the name of the report as used by the vendor solution, how to access the report, and a representative sample of the report's output:

4.4.14.17 Desirable The vendor solution shall have the ability to produce a compliance report covering Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. 1232g; 34 CFR Part 99) issues. Offered _____ Not offered _____ If offered, specify the name of the report as used by the vendor solution, how to access the report, and a representative sample of the report's output:

4.4.14.18 Desirable The vendor solution shall have the ability to produce the standard range of compliance reports, including HIPAA, SOX, GLBT, PCI, and others. Offered _____ Not offered _____ If offered, specify the name of the report as used by the vendor solution, how to access the report, and a representative sample of the report's output:

4.4.14.19 Desirable The vendor solution shall have the ability to produce reports other than those listed above. Offered _____ Not offered _____

4.4.14.20 Mandatory The vendor shall support a real-time dashboard of its status. Compliant _____ Compliant with qualification _____ Non-compliant _____

4.4.14.21 Mandatory The vendor solution shall support at least two of the following report formats. Compliant _____ Compliant with qualification _____ Non-compliant _____ PDF _____ HTML _____ comma-separated value _____ plain text _____ For HTML reports, specify whether they are stand-alone (i.e., can be mailed or otherwise transferred) or web-based (i.e., served dynamically), or both:

Specify the transfer mechanisms available (check all that apply):
SOAP _____
SMTP _____
scp initiated from external host _____
FTP initiated from external host _____
scp initiated from vendor solution _____
FTP initiated from vendor solution _____

Describe what options are available for automating the transfer from outside the vendor solution:

Describe the steps required to configure a standard report and the available options:

4.4.14.22 Mandatory The vendor solution shall offer the ability to export the raw data events including the original form. Compliant _____ Compliant with qualification _____ Non-compliant _____ If complying, specify the formats available (check all that apply): comma-separated value _____ XML _____ OpenDocument spreadsheet (.ods) _____ Excel spreadsheet (.xls) _____ specify version(s) _____

4.4.14.23 Desirable The vendor solution shall offer the ability for the Project Team to create custom reports. Offered _____ Not offered _____ If offered, describe the process of creating a custom report and the available options and tools:

4.4.14.24 Desirable The data events can be stored in a Project Team-provided database. Offered _____ Not offered _____ If offered, specify the database and the data dictionary:

4.4.14.25 Desirable If the vendor solution stores the data events in a database within the vendor solution, it provides database-level access to the data. Offered _____ Not offered _____ If offered, specify the database, how it is accessed, and the data dictionary:

4.4.14.26 Mandatory The vendor solution shall offer the ability to schedule reports on both a recurring and a one-time basis. Compliant _____ Compliant with qualification _____ Non-compliant _____ If complying, describe the process of scheduling a report and the available options, including delivery mechanisms and how access to the reports is protected:

4.4.14.27 Mandatory The vendor solution shall provide the capability for a user to monitor the health of the overall vendor solution and each element in real time. Real time means that events that affect the health of any element should be visible within 30 seconds of their occurrence. Compliant _____ Compliant with qualification _____ Non-compliant _____ If complying, include a description of this capability and relevant screen shots:

4.4.14.28 Mandatory The vendor solution shall provide the capability for a user to review the data events occurring, control how they are propagated, whether they are turned into notifications, and the priority and content of the notifications. Compliant _____ Compliant with qualification _____ Non-compliant _____ If complying, include a description of this capability and relevant screen shots:

4.4.14.29 Mandatory The vendor solution shall provide the capability for a user to view data events for further iterative filtering and relationship investigation. Compliant _____ Compliant with qualification _____ Non-compliant _____ If complying, include a description of this capability and relevant screen shots:

4.4.14.30 Mandatory The vendor solution shall provide a drill-down capability that starts from an anomaly and its display and continues to the intermediate and raw data that generated the anomaly. Compliant _____ Compliant with qualification _____ Non-compliant _____ Sample capabilities include (this list is an example only):
The ability to drill down a specific incident through all systems that contributed to the incident's identification.
The ability to list all events across different systems originating from a specific username.
The ability to list all systems with a specific error code or message.
The ability to specify regular expression syntax in queries.
The ability to export data, filtered by any field within the normalized data set.
The ability to export data, filtered by any field within the original (raw) data set.
If complying, include a description of this capability and relevant screen shots:

4.4.14.31 Desirable The vendor solution shall offer suggestions for corrective actions germane to a classified data event. Offered _____ Not offered _____

4.4.14.32 Desirable The vendor solution shall allow local extension of the database of suggestions for corrective actions germane to classified data events. Offered _____ Not offered _____

4.4.14.33 Desirable The vendor solution should allow export of the database of suggestions for corrective actions germane to classified data events. Offered _____ Not offered _____ If offered, specify input format types accepted (XML, CSV) and user account attributes supported:

4.4.14.34 Desirable If vendor solution supports archiving or off-line storage, describe what reporting is available against that data. Offered _____ Not offered _____

4.4.15 Notifications

4.4.15.1

Mandatory The vendor solution shall have the ability to initiate notifications based on data events or anomalies. Compliant _____ Compliant with qualification _____ Non-compliant _____

4.4.15.2

Mandatory The vendor solution shall be able to initiate notifications using SNMP traps. Compliant _____ Compliant with qualification _____ Non-compliant _____ If complying, include a description of this capability and relevant event-related trap messages:

4.4.15.3

Mandatory The vendor solution shall be able to initiate notifications using SMTP message (electronic mail). Compliant _____ Compliant with qualification _____ Non-compliant _____ If complying, include a description of this capability and relevant event-related SMTP messages:

4.4.15.4

Desirable The vendor solution shall be able to initiate notifications using other mechanisms. Offered _____ Not offered _____ If offered, describe the other mechanisms, and the event-related notifications:

4.4.15.5

Desirable The vendor solution shall be able to initiate multiple notifications to different destinations. Offered _____ Not offered _____ If offered, describe the capabilities, including any that relate to differing text or priority levels between destinations:

4.4.15.6

Describe The vendor solution shall offer users the ability to configure notifications that apply to the data events that they have access to, including priority. Offered _____ Not offered _____ If offered, describe the capabilities:

4.4.15.7

Desirable The vendor solution shall support case management or ticketing functionality within the intermediate element. Offered _____ Not offered _____ If offered, describe:

4.4.16 Users and Access

4.4.16.1

Mandatory The vendor solution shall have the ability to provide at least 1,000 user accounts. Compliant _____ Compliant with qualification _____ Non-compliant _____

4.4.16.2

Desirable The vendor solution shall support user account creation by bulk import. Offered _____ Not offered _____ If offered, specify the input format types accepted (e.g., XML, CSV) and the user account attributes supported:

4.4.16.3

Desirable The vendor solution shall support LDAP for authentication. Offered _____ Not offered _____

4.4.16.4

Mandatory The vendor solution shall have the ability to provision granular access permissions and roles to different accounts. Compliant _____ Compliant with qualification _____ Non-compliant _____ If complying, specify the types of permissions that can be applied and the process for applying the permissions. If the vendor solution offers group- or role-based permissions, include their descriptions here:

4.4.16.5

Desirable The vendor solution shall have the ability to provision different access permissions and roles to different accounts. Offered _____ Not offered _____

4.4.16.6

Desirable The vendor solution shall have the ability to separately enable the ability to access log data for standard and custom reports on a per-account or per-group basis. Offered _____ Not offered _____ If offered, describe the offering:

4.4.16.7

Desirable The vendor solution shall have the ability to separately enable the ability to create custom reports on a per-account or per-group basis. Offered _____ Not offered _____ If offered, describe the offering:

4.4.16.8

Desirable The vendor solution shall have the ability to separately enable the ability to schedule automated reports on a per-account or per-group basis. Offered _____ Not offered _____ If offered, describe the offering:

4.4.16.9

Desirable The vendor solution shall have the ability to separately enable the ability to add logging devices on a per-account or per-group basis. Offered _____ Not offered _____ If offered, describe the offering:

4.4.16.10 Desirable The vendor solution shall have the ability to separately enable the ability to change system configuration on a per-account or per-group basis. Offered _____ Not offered _____ If offered, describe the offering:

4.4.16.11 Desirable The vendor solution shall have the ability to separately enable the ability to modify security incident notification and escalation configuration on a per-account or per-group basis. Offered _____ Not offered _____ If offered, describe the offering:

4.4.16.12 Desirable The vendor solution shall have the ability to separately enable the ability to archive log data (archiving large amounts of data offsite) on a per-account or per-group basis. Offered _____ Not offered _____ If offered, describe the offering:

4.4.16.13 Desirable The vendor solution shall have the ability to separately enable the ability to perform system configuration backup or restore on a per-account or per-group basis. Offered _____ Not offered _____ If offered, describe the offering:

4.4.16.14 Desirable The vendor solution shall have the ability to separately enable the ability to export log data (custom reports, data exports) on a per-account or per-group basis. Offered _____ Not offered _____ If offered, describe the offering:

4.4.16.15 Desirable The vendor solution shall have the ability to separately enable the ability to manage users (create, delete, role assignment, etc.) on a per-account or per-group basis. Offered _____ Not offered _____ If offered, describe the offering:

4.4.16.16 Desirable The vendor solution shall have the ability to separately enable the ability to manage source groups on a per-account or per-group basis. Offered _____ Not offered _____ If offered, describe the offering:

4.4.16.17 Desirable The vendor solution shall have the ability to separately enable the ability to access internal audit data (system logs, user activity logs, system configuration change logs, etc.) on a per-account or per-group basis. Offered _____ Not offered _____ If offered, describe the offering:

4.4.16.18 Desirable The vendor solution shall have the ability to separately enable the ability to clear internal audit logs on a per-account or per-group basis. Offered _____ Not offered _____ If offered, describe the offering:

4.4.16.19 Desirable The vendor solution shall describe any other account attributes not otherwise included. Offered _____ Not offered _____

4.4.16.20 Mandatory The vendor solution shall have a single interface for creating and managing user accounts and roles on all elements. If the vendor solution is provisioned to use external authentication, the vendor solution remains compliant even if additional operations are required on that external authentication system. Compliant _____ Compliant with qualification _____ Non-compliant _____

4.4.16.21 Mandatory The vendor solution shall retain a log of all user account and role activity, including accesses and account management operations. Compliant _____ Compliant with qualification _____ Non-compliant _____ If compliant, describe the logging performed and the methods of securing access to those logs:

4.4.16.22 Mandatory The vendor solution shall provide the ability to restrict user accounts and roles to only access data events from one or more designated collector elements. When such restrictions are in place, they constrain all queries, reports, and views performed by that user and role. Compliant _____ Compliant with qualification _____ Non-compliant _____ If compliant, specify the restrictions available and describe how they are configured:

4.4.16.23 Desirable The vendor solution shall provide the ability to restrict user accounts and roles to only access data events from one or more designated services on one or more collector elements. An example would be user X may only access log information related to database systems on servers Y and Z. When such restrictions are in place, they constrain all queries, reports, and views performed by that user and roles. Offered _____ Not offered _____ If offered, specify the restrictions available and describe how they are configured:

4.4.16.24 Mandatory The vendor solution shall provide the ability to restrict user accounts and roles to only access data events from one or more designated intermediate and central elements. When such restrictions are in place, they constrain all queries, reports, and views performed by that user and role. Compliant _____ Compliant with qualification _____ Non-compliant _____ If compliant, specify the restrictions available and describe how they are configured:

4.4.16.25 Mandatory The vendor solution shall provide the ability to restrict user accounts and roles to only access data events from one or more designated services on one or more intermediate and central elements. When such restrictions are in place, they constrain all queries, reports, and views performed by that user and roles. Compliant _____ Compliant with qualification _____ Non-compliant _____ If compliant, specify the restrictions available and describe how they are configured:

4.4.17

Installation and Configuration

For all items in this section, the time and skill level requirements shall be used to weight the total cost of ownership when determining cost.

4.4.17.1 Mandatory The vendor solution shall include a description of the steps required to install and configure an agent element. The description shall include the time and skill level required. Compliant _____ Compliant with qualification _____ Non-compliant _____

4.4.17.2

Mandatory The vendor solution shall include a description of the steps required to install and configure a collector element. The description shall include the time and skill level required. Compliant _____ Compliant with qualification _____ Non-compliant _____

4.4.17.3

Mandatory The vendor solution shall include a description of the steps required to install and configure an intermediate element. The description shall include the time and skill level required. Compliant _____ Compliant with qualification _____ Non-compliant _____

4.4.17.4

Mandatory The vendor solution shall include a description of the steps required to install and configure a central element. The description shall include the time and skill level required. Compliant _____ Compliant with qualification _____ Non-compliant _____

4.4.17.5

Desirable The vendor solution shall have a mechanism for initial bulk loading of asset and configuration data. Offered _____ Not offered _____ If offered, describe the mechanism:

4.4.17.6

Desirable The vendor solution shall have a mechanism for continuing automated updating of the asset and configuration data. Offered _____ Not offered _____ If offered, describe the mechanism:

4.4.17.7

Mandatory The vendor solution shall include a description of the steps required to maintain an agent element. The description shall include the schedule and steps required. The description shall include the time and skill level required. Compliant _____ Compliant with qualification _____ Non-compliant _____

4.4.17.8

Mandatory The vendor solution shall include a description of the steps required to maintain a collector element. The description shall include the schedule and steps required. The description shall include the time and skill level required. Compliant _____ Compliant with qualification _____ Non-compliant _____

4.4.17.9

Mandatory The vendor solution shall include a description of the steps required to maintain an intermediate element. The description shall include the schedule and steps required. The description shall include the time and skill level required. Compliant _____ Compliant with qualification _____ Non-compliant _____

4.4.17.10 Mandatory The vendor solution shall include a description of the steps required to maintain a central element. The description shall include the schedule and steps required. The description shall include the time and skill level required. Compliant _____ Compliant with qualification _____ Non-compliant _____

4.4.17.11 Mandatory The vendor solution shall include a description of the steps required to install updates and patches on an agent element. The description shall include the schedule and steps required. The description shall include the time and skill level required. Compliant _____ Compliant with qualification _____ Non-compliant _____

4.4.17.12 Mandatory The vendor solution shall include a description of the steps required to install updates and patches on a collector element. The description shall include a statement of how many times updates or patches have been provided in the last 18 months and the steps required. The description shall include the time and skill level required. Compliant _____ Compliant with qualification _____ Non-compliant _____

4.4.17.13 Mandatory The vendor solution shall include a description of the steps required to install updates and patches on an intermediate element. The description shall include a statement of how many times updates or patches have been provided in the last 18 months and the steps required. The description shall include the time and skill level required. Compliant _____ Compliant with qualification _____ Non-compliant _____

4.4.17.14 Mandatory The vendor solution shall include a description of the steps required to install updates and patches on a central element. The description shall include a statement of how many times updates or patches have been provided in the last 18 months and the steps required. The description shall include the time and skill level required. Compliant _____ Compliant with qualification _____ Non-compliant _____

4.4.18 Architecture and Scaling

4.4.18.1

Mandatory The vendor response shall include a discussion of the steps required for the Project Team to replace a failed collector element. Compliant _____ Compliant with qualification _____ Non-compliant _____

4.4.18.2

Mandatory The vendor response shall include a discussion of the steps required for the Project Team to replace a failed intermediate element. Compliant _____ Compliant with qualification _____ Non-compliant _____

4.4.18.3

Mandatory The Project Team anticipates that vendor solutions will be responsive. The vendor response shall identify those areas where response time will exceed 5 seconds per user interaction. The 5-second time is measured from when the vendor solution has received the last of the request until it has finished transmitting the last of the response. Computations shall assume that the system has been fully configured and running for some time. Compliant _____ Compliant with qualification _____ Non-compliant _____

4.4.18.4

Desirable The vendor response shall provide high availability options for the intermediate elements. Offered _____ Not offered _____ If offered, describe the options:

4.4.18.5

Mandatory The vendor response shall include a discussion of the high availability options for the central elements. The minimal requirements are two central elements at physically separate sites, and manual switching of collector and intermediate elements that report directly to the central element. Compliant _____ Compliant with qualification _____ Non-compliant _____

4.5 Additional General Terms


These requirements are in addition to the general terms and conditions in other sections.

4.5.1.1 Mandatory The costs in section 4.3 include licensing for an unlimited number of users accessing the vendor solution for all purposes simultaneously. Compliant _____ Compliant with qualification _____ Non-compliant _____

4.5.1.2

Mandatory RFP responder shall supply three references from customers of comparable size. Include contact name, postal address, telephone number, email address, organization name, and a brief (1-3 sentence) description of why they are similar to the State of Minnesota. Compliant _____ Compliant with qualification _____ Non-compliant _____

Reference #1

Reference #2

Reference #3

4.5.1.3

Mandatory RFP responder shall describe their industry experience in supplying solutions in this area. Compliant _____ Compliant with qualification _____ Non-compliant _____ Experience description:

4.5.1.4

Mandatory RFP responder shall describe their financial record as it affects their ability to support the purchased solution for a minimum of five years. Compliant _____ Compliant with qualification _____ Non-compliant _____ Financial description:

4.5.1.5

Mandatory RFP responder shall describe their technical support. The description will include hours, average wait times, location of call center(s), skill and experience levels of support personnel, number of support personnel, types of technical support available, testing and troubleshooting capabilities at the center, process flow for technical support at various escalation levels, and similar information. The technical support shall be 24 x 7, provide for escalation within 24 hours, and provide for resolution within one week. Compliant _____ Compliant with qualification _____ Non-compliant _____ Technical support description:

4.5.1.6

Desirable The vendor response shall include a description of any service tier offerings available. Cost information must be provided only in the separate cost section. Offered _____ Not offered _____

4.5.2 General Company Information


4.5.2.1 Mandatory The respondent must answer each of the following questions. If the answer to any question is in the affirmative, all relevant circumstances must be explained in detail, including the current status and ultimate disposition of each matter. Compliant _____ Compliant with qualification _____ Non-compliant _____

1. Has the respondent been declared in default of any contract?
2. Has the respondent forfeited any payment of a performance bond issued by a surety company on any contract?
3. Has an uncompleted contract been assigned by the respondent's surety company on any payment of performance bond issued to the respondent arising from its failure to fully discharge all contractual obligations hereunder?
4. Within the past three (3) years has the respondent filed for reorganization, protection from creditors, or dissolution under bankruptcy statutes?
5. Is the respondent now the subject of any litigation in which an adverse decision might result in material change in the company's financial position or future viability?

Identify any current or pending litigation in which the respondent is involved that has a significant effect on its ability to provide products or services through any contract resulting from this solicitation. The respondent will be required to supplement this information if additional litigation arises during the term of this contract.

4.6 Technical Requirements


This section contains technical requirements that pertain to compatibility with the Project Team's supported infrastructure.

4.6.1 General
4.6.1.1 Mandatory The vendor response shall include system diagrams. The response complies with this requirement by including the diagrams identified below. Compliant _____ Compliant with qualification _____ Non-compliant _____ The diagrams shall include the: overall data flow; process; logical connections between elements (the logical data model); firewall zone structure; physical connections between elements (the physical data model); network bandwidth and latency requirements; backup architecture and performance requirements; development, staging/test, and production environment infrastructure; scaling and growth estimates for at least 3 years; and all other diagrams or elements necessary for the Project Team to understand the response.

4.6.1.2

Mandatory The vendor response shall include a description of the vendor solution's service levels and how they are measured. This description shall also include discussion of how the vendor solution can interface with service level management tools, including the Project Team's existing BMC tools. Compliant _____ Compliant with qualification _____ Non-compliant _____

4.6.1.3

Mandatory The vendor shall have a documented quality assurance process. The vendor response shall comply by including a copy of that process. Compliant _____ Compliant with qualification _____ Non-compliant _____

4.6.1.4

Desirable The vendor shall have ISO 9000 certification in all relevant areas. Offered _____ Not offered _____

4.6.1.5

Mandatory The vendor shall have a documented process to ensure that the reliability and performance claimed in this response is actually delivered. The vendor response shall comply by including a copy of that process. Compliant _____ Compliant with qualification _____ Non-compliant _____

4.6.1.6

Desirable Describe what features the vendor solution has that support the Project Team's ability to perform charge back. Offered _____ Not offered _____

4.6.1.7

Mandatory The vendor shall have a documented security vulnerability notification and patch process. The vendor response shall comply by including a copy of that process. Compliant _____ Compliant with qualification _____ Non-compliant _____

4.6.1.8

Mandatory The vendor shall have a documented mechanism for notifying customers within 72 hours of discovering a security vulnerability in the vendor solution. The vendor response shall comply by including a copy of that mechanism's documentation. Compliant _____ Compliant with qualification _____ Non-compliant _____

4.6.1.9

Mandatory For vendor solutions that use Project Team-supplied server hardware, the vendor shall have a documented policy of supporting operating system security patches within 30 days of the operating system vendor's release of a patch. The vendor response shall comply by including a copy of that policy. Compliant _____ Compliant with qualification _____ Non-compliant _____

4.6.1.10

Mandatory For vendor solutions that use OET-supplied database systems, the vendor shall have a documented policy of supporting database security patches within 30 days of the database vendor's release of a patch. The vendor response shall comply by including a copy of that policy. Compliant _____ Compliant with qualification _____ Non-compliant _____

4.6.1.11

Mandatory For vendor solutions that use third party components, the vendor shall have a documented policy of supporting third party component vendor security patches within 30 days of the third party component vendor's release of a patch. The vendor response shall comply by including a copy of that policy. Compliant _____ Compliant with qualification _____ Non-compliant _____

4.6.1.12

Desirable The vendor shall have an automated patch installation process. Offered _____ Not offered _____ Regardless of whether an automated process is available, describe the patching process:

4.6.1.13

Mandatory The vendor shall have a documented patch and release policy. The vendor response shall comply by including a copy of that policy. Compliant _____ Compliant with qualification _____ Non-compliant _____

4.6.2 Backup
4.6.2.1 Mandatory The vendor solution shall permit backups of configuration data, account, report structure and similar data, separate from backing up historical data, log data, generated reports, or other application data. The intent here is for the Project Team to be able to back up and recover the structure of the installation. Vendor solutions that store all configuration data in files that may be backed up and restored by standard operating system mechanisms should be marked Compliant. To be compliant, the vendor solution shall enable backups to be initiated by automated processes: solutions that require interactive operation (e.g., entry of a password) shall not be compliant. Compliant _____ Compliant with qualification _____ Non-compliant _____

4.6.2.2 Mandatory The vendor solution shall be able to be backed up without interfering with functionality or operations. Compliant _____ Compliant with qualification _____ Non-compliant _____

4.6.2.3

Desirable The vendor solution shall be able to take advantage of our existing TSM and/or Avamar backup solutions. Offered _____ Not offered _____

4.6.3 Browser
4.6.3.1 Mandatory The vendor solution shall permit access to some functionality by means of a web browser. Compliant _____ Compliant with qualification _____ Non-compliant _____ If complying, specify what functionality is not available by means of a web browser (i.e., what functionality would require a client or other access):

4.6.3.2

Mandatory The vendor will describe the ways in which the solution's user interface is ADA (U.S. Americans with Disabilities Act of 1990, 42 U.S.C. 12101) compliant. Compliant _____ Compliant with qualification _____ Non-compliant _____ If complying, include description:

4.6.3.3

Desirable The vendor solution shall make all functionality available using only W3C standard protocols. These protocols include HTTP 1.0, HTTP 1.1, HTML 4.0, XHTML, CSS 2.1, CSS3, PNG, JPEG, and GIF. Offered _____ Not offered _____

4.6.3.4

Desirable The vendor solution shall offer all unencrypted web access using port 80 and all encrypted web access using port 443. Offered _____ Not offered _____ If not offered, specify the port usage:

4.6.3.5

Desirable The vendor solution shall avoid using persistent cookies. Offered _____ Not offered _____ If not offered, describe the cookie usage. The description should include the domain(s), the nature of the information encoded in the cookie, and the effects on interaction if cookies are disabled in the browser:

4.6.3.6

Desirable The vendor solution shall be able to be accessed through a reverse proxy. Offered _____ Not offered _____ If not offered, specify the protocol usage that interferes with reverse proxy access:

4.6.3.7

Desirable The vendor solution shall require only the functionality included with stock browser distributions and not require plug-ins or downloads. ActiveX controls, Flash, Java, and JavaScript (or ECMAScript) are not considered part of stock browser distribution. Offered _____ Not offered _____ If not offered, specify the plug-in and/or download requirements: requires ActiveX controls (list which) _____ requires Flash (specify version) _____ requires Java (specify version) _____ requires JavaScript/ECMAScript (specify version) _____ requires other (specify) _____

4.6.3.8

Mandatory The vendor solution shall be able to operate with a listed web browser. Compliant _____ Compliant with qualification _____ Non-compliant _____ If complying, identify all browsers that the vendor solution operates with (check all that apply and indicate version number(s)): Chrome _____ version(s): _____ Firefox _____ version(s): _____ Internet Explorer _____ version(s): _____ Lynx (non-graphical functionality only) _____ version(s): _____ Opera _____ version(s): _____ Safari _____ version(s): _____ other _____

4.6.4 Continuity/Availability
4.6.4.1 Mandatory The vendor response shall include a description of the level of continuity of operations provided by the solution. The response complies with this requirement by including a discussion of the elements identified below. The availability and recovery time requirements are specified elsewhere in this RFP. Compliant _____ Compliant with qualification _____ Non-compliant _____ The description shall include: a list of the items and components required by the vendor solution for operation that are not provided by the vendor solution (examples: power, DNS server), the nature of availability offered by the vendor solution, detailed recovery strategy and recovery plan including recovery procedures which meets the recovery time objective assigned to this system (examples: redundant system with either automatic or manual failover, hot site recovery, warm site recovery, cold site recovery, purchase at time of need), in the case of a hot failover solution, the mechanism used to identify when the system has failed over and the process to restore synchronized operation; and any options offered to increase the level of availability and recoverability.

4.6.4.2

Desirable The vendor response shall include a description of how the vendor supports customers when the customers are activating their business continuity plans. Offered ____ Not offered _____ If offered, the response should include how the vendor sets priorities, the response time for drop shipping, any technical or professional services offered, and any other pertinent information (cost information must be included in the separate cost section):

4.6.4.3

Mandatory The vendor response shall include a description of the vendor's license key assignment and activation process. Vendor solutions that do not require license keys or an activation process are considered compliant and the description should be "none required". Compliant _____ Compliant with qualification _____ Non-compliant _____ The description shall include: The process for obtaining an initial license key or activation. What changes the Project Team can make before a new license key or reactivation is required, with particular reference to continuity of operations recovery situations. What the process for obtaining a license key reissue or reactivation is, including the time required to complete the process, both during normal business days and during the remainder of the 24 x 7 time.

4.6.5 Database

4.6.5.1

Structural The vendor solution deliverable makes use of an external relational database management system. Yes _____ No _____ If the yes item is checked, continue responding to the items under this section. If the no item is checked, skip all entries in the 4.6.5 section.

4.6.5.2 Mandatory The vendor solution shall be able to use Project Team's existing database environment. Compliant _____ Compliant with qualification _____ Non-compliant _____ If complying, specify the environments supported (check all that apply): Oracle 10g or higher _____ o Oracle RAC on Linux _____ o Oracle on distributed Linux _____ SQL Server 2005 (Windows only) _____ SQL Server 2008, single or clustered servers _____ DB2 V8 or higher _____ o DB2 for z/OS _____ o DB2 LUW for distributed Linux or z/Linux _____ If complying, specify the database connector types supported (check all that apply): DB2 Connect _____ JDBC _____ ODBC _____ other (describe) _____

4.6.5.3

Desirable The vendor shall be able to use one of Project Team's existing Oracle database implementations. Offered _____ Not offered _____

4.6.5.4

Mandatory The vendor shall commit to supporting new database releases within one year of the database's release to manufacturing. Compliant _____ Compliant with qualification _____ Non-compliant _____

4.6.6 Desktop
4.6.6.1 Structural The vendor solution deliverable makes use of client software installed on desktop workstations. Yes _____ No _____ If the yes item is checked, continue responding to the items under this section. If the no item is checked, skip all entries in the 4.6.6 section.

4.6.6.2

Mandatory The clients shall be available for some platform. Compliant _____ Compliant with qualification _____ Non-compliant _____ If complying, specify the supported platforms (check all that apply): Windows XP _____ other (describe) _____ Specify details of requirements and options:

4.6.6.3

Mandatory The vendor will describe the ways in which the solution's user interface is ADA (U.S. Americans with Disabilities Act of 1990, 42 U.S.C. 12101) compliant. Compliant _____ Compliant with qualification _____ Non-compliant _____ If complying, describe the ways in which the vendor solution is ADA-compliant:

4.6.6.4

Mandatory The clients shall be able to operate with only layer 3 (IP) connectivity to the server. Compliant _____ Compliant with qualification _____ Non-compliant _____

4.6.7 Facilities
4.6.7.1 Mandatory The vendor solution hardware shall fit within the existing Chatsworth racks. Vendor solutions that are shipped pre-installed in racks shall be considered compliant if those racks are visually identical to and mechanically compatible with the existing Chatsworth racks. Compliant _____ Compliant with qualification _____ Non-compliant _____

4.6.7.2

Mandatory The vendor solution hardware can accept power in the range 200V-240V or 100V-130V. Compliant _____ Compliant with qualification _____ Non-compliant _____

4.6.7.3

Desirable The vendor solution hardware can accept power in the range 200V-240V. Offered _____ Not offered _____

4.6.7.4

Mandatory The vendor solution hardware can be connected to the existing Project Team KVM switches using Project Team-provided cables. Compliant _____ Compliant with qualification _____ Non-compliant _____

4.6.7.5

Desirable The vendor solution hardware to be installed in data centers has dual power supplies, each with its own cord and can operate with just one cord/power supply active. Offered _____ Not offered _____

4.6.8 Monitoring
4.6.8.1 Mandatory The vendor solution elements are monitorable by using SNMPv1. Compliant _____ Compliant with qualification _____ Non-compliant _____

4.6.8.2

Mandatory The vendor response shall include a list of all public MIBs supported. The response may use RFC numbers or URLs in the list. Compliant _____ Compliant with qualification _____ Non-compliant _____

4.6.8.3

Desirable The vendor solution elements are monitorable by using SNMPv2 or SNMPv3. Offered _____ Not offered _____

4.6.8.4

Mandatory The vendor response shall identify all non-public MIBs supported by the vendor solution. Electronic copies of those MIBs for incorporation into the Project Team's network monitoring systems shall be delivered as part of the installation process. Compliant _____ Compliant with qualification _____ Non-compliant _____

4.6.8.5

Mandatory The vendor solution elements shall be able to generate notifications using SNMP Traps. Compliant _____ Compliant with qualification _____ Non-compliant _____

4.6.8.6

Desirable The vendor solution elements shall be able to generate notifications using other mechanisms. Offered _____ Not offered _____ If complying, specify the supported platforms (check all that apply): electronic mail message _____ Remedy ticket _____ other (describe) _____

4.6.9 Network
4.6.9.1 Mandatory The vendor solution shall use only GigabitEthernet or FastEthernet copper connections for any physical network connections. Note: connections to SAN storage are covered in section 4.6.13. If the vendor solution proposes other physical connection types, it can be considered to be compliant only if the proposal receives approval from Project Team Network Services before the RFP due date. Compliant _____ Compliant with qualification _____ Non-compliant _____

4.6.9.2

Mandatory The vendor solution shall use IPv4 for its network protocol. Compliant _____ Compliant with qualification _____ Non-compliant _____

4.6.9.3

Desirable The vendor solution fully supports the IPv6 protocol. Offered _____ Not offered _____ If offered, describe the specifics, including current limitations that are planned for removal in future implementation. IPv6 support is desired both for communication with and between vendor solution elements and as content of events handled by the vendor solution:

4.6.10 Reporting
4.6.10.1 Mandatory The vendor solution shall support plain text reports. Compliant _____ Compliant with qualification _____ Non-compliant _____

If complying, indicate any additional report formats available (check all that apply): PDF _____ stand-alone HTML page (i.e., can be mailed or transferred) _____ web-based (i.e., send out a link) _____ other _____


If either of the stand-alone HTML page or web-based items are checked, browser requirements must be part of the detail specified in section 4.6.3. If the other item is checked, specify details:

4.6.11 Reporting: Data Export
4.6.11.1

Desirable The vendor solution shall offer the ability to export all the raw data. Vendor solutions that store data in an external Project Team database are considered offered. Offered _____ Not offered _____ If offered, specify the formats available (check all that apply): data are stored in an external Project Team database _____ comma-separated value _____ XML _____ OpenDocument spreadsheet (.ods) _____ Excel spreadsheet (.xls) _____ specify version(s) _____ direct database access from other computers _____ other _____ If either of the direct database access from other computers or other items are checked, specify details (include database driver requirements for direct access):

4.6.11.2

Desirable The vendor solution shall enable the automation of the raw data export. Offered _____ Not offered _____ If complying, specify the mechanisms available (check all that apply, these are examples only): SOAP _____ REST _____ scp initiated from external host _____ FTP initiated from external host _____ scp initiated from vendor solution _____ FTP initiated from vendor solution _____ other _____ If the other item is checked, specify details: If either of the from external host items is checked, specify what options are available for specifying the start date/time and either duration or end date/time of the data to be transferred: If either of the initiated from vendor solution items is checked, specify which of these parameters can be configured: date/time of initial transfer _____ repetition interval _____


destination host _____ destination username _____ destination password _____ Specify what other configuration parameters are available and what options are available for automated transfer:

4.6.12 Security
4.6.12.1 Mandatory As part of the installation process, the vendor solution will be scanned for security vulnerabilities after installation and before acceptance. Vendor and Project Team shall agree on a joint plan to address any vulnerabilities identified and the vulnerabilities shall be addressed before acceptance. Vendor solutions comply with this requirement by agreeing to the scan and addressing. Compliant _____ Compliant with qualification _____ Non-compliant _____

4.6.12.2

Mandatory The vendor solution shall record and retain logs of all significant system events. The vendor solution shall also be able to automatically export the log data to an external system with a frequency of at least daily. Compliant _____ Compliant with qualification _____ Non-compliant _____ If complying, specify what events are logged, the degree of control over the level of detail in logging, formats for exporting the log data, and details of how to configure export. At a minimum, the logging should include all successful and unsuccessful login attempts, all logouts, and all account creation, removal, and change activity, including permission changes:

4.6.12.3

Mandatory The vendor solution shall be able to export log data. Compliant _____ Compliant with qualification _____ Non-compliant _____ If complying, specify the log protocols supported (check all that apply): SYSLOG _____ Windows event log _____

4.6.12.4

Mandatory The vendor response shall contain a description of the overall security plan for the vendor system. The response complies with this requirement by including the plan. Compliant _____ Compliant with qualification _____ Non-compliant _____

4.6.12.5

Desirable The vendor solution shall be able to use existing Project Team authentication mechanisms. Vendor solutions that do not require user accounts are considered not offered. Offered _____ Not offered _____ If offering, specify the supported mechanisms (check all that apply): CA SiteMinder _____ CA Identity Manager _____ CA e-Trust Admin (CA Admin) _____ CA ACF2 (Mainframe) _____ LDAPv3 (RFC 2252) _____ Microsoft Active Directory _____ RSA token _____ If offering, specify any relevant details:

4.6.12.6

Mandatory The vendor response shall include a description of how all non-public data are handled and how they are protected against disclosure and alteration during processing, transmission, and storage. This plan should also cover how administrative operations are protected. Compliant _____ Compliant with qualification _____ Non-compliant _____

4.6.12.7

Mandatory The vendor shall have a documented security test process for new releases and patches. This process shall include testing for SQL injection, HTML injection, cross-site scripting (XSS), and cross-site request forgery (XSRF) attacks against the product's operational, user and administrative interfaces. The vendor response shall comply by including a copy of that policy. Compliant _____ Compliant with qualification _____ Non-compliant _____

4.6.12.8

Desirable The vendor solution should be able to support a SAS 70 style controls analysis when in production. The vendor response shall comply by including a copy of that policy. Offered _____ Not offered _____ If offering, describe the means of support, and include sample reports of product solution installations, if available:

4.6.12.9 Mandatory RFP responder agrees that all information managed or collected by the vendor solution, including configuration information, collected data, and derived information including graphs, displays, and reports is the property of the State of Minnesota. Compliant _____ Compliant with qualification _____ Non-compliant _____


4.6.12.10 Mandatory RFP responder agrees that no configuration information, collected data, or derived information will leave the direct control of the Minnesota State Colleges and Universities or the State of Minnesota unless either (1) the information has been clearly identified as so leaving in this RFP response or (2) it is released under the direction of State of Minnesota staff. Compliant _____ Compliant with qualification _____ Non-compliant _____ If information is to be released under (1), specify that information:

4.6.12.11 Mandatory The vendor solution shall have no mechanisms that will interfere with its operation after it has been installed. Compliant _____ Compliant with qualification _____ Non-compliant _____

4.6.12.12 Mandatory The vendor solution shall only provide avenues for access by the vendor that are identified in this RFP response. Compliant _____ Compliant with qualification _____ Non-compliant _____ If complying, specify all avenues for access that are provided:

4.6.13 Servers
4.6.13.1

Structural The vendor solution makes use of general-purpose server hardware. Vendor solutions that require no server hardware and vendor solutions that are provided only as integrated hardware/software platforms (appliances) should check no. Yes _____ No _____ If the yes item is checked, continue responding to the items under this section. If the no item is checked, skip all entries in the 4.6.13 section.

4.6.13.2 Mandatory The vendor solution elements are on the Project Team current support list. Compliant _____ Compliant with qualification _____ Non-compliant _____ If complying, specify the supported operating system platforms (check all that apply): Linux o all _____ o RedHat _____ o Unbreakable _____ Novell Groupwise Messaging _____ Solaris _____ Windows 2008 Server _____ Specify any version or configuration requirements:


If complying, specify the supported hardware platforms (check all that apply): Dell _____ IBM Pseries _____ Sun, current product list _____ Specify all configuration requirements, including processor performance, memory, network, and disk. When specifying requirements, take into account responses to the next two points: Also, specify all storage and backup requirements, including capacities, transfer rates, and transaction rates:

4.6.13.3

Desirable The vendor solution shall support current Project Team virtualization platforms. Offered ____ Not offered _____ If offered, specify the supported platforms (check all that apply): ESX / VMWARE _____ Hyper-V _____ Sun Solaris Containers _____ Virtual Linux on Dell using VM _____ Virtual Linux on zVM _____ Specify any version or configuration requirements:

4.6.13.4

Desirable The vendor solution shall avoid requiring a custom or tailored operating system installation. Offered _____ Not offered _____ If not offered, specify the customization or tailoring required:

4.6.13.5

Desirable The vendor solution shall avoid requiring a custom or tailored kernel or driver installation. Offered _____ Not offered _____ If not offered, specify the customization or tailoring required:

4.6.13.6

Desirable The vendor solution shall avoid requiring a custom or tailored operating system parameterization. Offered _____ Not offered _____ If not offered, specify the customization or tailoring required:

4.6.13.7

Mandatory The vendor shall commit to supporting new operating system releases within one year of the operating system's release to manufacturing. Compliant _____ Compliant with qualification _____ Non-compliant _____

4.6.13.8

Mandatory The vendor solution shall use Project Team's SAN storage system for bulk data storage. Contact Project Team for specific support information for SAN storage. Compliant _____ Compliant with qualification _____ Non-compliant _____

4.6.13.9

Mandatory The vendor response shall specify the SAN storage requirements in MBytes/sec and IO/sec along with any transactional requirements. Compliant _____ Compliant with qualification _____ Non-compliant _____

4.6.13.10 Mandatory The vendor response shall support multiple (i.e., redundant) connections to SAN storage. Compliant _____ Compliant with qualification _____ Non-compliant _____

4.6.13.11 Mandatory The vendor solution shall support and use multiple core processor functionality. Compliant _____ Compliant with qualification _____ Non-compliant _____

4.6.13.12 Desirable The vendor solution shall support and use 64-bit processor functionality. Offered _____ Not offered _____

4.6.13.13 Mandatory The vendor solution shall be compatible with current Project Team tool platforms. Compliant _____ Compliant with qualification _____ Non-compliant _____ If complying, check all compatible tools; if compatibility with a particular tool is not applicable to the vendor solution, indicate N/A: Captaris Rightfax _____ Checkpoint PointSec encryption _____ Dell I/T Assistant _____ Enterprise Exchange messaging _____ Fore anti-virus/malware _____ IBM Director _____

HP Insight _____ SCOM _____ WSUS 3.0 _____ Specify any version or configuration requirements:

4.6.13.14 Mandatory The vendor response shall document account and privilege information. Compliant _____ Compliant with qualification _____ Non-compliant _____ If complying, document the following: identify the required operating system accounts; identify the required application accounts to be added; identify the required database access; identify the minimum file system permissions for each application account; identify the minimum database permissions for each account; certify that the minimum file system permissions follow the least privilege model; certify that the minimum database permissions follow the least privilege model; certify that the application uses different application accounts for each function with different database security requirements; certify that the application uses different application accounts for each function with different file system security requirements; identify what operations, if any, require root or administrator accounts; identify what operations, if any, require database administrator access.


5 Response Evaluation
The following criteria and their identified weight will be used by Office of the Chancellor to evaluate the responses: technical capabilities (60.0%); cost (40.0%).

In some instances, an interview will also be part of the evaluation process. Office of the Chancellor reserves the right to name a date at which all responding vendors will be invited to present demonstrations or participate in an interview. Office of the Chancellor does not agree to reach a decision by any certain date although it is hoped the evaluation and selection will be completed by the date identified in the Selection and Implementation Timeline above. A proposal may be rejected if it is determined that a vendor's ability to work with the existing infrastructure will be too limited or difficult to manage.


6 Additional RFP Response and General Contract Requirements


6.1 Problem Resolution Process
A formal problem resolution process will be established in the contract to address issues raised by either Office of the Chancellor or the vendor.

6.2 Affidavit of Non-Collusion


All responding vendors are required to complete Exhibit A, the Affidavit of Non-Collusion, and submit it with the response.

6.3 Human Rights Requirements


For all contracts estimated to be in excess of $100,000, all responding vendors are required to complete Exhibit B, the Human Rights Certification Information and Affirmative Action Data Page, and submit it with the response. As required by Minnesota Rule 5000.3600, "It is hereby agreed between the parties that Minnesota Statutes 363A.36 and Minnesota Rule 5000.3600 are incorporated into any contract between these parties based upon this specification or any modification of it. Copies of Minnesota Statutes 363A.36 and Minnesota Rules 5000.3400-5000.3600 are available from the Minnesota Bookstore, 680 Olive Street, St. Paul, MN 55155. All responding vendors shall comply with the applicable provisions of the Minnesota Affirmative Action law, Minnesota Statutes 363A.36. Failure to comply shall be grounds for rejection.

6.4 General Insurance Requirements


The Contract Vendor ("Contract Vendor"), and/or their authorized distributor, dealer, reseller, subcontractor ("Subcontractor"), shall maintain insurance to cover claims which may arise from operations under this Contract, whether such operations are by the Contract Vendor, their Subcontractor, or by anyone directly or indirectly employed under this Contract. The State will determine whether the Contract Vendor or the Contract Vendor's Subcontractor insurance will be filed with the State. The Contract Vendor, or their Subcontractor, shall not commence work under the Contract until they have obtained all the insurance described below and the State of Minnesota has approved such insurance. The Contract Vendor, or their Subcontractor, under this Contract can provide applicable services to the State of Minnesota and/or CPV members, hereinafter referred to as Owner.


All policies and certificates shall provide that the policies shall remain in force and effect throughout the term of the Contract.

6.4.1 Requirements for the Contract Vendor or Their Subcontractor


The Contract Vendor's policy(ies), or their Subcontractor's policy(ies), shall be primary insurance to any other valid and collectible insurance available to the state of Minnesota with respect to any claim arising out of this Contract. The Contract Vendor's policy(ies), or their Subcontractor's policy(ies), shall contain a provision that coverage afforded under the policy(ies) will not be cancelled or non-renewed without at least thirty (30) days' advance written notice to the State of Minnesota. The Contract Vendor, or their Subcontractor, is responsible for payment of Contract related insurance premiums and deductibles. If the Contract Vendor, or their Subcontractor, is self-insured, a Certificate of Self-Insurance must be attached. The Insurance Companies used must have an AM Best rating of A- (minus), Financial Size Category (FSC) VII or better, and be authorized to do business in the State of Minnesota.

6.4.2 Notice to the Contract Vendor or Their Subcontractor

The failure of the State of Minnesota to obtain Certificate of Insurance, for the policies required under this Contract or renewals thereof or failure of the insurance company to notify the State of the cancellation or nonrenewal of policies required under this Contract shall not constitute a waiver by the Owner to the Contract Vendor, or their Subcontractor, to provide such insurance. The Owner will reserve the right to immediately terminate the Contract if the Contract Vendor, or their Subcontractor, is not in compliance with the insurance requirements and the Owner retains all rights to pursue any legal remedies against the Contract Vendor or their Subcontractor. All insurance policies must be open to inspection by the state, and copies of policies must be submitted to the state's authorized agent upon written request.

6.4.3 Notice to Insurer


The Contract Vendor's insurance company, or their Subcontractor's insurance company, waives its right to assert the immunity of the State as a defense to any claims made under said insurance.

Policy Requirements

1. Workers' Compensation Insurance:

A. Statutory Compensation Coverage. If MN Statute 176.041 exempts the Contract Vendor, or their Subcontractor, from Workers' Compensation insurance or if the Contract Vendor, or their Subcontractor, has no employees in the State of Minnesota, the Contract Vendor, or their Subcontractor, must provide a written statement, signed by the authorized signer of the Contract, stating the qualifying exemption that excluded the Contract Vendor, or their Subcontractor, from MN Workers' Compensation requirements. If during the course of the Contract the Contract Vendor, or their Subcontractor, becomes eligible for Workers' Compensation, the Contract Vendor, or their Subcontractor, must comply with the Workers' Compensation Insurance requirements included herein and provide the State of Minnesota with a certificate of insurance.

B. Coverage B - Employer's Liability with limits of not less than:
$100,000 Bodily Injury by Disease per Employee
$500,000 Bodily Injury by Disease Aggregate
$100,000 Bodily Injury by Accident

Evidence of Subcontractor insurance shall be filed with the Contract Vendor or as directed by the State.

2. Automobile Liability Insurance:

The Contract Vendor, or their Subcontractor, shall maintain insurance to cover liability arising out of the operations, use, or maintenance of all owned, non-owned and hired automobiles.

A. Minimum Limits of Liability:
$2,000,000 - Per Occurrence Bodily Injury and Property Damage Combined Single Limit

B. Coverages:
o Owned Automobile
o Non-owned Automobile
o Hired Automobile

Evidence of Subcontractor insurance shall be filed with the Contract Vendor or as directed by the State.

3. General Liability:

The Contract Vendor, or their Subcontractor, shall maintain insurance protecting it from claims for damages for bodily injury, including sickness or disease, death, and for care and loss of services as well as from claims for property damage, including loss of use which may arise from operations under the Contract.

A. Minimum Limits of Liability:
$2,000,000 - Per Occurrence
$2,000,000 - Annual Aggregate
$2,000,000 - Annual Aggregate applying to Products/Completed Operations

B. Coverages:
Premises and Operations Bodily Injury and Property Damage
Personal & Advertising Injury
Blanket Contractual
Products and Completed Operations
State of Minnesota named as an Additional Insured

6.5 State Audit


The books, records, documents and accounting practices and procedures of the vendor relevant to the contract(s) must be available for audit purposes to MnSCU and the Legislative Auditor's Office for six (6) years after the termination/expiration of the contract.

6.6 Minnesota Government Data Practices Act


The vendor must comply with the Minnesota Government Data Practices Act, Minnesota Statutes Chapter 13, as it applies to all data provided by MnSCU, its schools and the Office of the Chancellor in accordance with the contract and as it applies to all data created, gathered, generated or acquired in accordance with the contract. All materials submitted in response to this RFP will become property of the State of Minnesota and will become public record after the evaluation process is completed and an award decision made unless any material submitted meets the definition of trade secret under Minnesota Statute Section 13.37. If the vendor submits information in response to this RFP that it believes to be trade secret materials as defined by the Minnesota Government Data Practices Act, the vendor must: mark clearly all trade secret materials in its response at the time the response is submitted; include a statement with its response justifying the trade secret designation for each item; defend any action seeking release of the materials it believes to be trade secret, and indemnify and hold harmless the State of Minnesota, MnSCU, its agents and employees, from any judgments or damages awarded against the State or MnSCU in favor of the party requesting the materials, and any and all costs connected with that defense.


This indemnification survives MnSCU's award of a contract. In submitting a response to this RFP, the responder agrees this indemnification survives as long as the trade secret materials are in possession of MnSCU. All materials submitted in response to this RFP will become property of the State of Minnesota and will become public record after the evaluation process is completed unless Trade Secret Information as defined by Minnesota Statute Section 13.37 is submitted in the response to the RFP. From Section 13.37: If the vendor submits information in response to this RFP that it believes to be Trade Secret Information as defined by Minnesota Statute Section 13.37, the vendor must: Include Trade Secret, i.e., mark clearly all Trade Secret Information.

6.7 Conflict of Interest


The vendor must provide a list of all entities with which it has relationships that create, or appear to create, a conflict of interest with the work that is contemplated in this Request for Proposal. The list should indicate the name of each entity, the relationship, and a discussion of the conflict.

6.8 Organizational Conflicts of Interest


The responder warrants that, to the best of its knowledge and belief, and except as otherwise disclosed, there are no relevant facts or circumstances that could give rise to organizational conflicts of interest. An organizational conflict of interest exists when, because of existing or planned activities or because of relationships with other persons, a vendor is unable or potentially unable to render impartial assistance or advice, or the vendor's objectivity in performing the contract work is or might be otherwise impaired, or the vendor has an unfair competitive advantage.

The responder agrees that, if after award, an organizational conflict of interest is discovered, an immediate and full disclosure in writing must be made to the respective school's chief financial officer or the Office of the Chancellor's Business Manager that must include a description of the action which the vendor has taken or proposes to take to avoid or mitigate such conflicts. If an organizational conflict of interest is determined to exist, the school or Office of the Chancellor may, at its discretion, cancel the contract. In the event the responder was aware of an organizational conflict of interest prior to the award of the contract and did not disclose the conflict to the contracting officer, the school or Office of the Chancellor may terminate the contract for default.

The provisions of this clause must be included in all subcontracts for work to be performed similar to the service provided by the prime contractor, and the terms "contract," "contractor," and "contracting officer" modified appropriately to preserve MnSCU's rights.


6.9 Physical and Data Security


The vendor is required to recognize that on the performance of the contract the vendor will become a holder of and have access to private data on individuals and nonpublic data as defined in the Minnesota Government Data Practices Act, Minnesota Statutes Chapter 13, section 270B.02, subdivision 1, and other applicable laws.

In performance of the contract, the vendor agrees it will comply with all applicable state, federal and local laws and regulations, including but not limited to the laws under Minnesota Statutes Chapters 270B and 13 relating to confidentiality of information received as a result of the contract. The vendor agrees that it, its officers, employees and agents will be bound by the above confidentiality laws and that it will establish procedures for safeguarding the information.

The vendor agrees to notify its officers, employees and agents of the requirements of confidentiality and of the possible penalties imposed by violation of these laws. The vendor agrees that neither it, nor its officers, employees or agents will disclose or make public any information received by the vendor on behalf of MnSCU and Office of the Chancellor.

The vendor shall recognize MnSCU's sole and exclusive right to control the use of this information. The vendor further agrees it shall make no use of any of the described information, for either internal or external purposes, other than that which is directly related to the performance of the contract.

The vendor agrees to indemnify and hold harmless the State of Minnesota, MnSCU and Office of the Chancellor from any and all liabilities and claims resulting from the unauthorized disclosure by the vendor, its officers, employees or agents of any information required to be held confidential under the provisions of the contract. The vendor must return all source data to the Authorized Representative to be identified in the contract.


6.10 RFP Response Submission


Sealed proposals must be received at the following address not later than 1:00 p.m. CT on Friday, December 12, 2008:

Dale Johnson
Office Manager, Information Technology Services
Wells Fargo Place
30 7th Street East, Suite 350
St. Paul, MN 55101-7804
Phone: 651-201-1428
Fax: 651-917-4731
E-mail: itsadmin@so.mnscu.edu

All formal addenda to this RFP as to the deadline for submission of proposals or any other matters will be posted on the MnSCU SIEM RFP web site: http://its.mnscu.edu/siemrfp/

The responder shall submit 6 printed and bound copies of its RFP response and a compact disc with the RFP response in PDF, plain text, or Microsoft Word format. Proposals are to be sealed in mailing envelopes or packages with the responder's name and address clearly written on the outside. One copy of the proposal must be unbound and signed in blue or black ink by an authorized representative of the vendor. Proof of authority of the person signing must accompany the response.

Within the response, cost and company financials information shall be in a separate, sealed envelope. Cost information may not be included on the compact disc and proposals with cost information on the compact disc will be disqualified.

If the response contains any trade secret information, that information shall be in a separate, sealed envelope. Trade secret information may not be included on the compact disc: no information on the compact disc will be treated as trade secret information.

Proposals received after this date and time will be returned to the responder unopened. Fax and e-mail responses will not be considered. Proposals made in pencil will be rejected. Alterations in cost figures used to determine the lowest priced proposal will be rejected unless initialed in ink by the person responsible for or authorized to make decisions as to price quoted. The use of white out is considered an alteration.


Exhibit A. Affidavit of Non-Collusion


STATE OF MINNESOTA AFFIDAVIT OF NON-COLLUSION

I swear (or affirm) under the penalty of perjury:

1. That I am the Responder (if the Responder is an individual), a partner in the company (if the Responder is a partnership), or an officer or employee of the responding corporation having authority to sign on its behalf (if the Responder is a corporation);

2. That the attached proposal submitted in response to the ________________________ Request for Proposal has been arrived at by the Responder independently and has been submitted without collusion with and without any agreement, understanding or planned common course of action with, any other Responder of materials, supplies, equipment or services described in the Request for Proposal, designed to limit fair and open competition;

3. That the contents of the proposal have not been communicated by the Responder or its employees or agents to any person not an employee or agent of the Responder and will not be communicated to any such persons prior to the official opening of the proposals; and

4. That I am fully informed regarding the accuracy of the statements made in this affidavit.

Responder's Firm Name: __________________________________________
Authorized Signature: _____________________________________________
Date: __________________

Subscribed and sworn to me this ________ day of ___________

Notary Public: _________________________________________ My commission expires: ______ ________


Exhibit B. Human Rights Certification Information and Affirmative Action Data Page
NOTICE TO CONTRACTORS

AFFIRMATIVE ACTION CERTIFICATION OF COMPLIANCE

It is hereby agreed between the parties that MnSCU will require that affirmative action requirements be met by contractors in relation to Minnesota Statutes 363A.36 and Minnesota Rules, 5000.3400 to 5000.3600. Failure by a contractor to implement an affirmative action plan or make a good faith effort shall result in revocation of its certificate or revocation of the contract (Minnesota Statutes 363A.36, subdivisions 3 and 4).

Under the Minnesota Human Rights Act, 363A.36, businesses or firms entering into a contract over $100,000 which have more than forty (40) full-time employees within the state of Minnesota on a single working day during the previous twelve (12) months, or businesses or firms employing more than forty (40) full-time employees on a single working day during the previous twelve (12) months in a state in which its primary place of business is domiciled and that primary place of business is outside of the State of Minnesota but within the United States, must have submitted an affirmative action plan that was received by the Commissioner of Human Rights for approval prior to the date and time the responses are due. A contract over $100,000 will not be executed unless the firm or business having more than forty (40) full-time employees, either within or outside the State of Minnesota, has received a certificate of compliance signifying it has an affirmative action plan approved by the Commissioner of Human Rights. The Certificate is valid for two (2) years. For additional information, contact the Department of Human Rights, Compliance Services Unit, 190 East 5th Street, Suite 700, St. Paul, Minnesota 55101.

AFFIRMATIVE ACTION DATA PAGE FOR RESPONSES IN EXCESS OF $100,000 ONLY

If a response to this solicitation is in excess of $100,000, complete the information below to determine whether the business or firm is subject to the Minnesota Human Rights Act (Minnesota Statutes 363A.36) certification requirement and to provide documentation of compliance if necessary. It is the sole responsibility of the business or firm to provide this information and, if required, to apply for Human Rights certification prior to the due date and time of the response and to obtain Human Rights certification prior to the execution of the contract.

Effective July 1, 2003. The Minnesota Department of Human Rights is authorized to charge a $75.00 fee for each Certificate of Compliance issued. A business or firm must submit its affirmative action plan along with a cashier's check or money order in the amount of $75.00 to the Minnesota Department of Human Rights or you may contact the Department for additional information at the Compliance Services Unit, 190 East 5th Street, Suite 700, St. Paul, MN 55101.

How to determine which boxes to complete on this form:

On any single working day within the previous 12 months, the company:
o employed more than 40 full-time employees in Minnesota: then you must complete BOX A and BOX D.
o did not employ more than 40 full-time employees in Minnesota but did employ more than 40 full-time employees in the state where the company is domiciled: then you must complete BOX B and BOX D.
o did not employ more than 40 full-time employees in Minnesota or the state where the company is domiciled: then you must complete BOX C and BOX D.

BOX A - For a company which has employed more than 40 full-time employees within Minnesota on any single working day during the previous 12 months

Its response will be rejected unless the company:
o has a current Certificate of Compliance issued by the Minnesota Department of Human Rights (MDHR)
-or-
o has submitted an affirmative action plan to the MDHR, which the Department received prior to the date and time the responses are due.

Check one of the following statements if the company has employed more than 40 full-time employees in Minnesota on any single working day during the previous 12 months:

[ ] We have a current Certificate of Compliance issued by the MDHR. Include a copy of your certificate with your response. Proceed to BOX D.

[ ] We do not have a current Certificate of Compliance but we have submitted an affirmative action plan to the MDHR for approval which the Department received on __________________(date) at __________(time). [If you do not know when the Department received your plan, contact the Department.] We acknowledge that the plan must be approved by the MDHR before any contract can be executed. Proceed to BOX D.

[ ] We do not have a Certificate of Compliance and have not submitted an affirmative action plan to the MDHR. We acknowledge our response will be rejected. Proceed to BOX D.

Note: A Certificate of Compliance must be issued by the Minnesota Department of Human Rights.


Affirmative action plans approved by the federal government, a county or a municipality must still be reviewed and approved by the Minnesota Department of Human Rights before a certificate can be issued.

BOX B - For a company which has not had more than 40 full-time employees in Minnesota but has employed more than 40 full-time employees on any single working day during the previous 12 months in the state where its primary place of business is domiciled

The company may achieve compliance with the Minnesota Human Rights Act by certifying it is in compliance with applicable federal affirmative action requirements.

Check one of the following statements if the company has not employed more than 40 full-time employees in Minnesota but has employed more than 40 full-time employees on any single working day during the previous 12 months in the state where its primary place of business is located:

[ ] We are not subject to federal affirmative action requirements. Proceed to BOX D.

[ ] We are subject to federal affirmative action requirements and are in compliance with those requirements. Proceed to BOX D.

BOX C - For a company not described in BOX A or BOX B

The company is not subject to the Minnesota Human Rights Act certification requirement.

[ ] We have not employed more than 40 full-time employees on a single working day in Minnesota or in the state of our primary place of business within the previous 12 months. Proceed to BOX D.

BOX D - For all companies

By signing this statement, you certify the information provided is accurate and that you are authorized to sign on behalf of the responder.

Name of Company: ________________________________________________________________
Authorized Signature: ______________________________________________________________
Printed Name: ____________________________________________________________________
Title: ___________________________________________________________________________
Date: _________________
Telephone number: __________________________________________


For further information regarding Minnesota Human Rights Act requirements, contact:

Minnesota Department of Human Rights, Compliance Services Unit
Mail: 190 East 5th Street, Suite 700, St. Paul, MN 55101
Metro: 651.296.5663
Toll Free: 800.657.3704
Fax: 651.296.9042
TTY: 651.296.1283
Website: www.humanrights.state.mn.us
Email: employerinfo@therightsplace.net


MINNESOTA STATE COLLEGES AND UNIVERSITIES

NOTICE TO VENDORS

AFFIRMATIVE ACTION CERTIFICATION OF COMPLIANCE

The amended Minnesota Human Rights Act (Minnesota Statutes 363A.36) divides the contract compliance program into two categories. Both categories apply to any contracts for goods or services in excess of $100,000.

The first category applies to businesses that have had more than 40 full-time employees within Minnesota on a single working day during the previous 12 months. The businesses in this category must have submitted an affirmative action plan to the Commissioner of the Department of Human Rights prior to the due date and time of the response and must have received a Certificate of Compliance prior to execution of the contract or agreement.

The secondary category applies to businesses that have had more than 40 full-time employees on a single working day in the previous 12 months in the state in which its primary place of business is domiciled. The businesses in this category must certify to MnSCU that it is in compliance with federal affirmative action requirements before execution of the contract. For further information, contact the Department of Human Rights, Compliance Services Unit, 190 East 5th Street, Suite 700, St. Paul, MN 55101; Voice: 651.296.5663; Toll Free: 800.657.3704; TTY: 651.296.1283.

MnSCU is under no obligation to delay the award or the execution of a contract until a vendor has completed the Human Rights certification process. It is the sole responsibility of the vendor to apply for and obtain a Human Rights certificate prior to contract execution.

It is hereby agreed between the parties that MnSCU will require affirmative action requirements be met by vendors in relation to Minnesota Statutes 363A.36 and Minnesota Rules, 5000.3400 to 5000.3600.

Under the Minnesota Human Rights Act, 363A.36, subdivision 1, no department or agency of the state shall execute an order in excess of $100,000 with any business within the State of Minnesota having more than 40 full-time employees in a single working day during the previous 12 months unless the firm or business has an affirmative action plan for the employment of minority persons, women, and the disabled that has been approved by the Commissioner of Human Rights. Receipt of a Certificate of Compliance issued by the Commissioner shall signify that a firm or business has an affirmative action plan approved by the Commissioner. Failure by the vendor to implement an affirmative action plan or make a good faith effort shall result in revocation of its certificate or revocation of the order (Minnesota Statutes 363A.36, subdivisions 3 and 4). A certificate is valid for a period of two (2) years.

DISABLED INDIVIDUAL CLAUSE

A. A vendor shall not discriminate against any employee or applicant for employment because of physical or mental disability in regard to any position for which the employee or applicant for employment is qualified. The vendor agrees to take disabled individuals without discrimination based on their physical or mental disability in all employment practices such as the following: employment, upgrading, demotion or transfer, recruitment, advertising, layoff or termination, rates of pay or other forms of compensation, and selection of training, including apprenticeship.

B. The vendor agrees to comply with the rules and relevant order of the Minnesota Department of Human Rights issued pursuant to the Minnesota Human Rights Act.

C. In the event of a vendor's noncompliance with the requirements of this clause, actions for noncompliance may be taken by the Minnesota Department of Human Rights pursuant to the Minnesota Human Rights Act.

D. The vendor agrees to post in conspicuous places, available to employees and applicants for employment, notices in a form to be prescribed by the Commissioner of the Minnesota Department of Human Rights. Such notices shall state the vendor's obligation under the law to take affirmative action to employ and advance in employment qualified disabled employees and applicants for employment and the rights of applicants and employees.

E. The vendor shall notify each labor union or representative of workers with which it has a collective bargaining agreement or other order understanding, that the vendor is bound by the terms of Minnesota Statutes 363A.36 of the Minnesota Human Rights Act and is committed to take affirmative action to employ and advance in employment physically and mentally disabled individuals.
It is hereby agreed between the parties that Minnesota Statutes 363A.36 and Minnesota Rules 5000.3400 to 5000.3600 are incorporated into any order of Minnesota Statutes 363A.36 and Minnesota Rules, 5000.3400 to 5000.3600 are available from Minnesota Bookstore, 660 Olive Street, St. Paul, Minnesota 55155. By signing this statement the vendor certifies that the information provided is accurate.

NAME OF COMPANY: ____________________________________________________________________
AUTHORIZED SIGNATURE: ____________________________________________________________________
TITLE: _____________________________________________________________
DATE: _____________________________________________________________
