11:00 a.m. The closing time will be as per the clock at the RAF reception

RFI: ICT Security Solutions - RAF/2015/ 00019 Page 1 of 9

RFB NUMBER: RAF/2015/00019

DESCRIPTION: Request for Information: ICT Security Solutions

PUBLISH DATE: 18 September 2015

VALIDIY PERIOD: 120 days from the closing date

CLOSING DATE: 20 October 2015

CLOSING TIME: 11:00 a.m. The closing time will be as per the clock at the RAF reception

Non Compulsory Briefing Session

Road Accident Fund (RAF)

420 Witch-Hazel Avenue, Eco Glades Office Park 2, Block F (at reception, on the ground floor) Centurion

Date: 29 September 2015 Time: 10:00

RFI RESPONSES MUST BE HAND DELIVERED /

COURIERED TO:

Road Accident Fund (RAF)

420 Witch-Hazel Avenue, Eco Glades Office Park 2, Block F (at reception, on the ground floor) Centurion

ATTENTION: Noluthando Nyoka

NB: Bidder(s) must ensure that they sign the register at the reception when delivering their bids.

BIDDER NAME:

Bidders should ensure that RFI responses are delivered in time to the correct address. If the RFI is late, it shall not be accepted for consideration. The RAF reception is generally accessible eight (8) hours a day (07h45 to 16h00); five (5) days a week (Monday to Friday). Bidders must ensure that they sign the relevant register at the reception when delivering bids. Bidders must advise their couriers of the instruction above to avoid misplacement of bid response

RFI: ICT Security Solutions - RAF/2015/ 00019 Page 2 of 9

THE FOLLOWING PARTICULARS MUST BE FURNISHED. (FAILURE TO DO SO SHALL RESULT IN YOUR RFI BEING DISQUALIFIED.)

BIDDING STRUCTURE

Indicate the type of bidding structure by marking with an ‘X’: Individual bidder

Joint venture Consortium

Using subcontractors Other

If individual bidder, indicate the following: Name of bidder

Registration number VAT registration number Contact person Telephone number Fax number E-mail address Postal address Physical address

If joint venture or consortium, indicate the following: (To be completed for each joint venture/ consortium member)

Name of joint venture/consortium members Registration number

VAT registration number Contact person

Telephone number Fax number E-mail address

RFI: ICT Security Solutions - RAF/2015/ 00019 Page 3 of 9 Postal address

Physical address

If using subcontractors, indicate the following: Name of prime contractor

Registration number VAT registration number Contact person Telephone number Fax number E-mail address Postal address Physical address

RFI: ICT Security Solutions - RAF/2015/ 00019 Page 4 of 9 If joint venture or consortium, indicate the

following:

Name of prime contractor Registration number VAT registration number Contact person Telephone number Fax number E-mail address Postal address Physical address

If using subcontractors, indicate the following: (To be completed for each subcontractor)

Name of subcontractor Registration number VAT registration number Contact person Telephone number Fax number E-mail address Postal address Physical address

RFI: ICT Security Solutions - RAF/2015/ 00019 Page 5 of 9 ENQUIRIES

Enquiries regarding this Request for Information should be submitted via e-mail to:

Bid enquiries:

Ms. N Nyoka [email protected]

Enquiries should reference specific paragraph numbers, where appropriate.

All questions/ enquiries must be forwarded in writing not later than 11:00 on 30 September 2015

Questions/enquiries received after 11:00 on 30 September 2015 will not be entertained.

RFI: ICT Security Solutions - RAF/2015/ 00019 Page 6 of 9 SCOPE OF WORK: ICT SECURITY SOLUTIONS OR SERVICES

1. The Road Accident Fund

The Road Accident Fund (RAF) is a schedule 3A Public Entity established in terms of the Road Accident Fund Act, 1996 (Act No. 56 of 1996), as amended. Its mandate is the provision of compulsory social insurance cover to all users of South African roads, to rehabilitate and compensate persons injured as a result of the negligent driving of motor vehicles in a timely and caring manner, and to actively promote the safe use of our roads. The customer base of the RAF comprises not only the South African public, but all foreigners within the borders of the country. The RAF has regional offices in Pretoria, Johannesburg, East London, Durban, Nelspruit and Cape Town and a large number of satellite offices and hospital service centres across the country.

2. Background to the Request for Information (RFI)

RAF is improving its Information Security infrastructure to ensure alignment to strategic objectives in both the Information Security & IT Risk Management strategies as well as compliance with legislation such as Protection of Personal Information (PoPI). The purpose of this RFI is to request appropriate best practice industry information that may be used in the drafting and publishing of a future bid process.

3. Scope of work

The RAF is seeking information from bidders to provide ICT Security Solutions or Services for a period of three (3) years. We are specifically looking for information about on-premise, cloud based or hybrid solutions/services. In the event of cloud based solutions, preference is for local bound solutions within the borders of South Africa. Our current IT infrastructure is centralized in Gauteng. Bidders can respond to one or more of the following solutions:

 Identity and Access Management Solution (IAM);

 Personal information Identification and Marking;

 Database Activity Monitoring (DAM) Solution;

 Unstructured Data Solution; and

 Data Loss Prevention (DLP) Solution.

The systems must have the capability to provide reports and analytics.

NB: A Request for Proposal (RFP) will only be issued to the bidders who respond to this RFI. Bidders

RFI: ICT Security Solutions - RAF/2015/ 00019 Page 7 of 9 3.1 The solutions/services scope covers:

3.1.1 Identity and Access Management Solution (IAM) key features:

 Enhanced security for the identification, authentication and authorization of employees.

 Centralization of authentication for easier user lifecycle management.

 Multifactor authentication mechanisms.

 Privileged user management.

3.1.2Personal information Identification and Marking key features:

 Identify information stored on file servers, online portals, document management systems and notebook computers that may be sensitive information but not easily identifiable.

 Identification, alerting and remediation of sensitive information with poor access controls

 Definition of policies for protection, access rules and classification of personal information identified.

 Supports the implementation of legislative requirements e.g. POPI 3.1.3Database Activity Monitoring (DAM) Solution key features:

 Enterprise database auditing and real-time protection.

 Generation of log data for import into log management system.

 Activity monitoring, intrusion prevention and risk management for business applications and databases

 Fingerprinting database and application interactions to protect against threats.

 Enforce information handling rules on databases and SharePoint

 Fraud protection on all systems using backend databases including SAP

 Real time monitoring of unauthorized database access and document management systems

 Detection of unauthorized access by administrators.

 Ability to detect and respond to unauthorized activity by preventing access to data – operates like a database and application firewall

 Ease of compliance reporting 3.1.4Unstructured Data Solution key features:

 The solution has the capability to identify, monitor and access control information that is stored in shared servers and other file storage.

 Authorized access to unstructured data is assured while audit trails are maintained for accessed data

 Information classification implementation is enhanced through identification of data and owners. 3.1.5Data Loss Prevention (DLP) Solution key features:

 Identify RAF Information and implement access control for data in motion and data at rest

 Risk based tracking of data in motion and data at rest

 Addressing of insider threats to organization by enforcing what users are permitted to transfer out of the organization.

RFI: ICT Security Solutions - RAF/2015/ 00019 Page 8 of 9 4. TECHNICAL MANDATORY & TECHNICAL FUNCTIONAL CRITERIA

Technical Mandatory requirements

Bidders must indicate compliance by ticking the relevant box “Comply” or "Not comply”

Note: The following technical mandatory requirement must be met by the bidders and it will be expected of bidders to supply proof or confirm their commitment during the potential RFP.

Mandatory Comply Not Comply

4.1.1 The solutions/services must have been deployed in an enterprise information security environment preferably similar to the RAF industry. Substantiate / Comments

RFI: ICT Security Solutions - RAF/2015/ 00019 Page 9 of 9 5. PRICING SCHEDULE: ICT SECURITY SOLUTIONS

5.1 NOTE: All prices must be VAT inclusive and must be quoted in South African Rand (ZAR), the quoted prices is for budget purposes only and not for award.

5.2 Please provide your total indicative bid price to be used as a guideline R………..……… (compulsory)

a. This price will not be evaluated but will be for noting for budgetary purposes.

b. NOTE: All prices must be VAT inclusive and must be quoted in South African Rand (ZAR). c. This RFI is not a solicitation and that there are no commitments with respect for future

purchases or contracts.

d. The below table is a guideline in terms of costing.

Deliverable Solution cost Services cost

Software cost R

Licensing R R

Hardware R R

Implementation R R

Knowledge, skills and training R R

Support and Maintenance R R

Professional services R R

Any other: (specify) R R

Total VAT exclusive R R

VAT R R