AGO
Attorney General's Office
IT Managed Services
Invitation to Quote
Attorney General’s Office
Primary Contact:
Roger Hill
Head of ICT
Attorney General's Office
[email protected]
Author:
Roger Hill, Will Haven
Date:
26 August 2011
Product Invitation to Quote
Issue Date 26 Aug 2011
Author Roger Hill, Will Haven
Version History
Version
Date
Author
Comment
0.1 27 July 2011 R Hill
0.2-0.5 23 Aug 2011 W Haven 1.0 26 Aug 2011 R Hill, W Haven
CONTENTS
CONTENTS ...3
1. INTRODUCTION ...6
1.1
Attorney General's Office...6
1.2
Office for Budget Responsibility...6
2. PURPOSE OF THIS DOCUMENT ...6
3. TERMS ...6
3.1
Contract ...6
3.2
Core – Right to Publish...7
4. ITQ PROCESS ...7
4.1
Timescales ...7
4.2
ITQ Further Information ...8
4.3
ITQ Response Requirements ...8
4.4
Format of Requirements ...8
5. ADDITIONAL GUIDELINES...8
5.1
Innovation ...8
5.2
Third Parties ...8
5.3
Acceptance...9
5.4
Confidentiality ...9
6. SCOPE OF THE PROCUREMENT ...9
6.1
Core Services ...9
6.2
Core Packaged Applications...9
6.3
Bespoke Applications ...9
6.4
Locations ...9
6.5
Current Authority IT Assets...10
7. INFRASTRUCTURE SERVICES...10
7.1
Infrastructure Assets...10
7.2
Desktops, laptops, printers. ...11
7.3
Technology Refreshment...11
7.4
Asset Register and Asset Disposal...12
7.5
Software Licences and Contracts ...12
7.6
Desktop Services...12
7.7
Access to Services ...13
7.8
Local Area Network ...13
7.9
Remote Access ...14
7.10 Service Desk and User Support ...14
7.12 Equipment Loan ...15
7.13 Installs, Moves and Changes...15
7.14 Administration of user accounts...16
7.15 Service Downtime...16
7.16 Infrastructure Administration...16
7.17 Capacity management...16
7.18 Performance management ...17
7.19 Back-Up...17
7.20 Disaster Recovery ...17
7.21 Configuration Management ...18
7.22 Minor Infrastructure Enhancements...18
7.23 Service Levels ...18
7.24 Service Availability...18
7.25 IT Strategy ...18
8. SUPPORT REQUIREMENTS...18
8.1
Service Hours ...18
8.2
System Operation and Maintenance ...19
8.3
Resilience and Recovery ...19
8.4
Other Services...19
8.5
Third Party Suppliers ...20
9. EXTERNAL CONNECTIVITY...20
10.
IT SECURITY...20
10.1 IT Compliance Requirements ...21
10.2 Security and Maintenance Patches and Virus Protection ...22
11.
IMPLEMENTATION OF NEW SYSTEMS...22
12.
TRANSITION AND SERVICE HANDOVER ...22
13.
CONTRACT MANAGEMENT ...23
13.1 Governance ...23
13.2 Service Reporting ...23
13.3 Quality Management ...24
13.4 User Satisfaction Monitoring...24
13.5 Managing Change ...24
13.6 Terms and Conditions of Contract ...24
14. PRICE...24
ANNEX A – EXISTING SERVICE LEVELS ...25
ANNEX B – ASSET LIST ...27
ANNEX D - EVALUATION SCORING ...31
TOTAL ...31
1. Introduction
The Attorney General’s Office (“AGO”) is a government department with two ministers which superintends the Crown Prosecution Service, Treasury Solicitor’s Department, the Serious Fraud Office, and HM CPS Inspectorate. The AGO shares its outsourced IT service with another government agency, the Office for Budget Responsibility (“OBR”). The AGO and OBR are collectively referred to as the “Authority” in this document.
The purpose of issuing this Invitation to Quote (“ITQ”) is to procure IT services for a period of three years from 16 January 2012 to 31 March 2015 with the option of two further one year extensions, under OGC Framework RM717 for Managed Services.
1.1 Attorney General's Office
The AGO provides high quality legal and strategic policy advice and support to the Attorney General and the Solicitor General (the Law Officers).
The Attorney General:
Is Chief Legal Adviser to the Crown;
Is a Minister of the Crown with responsibility for superintending the prosecuting departments, and
Has a number of independent public interest functions.
1.2 Office for Budget Responsibility
The OBR was created in 2010 to provide independent and authoritative analysis of the UK’s public finances. It is one of a growing number of official independent fiscal watchdogs around the world. The OBR has four main roles:
Produce forecasts for the economy and public finances Judge progress towards the Government’s fiscal targets Assess the long-term sustainability of the public finances Scrutinise the Treasury’s costing of Budget measures
2. Purpose of this document
This document has been produced by the Authority as part of the Requirements Documentation issued under an ITQ for an IT outsourced service under the OGC Managed Services framework (RM717). This document defines the services required by the Authority. The ITQ forms the second stage in the procurement process and follows the receipt of Capability Assessments from interested suppliers in June 2011.
The document specifies the requirement for the managed services sought by the Authority and describes the context within which the requirement is set. Together with the bidder’s proposal, this document will form the basis of negotiations leading to an agreement with the successful bidder for the provision of the service,
This document should be read in conjunction with the Annexes, which give details of the Authority’s current service.
3. Terms
The Authority is seeking to award a three year contract to March 2015 with the option of a further two one year extensions. The contract will have no annual indexation. Options should be provided for a full-term contract, and for a mid-full-term break without penalty, Day rates should be in line with OGC
framework contracts.
The Authority is prepared to consider variant bids and potential Contractors are encouraged to come up with suggestions on how the Authority can achieve best value for money.
The aim is to use the standard terms and conditions as set out in the OGC Framework Model Contract wherever possible.
3.2 Core – Right to Publish
The parties acknowledge that if a contract is awarded, except for any information which is exempt from disclosure in accordance with the provisions of the FOIA, the content of the Contract is not Confidential Information. The Authority shall be responsible for determining in its absolute discretion whether any of the content of the Contract is exempt from disclosure in accordance with the provisions of the FOIA. Notwithstanding any other term of the Contract, the Provider hereby gives his consent for the Authority to publish the Contract in its entirety, (but with any information which is exempt from disclosure in accordance with the provisions of the FOIA redacted) including from time to time agreed changes to the contract, to the general public.
The Authority may consult with the Provider to inform its decision regarding any exemptions but the Authority shall have the final decision in its absolute discretion. The Provider shall assist and cooperate with the Authority to enable the Authority to publish the Agreement.
4. ITQ Process
4.1 Timescales
The anticipated timings for this stage of the procurement process are summarised below. In the event of any delay, subsequent dates will be put back by the same amount, excepting only the Service Date.
Event Date
ITQ issued 30/08/2011
Deadline for questions 02/09/2011
Deadline for AGO to respond to questions 07/09/2011
Suppliers submit ITQ responses 16/09/2011, 12 noon
Evaluation of responses 27/09/2011
Notification of evaluation results – select two
suppliers to go forward to BAFO 03/10/2011
Suppliers submit BAFO 14/11/2011, 12 noon
BAFO Evaluation 21/11/2011
Notification of BAFO evaluation results 25/11/2011
Complete contract 12/12/2011
Supplier on site 03/01/2012
Service Date 16/01/2012
The AGO Business Support Team will oversee supplier communications and negotiations via
4.2 ITQ Further Information
To ensure you have as much information as possible to complete your submission in as timely a manner as possible we ask that you read all documentation carefully and submit any questions you have no later than the date in 4.1 to the email address in 4.1
4.3 ITQ Response Requirements
The Authority asks that suppliers respond to each of the requirement set out in this ITQ. Responses should evidence how you will provide the service required (not just confirmation that you can provide the service) and should be as succinct as possible.
Bidders should follow these instructions diligently and if in doubt should get in touch with the Authority.
4.4 Format of Requirements
Following sections define the services required from the Supplier during the course of the contract and information required from Bidders. Bidders should be aware that the information provided in response to these requirements will be used in any future contract with the Authority.
Specific requirements always appear in a table. There are three types of requirement identified as follows:
‘M’ means a core mandatory service requirement; ‘O’ means an optional service requirement; ‘I’ means a request for information.
A bidder’s response to this ITQ must include a response to each of these requirements; the information provided will be used to evaluate responses.
Where there are any additional or variable charges associated with any requirement and in particular the mandatory ones this should be clearly identified along with any variable on which the charge is dependent.
5. Additional Guidelines
5.1 Innovation
In preparing this ITQ, the Authority has endeavoured to set out its requirements for this solution in the best possible way. In so doing, it is possible that the Authority has constrained suppliers from offering alternative, innovative approaches. Where suppliers believe this to be the case, they are encouraged to propose these alternative approaches, which should be stated in addition to their responses.
5.2 Third Parties
Where a supplier’s responses to any of the questions assumes the usage of either third party software or functionality that is not yet developed this must be very clearly stated within the relevant response.
5.3 Acceptance
The Authority shall not be bound to accept any of the responses received.
5.4 Confidentiality
The contents of this ITQ, including specification, designs, drawings or other related documents shall be considered confidential and shall not be disclosed by you, your servants or agents to any persons, firm or corporation without the consent of the Authority. Any such specifications, designs, drawings or other documents shall remain the property of the Authority and shall be returnable on demand.
6. Scope of the Procurement
6.1 Core Services
Office infrastructure(Server support, desktop and laptop installation and support, data network management)
Service Desk
Microsoft Windows and Office (or alternatives) operation and support IT security controls and maintenance
Implementation of new systems Asset management
License management Patching voice and data Intranet
GSi and x.GSi connectivity, and via GSi to internet Blackberry or similar device support
6.2 Core Packaged Applications
Software Package Max No of
Licences Microsoft Windows operating system (or alternative) 75
Microsoft Office (or alternative) 75
Wordpress Intranet publishing tool – wordpress.org 10 Stata data analysis software – www.stata.com 15 WinSolve statistics package – winsolve.surrey.ac.uk 15 Ecowin charting and analysis software from Reuters 15 Dragon Naturally Speaking speech recognition software 10
Cardbox database software – www.cardbox.com 20
Becrypt disk encryption software to CESG standard 75
PGP CD/DVD encryption software to CESG standard 30
6.3 Bespoke Applications
None.6.4 Locations
There are presently 65 staff, the majority of which are based in one office in 20 Victoria Street, London, SW1. Many laptop users (including Ministers) are highly mobile, a number of these frequently travel world-wide and require secure remote access if practicable within CESG guidelines. All laptop users also need to be able to work remotely and from home to reduce the footprint of the office in line with government guidelines.
6.5 Current Authority IT Assets
At present, the Authority owns all the hardware and software used on its premises to provide the necessary services – an inventory of Authority assets is supplied in Annex B of this ITQ. These assets are managed by the Current Supplier on the Authority’s behalf, and will be made available to the successful contractor should they so wish. In the interests of brevity, this ITQ has been written as if this arrangement will continue under the new contract.
However, the Authority is keen to explore alternative options, where these are likely to represent value for money, and intends to be open-minded in considering Bidders’ proposals. As an alternative to the current arrangements, there are a range of approaches which could be adopted including the following examples:
Bidders may choose not to use any of the existing hardware and software, and to deliver the
services using their own assets, some of which may be located off-site e.g. in a data centre; Bidders would then have to take responsibility for disposal of existing assets in line with CESG guidelines. As equipment becomes obsolete, Bidders may choose to replace it by equipment which will be
owned by the Supplier, some of which may be located off-site.
Clearly, there are other options; Bidders should use their judgement to propose the best value for money solution to the Authority’s requirements.
Bidders should base their proposal on supporting the existing Authority assets and provide alternative proposals as an option, unless they can offer a completely costed disposal option.
The Authority is committed to trying to get best value for money from its hardware assets. Should the solution retain Authority procurement, Supplier will be required to assist the Authority in maximising the life of assets and assisting in procuring resilient replacement assets as required.
Software is to be replaced to meet the business requirements of the Authority and taking into account the software supplier’s upgrade cycle, and on-going support from the software vendor. Bidder is responsible for ensuring costs are included in their bid for the length of the contract.
7. Infrastructure Services
7.1 Infrastructure Assets
M1 Supplier must maintain and support all Authority infrastructure hardware and equipment as listed in the Annex to this ITQ including but not limited to: Desktop hardware, a mix of laptops and desktop PCs;
IT infrastructure components including servers and firewalls; Network & standalone printers;
Ancillary equipment such as scanners and multi-functional devices Data network components including hubs, routers and switches.
Bidders must describe their proposal for providing or using infrastructure components. This must include the proposed location of servers and the means by which they will ensure the security of Authority information.
M2 Servers must be maintained to ensure effective and efficient operation of the infrastructure in line with CESG security requirements.
M3 The infrastructure must support a range of applications as specified without any degradation in performance.
devices with CESG approved encryption software.
I1 Bidders should describe how they would source new equipment.
I2 Bidders should describe how equipment and software including that inherited from the existing Infrastructure will be integrated into the proposed overall architecture, design and implementation.
7.2 Desktops, laptops, printers.
M5 All network Desktops must be ergonomically designed with a minimum 18.5” TFT screen. All laptops are provided in Authority premises with docking stations, screens as desktops, keyboards and mice. Larger keyboards and other devices must be available for users with special requirements or visual impairment. The number of devices to be supported is listed in Annex B of this ITQ, with future moves tending towards more laptops.
M6 The Supplier must build all new Desktop and Laptop client devices in accordance with the agreed client build documentation set. This will be agreed at the start of the contract.
M7 A4 black and white network printers are required, minimum 40 ppm. In addition, A3 colour networked Multi Functional Devices will be required. All such printers will be based in Victoria Street. All network printers must be able to print a minimum of 1000 DPI or better; must have sufficient internal memory to support all identified Desktop functions, and have a sheet feeder capacity equal to or greater than 500 sheets. The number of network printers is specified in the Asset Annex.
M8 Stand-alone printers must be supported for secure and home working. These should be light weight compact A4 black and white printers capable of 10 ppm.
7.3 Technology Refreshment
M9 Supplier must provide advice on the specification of any new IT asset, hardware or software, in order for the Authority to procure through its preferred IT supplier. The Supplier must, if required, obtain any necessary quotations or purchase said goods on behalf of the Authority.
OR,
If the assets concerned are owned by the Supplier, the Supplier must replace or upgrade any hardware, software or equipment that is not capable of meeting Service Levels.
O1 Bidders are expected to assist the Authority in the choice of software release. Bidders are invited to comment on this policy.
M10 If the Supplier is proposing to supply some or all of the hardware and software, the Supplier must provide proposals that will ensure that the infrastructure technology is refreshed on an on-going basis.
O2 The Authority’s Information Strategy recognises the need to introduce greater mobility, with the gradual move on the client side from a majority of desktops to a mixed
environment of laptops, tablets, mobiles and desktops, with laptops predominating. Supplier should demonstrate how these changes would be accommodated in their solution.
7.4 Asset Register and Asset Disposal
M12 Supplier must maintain an up to date asset register of all items that comprise the Infrastructure, The Supplier must make the asset register available to the Authority, on demand.
M13 Supplier must dispose of unwanted IT equipment in line with CESG standards and in particular ensure all data is removed from any storage.
M14 Supplier must ensure that any assets which are disposed of are recorded on the asset register.
I3 Bidders must describe their proposals for maintaining an up to date asset register and making it available to the Authority. This should include details of any software products used to collect, verify or store information.
7.5 Software Licences and Contracts
M15 Supplier must provide license management to the Authority and work with the Authority to identify and implement the most cost-effective way of licensing software. Supplier may offer the option of a change of ownership if this is cost effective for the Authority.
M16 Supplier must ensure that:
All software installed on the Infrastructure has appropriate licences; Sufficient licences are available to cover all Authority requirements; All licences are current;
All usage is within the terms of the existing licences;
The Authority does not pay more for licences than is necessary; Forecasts are provided on license management costs for future years. M17 Supplier must use automatic software distribution techniques to centrally deploy
managed software, and provide audit records.
M18 Supplier must carry out regular audits of software installed to comply with the Federation Against Software Theft (FAST). Alternatively, the Supplier may indemnify the Authority against this risk.
I4 Bidders should describe their approach to provision and management of software licences and associated contracts. Where due diligence identifies any potential issues associated with the Supplier’s envisaged use of any of the Authority’s existing software, the Supplier must set out its proposed approach for dealing with such issues.
7.6 Desktop Services
M19 Supplier must provide the following core services, using standard products defined jointly with the Authority, to all Authority staff at their normal place of work (including home and mobile workers)
Word-processing, spreadsheet, database and presentation facilities (currently provided using Microsoft Office)
Electronic Diary (currently Microsoft Outlook) Access to the GSi
Explorer);
Access to shared documents and records stored on the network (currently provided using Windows Explorer);
Access to the World Wide Web via GSi;
Internal and external email (currently provided using Microsoft Outlook and Exchange). “Internal” means within the Authority including to and from overseas users, “external” means from outside the Authority;
Printing to network and local printers. Virus protection and local firewalls.
The ability to transfer information and documents between all users as email attachments.
Support for the display and printing of all pre-agreed fonts, symbols and (where printer capabilities permit) colours, including the Euro symbol and all fonts and colours required to comply with the AGO and OBR’s corporate identity guidelines as amended from time to time.
The ability for users, with appropriate access permissions (as granted by the Authority) to work on data that is Restricted on GSi and Confidential on x.GSi networked devices in accordance with HMG security requirements as defined by CESG.
Access to GSi email and calendar via Blackberry or other similar device. At Authority premises only: -
Access to the x.GSi for 5 users from dedicated machines using a dedicated LAN network
M20 Supplier must, on receipt of an authorised request, provide approved additional software to any member of the staff. Any additional or variable charge, such as a percentage on top of the verifiable licence charge, must be identified.
M21 Supplier should provide enhanced Desktop configurations in response to authorised user requests that provide for access to Desktop services for people with disabilities (which may require reasonable adaptations to be made). Any additional or variable charge on top of verifiable hardware or software licence charges must be identified. I5 Suppliers should describe their approach to and previous experience of providing
solutions for of this nature.
7.7 Access to Services
M22 The Supplier must ensure that all users of the IT infrastructure can access their core services from any Desktop or Laptop designated for user access in the Authority’s premises (i.e. support for ‘hot-desking’). Users must not be able to log-on at more than one device concurrently.
M23 Supplier must provide Laptop computers with the agreed configuration from the Authority’s stock upon receipt of an authorised request at no additional charge. I6 Bidders should describe their proposals for providing access to the required IT
services. This should include services to users working away from their office.
7.8 Local Area Network
M24 Supplier must manage and support the Authority’s Local Area Networks and external connections, which include GSi and x.GSi connections. Supplier should explain experience of managing the separation of these networks.
M25 Supplier must manage and maintain internal data links, linking Desktops and Laptops to servers via switches, hubs, routers and cabling to data outlets at each Desktop and Laptop. Links must be monitored to identify performance problems.
M26 Supplier must manage the patching of all network and communication devices from device to floor port and patch port to network switch.
M27 Supplier must maintain network connectivity as the Authority’s accommodation changes in future years.
7.9 Remote Access
M28 Supplier must operate, monitor and manage the Authority’s remote access (including Blackberry and 3G USB modems for Laptops) solution.
M29 Supplier must add and remove devices and or user accounts which have been authorised or denied access to remotely access the Authority’s network. Supplier must maintain any route filtering in place to ensure the integrity of the remote access solution and limit accessibility of remote client devices.
M30 Supplier must log and manage the issuing of remote access authentication tokens to authorised Authority staff.
7.10 Service Desk and User Support
M31 The Supplier must provide and manage a Service Desk service for all users of the IT Infrastructure, that will provide Incident Management in accordance with ITIL best practice, in particular:
Receive and record all problems or enquiries concerning the Authority’s Infrastructure or Applications that run on the Infrastructure;
Manage the resolution of all reported problems, co-ordinating any input required from other Authority staff or approved third parties;
Maintain communication with customers, keeping them informed of progress of their outstanding problems/queries;
Only close a problem or enquiry when it has been resolved with the user, in accordance with standards agreed with the Authority.
The Supplier must maintain statistics on all problems and queries
raised/resolved and incorporate these in monthly service management reports. The Service Desk must be capable of receiving problems and queries by email
and telephone.
M32 There must be a fully manned Service Desk service for all on-site and remote staff between the hours of 08:00 and 18:00 Monday through Friday.
M33 With prior agreement the Supplier must provide access to Service Desk and user support services in the evenings, at weekends and over Bank Holiday periods. Additional cost, if any, should be identified.
M34 The Service Desk must allow users to track the progress of the problem they have raised directly.
M35 The Service Desk staff must be experienced users of MS Office applications. Over 80% of all calls should be resolved at first call.
M36 Supplier must provide Full Service Support for all hardware for both Local and Remote users.
M37 Supplier must provide technical support for both office and remote users.
I7 Bidders should describe their approach to providing support services, during and outside normal working hours, for short periods of extended service and in support of remote and home workers, and their experience of increasing the percentage of calls resolved at first call.
7.11 Problem Severity
M38 Supplier must provide problem management in accordance with ITIL Problem Management best practise to ensure all problems raised are dealt with in a timely and efficient manner. This will include the co-ordination of all problems with 3rd parties and management of different classes of problem in accordance with the SLA. M39 Supplier must assign a severity level to all problems and requests received from
callers and in the case of Severity One and Two agree that severity level with the Authority’s service manager.
Severity One
Total Loss of Service to: a. More than 10% of users OR
b. Degradation of Service of 25%+ to more than 10% of users Severity Two
All other incidents which involve either:
a. Partial Loss of Service to more than 10% of users OR b. Degradation of Service of 25%+ to more than 10% of users. Severity Three
A single user cannot use a Mandatory part of the IT Service Severity Four
A single user from using a part of the IT Service – but the user can continue to operate albeit at a lower level of efficiency.
M40 Supplier must agree a problem escalation process with the Authority and must escalate problems as per contract.
M41 Supplier must analyse all incidents to identify significant trends. They must recommend any work required to secure or improve services that would provide a business advantage to the Authority.
7.12 Equipment Loan
M42 The Supplier must manage the supply of loan equipment to Authority staff. This will include the loan of Desktops, Laptops, portable printers and projection equipment to staff based at Authority or remote premises.
I8 Bidders must describe their approach to providing equipment on a temporary loan, stating any constraints that would apply to the services.
7.13 Installs, Moves and Changes
M43 Supplier must carry out IMAC - minor equipment moves and changes (including network wiring if requested) - for relocated staff and ensure that they have the correct IT services available. IMAC of less than 10 relocations within the Authorities premises performed at the same time must be done at no additional charge.
M44 Supplier must assist in any major accommodation moves undertaken by the Authority. Suppliers must confirm what, if any, additional charges would apply. M45 Supplier must assist in the specification of any environmental considerations for the
provision of IT Services to any new accommodation.
M46 Supplier must move any hardware (desktops, laptops, keyboards, mice, other pointing devices, screens, scanners, KVM switches, USB hubs, printers, servers,
hubs, routers, switches or any other IT equipment as defined by the Authority) at the Authority’s premises.
I9 Suppliers should describe their approach to handling moves, stating the different categories of move anticipated and the arrangements that would be appropriate to each category.
7.14 Administration of user accounts
M47 Supplier must create user accounts for Authority staff, (including temporary staff, consultants and contractors) and, when required to do so, change, augment or diminish user access rights. Supplier should note a variety of email domains may be used.
M48 Supplier must, under Authority direction, manage access permissions for user’s personal and Authority shared data areas, assigning and removing permissions in accordance with the agreed authorisation processes. This must include the management and control of access and of user passwords.
M49 Supplier must actively monitor user accounts to identify unused accounts and take appropriate action.
M50 Supplier must periodically and at the request of the Authority complete a continued business need audit of all active user accounts on all Authority IT systems. This will include accounts owned by Authority staff and also by the Supplier, to ensure redundant accounts are removed from the system at the earliest opportunity.
7.15 Service Downtime
M51 The Supplier must make the Services available for use whenever possible. Any scheduled downtime must be agreed with the Authority 5 working days in advance. M52 The Supplier must notify all impacted users of any planned withdrawal of Service
outside of normal working hours and must also provide users with regular reminders of the planned withdrawal of Service.
M53 In the event of issues affecting performance in normal service hours Supplier must notify users when the normal service will be resumed.
I10 Bidders should describe their approach to making Services available and notifying users of any planned or unplanned disruption.
7.16 Infrastructure Administration
M54 Supplier’s management and support of the infrastructure must include:
Server and client housekeeping (e.g. cleaning up redundant data) in accordance with a policy agreed with the Authority;
Provision of consumables necessary to support any IT equipment but excluding CDs, DVDs and paper. In particular, this means provision at Authority premises of sufficient toner to reduce printer and multi-functional device down-time. M55 Supplier must maintain up-to-date documentation of the infrastructure.
7.17 Capacity management
M56 Supplier must actively monitor the storage capacity and bandwidth availability. The Supplier must inform the Authority of any issues as soon as they become apparent and make recommendations for remedy. Should this require equipment purchased by the Authority, any additional charge above the equipment cost should be
identified.
M57 Supplier must manage the servers to ensure efficient and effective use of these resources to the satisfaction of the Authority. Supplier will be expected to identify opportunities for rationalising the Authority’s capacity requirements.
M58 The Supplier must identify and implement efficient performance standards for file transfer and data storage within CESG guidelines and notify users of these standards.
7.18 Performance management
M59 Performance management must include but not be limited to:
Pro-active monitoring of the infrastructure workloads, response times and throughput to identify changes, patterns and trends.
Detection of conditions which could be detrimental to performance and the taking of corrective action.
Tuning the infrastructure to meet agreed performance levels. Tuning operating systems & shared storage.
Verifying that the system back-up processes work successfully.
Investigation of detected or reported failures to meet performance levels Review of usage trends
Assessing the impact of proposed changes to applications, the user population and organisation upon the performance of the Services.
7.19 Back-Up
M60 Supplier must ensure IT systems are backed up in accordance with the Authority’s backup strategy, and ensure all backup media are held in secure off-site storage. This presently requires daily incremental and weekend full ups, with full back-ups maintained for 7 years.
M61 The Supplier must put procedures in place to ensure that any data lost by Authority staff can be recovered with minimal user intervention. All recovered data must be available within one day of request.
M62 Supplier must ensure that systems and procedures allow for the restoration of data to be in the case of any investigation and audit by the Authority.
I11 Bidders must describe their proposal for backup and recovery of data and systems.
7.20 Disaster Recovery
M63 Within one month of award, Supplier must create and maintain a Disaster Recovery Plan for the Infrastructure that are consistent with the Authority’s overall business continuity plans, and this must be agreed with the Authority within 3 months of contract award. The Plan must permit of early warning of potential disasters as well as the events themselves.
M64 Supplier must initiate annual disaster recovery tests at times to be agreed with the Authority and provide the Authority with the test results.
M65 In the event of a disaster, Supplier must invoke the Disaster Recovery Plan, using all reasonable endeavours in restoring Services.
M66 If an Authority premises is temporarily closed, Supplier must ensure that key services are provided to key staff within 24 hours. The definitions of ‘key services’ and ‘key staff’ will have previously been agreed in the Disaster Recovery Plan. I12 Bidders should describe their approach to business continuity including a menu of
services they would propose.
7.21 Configuration Management
M67 Supplier must maintain proper configuration control over all hardware, software and documented procedures, in line with best practice.
7.22 Minor Infrastructure Enhancements
M68 The Supplier must deliver and carry out minor infrastructure enhancements as required by the Authority at no additional charge. These include
Apply service releases of existing software; Apply emergency fixes and patches Firmware upgrades.
I13 Bidders should describe their approach to applying minor enhancements to the infrastructure. Bidders may describe the types of enhancements they envisage and the staffing, processes, tools, and standards that would be applied.
7.23 Service Levels
M69 By the Service Date, Supplier’s infrastructure services must meet the Service Levels as detailed in the Annex. Bidders must confirm they can comply with these service levels. Service credits will apply to non conformance for business critical service levels and Supplier must propose a service credit regime.
I14 Bidders may comment on the required service levels, suggesting alternatives where appropriate, together with the benefits to the Authority of the proposed alternative service level.
7.24 Service Availability
M70 The Supplier must monitor and maintain system availability of Authority systems to meet the Service Levels, preferably by automated means.
7.25 IT Strategy
M71 The supplier must provide formal IT strategy advice at least once every 6 months.
8. Support Requirements
8.1 Service Hours
M72 The full range of Services covered under this contract must be available during Standard Hours, 08:00 – 18:00, Monday to Friday, excluding Bank Holidays but not privilege holidays.
M73 The infrastructure must normally be available for use outside Standard Hours. Any periods of planned unavailability of services outside Standard Hours must be agreed with the Authority in advance, except in cases of emergency.
M74 The Supplier must provide uninterrupted access to servers, in agreed service hours, for file storage, network printing, access to business application systems, core applications, the Internet and FTP services.
8.2 System Operation and Maintenance
M75 Supplier must accept responsibility for end-to-end performance and availability in accordance with the Service Levels, managing the relationships with
sub-contractors and third party sub-contractors.
M76 Supplier must maintain and repair all components of the infrastructure to ensure that the required Service Levels are met.
M77 Changes to the infrastructure must only be implemented following agreed change management procedures
M78 The infrastructure must be managed and administered in accordance with good IT infrastructure management practices as detailed in ITIL
M79 Supplier must identify its processes & procedures for the following: Managing Service Desk calls.
Managing escalation. Managing problems.
Management of the communications network, both voice and data Managing Service Requests.
Managing Change Requests. Managing security.
Managing email. Asset management. Managing all licenses.
M80 Supplier must co-operate fully with system health checks and security audits to provide continuing assurance as to compliance and to support any investigative or diagnostic activity which the Authority deem necessary.
M81 Supplier must make every effort to maintain the integrity of relevant databases, records and security logs and to keep them in a form, clearly documented. M82 Supplier must change /or reset passwords for Windows Active Directory in
accordance with Service Levels
8.3 Resilience and Recovery
M83 In the event of failure of an individual Desktop or Laptop, data loss must be minimal. Supplier should identify how to achieve this.
8.4 Other Services
M84 Supplier must offer services on a call off basis to develop small applications using MS-Office or similar. Details of availability and charges should be provided in a table with daily and hourly rates.
M85 Supplier must provide a User Guide giving an overview of the infrastructure services, and which provides a key to obtaining further information as necessary about particular services, authorisation procedures, and details of the Service Desk and other contact points, agreed performance standards and escalation procedures. This may be provided on-line if accessible to all Authority users.
M86 Supplier must provide a plan for ensuring all infrastructure equipment is kept in a clean and safe condition, and must implement that plan after its agreement. M87 Supplier must archive data in response to user requests. Archived data must be
stored securely off site. Archived data must be stored for a period specified by the user at the time of archiving, and must be restored to on-line status on request from
the user.
M88 Supplier must keep Desktop cabling in a safe and tidy state using industry standard cable management practice. Frame rooms and patch cabinets must be properly cabled and managed using colour coding to denote the purpose of the cable. This must be fully documented and made available for Authority inspection. Supplier must keep all areas safe in accordance with the Authority’s Health and Safety Policy.
8.5 Third Party Suppliers
M89
Supplier must agree to manage all day-to-day responsibilities with any 3rd party suppliers to the Authority including, but not limited to:-
Problem resolution involving the provision of 2nd and 3rd Line support Purchase and installation of specialist software or hardware
Contingency and disaster planning & tests. Change management.
Security related services. Systems Integration services. Data network services.
Other government departments who provide services to the Authority. M90 Supplier must act as the single liaison point for all dialogue between 3rd party
suppliers and the Authority in the event of any hardware, network, component failure or software failure.
M91 Suppliers must support the applications listed in Section 6.2 “Core Applications.” Bidders should indicate what level of experience they have of these and how they propose to support the systems listed, in particular Cardbox.
9. External Connectivity
M92 Supplier must act as Authority’s point of contact for all matters concerning the GSi and x.GSi connection and the provision of Internet Email and Web Browsing. M93 Supplier must work with the suppliers of the GSi service to maximise system
availability at all times both within and outside of normal working hours. M94 Supplier must provide Internet Web and Email access in accordance with the
Service Levels. Supplier must provide Authority with the ability to transfer data to and from Authority websites.
M95 An Internet connection must be provided to allow email to external, organisations, and permit Internet access.
M96 Connections to the GSi and x.GSi must be provided to enable secure email with other public sector organisations.
M97 Supplier must provide the Authority with the capability to access other government departments (OGD) Intranets, where permission to implement access has been obtained by the Authority.
10. IT Security
Protect Authority information from unauthorised parties
Ensure that all Authority information is completely expunged from equipment before disposal in line with CESG guidance;
Monitor emails, detect and report inappropriate usage
Monitor internet access, detect and report inappropriate usage
Report any security concerns to the Authority’s IT Security Officer, as soon as practicable and to any agreed third party such as UNIRAS;
Log and report all breaches of security to the Authority’s Departmental Security Officer, other than minor previously agreed procedural breaches;
Maintain adequate records and facilitate inspections to enable the investigation of incidents and verification of compliance by the Authority.
M99 All Supplier staff who require access to the Authority’s building or systems must be security cleared to minimum of SC. Supplier is responsible for ensuring that they carry out pre-employment checks on all staff in line with CPNI guidance. Sub-contractors and consultants who are working on the infrastructure will need to be supervised by security cleared Supplier staff at all times.
M100 Whether servers are hosted on or off Authority’s premises, the Supplier must ensure that systems and information are secure and protected against loss. Supplier must deploy suitable physical security measures at least equal to those required by CESG standards.
10.1 IT Compliance Requirements
M101 Supplier must be aware of and comply with CESG and other relevant HMG security guidance. Supplier must actively monitor government security notifications and advise the Authority in a timely manner on a required course of action
M102 Supplier must lead the development of Authority’s IT Security Policy. Whilst the Authority retains overall responsibility, work to ensure compliance to CESG standards will be undertaken by the Supplier.
M103 Supplier must develop, secure all approvals and maintain appropriate Security Operating Procedures (SyOPs) and System Operating Procedures (SOPs), Service Management Procedures, RMADS and other necessary system documentation as required by CESG and the Authority.
M104 Supplier must ensure that all the Authority’s IT equipment, software and networks are supplied, configured, operated and maintained so as to ensure compliance with the Authority’s Security Policy and RMADS.
M105 Supplier must conduct regular reviews of the RMADS to ensure compliance with CESG standards and update if required.
M106 Supplier must ensure that the Authority’s infrastructure is initially accredited for connection to the GSi and x.GSi and maintains this accreditation.
M107 Supplier must maintain compliance with BS7799.
M108 Supplier must ensure that all users are identified and authenticated before being given access to the Authority’s infrastructure.
M109 Data must be protected in accordance with HMG’s Protective Marking regime. This means Confidential information must be maintained with access to the x.GSi network only and Restricted information may be maintained on the x.GSi or the GSi network. No Secret or more highly classified information may be maintained with a connection to any external network.
M110 Supplier must, at regular intervals, undertake a health check of all Authority Servers and Desktops and Laptops to ensure that they meet the agreed security settings. M111 Supplier must ensure that there is a facility for auditing failed log on attempts and
M112 Supplier must ensure that there is a facility that terminates terminal and other processes after a period of inactivity.
M113 Supplier must conduct penetration tests of the infrastructure using trusted 3rd parties. This must occur a minimum of annually.
M114 Supplier must provide technical support for the use of encryption technologies such as PGP, as required and agreed with Authority.
10.2 Security and Maintenance Patches and Virus Protection
M115 Supplier must actively monitor the availability of system critical security andmaintenance patches for all supported software and hardware and install any required on all supported software and hardware within the Service Levels M116 Supplier must provide virus detection and eradication processes for local and
remote devices capable of detecting viruses, which are introduced through any known means, in accordance with prevailing CESG advice.
M117 The Supplier must act as the support interface between Authority and the Anti-Virus Solution provider for the GSi and x.GSi
I15 Bidders should describe their approach to network and information security.
11. Implementation of new systems
M118 The Supplier must assist the Authority in the acceptance testing of any new bespoke applications which are developed by third party suppliers under contract to the Authority.
M119 The Supplier must install any new applications (COTS and bespoke) on the Authority’s infrastructure and make such applications available to authorised Authority users.
M120 The Supplier must interface/integrate new applications with existing Authority systems as required.
12. Transition and Service Handover
M121 The infrastructure (including - hardware network and cables and software) must be delivered (or transferred in ownership), and ready for use by Authority staff by the Service Date. Bidders should explain how this may be accomplished.
M122 A high-speed connection, to the GSi and x.GSi must be ready for use by Authority staff by the Service Date. It is anticipated that the incumbent supplier will assist in transfer, but Bidders should explain how they have accomplished a speedy transfer in previous situations.
M123 All Authority user data, including MS Outlook data (email, address lists, calendar data etc) must be available for immediate use on the Service Date. The current supplier and the Authority will provide assistance in facilitating this transfer. M124 The Supplier must ensure that, during service handover, levels of service do not fall
below those listed in Annex A.
M125 The Transition Plan must be produced within 1 week of contract award, and must detail responsibilities, activities, deliverables, milestones, resources, timescales, dependencies, risks and quality control and assurance activities
M126 The Supplier must identify in his Transition Plan any building work, site services or similar activities the Authority is required to undertake to enable successful
liable for any costs incurred by Authority.
M127 The Supplier must manage the transition and service handover using a recognised project management methodology and identify it here.
M128 During transition and service handover, the Supplier must ensure that: All work is carried out without disruption to users.
Authority is kept informed weekly of progress
I16 Bidders should describe their proposed approach to the maintenance of service quality identifying in particular:
Their overall management approach;
The order of take-on of services, including the transfer of assets and relocation of servers;
What help and assistance would be required from the Authority; How they would minimise the risk of service disruption during service
handover
13. Contract Management
13.1 Governance
M129 Supplier must identify by name: -
Senior Director: to act as a senior escalation point
Account Director: to take full responsibility for the account;
Contract Manager: to take full responsibility for ensuring that the contractual terms remain up to date;
Service Manager: to take day-to-day responsibility for providing the ongoing service, acting as the primary point of contact for all matters relating to the services; the Service Manager, or a nominated deputy, must be available at all times to Authority during normal business hours;
Transition Manager: to manage the transition including the handover of services. M130 Supplier must co-operate proactively with third parties particularly the Authority’s
other suppliers. The Supplier must undertake to provide reasonable information and assistance to such suppliers.
I17 Bidders should provide details of the organisation they would expect to put into place to manage and provide services.
13.2 Service Reporting
M131 Supplier must provide monthly reports on performance against Service Levels and on problems and issues arising during the previous period. These reports must provide sufficient information presented in a structured format to enable easy reconciliation with the Supplier’s invoices and must include, at a minimum, monthly figures (against service levels) and trends for:
Service availability and performance; Capacity;
Problem management including: details of problems resolved;
outstanding problems & steps being taken to effect permanent solutions fix times for the different severity levels of problems;
Progress in all ongoing projects; Future plans and Innovation. Inactive accounts
Security incidents
M132 Supplier must agree to the Authority (or its auditors) auditing the performance reporting and management procedures, systems and records twice annually, or more frequently at the Authority’s request.
I18 Bidders may provide an example of their monthly service report.
13.3 Quality Management
M133 Supplier’s organisation responsible for delivering services to the Authority should hold and maintain certification to ISO 9001 (2000).
M134 Within one month of award, Supplier must provide an outline Quality Plan. Which covers:
The quality organisation and responsibilities; The standards and working methods to be adopted
The monitoring and reviewing service delivery and progress.
13.4 User Satisfaction Monitoring
M135 Supplier must cooperate with the user satisfaction surveys undertaken by the Authority or carry out surveys on behalf of the Authority.
I19 Bidders may provide details on how they could monitor user satisfaction.
13.5 Managing Change
I20 Bidders should describe their proposed organisation and processes for managing change identifying, in particular, the interfaces with the Authority. In describing the change process it would be helpful for bidders to provide examples, based on their experience of three different types and sizes of change and how they would be progressed through to completion, in a comparable organisation.
13.6 Terms and Conditions of Contract
M136 Bidders must confirm that the OGC Model Contract as provided in Buying Solutions RM717 Framework Documentation will form the basis of the agreement
I21 Bidders should identify any part of the OGC Model Contract which is unacceptable to them.
14. Price
M137 Bidders must provide their proposed model pricing schedule which clearly sets out the cost for supplying the services set out in this ITQ to the Authority for each year of the contract.
M138 Bidders must clearly set out any additional or variable charges associated with any requirement and in particular the mandatory requirements. This must be clearly identified along with any variable on which the charge is dependent. Each Optional Requirement must be fully costed.
Annex A – Existing Service Levels
Description Maximum time to
complete
Reset password 1 Hour
Reset access permission 1 Hour
Resolve software access problem 1 Hour
Perform emergency security operation or update patch – virus detection and removal etc
1 Hour
Resolve software data access problem 4 Hours
Provide advice on use or problem software or hardware 4 Hours
Recover file from previous day or period 4 Hours
Perform Virus Checks on single media source e.g. disk or solid state device 4 Hours
Set up new user 4 Hours
Resolve printing problem 1 Day
Resolve save problem 1 Day
Resolve software performance problem 1 Day
Resolve hardware performance problem 1 Day
Provide consumable item and minor equipment from list 1 Day
Add additional software item to desktop/laptop 1 Day
Provide agreed hardware item 1 Day
Provide copy of file on CD or media 1 Day
Commission infrastructure user equipment - up to five users 1 Day
Patch telephone system – up to 10 users 1 Day
Restore user profile and or part of the associated files from last back up 1 Day Resolve user query on advice on use or problem with any item of software or
hardware (includes managing interfaces with any third party who provides second and third level support.
1 Day
Commission infrastructure user equipment between five and twenty users 1 Day
Perform Virus Checks on bulk incoming materials 1 Day
Patch telephone system – between 10 - 20 users 1 Day
Delete user 1 Day - sooner if a
security requirement
Change user access permissions 1 Day - sooner if a
security requirement Perform back up of specific user work space and data files. 1 Day - sooner if
security requirement Provide performance and or storage statistics on a defined component of the
infrastructure
3 Days Receive and recycle (including clear down of data using approved product etc) of
on site location equipment
2 Weeks Decommission and dispose of infrastructure component 2 Weeks
At the request of the authority
Identify unused user accounts
Perform disaster recovery test Perform user satisfaction survey
Develop, support and maintain small applications for users (or support users doing so).
Provide assistance with building or maintaining or recovery of, or faults with specially written databases in software
Forensic recovery of lost file on stand alone storage device Carry out Performance Test(s)
Prepare/set up laptop or desktop for foreign country (not UK) use – including VPN components
Set up hardware for users with special requirements Set up a stand alone device with internet access
Investigate and report on suitability of new or alternative Infrastructure component/s (hardware or software item) including compatibility, security and sources of supply and the cost effectiveness of software licensing arrangements.
No failures permitted
Service Desk only to be manned by qualified personnel All users to be notified of their call reference
All calls raised by individuals can only be closed with the users express agreement or the Authority Service Manager
Advise users of the ETA for desktop visits
Annex B – Asset List
Item Model Number
Desktop HP DC7700 45
Docking station HP2400 65
Docking station HP2510P 4
Docking station HP EN488AA 61
Firewall Cisco 5 Firewall Sidewinder 1 Laptop HP2400 30 Laptop HP2430P 6 Laptop HP2510P 10 Laptop HP2530P 7 Laptop HP Compaq 2510p 20 Laptop HP Compaq 2530p 1 Laptop HP Compaq 2610p 1 Laptop HP Compaq NC8430 12 Laptop HP Elitebook 2530p 8 Monitor Samsung 214T 87 Monitor Samtron 94V 5
Monitor IBM ThinkVision T541 15" Flat Panel LCD 9512-ABO 1 Monitor HP L1940T 16 Monitor HP L1950 2 Monitor NEC LCD2170NX 2 Monitor HP LT1940T 10
Monitor IBM Console monitor 1
Multi-functional printer HP Color Laser Jet 9500mfp 8
Printer HP4350N 13
Rack IBM Enterprise Rack, Mount & Power Cables 1
Server HP DL360-G5 1
Server HP ProLiant DL360 G5 Xeon Server 1
Server X Series 335 8676-21G 1
Server X Series 336 8837-21Y 1
Server X Series 335 8676-41X 2
Server X Series 335 8676-61X 1
Server X Series 345 8670-32X 2
Server X Series 345 8670-61X 1
Server X Series 346 8840-2BG 2
Server X Series 3650 7979-71Y 1
Switch Cisco 2611XN 1
Switch Cisco 878 2
Switch Cisco WS C3750-48PS-S V05 1
Switch Cisco WS-C2960-24TC-L V02 1
Switch Cisco WS-C2960-24TC-L V03 2
Switch ED20M AEP SYSTEMS 1
Switch NOKIA IP 260 2
Switch PROCURVE SWITCH 2324 MODEL J4818A 1
Switch PROCURVE SWITCH 2626 MODEL J4900B 2
Switch Cisco VPN 3000 CONCENTRATOR - VPN3005 1
Tape drive HP MSL2024 SAS Tape Library 1
Tape drive IBM Total Storage 3581-L28 2
UPS IBM 3000 2130-1RU - 2850W 3
UPS APC Smart 3000 3
UPS APC SUA3000RMI2U 1
Annex C – Glossary
AGO Attorney General’s Office BAFO Best and Final Offer
Bidder(s) Those companies bidding to provide services under this ITQ.
CESG Communications-Electronics Security Group, the UK Governments National Technical Authority for Information Assurance
COTS Commercial Off-The-Shelf
CPNI Centre for the Protection of the National Infrastructure Current
Supplier
Capita Secure Information Systems Ltd Desktop A personal computer or network computer First Line
Support
Service Desk call logging and resolution of c. 80% of calls FTP File Transfer Protocol
Full Service Support
Taking total responsibility for an item of equipment or software from the point that it has been purchased through to its disposal in accordance with agreed procedures. For the avoidance of doubt this includes installation, relocation, fault fixing and routine
maintenance, including upgrades
GSi Government Secure Intranet, the UK government’s secure IP managed network for restricted (IL3) information.
IL3 Impact Level 3
IL4 Impact Level 4
IMAC Installations, Moves and Changes of computer equipment ITIL Office of Government Commerce IT Infrastructure Library
ITQ Invitation to Quote
Laptops Portable personal computers in conventional clam shell or tablet form. Local User User based at 20 Victoria Street, London SW1H 0NF
OBR Office for Budget Responsibility Remote
User
Includes staff working at home or abroad, connecting in remotely RMADS Risk Management Accreditation Document Set
SC Vetted personnel to “Security Check” level Second line
support
Where the fault cannot be resolved by first-line support or requires time to be resolved or local attendance.
Service / Services
The service commitments detailed in the requirements Service
Date
The date from which the Supplier will be responsible for delivering all the Services required by this ITQ
Level(s)
SLA Service Level Agreement, part of the contract to be awarded that defines service levels and credits.
Supplier The company which is awarded the contract. Third line
support
Where specialist or sub-contracted third-party support is required. Transition
Plan
An overall plan of the transition and service handover activities and the establishment of all services in accordance with Full Service Levels – created and maintained by the Supplier.
TSol Treasury Solicitors
x.GSi Government Secure Intranet, the UK government’s secure IP managed network for Confidential (IL4) information.