
Created by Dimension Data

IaaS Request for Proposal Template

Created by the Dimension Data Cloud Business Unit


IaaS Request for Proposal (RFP) Template

Release

Version Date released Pages affected Remarks


Table of contents

Introduction – Purpose of Document

1. Personnel Security / Auditing
1.1. Do you provide background/credit/education/drug screening of employees involved in the delivery of your service?
1.2. Do your personnel sign non-disclosure and confidentiality agreements?
1.3. Does an internal security awareness policy exist for employees?
1.4. Does the information security programme include a policy on:
1.5. How are employees kept abreast of changes to the security policy?
1.6. Are employees aware of the process for reporting security incidents?
1.7. Is there an internal audit group responsible for reviewing the information security environment?
1.8. Do contracts with your vendors require a minimum level of security from the vendor?
1.9. When an employee leaves the company, are access privileges immediately revoked?

2. Physical Security / Auditing
2.1. Are visitors required to sign in, be issued with identity badges, and be escorted while on the premises?
2.2. Are access logs from the facility maintained for at least 30 days?
2.3. Does the company have policies on removable media in the data centre?
2.4. Do third parties have physical access to data center space where your cloud infrastructure is located?
2.5. Are the facilities premises separated into different control areas such as data center floor, loading/delivery areas and others?
2.6. What are the hours of operation of the security facilities at the data center?
2.7. Is there CCTV monitoring of the data center floor?
2.8. Are loading dock or delivery areas monitored by CCTV?
2.9. What is the retention policy on CCTV feeds?
2.10. How is the cage space for your cloud environment separated from other data center clients?
2.11. Describe the fire suppression solution used in the data center.
2.12. Are temperature and humidity controls in the data centre restricted to authorised personnel only and separated from the rest of the facility?
2.13. Are there procedures in place to control the removal of property from the facility?
2.14. Is there a holding area for deliveries at the data centre where internal doors can be secured while external doors are open?
2.15. How are power and communications cables physically separated?
2.16. Are there locked/alarmed conduit boxes?
2.17. Are inventory records maintained of all hardware?
2.18. Do you sweep for unauthorised devices attached to cables?
2.19. Does the facility include the following physical security elements?

3. Logical Security / Auditing
3.1. Please provide a copy of your information security policy.
3.2. Does a separation of duties exist between individuals who authorise access, personnel who enable access, and personnel who verify access to your infrastructure?
3.3. Are all critical system clocks and times synchronised, and do logs include a date and time stamp?
3.4. Is it standard for you to have the development/test systems segregated from the production systems to ensure segment access control between diverse environments?
3.5. Do access control logs contain successful/unsuccessful login attempts and access to audit logs?
3.6. Do audit trails include a record of individual or process identity, date, time, function performed and the resource(s) accessed?
3.7. Does a formal log review process exist?
3.8. Are system logs unalterable (e.g. use write-once technology or equivalent protection)?
3.9. Are all activities on the networking infrastructure performed by personnel with unique logins, and are they logged?
3.10. Do you provide two-factor authentication?
3.11. Are installation and vendor-default passwords provided with new hardware, system software, etc. reset before they go into production?
3.12. Do administrators and remote users have individually-assigned user identities and passwords?
3.13. Do systems notify users of their last successful login to their account?
3.14. Are all activities on the virtualisation layer performed by personnel with unique logins, and are they logged?
3.15. Are access scripts with embedded passwords prohibited?
3.16. Are system administrators the only people who have administrative privileges?
3.17. Is access to all program libraries restricted and controlled?
3.18. Are your support representatives able to access client data?
3.19. Can client support representatives obtain client passwords?
3.20. Explain how passwords are created and communicated to clients (i.e. password requirements and policy).
3.21. Are all operator accounts reviewed on a regular basis to ensure that malicious, out-of-date, or unknown accounts do not exist?
3.22. Is an automatic computer screen locking facility enabled for system administrators? This would lock the screen when the computer is left unattended for a certain period.
3.23. What type of operating system hardening does your company have experience in?
3.24. Do you periodically check your network to ensure that no unauthorised equipment has been attached to it?
3.25. What type of security procedures/policy is in place to ensure the security of equipment outside of the organisation (including portable equipment, offsite equipment, hot-site, etc.)?
3.26. Does the company have a formal programme in place to classify, label, handle, and dispose of information?
3.27. Does the company have the appropriate controls in place to co-operate with investigations by law enforcement officials? Do collection of evidence policies and procedures exist?
3.28. Explain the process and controls in place for SSL key management.
3.29. Do you have access to the client’s VM OS admin passwords?
3.30. Do your underlying portal management systems ensure that clients cannot access networks and systems owned by other clients, and that there is no ability to bypass the management interface to the underlying infrastructure?

4. Monitoring / Request Management
4.1. What controls does your company have in place to monitor the cloud infrastructure capacity?
4.2. Do your clients have access to a monitoring portal?
4.3. Can you monitor the performance of our application?
4.4. Can you monitor the performance of our database environment?
4.5. Is there an option to receive alerts directly from your monitoring solution?
4.6. Do you have the ability to monitor logs for specific event codes or error codes?
4.7. What process would we follow to request support assistance?
4.8. Can your ticketing system integrate with ours?
4.9. Do you provide trending reports on capacity and performance?

5. Data backup / business continuity / disaster recovery
5.1. Does your company have a formal written business continuity policy?
5.2. Is the distance between the backup recovery facility and the primary location adequate to ensure that one incident does not affect both facilities?
5.3. Does the recovery location use different power and telecommunications grids from those used by the primary site?
5.4. Do you have insurance coverage for business interruptions or general service interruptions, regardless of the reason?
5.5. Does your company carry cyber-insurance? Does this cover identity theft, cyber-extortion, cyber-terrorism, information asset network security, web content, errors and omissions, and network business interruptions?
5.6. Is there a communication plan in place for notifying clients that a major event has occurred and could potentially impact service delivery?
5.7. Do you have established recovery time objectives in the event of a disaster?
5.8. What is the retention scheme for standard server backups?
5.9. Do you have an automatic or self-provisioned backup solution for your public cloud? If so, please describe the features it offers based on the previous questions asked about backups.
5.10. Would the recovery location use different power and telco grids from those at the primary site?

6. Vulnerability / intrusion detection / anti-virus
6.1. Please describe your general network security and intrusion detection system (IDS) information.
6.2. How does your company prevent Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks?
6.3. Are third party vulnerability assessments conducted?
6.4. Are penetration tests conducted?
6.5. Describe your incident response procedures.
6.6. Is anti-virus software utilised on system components?
6.7. What information is typically logged? Does a formal network log review process exist?
6.8. Are the following general server controls in use?
6.9. Are wireless devices utilised in your network?
6.10. Are system configuration checking tools (host intrusion detection systems (HIDS)) utilised and maintained (e.g. Tripwire, Symantec, ESM)? Please indicate tools and versions.
6.11. What host-based intrusion detection system (HIDS) do you use?
6.12. Are tools in place to monitor and manage file integrity?
6.13. Is vulnerability assessment management in place?
6.14. Do routers have defined access control lists to specify access to and from your network?
6.15. Is access to network perimeter devices strongly authenticated and/or IP strapped?
6.16. Do system standards/procedures include disabling all unneeded or unused services?
6.17. Is network address translation or port address translation used to conceal IP addresses from the public domain?
6.18. Do firewalls block all IP and port access, and use defined access control lists or conduits to specify address and port access for known communication into and out of the network?
6.19. Are firewall access control lists reviewed as part of either an internal or external audit?
6.20. Is network address translation (NAT) or port address translation (PAT) used to conceal IP addresses from the public?
6.21. Can clients conduct independent penetration testing of their environment?

7. Control / incident response processes
7.1. Describe your company’s formal change control process.
7.2. Describe your company’s patch management procedures.
7.3. Are your processes covered under your SSAE16 audit?
7.4. Describe your process for security event monitoring and notification/alert/response plans.

8. Managed services
8.1. Do you have managed services options? Please provide an overview of your services.
8.2. Do you have experience in supporting Web applications?
8.3. Is your support available 24/7/365?
8.4. Do you have experience in supporting highly available solutions (i.e. database clustering, load balancing)?
8.5. Can you support the rollout of application changes and updates to our custom SaaS application?
8.6. How can you help with identifying performance issues with our application?
8.7. Do you have experience with implementing and supporting highly available solutions at the database tier?
8.8. Do you have a security team that can assist with security audits/certifications, if needed?
8.9. Do you support OS patching?
8.10. Please describe the support structure you deploy.
8.11. Please describe your activation process.
8.12. Can you help with application optimisation? Please elaborate.

9. Compliance / Certifications
9.1. Does the company comply with existing US Dept of Commerce Safe Harbor registrations and certifications and EU Data Privacy regulations?
9.2. Does your company comply with HIPAA data privacy and security standards?
9.3. Are your facilities and/or environments PCI certified?
9.4. When was the most recent SSAE 16 review performed?
9.5. How can you assist me in certifications or compliance that my company must have but you may not currently hold?

10. IaaS / Cloud Features and Functions
10.1. General
10.2. Network information
10.3. Storage information


Introduction – Purpose of Document

The intent of this document is to assist companies in creating a Request for Proposal (RFP) document that is focused on cloud or infrastructure-as-a-service (IaaS) solutions and managed services of the environment. Companies can use this document to ensure they are covering the most important and relevant questions in assessing cloud vendors, solely from an infrastructure perspective. Soliciting detailed answers beyond a simple ‘yes/no’ will give you more clarity regarding how the right provider can assist in the growth of your business.

Companies should also make sure to address the following areas as part of the RFP document format, which are not directly addressed by this RFP template.

1. Project overview
- Introduction to your company
- Project description
- Terms and definitions
- Minimum requirements for selection
- RFP schedule

2. Instructions and procedures
- Communication
- Proposal format
- Proposal pricing
- Proposal submission requirements
- RFP and proposal participation requirements
- Standard terms and conditions
- Evaluation criteria and process

The pen symbol to the left highlights notes for the section or a particular question. You will see these symbols throughout this document.

1. Personnel Security / Auditing

Note: This section is important in ensuring that you gain a good understanding of the cloud vendor you’re reviewing. You want to ensure the provider has the proper processes in place to validate the personnel they employ. This may be particularly relevant if you are subject to compliance requirements.

1.1. Do you provide background/credit/education/drug screening of employees involved in the delivery of your service?

1.2. Do your personnel sign non-disclosure and confidentiality agreements?

1.3. Does an internal security awareness policy exist for employees?

1.4. Does the information security programme include a policy on:

• Data encryption:
• Data handling (secure use, storage, and destruction of sensitive data):
• Data classification:
• Physical access:
• Electronic access:
• Data retention:
• Acceptable/authorised use policy (e-mail/Internet/etc.):
• Security configuration standards for networks, operating systems, applications, and desktops:
• Security patching:
• Vulnerability management:
• Password management:
• File directory rights and permissions:
• Prevention of computer viruses:
• Disaster recovery plans:

1.5. How are employees kept abreast of changes to the security policy?

1.6. Are employees aware of the process for reporting security incidents?

1.7. Is there an internal audit group responsible for reviewing the information security environment?

1.8. Do contracts with your vendors require a minimum level of security from the vendor?

1.9. When an employee leaves the company, are access privileges immediately revoked?

2. Physical Security / Auditing

Note: This section looks at the mechanisms, systems, and procedures that the cloud vendor has in place to address physical security in the environments they use to provide their services. It’s very important to have a solid understanding of the facility and how access is controlled, to ensure that your data and your business are adequately protected.

2.1. Are visitors required to sign in, be issued with identity badges, and be escorted while on the premises?

2.2. Are access logs from the facility maintained for at least 30 days?

2.3. Does the company have policies on removable media in the data centre?

2.4. Do third parties have physical access to data center space where your cloud infrastructure is located?

2.5. Are the facilities premises separated into different control areas such as data center floor, loading/delivery areas and others?

2.6. What are the hours of operation of the security facilities at the data center?

2.7. Is there CCTV monitoring of the data center floor?

2.8. Are loading dock or delivery areas monitored by CCTV?

2.9. What is the retention policy on CCTV feeds?

2.10. How is the cage space for your cloud environment separated from other data center clients?

2.11. Describe the fire suppression solution used in the data center.

2.12. Are temperature and humidity controls in the data centre restricted to authorised personnel only and separated from the rest of the facility?

2.13. Are there procedures in place to control the removal of property from the facility?

2.14. Is there a holding area for deliveries at the data centre where internal doors can be secured while external doors are open?

2.15. How are power and communications cables physically separated?

2.16. Are there locked/alarmed conduit boxes?

2.17. Are inventory records maintained of all hardware?

2.18. Do you sweep for unauthorised devices attached to cables?

2.19. Does the facility include the following physical security elements?

• electronic access control
• CCTV monitoring
• alarm systems (windows, doors, server areas, etc.)
• on-site security guards
• building specifications
• identity badge procedures
• logging of site access
• power and network redundancy
• power surge protection
• fire suppression systems
• heating/air conditioning

3. Logical Security / Auditing

Note: This section focuses on access to systems, networks, and overall logical security practices, allowing you to gain an understanding of how the vendor maintains a secure environment. It’s critical that the provider has the processes or procedures in place to provide a secure environment and maintain visibility of potential security breaches. Remember that this really pertains to the cloud infrastructure that provides the resources you will consume. This is infrastructure that YOU will not have access to, so you want to know the provider has it covered.

3.1. Please provide a copy of your information security policy.

Note: The answer to this question may be that they cannot provide a copy of the security policy, as restricting its distribution is itself part of the security policy. A write-up of what it covers is the best outcome here.

3.2. Does a separation of duties exist between individuals who authorise access, personnel who enable access, and personnel who verify access to your infrastructure?

3.3. Are all critical system clocks and times synchronised, and do logs include a date and time stamp?

3.4. Is it standard for you to have the development/test systems segregated from the production systems to ensure segment access control between diverse environments?

3.5. Do access control logs contain successful/unsuccessful login attempts and access to audit logs?

3.6. Do audit trails include a record of individual or process identity, date, time, function performed and the resource(s) accessed?

3.7. Does a formal log review process exist?

3.8. Are system logs unalterable (e.g. use write-once technology or equivalent protection)?

3.9. Are all activities on the networking infrastructure performed by personnel with unique logins, and are they logged?

3.10. Do you provide two-factor authentication?

3.11. Are installation and vendor-default passwords provided with new hardware, system software, etc. reset before they go into production?

3.12. Do administrators and remote users have individually-assigned user identities and passwords?

3.13. Do systems notify users of their last successful login to their account?

3.14. Are all activities on the virtualisation layer performed by personnel with unique logins, and are they logged?

3.15. Are access scripts with embedded passwords prohibited?

3.16. Are system administrators the only people who have administrative privileges?

3.17. Is access to all program libraries restricted and controlled?

3.18. Are your support representatives able to access client data?

3.19. Can client support representatives obtain client passwords?

3.20. Explain how passwords are created and communicated to clients (i.e. password requirements and policy).

3.21. Are all operator accounts reviewed on a regular basis to ensure that malicious, out-of-date, or unknown accounts do not exist?

3.22. Is an automatic computer screen locking facility enabled for system administrators? This would lock the screen when the computer is left unattended for a certain period.

3.23. What type of operating system hardening does your company have experience in?

3.24. Do you periodically check your network to ensure that no unauthorised equipment has been attached to it?

3.25. What type of security procedures/policy is in place to ensure the security of equipment outside of the organisation (including portable equipment, offsite equipment, hot-site, etc.)?

3.26. Does the company have a formal programme in place to classify, label, handle, and dispose of information?

3.27. Does the company have the appropriate controls in place to co-operate with investigations by law enforcement officials? Do collection of evidence policies and procedures exist?

3.28. Explain the process and controls in place for SSL key management.

3.29. Do you have access to the client’s VM OS admin passwords?

3.30. Do your underlying portal management systems ensure that clients cannot access networks and systems owned by other clients, and that there is no ability to bypass the management interface to the underlying infrastructure?

4. Monitoring / Request Management

Note: Monitoring and ticketing systems are important solutions that a provider should have in place to monitor the capacity of the underlying cloud infrastructure. There are also services you can leverage to monitor your cloud environment that may be useful. A request management or ticketing system is important to ensure proper documenting and tracking of issues/requests.

4.1. What controls does your company have in place to monitor the cloud infrastructure capacity?

4.2. Do your clients have access to a monitoring portal?

4.3. Can you monitor the performance of our application?

4.4. Can you monitor the performance of our database environment?

4.5. Is there an option to receive alerts directly from your monitoring solution?

4.6. Do you have the ability to monitor logs for specific event codes or error codes?

4.7. What process would we follow to request support assistance?

4.8. Can your ticketing system integrate with ours?

4.9. Do you provide trending reports on capacity and performance?

5. Data backup / business continuity / disaster recovery

Note: SaaS companies are expected to provide protection for their services and for their clients’ data, including backups for disaster recovery. A provider’s understanding of these requirements will give you and your clients peace of mind. Here you want to understand what the provider can offer that you can leverage.

5.1. Does your company have a formal written business continuity policy?

5.2. Is the distance between the backup recovery facility and the primary location adequate to ensure that one incident does not affect both facilities?

5.3. Does the recovery location use different power and telecommunications grids from those used by the primary site?

5.4. Do you have insurance coverage for business interruptions or general service interruptions, regardless of the reason?

5.5. Does your company carry cyber-insurance? Does this cover identity theft, cyber-extortion, cyber-terrorism, information asset network security, web content, errors and omissions, and network business interruptions?

5.6. Is there a communication plan in place for notifying clients that a major event has occurred and could potentially impact service delivery?

5.7. Do you have established recovery time objectives in the event of a disaster?

5.8. What is the retention scheme for standard server backups?

5.9. Do you have an automatic or self-provisioned backup solution for your public cloud? If so, please describe the features it offers based on the previous questions asked about backups.

5.10. Would the recovery location use different power and telco grids from those at the primary site?

6. Vulnerability / intrusion detection / anti-virus

Note: Security and data protection is a concern for organisations using SaaS in every market segment. Your clients expect you to have systems in place to address attacks of every type. Your provider can supply you with some of these solutions and recommend others to address your needs. Attacks happen every day and in most cases you can’t prevent them, but you need to have the controls in place to mitigate and respond. Ask about the services the provider has to offer to leverage their best practice in protecting web applications from malicious attacks.

6.1. Please describe your general network security and intrusion detection system (IDS) information.

6.2. How does your company prevent Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks?

6.3. Are third party vulnerability assessments conducted?

6.4. Are penetration tests conducted?

6.5. Describe your incident response procedures.

6.6. Is anti-virus software utilised on system components?

6.7. What information is typically logged? Does a formal network log review process exist?

6.8. Are the following general server controls in use?

• restricted access to authorised users only
• regular reviews of access privileges
• removal of default/guest passwords and accounts

6.9. Are wireless devices utilised in your network?

6.10. Are system configuration checking tools (host intrusion detection systems (HIDS)) utilised and maintained (e.g. Tripwire, Symantec, ESM)? Please indicate tools and versions.

6.11. What host-based intrusion detection system (HIDS) do you use?

6.12. Are tools in place to monitor and manage file integrity?

6.13. Is vulnerability assessment management in place?

6.14. Do routers have defined access control lists to specify access to and from your network?

6.15. Is access to network perimeter devices strongly authenticated and/or IP strapped?

6.16. Do system standards/procedures include disabling all unneeded or unused services?

6.17. Is network address translation or port address translation used to conceal IP addresses from the public domain?

6.18. Do firewalls block all IP and port access, and use defined access control lists or conduits to specify address and port access for known communication into and out of the network?

6.19. Are firewall access control lists reviewed as part of either an internal or external audit?

6.20. Is network address translation (NAT) or port address translation (PAT) used to conceal IP addresses from the public?

6.21. Can clients conduct independent penetration testing of their environment?

7. Control / incident response processes

Note: Your cloud vendor should have experience in these critical processes to ensure high levels of uptime when they are performing changes to shared infrastructure or if they are making changes on your behalf. This should be standard process for providers, but it is not always, so make sure to get the full details.

7.1. Describe your company’s formal change control process.

7.2. Describe your company’s patch management procedures.

7.3. Are your processes covered under your SSAE16 audit?

7.4. Describe your process for security event monitoring and notification/alert/response plans.

8. Managed services

Note: Managed services can help drive down your operational costs. Offloading the daily care of your Web application environment allows your staff to focus on development or tasks that require deep domain expertise in your application. Most businesses prefer to invest in product development or sales personnel rather than in operations. System administration is a time-consuming, low-value task, particularly as environments grow. In addition, running operations effectively is difficult, and few companies wish to invest in making running operations a core competency.

8.1. Do you have managed services options? Please provide an overview of your services.

8.2. Do you have experience in supporting Web applications?

8.3. Is your support available 24/7/365?

8.4. Do you have experience in supporting highly available solutions (i.e. database clustering, load balancing)?

8.5. Can you support the rollout of application changes and updates to our custom SaaS application?

8.6. How can you help with identifying performance issues with our application?

8.7. Do you have experience with implementing and supporting highly available solutions at the database tier?

8.8. Do you have a security team that can assist with security audits/certifications, if needed?

8.9. Do you support OS patching?

8.10. Please describe the support structure you deploy.

8.11. Please describe your activation process.

8.12. Can you help with application optimisation? Please elaborate.

9. Compliance / Certifications

Note: A provider’s understanding of and experience in compliance/certifications can add significant value, depending on your application and industry. Leveraging a provider’s certifications or its ability to provide guidance in this area can save you time and money and ensure that there’s an appropriate level of focus on security.

9.1. Does the company comply with existing US Dept of Commerce Safe Harbor registrations and certifications and EU Data Privacy regulations?

9.2. Does your company comply with HIPAA data privacy and security standards?

9.3. Are your facilities and/or environments PCI certified?

9.4. When was the most recent SSAE 16 review performed?

9.5. How can you assist me in certifications or compliance that my company must have but you may not currently hold?


10. IaaS / Cloud Features and Functions

Note:

This area is focused on the core cloud infrastructure’s features and functions. Having visibility of the flexibility, scale and functional capability of the service enables you to make optimum use of the resources. An API is key to ensuring you leverage the full power of IaaS in terms of scaling, performance and the overall experience of your SaaS application. If your application is sensitive to latency, location may become a key criterion.

General information

10.1. General

10.1.1. In which countries is your cloud available?

10.1.2. Which hypervisor software do you use for your cloud?

10.1.3. Do you provide the option for private clouds to be hosted in your facility or in a facility we provide?

10.1.4. Do you have an API for your cloud? If so, are any functions available only through the API, or only through the UI?

10.1.5. Can responsibilities on your cloud portal be segmented per user account?

10.1.6. Are reports available through your cloud portal? If so, please provide examples.

10.1.7. What is the increment of resource billing (e.g. monthly, hourly, etc.)?


10.2. Network information

10.2.1. Are DMZs available (i.e. a three-tier architecture: presentation/application/database)?

10.2.2. Does your IaaS or cloud solution support multicast?

10.2.3. Do you provide a firewall? If so, how?

10.2.4. Do you provide load balancing? If so, how?

10.2.5. Can SSL certificates be installed on cloud load balancers?

10.2.6. Can I add custom firewall rules to a cloud network?

10.2.7. How many cloud servers can I create in a cloud network?

10.2.8. Can you support MPLS or direct circuit connections into your cloud?

10.2.9. Do you have site-to-site or client-to-site VPN options?

10.2.10. Do you automatically assign a public IP address to a server when it’s deployed?

10.2.11. Does your IaaS/cloud provide NAT capability?

10.2.12. Do you have encrypted connections between all of your global cloud locations? If so, are they optimized?

10.3. Storage information

10.3.1. Can we utilise CIFS and/or NFS with your IaaS or cloud solution?

10.3.2. Does your IaaS or cloud have a NAS solution?

10.3.3. Do you offer tiered storage options for your Cloud Servers? Please describe.

10.3.4. Do you offer Hadoop as an option on the cloud?

10.3.5. Do you have a block-level storage option?

10.3.6. Do you have external storage options?


10.4. Cloud server information

10.4.1. What are the maximum CPU, RAM, and storage limits a cloud server can have?

10.4.2. Are your clients locked into specific image sizes when deploying cloud servers (i.e. a specific amount of RAM, CPU, and disk locked in)?

10.4.3. Do your clients have the ability to adjust the resources of the cloud servers after deployment (i.e. adjust CPU, RAM or disk without deleting the server or migrating data)?

10.4.4. Does your IaaS or cloud allow the use of database clustering such as MS SQL clustering?

10.4.5. Do you offer physical servers or hybrid solutions as part of the cloud environment?

10.4.6. Do you provide console access to the cloud servers?

10.4.7. Do you have the ability to back up data on a server through your cloud UI?

10.4.8. Can you clone or copy a server?

10.4.9. Is your cloud server storage persistent?

10.4.10. Can you add or delete cloud server storage as necessary?

10.4.11. How do you protect VMs from being deployed on the same
