Request for Proposals for Data Center/Mainframe Hosting Solution

(1)

Request for Proposals for Data Center/Mainframe Hosting

Solution

PROPOSALS DUE:

June 4, 2013 @ 5:00PM (PST)

Provided to (Company):

Accepted by (Representative):

(2)

Request for Proposals for Data Center/Mainframe Hosting Solution Page 1

Table

of

XyberNET Inc. ‐ Data Center RFP

Instructions

Deadline for submission of questions by candidates – 05/24/2013 EOD (PST)

Responses to questions to be returned no later than – 05/28/2013 10:00am (PST)

An original proposal must be signed and delivered to the address below by 5:00pm (PST)

on 06/04/2013.

An electronic copy must also be emailed to: Sales@Xyber.net

Respondents may mail or deliver three (3) printed copies of their proposals to:

XyberNET

10640 Scripps Ranch Blvd

San Diego, CA 92131

XyberNET will review completed RFP responses during the week of June 4th and contact

selected candidate companies on June 10th or June 11th to schedule interviews.

Interviews will be completed by June 21st and final candidates will be selected by June

28th. Contract negotiations will be conducted during the month of July.

XyberNET will not be responsible for any Proposal(s) that is (are) lost in the mail or not delivered by the stated deadline for any reason.

XyberNET is not held liable for any costs incurred by any respondents to this RFP, during

the preparation or delivery of their responses. Costs incurred are the sole responsibility

of the vendor.

XyberNET reserves the right, at its sole discretion, to reject any/all Proposals or to

cancel this RFP in entirety as determined to be in XyberNET’s best interests. Any

Proposal received which does not meet the requirements of this RFP, may be

considered to be non‐responsive, and the Proposal may be rejected. Proposers must

comply with all of the terms of this RFP and all applicable Federal, State and Local laws

and regulations.

XyberNET reserves the right, at its sole discretion, to waive any technicality in Proposals

provided such action is in XyberNETs best interest. Where XyberNET waives minor

technicalities in Proposals, such waiver does not modify the RFP requirements or excuse

the proposing Firm from full compliance with the RFP. Notwithstanding any minor

technicalities, XyberNET may hold any Firm to strict compliance with the RFP.

(4)

Overview

XyberNET is looking for the ideal outsourcing data center to meet both our current and

future needs. XyberNET has been in business for over 30 years and is the leading

provider of software and services to the insurance vertical. We specialize in, but are not

limited to, products and support for credit insurance, debt protection and P&C business.

Our client base is split between companies that license and install our software products

in their own environments and those that utilize our software products through our

Application Service Provider (ASP) services. XyberNET’s business model includes

licensing software, ASP services, annual maintenance agreements and a variety of

professional services such as custom programming, training and consultation. We

maintain a full staff of professionals that are available to do the various support work.

For our ASP clients, we provide Production Control services as well.

Overall, XyberNET has approximately 20 clients located throughout North America, with

potential for additional international clients. We are looking for a business partner that

can support us in both a production environment, servicing several clients, as well as a

full development environment. Security and connectivity reliability are both crucial to

our business as ours is a 24/7 environment.

Our core software products run on an IBM mainframe, using Cobol, VSAM and DB2. We

also have products that are run on SQL Server as well as ASP.NET web products. We are

at a crossroads and are looking for a data center that wants to move forward with us.

With less than 20 employees we are a small shop, but our client base includes some of

the biggest names in the industries we support. We are currently on older releases of

many of the software products we use, which is holding us back from some of the

projects we have on our docket. We are looking for a well‐staffed, forward thinking,

reliable and proven data center to support our needs.

Purpose

The purpose of this RFP is to determine whether or not the ideal business partner is out

there and available to us. It is our desire to move to completion on this process within a

3‐4 week timeframe, so, if you are interested in participating, we ask for quick

turnaround from you. If you choose not to participate, please email that information to

us and return the RFP to our attention.

Requirements

XyberNet has long relied upon mainframe processors to conduct business for itself as

well as its client base. Current mainframe processing is performed on an IBM z9

processor running OS release 1.7 in a single 100 MIP LPAR with a total memory of

(5)

is no longer adequate for our needs, we are looking for a larger, faster environment

closer to the 150 MIP range.

XyberNet supports multiple ASP clients with client access to multiple CICS v2.3 regions,

as well as TSO. In total there are 25 active CICS regions with another 16 regions which

may be activated for special release level activities at any time.

Clients access the system through secured VPN connections and/or TN3270 over the

internet using SSL. XyberNet provides FTPS services to its client base and it is imperative

that any new data center relationship provide this and other secured protocols to the

mainframe.

Client connectivity and online availability is critical to the success of this company. One

critical aspect of this relates to the processing of client batch cycles during off hours. As

such, XyberNet requires 24 hour production control and technical support from its

vendor of choice. This includes the monitoring and notification of batch processing

activities during second and third shifts to insure that all cycle activities and online

systems are available to our clients by their specified time.

XyberNET’s DASD farm is approximately 2TB in size, this includes volumes specifically

allocated for system services (HSM, VTS, SYSRES), development and client production

environments. These environments are SMS managed. The tape farm consists of

approximately 18,000 in‐house tapes, with the vast majority allocated to HSM and for

offsite storage. XyberNET is very interested in pursuing a tapeless environment and the

selected vendor must be able to accomplish the transition to this environment within 1

year. This would also involve the expansion of the current DASD farms for VTS, HSM

and others to conform to the new structure. As part of this transition, XyberNET is also

interested in the electronic transmission of critical production and system related files

to a secured offsite storage location.

Annually, XyberNET performs its Business Continuity testing. This testing includes not

only validating our ability to perform functions in support of our development needs,

but also functions related to the production support of our clients. We also invite our

clients to participate in the testing of their environment during this period as well. This

test normally occurs during the September to October timeframe (for a period of 2

days). It is preferable that the selected vendor have an established B.C. site to perform

this testing.

Respondents

Business

overview

Please provide an overview of your business and the solutions you provide. Include all

lines of business and a short description of each.

(6)

Questionaire

(We request that vendor candidates’ answers be as detailed as possible)

1. Define your corporate structure to include:

a. Ownership structure of your company, including any parent companies.

b. How many data centers to you have?

c. Where are the data centers located?

d. Where are your corporate headquarters located?

2. How long have you been in business as a data center?

3. How long has your data center, or data centers, been in their current locations?

4. How many data center related clients do you service?

a. Please provide a breakdown of how long your clients have been utilizing

your data center services.

5. What contract terms, in years, do you offer your clients?

6. What percentage of your clients renew their contracts for your services?

7. What percentage of your renewals are multiple year contract renewals?

8. How many clients do you provide combination mainframe and server based

hosting services for; meaning they themselves are service providers to their

clients?

9. Do you have existing clients that, in addition to developing mainframe

applications, host these production applications and data for their client base on

your systems?

10.What kinds of businesses do you support?

11.To what professional organizations do you belong?

12.How do you stay abreast of new ideas and current trends?

13.Are you an IBM business partner?

a. If yes:

i. What level?

ii. Explain how your company complies with IBM standards

iii. What requirements does your company fulfill in order to maintain

its partner status, and how often?

iv. How long has your company held “Business Partner” status?

b. If no:

i. Explain how your company complies with IBM standards?

ii. Explain how your company leverages 3rd party IBM partners in

support of your clients?

iii. What SLAs are in place to govern the relationship with your 3rd

party IBM partner(s)?

iv. Does your company contact IBM directly for assistance or work

solely through business partner(s)?

14.What technical certifications do you require your staff to obtain and maintain?

15.Please provide an overview of your current staff that would be supporting our

business, broken down by primary functions.

16.What is your Full Time Employee to Contractor ratio?

(7)

18.What data management and datacenter environment certifications does your

company have?

19.Does your facility meet SAS70/SSAE16 requirements?

a. Please explain

b. How often do you complete SAS70/SSAE16 audits?

20.Does your facility meet ISO9000 requirements?

a. Please explain

21.Is your facility PCI compliant?

a. Please explain

22.Is your facility HIPPA compliant?

a. Please explain.

23.Will you allow XyberNET or a XyberNET specified third party vendor to perform

regularly scheduled audits for the purposes of validating adherence to mutually

agreed upon SLAs for hardware, software, mainframe and network topology

configurations and updates?

24.Are your facilities completely redundant?

Hardware

1. Please describe your hardware maintenance philosophy related to mainframe,

server and network appliances.

2. Please describe your mainframe processing capabilities

a. How many and what type of mainframe computers are installed at your

facility?

b. How many of these systems are shared, versus client specific?

3. Describe your peripheral environment

4. For shared mainframe systems, please describe your methodology for dividing

up the system and ensuring enough processing power for normal, peak and

excessive processing demands.

5. Can you provide, and support, a XyberNET specific LPAR with multiple

development and production regions?

6. Do you allow clients to perform regularly scheduled audits to confirm hardware

maintenance, updates and configurations meet the agreed to SLA requirements?

7. Can you provide Network Time Server services on the mainframe and NTP? Software

1. Please describe your software maintenance philosophy as it relates to:

a. Mainframe, network, peripheral, data center firmware

b. IBM operating system updates

c. Mainframe utilities

d. All other programs running on the mainframe.

2. Do you have currently installed security certificates issued based on 2048 bit

(8)

3. What is the highest level of security encryption and what algorithms are

supported for SSL certificates?

4. Do you notify clients when software applications such as operating systems,

system utilities and other “data center managed” applications are due for

upgrades?

5. Will you allow XyberNET or a XyberNET specified third party vendor to perform

regularly schedule audits to validate software applications meet agreed to SLA

requirements?

6. How would you structure XyberNET access to enterprise software licenses?

7. How do you manage recommendations for software; i.e. if there is a software

package that could perform better or better suit our needs, how would you bring

this to our attention?

8. How do you manage software inventory in production and dormant and provide

consultation on the usage of these applications?

Support

1. Do you provide on‐site 24X7 support?

a. If yes, please explain your existing support structure for

i. Mainframe services

ii. Hosted server services

iii. Network services

iv. Monitoring of operating system consoles

v. Monitoring of jobs and critical applications

vi. Supporting scheduled processing of batch jobs and backups

inclusive of re‐run/re‐start procedures and problem resolution

vii. Documenting cause and nature of both scheduled and

unscheduled outages

viii. Responding to system messages and requests for resources as

required

ix. Reporting equipment malfunctions and contacting client when

appropriate

x. Daily incremental backups and full volume backups.

2. Will you provide on‐site operational support for our production cycles 24/7?

3. What are your standard response commitments to system administration and

ongoing engineering change requests?

4. Please provide an example of your standard SLA’s for hosting services to include:

a. Response times on issues resolution

b. System availability

c. Change requests, such as port assignments

d. Updating network settings on the mainframe, including but not limited

to:

i. DNS server settings

(9)

iii. IP addresses/subnet mask

iv. Gateway

5. Do you support “Defense in Depth”, mainframe security through host‐based

firewall, credentialing and permissions?

6. Will you respond to regular security questionnaires submitted by XyberNET?

7. Do you provide SSL Services utilizing security certificates issued by commercial

Certificate Authorities to support:

a. FTPS (Port 992)

b. TN3270 (Port 990)

c. HTTPS for web and CICS

d. Other services

8. Can your company support:

a. Taking custody of XyberNET’s equipment in the current datacenter and

spearhead its migration to your facility?

b. Ongoing shipping and packaging, on request, of network appliances,

peripherals and servers?

c. Provide, as needed, installation of XyberNET owned servers, network

appliances, power management and peripherals and comply with and

maintain a documented network topology?

d. Provide power cycles to XyberNET hardware 24x7 upon request?

e. Supplying rack systems for Dell rapid rails, standard racks and rack

support for XyberNET appliances?

9. Do you foresee the need to add staff to support our business?

10.What metrics do you provide to your customers for monitoring system

performance and processing times for both mainframe and non‐mainframe

applications and hardware?

11.Provide a list of performance monitoring tools used at your data center.

12.Describe the reporting that can be generated and provided to your clients and

on what frequency.

13.Describe your process for validating fixes, prior to implementation into your

clients production environments.

14.Do you have an on‐site test lab which would enable your engineers to trouble‐

shoot outside of the production environments?

15.Please explain your change management process.

ClientManagement

1. What is your overall approach to managing your clients?

2. What are your overall goals of Client Management?

3. Do you assign an Account Manager to each client? If so, please elaborate on the

role of this individual. Migration

1. Describe how your company would manage the migration of XyberNET’s

(10)

Request for Proposals for Data Center/Mainframe Hosting Solution Page 9 a. Hardware b. Software c. DASD farm d. Tape silo e. Servers f. Network equipment

2. If the migration includes any form of electronic data transmission, how would

you ensure the security of the data during transmission?

3. What security measures would be invoked for the physical transfer of data

contained on tape or other medium, between facilities?

4. When was your last client migration?

a. What was involved?

b. How how long did the exercise take to complete?

c. Was the migration completed as scheduled?

d. What were some of the challenges faced?

e. Please describe the team your company assembled to handle the

migration (Please include number of team members, roles and

responsibilities).

DisasterRecovery

1. Please provide an overview of your disaster recovery capabilities to include:

a. Do you provide 24 hours disaster recovery response?

i. Please describe.

b. What disaster recovery certifications are in place?

c. Where is your disaster recovery facility located?

d. Type of mainframe and server hardware located at your disaster recovery

facility.

e. Staffing

2. Does your disaster recovery facility maintain mirror images of production

systems and data, or just backup data?

3. If mirror images are maintained, how often are the images refreshed from

production?

4. In the event of a disaster, can full production services be switched over to the

disaster recovery systems, and how quickly?

5. Does your company have a documented disaster recovery and business

continuity plan?

a. Please provide a summary of how applications/system functionality and

data would be restored for XyberNET Inc. and its clients according to this

plan.

6. How do you determine priority order for bringing your client base up?

7. How often are your disaster recovery procedures tested and what is your test

execution success criteria?

(11)

Facility

1. Does your facility provide direct fiber connection from the hosted mainframe to

XyberNET’s firewall and from XyberNET’s firewall to a supplied ISP?

2. Please provide an overview of your facilities electrical power capabilities in

relationship to power consumption needs, including emergency backup power

resources.

3. Will you supply dedicated power circuits to XyberNET’s equipment and maintain

IBM standards for clean and sufficient power to the mainframe?

4. Please explain how your facility complies with (ESD) Electro Static Dissipation

standards.

5. Describe your fire suppression systems in detail.

6. What are the standard room temperature and humidity operating levels of your

facility?

7. What tier level is your data center?

8. Is your facility a “bunker” or “silo”?

Security

1. Describe how your facility protects stored data (data‐at‐rest) from unauthorized

access?

a. Is this protection enabled by default, or is it optional?

b. If encryption is used, please describe the algorithm or bit strength.

2. What methods are employed to protect data being transferred between systems

installed within your facility (i.e. mainframe data being transferred to a database

server).

3. Do you have clients that generate data requiring physical storage, outside of

their active systems, in excess of one year (i.e. tape, disk, reporting, feeds)?

4. Does your company have a formal, written information security policy and

program? If so, please provide a copy of any supporting documentation.

a. Please provide a brief summary of what is covered in the policy and

program.

b. How is this policy communicated to employees and contractors?

c. How often is the policy updated?

5. Does your company use the following Information Security Technologies on all

platforms that will host, process, transmit or store XyberNET’s or its clients data:

a. Network Firewalls

b. Network Intrusion Detection/Intrusion Protection Systems

c. Host Intrusion Detection/Intrusion Protection Systems

d. Anti‐virus software

6. Does your company employ or contract with external auditors and/or external

security companies to perform regular information security tests (penetration

tests)?

(12)

7. Has your company undergone a third party audit of its IT control policies and

procedures such as a SAS70/SSAE16?

a. If yes please attach a summary of the findings and any relevant

documentation.

8. Are you PCI compliant?

9. Does your company have a formal process for tracking and remediation of

security vulnerabilities and security patches?

a. Please describe.

10.Provide the methods that would be used to physically, or logically, segregate

XyberNET or its clients’ data from other clients data.

11.Provide frequency and rotation schedule for backups of your customers data,

including offsite storage procedures and controls used to ensure media is

accounted for during transport and storage.

12.Provide the method by which you would perform a data breach notification as it

relates to your customers.

13.Does your company have a tool that enables you to create a discrete data

snapshot for archived storage if needed? Snapshot should only contain

identified data; it should not be a full server backup that includes unneeded

data.

14.Do you have a procedure in place for complying with legal or audit hold requests

to suspend data destruction? Provide the procedure or describe the process for

notifying you of a hold and for monitoring items placed on hold.

15.Do you have a documented procedure to destroy or securely delete confidential

or sensitive data and the media types on which they reside at the end of their

lifecycle?

a. If yes, describe or attach or attach your information and media

destruction policies

16.List all physical locations where XyberNET Inc. and its clients’ data will be

processed or stored, and controls that secure against unauthorized access and

removal from those facilities (card readers, palm readers, electronic gates, video

surveillance, iris/retina scanners, etc.).

Software

applications

currently

in

use:

Detail Do you

Currently

Own (Y/N)

Interprise

License (Y/N) ASG‐TMON for CICS/ESA

ASG‐TMON for MVS (z/OS) ASG‐OASIS

ASG‐ZEBB ASG‐ZEKE ASG‐SmartScope

(13)

BMC MAINVIEW SRM (STOPX37) CA ADVANTAGE CA‐DADS PLUS for CICS CA ALLFUSION CA‐OPTIMIZER/II

CA BRIGHTSTOR CA – 1 TAPE MGMT

CA BRIGHTSTOR CA – ISM CA‐EXTEND/DASD VSAM Compression

CA BRIGHTSTOR CA – ISM‐FAVER VSAM Protection CA BRIGHTSTOR CA – ISM CA MASTERCAT VSAM Catalog Management – N/A

CA BRIGHTSTOR CA – ISM CA‐VSAMAID VSAM Tools CA Common Services (CA90s)

CA UNICENTER CA – EASYTRIEVE PLUS REPORT

GENERATOR

CA – JCLCHECK CA – View CA – Vtape

Chicago Soft MVS Quick Ref Compuware File – AID/MVS Compuware – Xpediter/TSO Compuware – Xpediter/CICS CSI fka BIMoyle BIMEDIT Mackinney VtamSwitch PKWare – PKZIP SAS Institute Base SAS SEA $avers

Innovation Data Processing – IAM VSAM performance enhancement tool.

For the above listed software applications; if you currently do not have licensed copies

available, what would your proposal be for obtaining them to meet our business needs?

Pricing

1. Please provide your standard pricing models and terms with lists of included

products and services.

2. Please provide your detailed solution proposal for our unique data center needs.

Request for Proposals for Data Center/Mainframe Hosting Solution