Annex G1
Backup Solution Project
Request for Proposal
Version 1.17
Date 16 April 2009
Hong Kong Internet Registration Corporation Limited
Unit 2002-2005, 20/F ING Tower, 308 Des Voeux Road Central, Sheung Wan, Hong Kong.
Tel.: +852 2319 1313 Fax: +852 2319 2626 Email: [email protected] Website: www.hkirc.hk
Table of Contents
1. Definitions
2. About HKIRC
2.1. Request for Proposal
3. Information Security
4. Background of the Project
4.1. Background
4.2. Scope of Work
4.2.1 Network Backup
4.2.2 Professional Services
4.2.3 Information Security
4.3. Project Acceptance
5. Limitation of Liability and Indemnity
6. Project Schedule
7. Payment Schedule
8. Elements of a Strong Proposal
9. Service agreement negotiation and signature
10. HKIRC Contacts
Appendix A – HKDNR Information Security Policy and Guidelines: An Extract Relevant to Outsourcing
Appendix B – Proposal Requirements
1. Proposal Due Date
2. Proposal Content
3. Cover Page
4. Executive Summary
5. Conflict of Interest Declaration
6. Company Background
7. Technical Competency
8. Proposed Costs of Service
9. Implementation Time Table
10. Support Arrangement and Services
1. Definitions
The following terms are defined as in this section unless otherwise specified.
“HKIRC” means Hong Kong Internet Registration Corporation Limited.
“HKDNR” means Hong Kong Domain Name Registration Company Limited, a wholly-owned subsidiary of HKIRC, the company requesting the proposal for “the Project.”
“The Project” means the Backup Solution project with requirements stipulated in Section 5 of this document, the Background of the Project.
“The Contractor” means the company delivering the Project.
2. About HKIRC
Hong Kong Internet Registration Corporation Limited (HKIRC) is a non-profit-making and non-statutory corporation responsible for the administration of Internet domain names under '.hk' country-code top level domain. HKIRC provides registration services through its wholly-owned subsidiary, Hong Kong Domain Name Registration Company Limited (HKDNR), for domain names ending with '.com.hk', '.org.hk', '.gov.hk', '.edu.hk', '.net.hk', '.idv.hk', '.公司.hk', '.組織.hk', '.政府.hk', '.教育.hk', '.網絡.hk', '.個人.hk' and '.hk'.
HKIRC endeavours to be:
• Cost-conscious but not profit-orientated
• Customer-orientated
• Non-discriminatory
• Efficient and effective
• Proactive and forward-looking
2.1. Request for Proposal
HKIRC is going to commission an external system integrator to implement a backup solution for the Company. The solution shall cover new backup servers, a backup management system, and an off-site backup mechanism. It shall also include all services required for the implementation of the Project.
3. Information Security
The company submitting the proposal (“the company”) shall acknowledge and agree that, if the company is selected as the Contractor, it shall be bound by our Non-Disclosure Agreement (NDA) and Information Security Policy (highlights of the policies are illustrated in Appendix A). Customer data and any information supplied to the company by HKIRC shall remain the property of HKIRC. The company shall be obliged to employ the abovementioned data and information for the sole purpose of project delivery. The company shall protect the data of HKIRC customers and shall never allow any person to gain access to the data except for the aforesaid purpose. The company shall comply with the obligations under the Personal Data (Privacy) Ordinance and any other obligations in relation to personal data.
The company shall be provided with an NDA and an Information Security Compliance Statement after HKIRC has received the company’s Express-of-Interest before the stipulated time. The NDA and the Information Security Compliance Statement shall be signed and returned to HKIRC, together with the documents required by the Compliance Statement, before the scheduled deadline. HKIRC will only consider proposals from parties who have signed both the NDA and the Information Security Compliance Statement.
According to the Information Security Policy of HKDNR, proposals submitted shall be classified as Restricted information and the following security measures should be observed:-
1. The documents should be marked “RESTRICTED” at the centre-top of each page in black color;
2. The document, if transmitted electronically, must be encrypted.
Each proposal will be reviewed under the terms of non-disclosure by HKIRC’s staff and HKIRC’s Board of Directors.
4. Background of the Project
4.1. Background
Currently, we use a non-coherent backup mechanism for database backup. It is performed by running a backup script to copy the dbf files, control files and redo log files. The files are transferred from the datacenter to the office site every day. The existing tape library lacks the storage capacity and we need to back up those files onto disk instead. In addition to the daily full database backup, the archive log is replicated to the office every 10 minutes. In case we need to recover the database, we need to restore those dbf files and their associated files from the disk, and track back the differences due to the time lag from the dbf files. Since this mechanism is not quite satisfactory in terms of performance, stability, efficiency and manageability, we are seeking a better solution to manage our backup files in the long run.
4.2. Scope of Work
The backup solution should include:-
4.2.1 Network Backup
1. Provision of one (1) external disk enclosure/cradle connected to a dedicated backup server to serve backup requests over the existing production network from various clients, including the new database servers running Oracle RAC and its storage system. The external disk enclosure/cradle can facilitate the daily rotation of the removable external SATA hard disk including warm swapping without incurring the risk of disk failure or data loss.
2. It should support online backup of Oracle and MySQL database data without shutting down the databases that are up and running. There is a separate project in the pipeline to implement a new Oracle/MySQL database system. For successful integration, the Contractor is required to collaborate with that project team closely.
3. Schedule backup in accordance with HKIRC requirements:-
a. There is more than one physical database server running Solaris, hosting more than one DB instance.
database backup and archive log backup, for delta changes.
c. The full backup runs on daily basis and remotely synchronizes the copy to the office from the datacenter.
d. The full backup files can be stored on the disk as well as on the removable external hard disk in data center and we also need to keep the same copy in the office.
e. In addition to the daily full backup, interval archive log file backups are required and are remotely synchronized to the office. The archive file is required to be stored in disk in both the data center and the office.
f. As the replication of the off-site full backup copy and the archive log file from the data center to the office is required, the speed of the network should be considered.
g. The database is expected to grow four times larger in three years.
h. The suggested replication tool should have features to manage the synchronized status, with retry capability and an SNMP or alarm service if any broken connection exists.
i. There is no production database in the office. Hot data replication, such as block level transmission between the data center and the office, is not required. File level replication between the two sites is expected.
j. The backup file should be compressed and encrypted when it is stored and transferred.
k. The backup copy kept in the data center can be recovered with backup solution but the copy kept in the office can be recovered even without backup solution.
l. Backup solution is required to recover partial database such as missing database object or logical files corrupted as well as complete database recovery such as recreation of database instance. Clear guidelines or procedures should be provided in case of recovery.
m. Underlying expected volume manager and clustering layers – the Oracle database system is running with RAC and Oracle’s own volume manager and cluster software. The “online backup” mentioned above should work coherently with these. The backup solution should use a backup agent that cooperates with the RMAN process in Oracle to perform “online backup and restore”.
4. The solution should include all backup server(s), database backup agents and client licenses, the dedicated machine as the backup server, and the management hardware requirement (e.g. switch for management port). It should reserve capacity for three (3) more UNIX clients. It should also include a sufficient number of removable external hard disks for a period of 3-year operation.
5. Any leading backup solution in the market can be considered, including CA ARCServe Backup, Symantec Netbackup, EMC Legato Networker, provided that it is proven and stable.
6. Estimate the human effort needed on external hard disk rotation under the backup cycle for HKIRC to further arrange the adequate manpower resources.
7. Suggest the best offsite external hard disk storage strategy, backup window and the manpower resources thus incurred.
8. Provide as options any additional tools that will streamline the recovery of data.
9. After the NDA is signed, technical details such as backup cycle, data size, network bandwidth will be given.
4.2.2 Professional Services
The professional services in this solution should cover the following:
• Basic hardware and software installation
• Configuration of backup software based upon our requirements
• Documentation for the configuration and administration
• Skill transfers with documents, e.g. procedures for restoring files from removable external hard disk to servers
4.2.3 Information Security
Solution(s) should be provided to protect against any information leakage in the event of losing a removable external hard disk. If hardware or software encryption is involved, please also specify the strength of the encryption algorithm.
Installation, setup and configuration of all new hardware and software. For Solaris, backup server, agent and replication software setup, security hardening should be performed based upon HKIRC baseline security configurations.
Basic security hardening based upon well-accepted security guidelines, e.g. CIS (https://cisecurity.org/)
4.3. Project Acceptance
The overall project acceptance can be broken down into acceptances at various levels:-
1. Delivery, setup and integration of all systems
2. Functionality of individual products
3. Functionality of the integrated system
4. Performance of the integrated system
5. System stability observed during the nursing period
6. Minimum performance requirement of Backup and Recovery
Assumption:
- Network capacity in data centre: 10/100mb Ethernet
- Remote file transfer network speed: 4Mbps
- Full backup file size is 50 GB and run once daily
- Compressed file backup size is 6G before transferring to office
- Incremental backup file size is 1M file and run for every 5 minutes
- Only data is needed to restore without whole DB instance recovery
- Remote file transfer is performed after full and incremental backup
- Maximum 4 hours of the backup window is allowed

Operation | Minimum Time Requirement
Incremental Backup to Backup server’s local disk | Less than 1 minute
Full Backup to Backup server’s local disk | Less than 115 minutes
Remote file transfer for incremental backup file from data centre to office | Less than 1 minute
Remote file transfer for full backup file from data centre to office | Less than 5 hours
Recovery from Backup server’s local disk | Less than 115 minutes
The above minimum requirements must be met in the proposal but final decision of proposal selection will be based on the best performance compared with the setup cost. In addition, under this acceptance framework, interested vendors should propose the actual acceptance plan in detail in their proposals.
5. Limitation of Liability and Indemnity
The company submitting the proposal agrees that if the company becomes the Contractor of the Project, it shall indemnify HKIRC and HKDNR against any claim, demand, loss, damage, cost, expense or liability which the company may suffer.
6. Project Schedule
Project schedule
No. | Tasks | To be Completed by | Remark
1 | Publish RFP | 12 May 2009 |
2 | Express of interest | 22 May 2009 |
3 | Sign NDA and InfoSec Compliance Statement with all interested vendors | 29 May 2009 |
4 | Deadline for vendors to submit proposal, quotation | 29 May 2009, 5:30pm |
5 | Selection of vendor by panel | 12 June 2009 |
6 | Conclude final decision and appoint the vendor | 23 June 2009 |
7 | Prepare service agreement contract | 24 June 2009 |
8 | Sign service agreement contract with the appointed vendor | 26 June 2009 |
9 | Project commencement | 29 June 2009 |
10 | System implementation | 18 July 2009 |
11 | Nursing Period complete | 18 August 2009 |
12 | Overall acceptance and provisioning | 19 August 2009 |
7. Payment Schedule
The following payment schedule is recommended but interested vendors may propose their own in their proposals.
No. | Milestone/Acceptance | Expected duration | Payment
1 | (a) Completion of delivery and basic installation of all hardware and software products; (b) Acceptance of functionality of individual products | 1 week | 30%
2 | (a) Completion of system integration, functionally ready; (b) Acceptance of functionality of the integrated system; (c) Migration to production | 2 weeks | 50%
3 | Acceptance of stability after the nursing period | 4 weeks | 20%
TOTAL | | 7 weeks | 100%
8. Elements of a Strong Proposal
All submitted proposals must follow the format as stated in Appendix B - Proposal Requirements.
The successful vendor is the one who submits a clearly worded proposal that shows the following attributes:
• a persuasive section on the company background
• a strong and flexible product meeting HKIRC requirements with minimum customization
• high level of interaction between HKIRC and the vendor
• excellent fit with the capabilities and facilities of HKIRC
• strong company and project management team
Proposals are evaluated based on major criteria as follows (the percentages given are the weighting)
• Company Background (15%)
• Technical and project management competency (20%)
• Understanding of our requirements (10%)
• Implementation Methodology (10%)
• Knowledge and advices on projects (10%)
• Proposed cost of the project and its flexibility (35%)
9. Service agreement negotiation and signature
The service agreement will be drawn up between the selected vendor and HKDNR, the wholly-owned subsidiary of HKIRC. HKIRC welcomes the vendor’s proposal on a suitable service agreement for the project.
The service agreement must be signed by both parties within three weeks from the project award date. If the agreement is not signed within the said period, HKIRC will start the negotiation with the next qualified vendor on the selection list.
10. HKIRC Contacts
HKIRC Contacts information
Contacts
Hong Kong Internet Registration Corporation Limited
Unit 2002-2005, 20/F ING Tower,
308 Des Voeux Road Central, Sheung Wan,
Hong Kong
+852 23191313 − telephone
+852 23192626 − fax
http://www.hkirc.hk
If you are not sure about the appropriate person to call, the receptionist can help you.
IT Manager | Ben Lee | +852 23193811 | [email protected]
Project Manager | Nelson Lo | +852 23193829 | [email protected]
CEO | Jonathan Shea | +852 23193821 | [email protected]
Appendix A – HKDNR Information Security Policy and Guidelines: An Extract Relevant to Outsourcing
This document provides an extract of the HKDNR Information Security Policy and Guidelines with the purposes of (a) introducing various measures and controls to be executed by HKDNR regarding outsourcing and (b) setting the expectation of any potential contractors that their participation and conformance in these measures and controls are essential contractual obligations.
The original Policy and Guidelines applies to HKDNR’s employees, contractors and third party users. However, a potential contractor may interpret the clauses up to their roles and responsibilities only. Nonetheless, the keyword “contractors” hereby refers to all relevant staff members of the contractor and those of any other subcontractors under the contractor’s purview.
Herein, HKDNR would also set the expectation of any potential contractors that upon their express-of-interest to the project, they shall be required in the subsequent stages (a) to sign off a non-disclosure agreement (NDA) on all information to be provided and (b) to sign off a Compliance Statement where compliance requirements are specified in more detail.
(A) Extract from the HKDNR Information Security Policy
In the following, “the organization” means Hong Kong Domain Name Registration Company Limited, the company requesting the proposal for “the Project.”
8. Human resources security
8.1 Security objective: To ensure that employees, contractors and third party users understand their responsibilities, and are suitable for the roles they are considered for, and to reduce the risk of theft, fraud or misuse of facilities.
8.1.1 Security roles and responsibilities of employees, contractors and third party users shall be defined and documented in accordance with the organization’s information security policy.
and third party users shall be carried out in accordance with relevant laws, regulations and ethics, and proportional to the business requirements, the classification of the information to be accessed, and the perceived risks.
8.1.3 As part of their contractual obligations, employees, contractors and third party users shall agree and sign the terms and conditions of their employment contract, which shall state their and the organization’s responsibilities for information security.
8.2 During employment
Security objective: To ensure that all employees, contractors and third party users are aware of information security threats and concerns, their responsibilities and liabilities, and are equipped to support organizational security policy in the course of their normal work, and to reduce the risk of human error.
8.2.1 Management shall require employees, contractors and third party users to apply security measures in accordance with established policies and procedures of the organization.
8.2.2 All employees of the organization and, where relevant, contractors and third party users shall receive appropriate awareness training and regular updates on organizational policies and procedures, as relevant to their job functions.
8.3 Termination or change of employment
Security objective: To ensure that employees, contractors and third party users exit an organization or change employment in an orderly manner.
8.3.2 All employees, contractors and third party users shall return all of the organization’s assets in their possession upon termination of their employment, contract or agreement.
8.3.3 The access rights of all employees, contractors and third party users to information and information processing facilities shall either be removed upon termination of their employment, contract or agreement, or adjusted upon change.
12. Information systems acquisition, development and maintenance
12.5.5 Outsourced software development shall be supervised and monitored by the organization.
13. Information security incident management
13.1 Reporting information security events and weaknesses
Security objective: To ensure information security events and weaknesses associated with information systems are communicated in a manner allowing timely corrective action.
13.1.2 All employees, contractors and third party users of information systems and services shall be required to note and report any observed or suspected security weaknesses in systems or services.
(B) Extract from the HKDNR Information Security Guidelines
6. ORGANIZING INFORMATION SECURITY
6.2 EXTERNAL PARTIES
6.2.1 Identification of Risks Related to External Parties
The risks to the organization’s information and information processing facilities from business processes involving external parties should be identified and appropriate controls implemented before granting the access.
6.2.3 Addressing Security in Third Party Agreements
Agreements with third parties involving accessing, processing, communicating or managing the organization’s information or information processing facilities, or adding products or services to information processing facilities should cover all relevant security requirements.
7. ASSET MANAGEMENT
7.1.3 Acceptable Use of Assets
Rules for the acceptable use of information and assets associated with information processing facilities shall be identified, documented, and implemented.
8. HUMAN RESOURCE SECURITY
8.1.1 Roles and Responsibilities
Security roles and responsibilities of employees, contractors and third party users shall be defined and documented in accordance with the organization’s information security policy.
8.1.2 Screening
third party users shall be conducted in accordance with relevant laws, regulations and ethics, and proportional to the business requirements, the classification of the information to be accessed, and the perceived risks.
8.1.3 Terms and Conditions of Employment
As part of their contractual obligation, employees, contractors and third party users shall agree and sign the terms and conditions of their employment contract, which shall state their and the organization’s responsibilities for information security.
8.2.1 Management Responsibilities
Management shall require employees, contractors and third party users to apply security measures in accordance with established policies and procedures of the organization.
12. Information systems acquisition, development and maintenance
12.5.5 Outsourced Software Development
Outsourced software development shall be supervised and monitored by the organization.
Appendix B – Proposal Requirements
1. Proposal Due Date
All proposals must reach HKIRC as stated in Section 7, Project Schedule, item no. 4.
2. Proposal Content
The proposal should contain the following:
• Cover Page
• Executive Summary
• Conflict of Interest Declaration
• Company Background
o Financial Situation
o Company Roadmap and Sustainability
o Track Records
o Organization and management team
o Project team with credentials
o Company credentials
o Staff credentials
• Technical and project management competency related to backup solution project
• Implementation Methodology
• Knowledge and Advices on Projects
o Understanding of our requirements
o Backup solution expertise
o System integration advice, options and considerations
o Certification in the future
• Deliverables
• Acceptance Plan
• Proposed Cost of Services and Payment Schedule
• Implementation Time Table
• Support Arrangement and Services
3. Cover Page
Prepare a non-confidential cover page with the following information in the order given.
Cover Page
Project Title | Backup solution project
Project Manager | Name: / Title: / Mailing address: / Phone: / Fax: / Email:
Proposal requirements
Due date | Please refer to Section 7 - Project Schedule, item no. 4 for the proposal submission deadline.
Delivery address | Hong Kong Internet Registration Corporation Limited, Unit 2002-2005, 20/F ING Tower, 308 Des Voeux Road Central, Sheung Wan, Hong Kong
Hard copies | 2 copies of the full proposal are required.
Electronic copy | Electronic copy, if available, on disk or by email to [email protected] and [email protected]; also cc [email protected] and [email protected]. This is not a substitute for the physical copies mentioned above.
Proposal format | Specified in this document
Page count | 30 pages or fewer. Stapled. Do not bind.
Company | Contact person: / Title: / Company name: / Mailing address: / Phone: / Fax: / Email: / Website:
4. Executive Summary
The executive summary provides a brief synopsis of the commercial and technical solution the vendor proposed for the project. This summary must be non-confidential. It should fit on a single page.
The executive summary should be constructed to reflect the merits of the proposal and its feasibility. It should also clearly specify the project’s goals and resource requirements. It should include:
• Rationale for pursuing the project, the technology needed and the present state of the relevant technology.
• Brief description of the vendor’s financial situation and company roadmap and sustainable development.
• Brief description of the vendor’s technical capability and experience, especially in database and storage system enhancement projects.
5. Conflict of Interest Declaration
Declare any conflict of interest in relation to the backup solution project and the ‘.hk’ ccTLD registry HKIRC.
6. Company Background
The vendor must describe its company background. Major activities, financial situation, company roadmap for future growth, sustainable development, organizational structure, management team and achievements in software development or service outsourcing of the company should be elaborated. Track records are preferred.
7. Technical Competency
The vendor should describe the company’s strengths in backup solution projects and how they will be applied to the project. Track records are preferred.
List the key technical and management personnel in the proposal. Provide a summary of the qualifications and role for each key member.
8. Proposed Costs of Service
Such costs include:
• Fixed project cost
• Labour unit costs for additional requirements. They are typically quoted in unit man day. Quoted in normal working hour, non-working hour and in emergency.
• Equipment that is permanently placed or purchased for HKIRC, if any.
• Subsequent support or maintenance service.
• Other direct costs including services, materials, supplies, postage, etc.
9. Implementation Time Table
The vendor should present in this section the implementation schedule of the project. The schedule should be realistic and achievable by the vendor.
10. Support Arrangement and Services
The vendor must provide support to the database and storage system enhancement project with respect to the preparation, implementation, monitoring and review of the new framework. The vendor must describe the support arrangement and services, e.g. availability, local/remote, time to on/off site support, etc.
11. Commercial and Payment Terms
The vendor should describe the commercial and payment terms of the services. E.g. Compensation for the delay of the project.