1.0 Managed IT Services C1/2

(1)

SECTION C – PART 1 SCOPE OF SERVICES

Project ID: ISD 15/16 SS 25 G C1/ 1 April 2015

Call Off Price Agreement For Managed IT Services (Data Center)

Table of Contents

Statement of Work and Business Requirements ---C1/2 Objective ---C1/2 Technical Requirements ---C1/2 1.0 Managed IT Services --- C1/2 1.1 Solution Architecture --- C1/3 1.2 Data Centre Specifications --- C1/3 2.0 Managed Security Services for Hosted Systems --- C1/6 2.1 Implementation Deliverables --- C1/6 2.2 Advanced Security Monitoring --- C1/6 2.3 Log Management --- C1/8 2.4 Monitoring and Reporting ---C1/8 2.5 Data Management and Auditing --- C1/8 2.6 Log Retention/Storage --- C1/9 2.7 Vulnerability and remediation Management: --- C1/9 2.8 IT Asset Inventory --- C1/9 2.9 Intelligent Prioritization --- C1/10 2.10 Reporting --- C1/10 3.0 Service Level Management --- C1/11 3.1 Service Delivery --- C1/11 3.2 Service Availability Targets --- C1/11 3.3 Support Performance Levels --- C1/11 3.4 Priority Rules --- C1/11 3.5 Reporting and Compliance with Agreement --- C1/12 3.6 In-bound Logging Methods --- C1/12 3.7 Project Team Structure --- C1/12 3.8 Project Duration --- C1/12 3.9 Payment, Penalty and Contract Termination Terms --- C1/13 3.9.1 Service Degradation Penalties --- C1/13 4.0 Managed IT Services Requirements --- C1/13 4.1 ASHGHAL Initial Managed Services Requirements: --- C1/13 4.1.1 VM Specifications --- C1/13 4.1.2 Virtual Servers Package --- C1/14 4.1.3 Minimum Bill of Materials Commitment --- C1/14 4.2 On-Demand Managed Services --- C1/14 4.2.1 Schedule of Rates for On-demand Managed Services --- C1/15 4.3 Project Plan and Similar Projects references --- ---C1/15 5.0 MANAGED SERVICES ---C1/15

(2)

Statement of Work and Business Requirements Objective

The Objective is to provide Managed IT services for Ashghal. The proposal from managed IT Services provider should cover industry leading environment designed to allow provision, recovery, and migration of critical production IT services. In the event of a disaster or disruption of managed IT Services, recovery will take place at Tenderer recovery location.

Provide the necessary hardware infrastructure to allow the production environment and provisioning of new services as well as migration of existing critical services hosted in ASHGHAL Data Centre. Provide expert assistance in preparing for the Ashghal production environment within defined timescales.

Ashghal is seeking proposals for Managed IT Services that will provide greater performance and reliability at the best cost.

Technical Requirements

 Provide Ashghal with a comprehensive IT infrastructure offering core services such as Virtual Infrastructure based upon (Hyper-V & VMware), database engines (Oracle/SQL), and other supporting services. Professional and certified team will look after the infrastructure around the clock using advanced monitoring and management systems.

 Virtual servers will be built on top of Hyper-V or VMWare hypervisors offering an industry-leading virtualized platform and best-of-breed technologies to maximize the reliability and availability of ASHGHAL applications.

 Manage and monitor all hosted components 24x7.

 Manage and monitor security infrastructure to protect hosted IT systems.

 Harden all servers to industry best practices to ensure highest levels of security are achieved.

 As part of the standard server installation managed and monitored Anti-Virus and firewall software will be installed.

 Implement all approved, operating system upgrades, service packs and hot-fixes that may affect the stability and security of the platform.

 Provide Ashghal with storage on an on-demand basis, a service which will help reduce storage costs and deal with the fluctuating demands of the business. The service allows to have the benefits of an automated storage area network without the traditional significant costs associated with storage.

 Backup as a Service will ensure the availability of ASHGHAL data in the event that a restoration is required. Provide an automated backup facility specifically developed for the hosting environment.

 Provide load balancing and application Firewall for required services. 1.0 Managed IT Services

Should be able to provide the following Managed IT Services:-  Managed Backup and Restore

 Managed Hardware – Physical Servers  Managed OS - Windows

 Managed OS Linux  Managed Clustering

(3)

 Managed Storage

 Managed Site-to-Site VPN

 Advanced monitoring services and Utilization reports  Managed SQL Server

 Managed security services for hosted systems

 Migration of Ashghal production servers and virtual machines to Tenderer’s hosting environment

1.1 Solution Architecture

The solution provider will take the burden of day to day support away from ASHGHAL internal IT staff allowing them to focus their time on growing ASHGHAL business. Clear upgrade paths enable a modular hosting solution to grow with needs of ASHGHAL adding capacity and resilience as required.

Responsible to manage the hosted infrastructure and automate operations where possible to improve application availability, and enhance service delivery.

Availability The proposed architecture should provide redundancy to limit system

related faults. Every component has a solution or strategy to achieve high availability.

Scalability All components can be scaled to provide growth to meet user

demands and business requirements.

Security The architecture should provide an end-to-end security model that

protects data and infrastructure for hosted services.

Manageability: Provide an end-to-end solution for deploying, monitoring, alerting, and administering the infrastructure. Ashghal will benefit from on-going health monitoring, and failure detection.

1.2 Data Centre Specifications

The following will provide a high level description of all the components that will make up the hosting of Ashghal infrastructure and services.

Physical Location

The infrastructure will be hosted in Tier III data center located at a highly secure location in a highly-secure location, the datacenter will conforms to the global standard TIA 942 for data centre construction. This ensures that it meets the most stringent requirements for:

 Failsafe operation

 Robust protection against natural or man-made disasters  Long-term reliability & scalability

Network Architecture

Provide and manage all network requirements for the hosted infrastructure. The data centre switches should provide 1Gbps and 10Gbps connectivity between the tiers and devices. Manages all the cabling, routing and switching in the data centre.

Implement virtual local area networks (VLANs) throughout the environment. Implementing VLANs allows maximum isolation of different segments and increases security and

(4)

management of data flow between the different tiers. The proposed network design will provide for the reliable and efficient movement of data between devices and locations. Internet and WAN Architecture

The internet links will be used for all internet services required by the infrastructure and for remote users connecting to any services published to the internet. Our initial request includes 8-10 Mbps of internet connectivity. Responsible for support and maintenance of end to end connectivity of Internet and WAN links for hosted environment.

Security Architecture

Provide and manage security requirements for the hosted IT systems. This includes managed firewalls, IPS, anti-virus.

Firewall infrastructure - a firewall-secured network environment customized to the needs of ASHGHAL environment.

Certified engineers will configure the network, firewall, IPS to support ASHGHAL business need. Once installed and configured, the solution will be monitored to proactively respond to service interruptions.

The firewalls prevent access from the internet to the trusted network and provide filtered access to the trusted network. The firewalls also provide filtered access from the un-trusted network to the un-trusted network.

In addition to the network layer protection the applications will be protected by Application Firewalls in a high-availability configuration to provide comprehensive protection against application layer attacks.

Virtual Servers

Standardized on VMware virtualization and Microsoft Hyper-V technology, to host ASHGHAL virtual machines. The dynamic nature of virtual machines means that the infrastructure can grow and adapt as required.

Hyper-V and VMware infrastructures can facilitate rapid growth, allowing ASHGHAL to leverage the benefits of hosting.

Create Virtual Servers and Virtual machines on demand based upon the request of ASHGHAL requirements.

In addition to this, liaise and work closely with ASHGHAL ISD team to provide a migration strategy to migrate productions virtual machines hosted in ASHGHAL (Hyper-V 2008 R2 / 2012 R2, VMware environment) to managed services including P2V/ V2V of physical and virtual servers.

As part of this service, to provide the following:

Installation  Install virtual infrastructure: Hyper-V and VMware clusters  Install virtual machines

Configuration  Configuration of virtual infrastructure: Hyper-V and VMware  Configuration of virtual machines up to Operating System  Configuration of shared storage

(5)

 Proactive health monitoring of key services required for virtualization

 Capacity monitoring of physical resource utilization

Management  Protection from Unauthorized Access within the constraints of the overall solution and in-line with industry best practice Maintenance  Backup of virtual machine images and configurations

 Installation of security patches to virtual infrastructure  Installation of application patches to virtual infrastructure Operating Systems:

The following operating systems will be installed, configured and managed the following:-

• Windows Server 2008 R2 Enterprise

• Windows Server 2008 R2 Datacenter Edition

• Windows Server 2012 R2 Datacenter Edition

• Windows Server 2012 R2 Standard Edition

• Citrix Licensing (based upon Request)

• Linux distributions (RED HAT Enterprise Linux, Oracle Linux, CentOS, SUSE) Managed Microsoft SQL Server and Oracle database

• Install MS SQL and Oracle database

• Configure MS SQL and Oracle both standalone and clustered version

• Monitor specific databases and clustering services and take corrective actions in the event of a failure of these services Measure capacity of data storage alerting for potential issues

• Management of the clustering services and associated infrastructure

• Management of SA user access

• Respond to failures of the service then apply the appropriate corrective action • Manage appropriate backup and restores of data bases, archive logs, etc. • Maintain appropriate patch levels and security updates

• Perform routine maintenance tasks

• Apply regular checks for database consistency upon client request • Check event logs for expected and unexpected errors

Storage

Managed SAN service will offer ASHGHAL a high performing, highly available storage environment for their mission-critical data. This will minimize reliance on server hard disk as a point of failure, remove the risk of storage capacity management and introduce resilience at the data layer into their business solutions.

Managed SAN service will be powered by an enterprise grade Disk Array designed with full internal redundancy of the disks and SAN switches to provide robust solutions.

All servers will be connected and managed SAN to remove the risks of storage capacity management and provide resilience for all stored data.

(6)

Data Backup

Provide best of breed Backup-as-a-Service that will provide protection for the

environment. The service utilizes leading technologies including but not limited to source and target based De-Duplication, agentless backup and instant restore. The backup service will operates automatically to store data on a scheduled basis, creating comprehensive data images. The size will increase on on-demand basis following the growth of data over the time. For any additional GBs, Ashghal will propose accordingly via a call off order. Note: Tenderer will be replicating the Backup to PWA Symantec NetBackup Appliances located in the DR Site.

Monitoring

Use a monitoring solution which validates critical indicators on a 24/7 basis to ensure that any performance or capacity bottlenecks are captured and reported.

2.0 Managed Security Services for Hosted Systems

Provide Managed Security Services to all hosted systems at Tenderer’s data center. The proposed Managed Security Services to Ashghal are:

 Advanced Security Monitoring (ASM) and Log Management (LM)

 Vulnerability Scanning (VS) and Remediation

2.1 Implementation Deliverables

Perform the following as part of the scope of services to ensure that the implementation deliverables are on high standard provision:

 Liaise with Ashghal technical and project management team to ensure all prerequisites are in place

 Prepare, architect, and design the method of implementation and integration of the proposed security managed services using SIEM technology

 Carry out a backup of the deployed devices

 Event tuning / filters and on boarding – as required

 On-going operation support and 24x7 monitoring, analysis and alerting 2.2 Advanced Security Monitoring

Security Monitoring Service should collect and correlates security events and transforms such data into comprehensible dashboard displays, management reports, and actionable alerts. The service can detect fraud, expose internal and external threats, and identify weaknesses in security enforcement.

The service will utilizes Security Incident and Event Management (SIEM) technology for monitor and alerting. This technology provides the automated collection and analysis of log data from security devices, including firewalls, intrusion detection systems, and critical hosts and applications.

Provide sizing Events per Second (EPS) calculations as per industry best practices. As devices are brought on-board the sizing assumptions will need to be reviewed at regular points within the project.

(7)

Provide detailed approach and methodology for Managed security monitoring using SIEM technology and size solution. Describe in detail traffic flow of network events collection and dissemination of security monitoring services.

Ashghal expects SOC security monitoring services to be delivered by certified SIEM professionals as well as other industry recognized certifications related to information security. Correlation

 Correlation provides the mechanism for detecting known threats that may be happening within the monitored environment.

 In addition to the ready-made correlations available Ashghal has the option to choose from customized correlations that can be created to fit any unique security requirements

 Correlation rules provide the intelligence to the service. Event correlation can be done for a single asset or by a combination of events from multiple sources to provide a holistic view of a particular incident

Analysis

 Based on triggered correlations, the events relating to the correlation rules will be investigated to determine the validity of the event

 Analysis should be done by Tenderer SOC team on real-time event logs to fine-tune correlations in place to reduce false-positives and aid in creating new correlations specific to Ashghal requirements

Alarming and Alerting

 Once a security incident is identified, the Ashghal point of contact will be notified and provided all pertinent details of the incident to help the resolving team to address the incident

 Incident reports will be provided to the Ashghal team via a secure email

communication detailing the security incident, for higher priority security incidents a telephone call will also be made to the Ashghal point of contact.

Reporting

 Daily/Weekly/Monthly monitoring reports, alerts and analysis on security incidents that can potentially affect the business objectives of Ashghal.

 Monthly operational report will be provided to highlight the details of the service  Monthly executive report will be provided to summarize the service provided  Incident and alert reports

(8)

Deliverables Phases

Detailed design document with network event flows and security monitoring workflows

Design phase Detailed use cases for various security

scenarios, anomalies detection

To be defined initially during requirement capturing and planning

phases and subsequently to be refined across BAU execution and

monitoring phases Integration of all devices/assets to ensure all

pertinent logs are sent over by the assets

Onsite – during device on boarding

Event tuning / filters As required

Install and configure the Device profiler(s) As required

Carry out a backup of the deployed devices As per Backup policy

2.3 Log Management:

Log Management Service should provide a critical service for audit trail and regulatory compliance. Industry standards such as ISO 27001 and PCI mandate businesses to archive logs that are forensically sound and readily available for audit reporting. Tenderer should meet log retention policy and compliance adherence for log collection, storage and reporting without the management overhead and capital investment required for an enterprise solution.

Log Management Service assists in application management, usage and user management, change management, network and infrastructure management, troubleshooting, and reporting:

 Ease of integration and collection of logs from various data sources across multiple vendors and products

 Consolidation and normalization of log data to maximum storage efficiency  Correlation and log management of millions of events

 Online short term log retention  Offline long term log retention

 Centralized log management

2.4 Monitoring and Reporting:

Tenderer Security Operations Centre will monitor the devices in scope of the service to ensure the following:

 Verify logs are being received and stored in a forensically secure method

 Provide the agreed reports on a pre-defined regular schedule that will indicate the state of the assets

2.5 Data Management and Auditing

 All stored logs are tamper proof to provide the assurance that the logs acquired from the assets cannot be altered or deleted

(9)

 Periodic audit reports of the logs can be requested by the Ashghal 2.6 Log Retention/Storage

Parameter Setting

Retention Period online 90 days

Retention Period (archived) 1 year

 Tenderer will provide archived logs to Ashghal periodically as mutually agreed 2.7 Vulnerability and remediation Management

Understanding security risks within the enterprise network is crucial to comprehensive IT risk management. However due to the high rate of change within enterprise networks, a constantly changing threat environment made this task increasingly difficult. Ashghal understands this risk introduced as new vulnerabilities are being discovered continuously over a period of time and expects Tenderer’s vulnerability scanning service provides a solution to comprehensively assess the security of critical network, server, application and database assets. This service will help Ashghal to understand the level of threats in the hosted infrastructure.

This service will aid in achieving and staying compliant with regulatory requirements for vulnerability identification and resolution. Reports will be provided as to how threats and vulnerabilities can be mitigated. Trending based on historical scans will identify the current security maturity level of the environment.

This service should be based on the vulnerability score and business-relevant asset value to prioritize the vulnerabilities for remediation.

Vulnerability Management Service key points:

 Security professionals provide recommended measures and actions to address the

identified weaknesses

 Vulnerability Management as per industry best practice

 Regular scanning minimizes the chances of a security breach or intrusion

 Delivers actionable, risk-based insight and analytics aligned with business initiatives  Provides continuous, agentless monitoring of the entire IT infrastructure

 Automates and assures regulatory and policy compliance

Vulnerability scanning service should deliver comprehensive, agentless discovery and profiling of all assets.

2.8 IT Asset Inventory

Vulnerability scanning discovers all network devices, applications, services, vulnerabilities and configurations providing a comprehensive view of the network and building the foundation for effective risk management and compliance processes. Vulnerability scanning provides host and network profiling through an agentless, non-intrusive, and low bandwidth solution.

(10)

2.9 Intelligent Prioritization

Vulnerability scanning discovers an array of data about the hosts that reside on the network. The service prioritizes remediation tasks, enabling users to focus on the items that will most effectively reduce risks on critical systems.

2.10 Reporting

Customized reports are to be generated to provide a comprehensive view of the risks available on the network. Reports can be customized for all audiences, from technically-focused users to executives.

Vulnerability scanning service will provide:

 Centralized Vulnerability management platform for effective tracking and mitigation of identified vulnerabilities

 Automatically agentless discovery of network vulnerabilities  Automatically agentless discovery of system vulnerabilities  Automatically agentless discovery of application vulnerabilities  Automatic auditing of configuration compliance

 Automatic regulatory assurance and policy compliance

 Automatic monitoring of file integrity across the entire network

 Automatic measuring and benchmarking of security performance against internal policies and industry standards

(11)

3.0 Service Level Management 3.1 Service Delivery

• Service Centre availability: Sunday to Thursday excluding national holidays • Service Window: 8hrs per day (08:00 – 16:00)

• Priority 1 incidents will work through 24/7/365 • Priority 2/3/4/5 Normal Business Hours

• Hours of Agreed System Availability: 24/7/365

• Availability SLA %: 99.5% per month except for incidents related to events beyond Tenderer control and planned downtime maintenance periods.

3.2 Service Availability Targets

Hosted Infrastructure Availability SLA %: 99.5% per month except for incidents related to events beyond Tenderer control and planned downtime maintenance periods.

3.3 Support Performance Levels

The following service level packages will be provided by Tenderer for managed services: Priority Table

Priority Response Resolution Service Window

1 1 Hour 4 Hours 24/7/365

2 2 Hours 8 Hours Normal Business Hours

5 12 Hours Reasonable

Endeavors

Normal Business Hours

3.4 Priority Rules

The priority of an Incident is calculated by choosing the appropriate Impact and Urgency values to define a priority. The business rules are contained in the following table:

Impact

High Medium Low

Urgency

High 1 2 3

Medium 2 3 4

Low 3 4 5

(12)

The priority of any Incident is calculated by the apportionment of agreed impact and urgency when the User logs an Interaction. The priority matrix used is as follows:

Impact is defined as:

a) High: Degraded service impacting 50%> of users.

b) Medium: Degraded service impact for multiple users up to 50%. c) Low: Disruption of service to a single User.

Urgency is defined as:

a) High: Service inaccessible or unavailable.

b) Medium: Core managed service functionality degraded c) Low: Degraded service functionality with known workaround

3.5 Reporting and Compliance with Agreement

Provide ASHGHAL with a monthly Service Level Report. The Service Level Report will include information such as:

 Technical availability and capacity related information per server and network device;  Performance of tickets logged with the Service Centre;

 The number of Interactions by type (Incident and Service Request);  Volume of change requests logged and their outcome

3.6 In-bound Logging Methods

The accepted logging methods within the Tenderer’s Service Centre will be Telephone and e-mail.

 E-mail is only supported where the correct logging form is used to supply the required information.

 The customer will log any priority 1 and 2 interactions by phone and email.

 Only pre-authorized named users will be able to contact the Tenderer’s Service Centre.

3.7 Project Team Structure

Project personnel shall be introduced to the ASHGHAL prior to commencement of their deployment. Such introduction will not be a formal review but an opportunity for ASHGHAL to meet the member(s) of the teams.

Clear Team Structure managing overall Project lifecycle. ASHGHAL prefers Technical Lead & Project Manager to be in different roles.

3.8 Project Duration

The duration of this project will be for 5 Years subject to renewal upon further business needs and requirements.

(13)

3.9 Payment, Penalty and Contract Termination Terms

 Total Setup or onetime fee will be billed upon installation and commissioning  Operational Services will be billed monthly for a quarterly payment

 Penalty as per below mentioned service credits

 ASHGHAL reserves the right to terminate the contract anytime upon advanced notification of 90 days

3.9.1 Service Degradation Penalties

If the Service Availability target is not met in any calendar month, the Tenderer is to reimburse to Ashghal an amount calculated using the following table:

Service Availability Service Charges Discount

>99.5 % Service availability is within target service level- Normal charges

apply

99.49 % - 99.00 % 10% discount of total current recurring monthly fee 98.5 % - 98.99 % 20% discount of total current recurring monthly fee 96.5 % - 98.49 % 30% discount of total current recurring monthly fee

95 % - 96.49 % 40% discount of total current recurring monthly fee

< 95 % 50% discount of total current recurring monthly fee

4.0 Managed IT Services Requirements 4.1 Initial Managed Services Requirements:

As per Ashghal’s requirements, the following table depicts the proposed type of virtual servers needed to build the solution. These servers will be installed and configured on a dedicated infrastructure. 4.1.1 VM Specifications VM Specifications VM Types CPU Core Memory OS Disk One time Charges Monthly recurring Charges Server Type A 4 8 100   Server Type B 4 12 100   Server Type C 4 16 100   Server Type D 4 18 100   Server Type E 4 32 100   Server Type F 4 64 100   Server Type G 8 12 100   Server Type H 8 16 100   Server Type I 8 24 100  

(14)

Call Off Price Agreement For Managed IT Services (Data Center) Server Type J 8 32 100   Server Type K ₈ ₆₄ ₁₀₀   Server Type L ₈ ₁₂₈ ₁₀₀   Server Type M 12 24 100   Server Type N ₁₂ ₃₂ ₁₀₀   Server Type O ₁₂ ₆₄ ₁₀₀   Server Type P ₁₆ ₃₂ ₁₀₀   Server Type Q ₁₆ ₆₄ ₁₀₀   Server Type R ₁₆ ₁₂₈ ₁₀₀   Server Type S ₃₂ ₃₂ ₁₀₀   Server Type T ₃₂ ₆₄ ₁₀₀  

4.1.2 Virtual Servers Package

The above table includes the 20 types of virtual servers required by Ashghal’s technical team. Each virtual server includes the following:

 Anti-Virus and firewall License

 Managed Operating System (Windows Server OS, RedHat Linux, Oracle Linux, CENT-OS, SUSE Linux)

 Managed Network – LAN  Managed FC Switch port  Managed SAN Storage  Managed Hardware

 Managed Backup and Restore  Security Services

4.1.3 Minimum Bill of Materials Commitment

Proposed solution includes the following components that Ashghal will commit to as a minimum initial request. Future and additional requests will be sized accordingly.

Minimum Commitment Qty.

Virtual Machine package 10

SAN (TB) Standard 5

Backup as a Service (TB) 5 Internet (8-10 Mbps) 1

4.2 On-Demand Managed Services

On top of the previous essential managed services, Ashghal can request additional services as needed. The following are, but not limited to, managed services that can be added to future infrastructure requirements.

(15)

 Managed Connectivity

 Managed Encrypted Connectivity  Managed Hardware – Physical Servers  Managed Network, LAN

 Managed OS - Windows  Managed OS Linux (RHEL)  Managed OS Linux (Oracle Linux)  Managed OS Linux (Cent OS)  Managed OS Linux (SUSE)  Managed Clustering  Managed Storage

 Managed Site-to-Site VPN  Managed SQL Server / Oracle

 Managed Web Application Firewall- Setup  Managed Application Firewall – Additional Node  Managed client-to-site VPN

 Managed P2V , V2V, V2P migration

(Virtual Machine migration from AHGHAL Data Centre (Hyper-V and VMware) to Tenderers Datacenter environment)

4.2.1 Schedule of Rates for On-demand Managed Services (Refer to Section G/Schedule B) 4.3 Project Plan and Similar projects references

Provide a detailed Project Plan for the various Managed Services provided covering various phases’ right from project kick-off with timelines and detailed SLA (response time, resolution period).

Provide detailed References for delivering similar services to other large enterprises, government sectors in Qatar

5.0 MANAGED SERVICES.

Sr. No. Managed Services / Brief Description of Services

On-Time Charges

Monthly Recurring

Charges 5.1 Managed Services (System, OS & Applications)

Including Monitoring and Backup (Excluding licenses cost)

5.1.1 Managed Hardware Services



Establishing warranty and maintenance agreements - Hardware Installation - Asset Management - Hardware monitoring - Maintenance Management

5.1.2 Managed OS Services (Windows 2008/2012 and later _versions  

Change management - Proactive Health checks - Respond to the failure of Critical OS services and apply corrective actions

(16)

Sr. No. Managed Services / Brief Description of Services On-Time _Charges

Monthly Recurring

Charges

5.1.3 Managed OS Services (Linux: Red Hat – CentOS, SUSE,

Oracle)

 

Change management - Proactive Healthchecks - Respond to the failure of Critical OS services and apply corrective actions

5.1.4 Managed Domain Controller services (MS AD)  

Change management - Proactive Healthchecks -

Respond to the failure of Critical AD services and apply corrective actions

5.1.5 Managed SQL Server Services  

Respond to the failure of Critical SQL services and apply corrective actions

(1 Applications, 1 DB instances)

5.1.6 Managed Oracle Server Services  

(1 Applications, 1 DB instances)

5.1.7 Managed Clustering Services  

Respond to the failure of Critical SQL services and apply corrective actions

(Microsoft OS clustering - SQL clustering)

5.1.8 Managed Hyper-V Node Services  

Change management - Proactive Healthchecks - Respond to the failure of Critical Hyper-V services and apply corrective actions

(1 HyperV node and 1 SCVMM)

5.1.9 Managed VMware Node Services  

Change management - Proactive Healthchecks - Respond to the failure of Critical VMware services and apply corrective actions

(1 ESX and 1 vCenter)

5.1.10 Managed Web Servers (IIS) Services  

Change management - Proactive Healthchecks - Respond to the failure of Critical IIS services and apply corrective actions

(17)

On-Time Charges

Monthly Recurring

Charges

5.1.11 Managed WSUS Services  

Change management - Proactive Healthchecks - Patch management in coordination with the customer

5.1.12 Managed AV Services  

Change management - Proactive Healthchecks - Respond to the failure of Critical services and apply corrective actions

5.1.13 Managed Exchange Services  

5.1.14 Managed SharePoint Services  

5.1.15 Managed Customer Backup Infra Services  

Manage backup infrastructure - Manage tape rotation - Manage and monitor backup jobs - Manage backup policy - Perform regular restore tests

(Per the following setup: 1TB, 1 tape library, 50 clients - s/w: Symantec NBU, 3PAR).

Every 50 servers (Physical or virtual this managed service needs to be reordered, provided the required HW is available.

5.1.16 Managed Storage for physical and Virtual machines 1 TB  

Storage provisioning and management per terabyte 5.1.17 Managed Backup service for physical and Virtual

Machine 1 TB

 

Backup as a service per terabyte

5.2 Managed Services (Network/ Security)

5.2.1 Managed Load Balancing Services (per pair in HA mode)  

Change Management (add, delete, modify web servers entries, ports, monitored URL) - MACDs - Patch/software updates following an incident and as requested by the support - Configuration management (backup,

Healthcheck, configuration review,…)

Per two devices, active – standby/active – active configuration.

(18)

On-Time Charges

Monthly Recurring Charges

5.2.2 Managed Firewall Services  

Change Management - Patch/software updates following an incident and as requested by the support -

Configuration management (policy, backup, Healthcheck, configuration review,…) - MACDs

5.2.3 Managed SAN Switches Services  

Configuration management (backup, Healthcheck, configuration review,…) - MACDs

5.2.4 Managed Network switches Services  

Configuration management (backup, Healthcheck, configuration review,…) - MACDs

5.2.5 Managed IPS Services  

Change Management - Signature updates - Configuration management (policy, backup, Healthcheck, configuration review,…) - MACDs

5.2.6 Managed VPN encryption (Site to Site)  

Change Management - Configuration management (backup, Healthcheck, configuration review,…)

This service is for Site to Site VPN tunnel management

over the Internet. 5.3. Migration Services

5.3.1

3 VMs with Storage space of 500 GB o Physical to Virtual (P2V)

o Virtual to Virtual (V2V)

This will be consisting of Assessment - Pre migration – Migration – Post migration

Migration Support for VMware and Microsoft Hyper-V

 X

5.3.2

5 VMs with Storage space of 1 TB o Physical to Virtual (P2V)

(19)

Sr. No. Managed Services / Brief Description of Services On-Time

Charges

Monthly Recurring

Charges

5.3.3

 X

5.3.4

(20)

SECTION C

SCHEDULE A:

PROJECT BRIEF

(21)

SECTION C PART 2: AUTHORITY’S REQUIREMENTS

Project ID: ISD 15/16 SS 25 G

C2/I @[email protected] Call Off Price Agreement For Managed IT Services April 2015 (Data Center)

Page Number C2 /

1. DEFINITIONS, ABBREVIATIONS AND ACRONYMS... 1

1.1 Interpretation...1

1.2 Defined Terms ...1

1.3 Internal Priority...1

2. OVERALL REQUIREMENTS ... 2

2.1 Resource Requirements Schedule...2

2.2 Schedule of Deployed Employees ...2

2.3 Programming ...2

2.4 Reporting ...3

2.5 Final Transition Strategy and Project Close-out Report...3

2.6 Meetings ...4

2.7 Document Control and Information Management...4

2.8 Technology ...4

2.9 Stakeholder Management and Public Involvement, Communications ...4

2.10 Submissions ...5

2.11 QUALITY ASSURANCE PLAN ...5

3. CONSULTANT’S ORGANISATION... 6

3.1 Personnel Qualifications & Conditions ...6

3.2 Staff Mobilisation Process...6

(22)

C2/1 @[email protected]

Call Off Price Agreement For Managed IT Services April 2015 (Data Center)

1. DEFINITIONS, ABBREVIATIONS AND ACRONYMS

1.1 Interpretation

1.1.1 For the purposes of the Project Brief, defined terms shall have the meaning set out in the General Conditions of Engagement. Additional defined terms necessary for interpretation of the Project Brief are set out below.

1.2 Defined Terms

1.3 Internal Priority

1.3.1 The documents forming Schedule A: Project Brief are to be read and construed as a composite whole and shall be taken as mutually explanatory of one another. In the event of an ambiguity, discrepancy or inconsistency within the documents, the order of precedence shall be as follows:

A. Part 1: Scope of Services;

B. Part 2: Authority’s Requirements; C. Part 3: Project Data.

(23)

C2/ 2 @[email protected] Call Off Price Agreement For Managed IT Services April 2015

(Data Center)

2. OVERALL REQUIREMENTS

2.1 Resource Requirements Schedule

2.1.1 For planning purposes, the programme of the works is described in Key Stages or activities. The Consultant shall plan each Key Stage or activity to ensure the required outcome.

2.1.2 The Consultant shall provide resource schedules in accordance with a Service Delivery Plan in the format required, and non-objected, by the Project Co-ordinator that reflects the requirements of each Key Stage activity.

2.1.3 The Consultant shall provide a look-ahead for the subsequent Key Stage resource schedule to facilitate advanced planning.

2.1.4 The resource schedule, Schedule C: Resource Schedules: Part 2: Resource Allocation is

a detailed statement of the resources estimated to be required to undertake the activities contained in the Service Delivery Plan for each Key Stage or activity. The schedule identifies the duration location and purpose of the assignment for each of the personnel proposed for each Key Stage or activity of the Agreement.

2.1.5 The Project Co-ordinator may require changes to be made to the Services at any stage of the Agreement in response to emerging knowledge, and the Consultant shall provide further forecasts of resources in response to instructions for Changes.

2.2 Schedule of Deployed Employees

2.2.1 The Consultant shall maintain a schedule of all the employees it mobilises for the Services, which shall be available to the Project Co-ordinator upon request.

2.2.2 The schedule shall contain for each person the name, position, grade, qualifications, capabilities and skills and the proposed role.

2.3 Programming

2.3.1 The Consultant shall be responsible for the effective co-ordination of the Agreement and its interdependencies, and the management of risks and issues that arise.

2.3.2 The Consultant shall be responsible for the overall integrity and coherence of all elements of the Agreement schedule. Within fourteen (14) Days of the Commencement Date the Consultant shall submit for the Project Co-ordinator’s non-objection; the Baseline Programme Master Schedule, developed from the level 1 programme in Schedule C: Resource Schedules: Part 1: Master Programme and a detailed first Service Delivery Plan to be used as the primary planning tool for managing the Services. As the Services develop, further detailed Service Delivery Plans for future stages will be submitted for the Project Co-ordinator’s non-objection. These rolling planning activities will be used primarily to plan the activities and the resources necessary to deliver the Project Objectives.

2.3.3 The detailed first Service Delivery Plan shall comprise a comprehensive planning package based on the Key Stages and identifying issue dates and titles for the further detailed Service Delivery Plans. This package shall include full details of the arrangements and methods which the Consultant proposes to adopt for the performance of the Services including planning, progress monitoring, manpower levels and scheduling.

2.3.4 Service Delivery Plans shall not be subject to amendment in any manner whatsoever without the Project Co-ordinator’s non-objection. Any amendments proposed by the Consultant shall be submitted in writing, with supporting justifications, for the Project Co-ordinator’s non-objection.

(24)

Project ID: ISD 15/16 SS 25 G C2/ 3 @[email protected] Call Off Price Agreement For Managed IT Services April 2015 (Data Center)

2.4 Reporting

2.4.1 The Consultant shall monitor the progress of its activities and those of its Sub-contractors in carrying out Services and shall report this progress to the Project Co-ordinator in progress reports as set out below.

2.4.2 The Consultant shall prepare and submit reports throughout the duration of the Agreement at periods identified in Schedule A: Project Brief, Part 1: Scope of Services that cover progress of the Consultant work by reference to the appropriate Service Delivery Plan, including status, issues and risks associated including but not limited to the following items:

 Progress review of the Consultant’s activities, detailing achievements, progress against programme, key issues and risks. Where progress is behind plan recovery plans shall be included;

 Progress against all KPIs (if applicable);

 Progress of the Programme against plan; where progress is behind plan, recovery plans shall be included;

 Proposed changes to the Service Delivery Plans;  Changes to the Agreement, both current and proposed;

 The cost for the Services provided to date and forecasts of the cost to completion measured against plan;

 Proposed personnel changes and other personnel issues;

 Summary report of the performance of other Consultants for whom the Consultant is responsible for managing.

2.4.3 Within three (3) Days from the Commencement Date the Consultant shall submit draft report formats for each type of report required under Schedule A: Project Brief, Part 1: Scope of Services for the Project Co-ordinator’s non-objection.

Once the Project Co-ordinator’s non-objection has been attained the Consultant shall no change the report formats unless otherwise instructed by the Project Co-ordinator.

2.4.4 All reports shall be delivered in accordance with the requirements of the Authority’s reporting periods, and shall be submitted within five (5) Days of the end of the period being reported unless otherwise stated in Schedule A: Project Brief, Part 1: Scope of Services.

2.4.5 As applicable, reporting shall continue until the Consultant has completed the Services, and the Project Co-ordinator was issued the Completion Certificate.

2.5 Final Transition Strategy and Project Close-out Report

2.5.1 Where applicable at least thirty (30) Days prior to the Completion Date, the Consultant shall develop, for the Project Co-ordinator’s non-objection, and implement a ’Final Transition Strategy’.

The Final Transition Strategy shall include inter alia:

a) Plans to transfer to the Authority the management of the Services; b) Transition plans with respect to any business unit personnel;

c) Plans to transfer operations to the Authority or any Authority delegated party;

d) Plans for the transfer to the Authority of master copies for all Deliverables developed in relation to the Services.

(25)

2.5.2 At least thirty (30) Days prior to the Completion Date, the Consultant shall submit for the Project Co-ordinator’s non-objection in the format directed by the Project Co-ordinator an outline Project Close-out Report.

2.5.3 The Project Close-out Report shall report on the execution of the Services and shall include, inter alia, the following information:

 an introduction;

 an Agreement description;

 a summary overall report on the execution of the Services, including consideration of management of stakeholders, completion times, Service Delivery Plans and other relevant matters.

2.5.4 The submission of the detailed Project Close-out Report is a prerequisite to the issue of the Completion Certificate for the Services.

2.6 Meetings

2.6.1 The Consultant shall attend meetings as required by the Project Co-ordinator.

2.6.2 The Consultant shall attend a monthly progress meeting with the Project Co-ordinator to review the progress of the work. This meeting shall consider the report prepared by the Consultant for the period under review. The meeting will be chaired by the Project Co-ordinator. Notes of the meeting shall be prepared by the Consultant for non-objection by the Project Co-ordinator.

The Consultant shall attend other Project related meetings as directed by the Project Co-ordinator.

2.7 Document Control and Information Management

2.7.1 The Consultant shall provide administrative and document control support to the Agreement.

2.7.2 The Consultant shall be responsible for managing all the documentation on the Agreement.

2.7.3 The Consultant shall ensure that a single document control system operates at all Agreement locations.

2.7.4 The Consultant shall develop for the Project Co-ordinator’s non-objection a process for archival and retrieval of data.

2.7.5 All correspondence and communication in connection with the Project shall be in accordance with a comprehensive Communications and Document Management Plan, processes and procedures developed by the Consultant and non-objected by the Project Co-ordinator.

2.8 Technology

2.8.1 The Consultant IT system shall be able to interface seamlessly with the Authority’s corporate IT systems.

2.8.2 The Consultant shall develop for the Project Co-ordinator’s non-objection an IT and Technology System for use in managing the Agreement.

2.8.3 The Consultant shall ensure that its personnel are trained in the use of the technology to the extent required to carry out their duties.

2.9 Stakeholder Management and Public Involvement, Communications

2.9.1 The Consultant shall work closely with the Project Co-ordinator to ensure a coordinated approach is taken to communications during all stages of the Agreement, and shall obtain the Project Co-ordinator’s non-objection for a Communications Plan and Strategy in order

(26)

to address communications with personnel, the public, the media, external stakeholders and potential suppliers.

2.9.2 At all stages of the Agreement the Consultant shall adopt a policy of creating close working relationships with all external stakeholders and the media.

2.9.3 The Consultant shall confer and coordinate with relevant government agencies and departments, the various agencies within the Authority’s organisation and applicable Qatari legal authorities having jurisdiction regarding the delivery of the Agreement.

2.9.4 The Consultant shall manage stakeholder engagement and interfaces arising as a result

of engagement with third parties and interfacing projects.

2.9.5 Throughout the Agreement the Consultant shall:

 Assist the Project Co-ordinator and governance team with the resolution of disputes with stakeholders;

 Support the Authority in communication with the Agreement stakeholders

 Manage the preparation, submittal and approval of the documents required by the Project Co-ordinator for the planning of the Agreement;

2.9.6 The Consultant shall plan for the impacts of the Agreement on existing infrastructure and organisations and shall take active steps to manage these impacts so that the Agreement proceeds as planned. This is specifically applicable for the IT infrastructure. The Consultant needs to study the existing IT infrastructure and work with the Authority IT group to ensure that the SaaS works to the expected levels.

2.9.7 The Consultant shall take account of dependencies from related bodies and projects and work toward minimal disruption to the agreed programme planning.

2.10 Submissions

2.10.1 The Consultant shall submit to the Project Co-ordinator the required number of copies of all deliverables in softcopy format.

2.10.2 Documents shall be checked and approved by appropriate Consultant personnel (non-objected by the Project Co-ordinator)

2.11 QUALITY ASSURANCE PLAN

2.11.1 The Consultant shall prepare the Quality Assurance Plan to define the quality system for the Services to ensure and demonstrate that the Services conform to the requirements specified in the Agreement.

2.11.2 The Quality Assurance Plan shall include all activities associated with the Services. The Consultant shall indicate in the Quality Assurance Plan which quality procedure is applicable to each of the listed activities and Service Delivery Plans.

2.11.3 The Consultant shall produce an organisation chart together with a description of the responsibilities and necessary authority given to the relevant Consultant’s personnel for the implementation of the Quality Assurance Plan.

2.11.4 The Consultant shall report on the implementation, monitoring and performance of the Quality Assurance Plan in each progress report.

(27)

CONSULTANT’S ORGANISATION

2.13 Personnel Qualifications & Conditions

2.13.1 The Consultant shall provide adequately experienced and qualified personnel to carry out the tasks required of it. Personnel qualifications and experience shall be commensurate with the strategic and specific nature of the Agreement.

2.13.2 The Consultant personnel shall be fully capable of representing and acting on behalf of the Authority, to ensure that the Services are carried out to the best quality, most economically advantageous cost and within the specified time to Authority standards and other national and international standards.

2.13.3 Allocated Personnel, as identified in this Project, shall be fully conversant with, and have had, extensive practical experience with the standards, specifications and procedures applicable to the Services.

2.14 Staff Mobilisation Process

2.14.1 All personnel not expressly identified by name in Section D: Appendix I, shall, as a pre-condition to mobilisation, be subject to the Project Co-ordinator’s non-objection of a submitted Authorisation To Mobilise (ATM) application, refer to Attachment #01 to this Part 2: Authority’s Requirements.

2.14.2 The Authority will not make any payments until such personnel have been proposed under an ATM and the ATM has been non-objected by the Project Co-ordinator.

2.14.3 The Authority shall not retain any responsibility in relation to costs incurred for personnel who have not received non-objected ATM.

2.14.4 In the event that the Consultant wishes to provide personnel to fulfil any role that does not comply with the Authority’s personnel grading system he shall obtain the Project Co-ordinator’s non-objection to such variance, prior to the provision of such personnel.

2.14.5 The non-objection by the Project Co-ordinator of any of the Consultant’s personnel does not relieve the Consultant from its obligation to provide whatever personnel, expertise, or other personnel resources which may be required for the full compliance of his duties, obligations and liabilities as defined in this Agreement.

2.14.6 The Project Co-ordinator shall have the right to interview, in person or by video conferencing, and object / non-object any and all personal prior to commencement of their employment on the Project.

2.14.7 The Project Co-ordinator reserves the right to review the performance of all personnel assigned to the Project on a regular basis and reserves, at its absolute discretion, the right to instruct the Consultant to remove and replace personnel.

2.15 Consultant Staff Requirements

2.15.1 Unless otherwise stated in the Agreement all support Personnel seconded to the Authority shall be full time personnel based in Qatar.

2.15.2 Coverage for personnel during period of public holidays and approved sick leave, as per Qatar’s labour law, will be provided by other Project Co-ordinator non-objected similarly qualified personnel without deduction to the remuneration payable to the Consultant in respect of personnel on leave.

2.15.3 The Consultant will not be reimbursed for personnel absence from the Project where no alternative cover has been provided.

2.15.4 Where Consultant personnel are replaced, reimbursement will only be made for one personnel member, i.e. reimbursement will not be made for two overlapping personnel. 2.15.5 The Consultant shall maintain records of all personnel commencement and completion

dates, plus leave periods, and notify the Project Co-ordinator of these intents a minimum of fourteen (14) Days in advance.

(28)

2.15.6 The Consultant shall use reasonable endeavours to employ Qatari nationals who shall be mentored and trained by the Consultant.

2.15.7 Working time

a) Normal working hours of Consultant’s personnel based in Authority offices shall consist of a minimum of nine (9) hour Day, five (5) Day a week for the full duration of the Agreement. Private sector public holidays shall be applicable to the Consultant personnel based in Qatar. Normal working hours of Consultant’s personnel based on site offices, or any other location in Qatar as required or directed by the Project Co-ordinator shall consist of a minimum of eight (8) hour Day, six (6) Day week for the full duration of the Agreement. The team's full time personnel shall work for the normal working hours stated above, and any additional hours as necessary, at no extra cost, in executing their duties and obligations under the Agreement. For the avoidance of doubt no payment shall be made for overtime worked in excess of the normal working hours unless instructed as a Change.

b) Normal working hours for offshore personnel and shall be the standard working time of the relevant office and no payment shall be made for overtime worked in excess of the normal working hours unless instructed as a Change.

c) The Consultant’s personnel shall be available whenever their duties so require. Considering the Programme and the nature of the works, it may be necessary for the Consultant to attend meetings or to do other necessary tasks outside normal hours and at weekends. No additional payments will be allowed for such occurrences, which are fully allowed for in the rates contained in Schedule B: Payment Schedule.

d) The Consultant is required to maintain attendance records for the personnel deployed as directed by the Project Co-ordinator. Refer to Attachment #02 to this Part 2: Authority’s Requirements for specimen record sheets:

 Where Daily Attendance Sheets are applied records shall be submitted weekly to the Project Co-ordinator for non-objection;

 Where Monthly Attendance Sheets are applied records shall be submitted monthly to the Project Co-ordinator for non-objection.

2.15.8 Personnel Qualifications & Conditions

a) The Project Co-ordinator reserves the right to review and non-object all or any personnel assigned to the Project on a regular basis and reserves, at its absolute discretion, the right to instruct the Consultant to remove and replace personnel.

b) Proposed personnel requirements over the Project duration shall be staged in accordance with the resource schedule contained in Schedule C: Resource Schedules: Part 2: Resource Allocation.

c) The non-objection by the Project Co-ordinator of any of the Consultant’s personnel does not relieve the Consultant from its obligation to provide whatever personnel, expertise, or other personnel resources which may be required for the full compliance of his duties, obligations and liabilities as defined in this Agreement.

(29)

C2/ 8 @[email protected]

Call Off Price Agreement For Managed IT Services April 2015

ATTACHMENT #01: AUTHORISATION TO MOBILISE FORM

Department: Project ID: Project Title: Consultant: NAME POSITION / TITLE

SCHEDULE C CODE GRADE

ORGANISATION CHART REFERENCE No

NAME SIGNATURE POSITION DATE

CV ATTACHED YES / NO JOB DESCRIPTION

ATTACHED YES / NO LOCATION DURATION MOBILISATION DATE DEMOBILISATION DATE

NAME SIGNATURE POSITION DATE

APPROVED / REJECTED

BASIS FOR REJECTION

REQUESTED BY:

APPROVAL DETAILS

STATE OF QATAR

PUBLIC WORKS AUTHORITY

AUTHORISATION TO MOBILISE

PERSONNEL DETAILS ASSIGNMENT DETAILS PLANNED ACTUAL PLANNED ACTUAL

(30)

Project ID: ISD 15/16 SS 25 G C2/ 9 @[email protected]

Call Off Price Agreement For Managed IT Services April 2015

(Data Center)

Department:

W

Project ID:

PH

Project Title:

WE

Consultant:

A Day* Initial Start Date 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 1 2 3 4 5 6 7 8 9 10 11 12

*Day - identify day above date ie S = Sunday, M=Monday, T=Tuesday, W=Wednesday, Th=Thursday, F=Friday, St=Saturday

Name Signature Position Date

Position

Name Signature

Notes and RemarksThe initial start date for all personnel must be stated in the initial and all subsequent timesheets. All days worked, including weekend ands public holidays are to be recorded. The original completed time sheet shall be submitted, backed up by the Daily Attendance Sheet for each payment application.

Date A Consultant's Representative WE Worked Days Public Holiday Weekend Absent

Legend

Summary (Days)

No. Code POSITION NAME Claimed

Days

STATE OF QATAR

PUBLIC WORKS AUTHORITY

Engineer's Representative

Personnel Monthly Attendance Sheet From To

PH W

1.0 Managed IT Services C1/2





SECTION C

SCHEDULE A:

PROJECT BRIEF

TABLE OF CONTENTS

1.

DEFINITIONS, ABBREVIATIONS AND ACRONYMS... 1

2.

OVERALL REQUIREMENTS ... 2

3.

CONSULTANT’S ORGANISATION... 6

1.

DEFINITIONS, ABBREVIATIONS AND ACRONYMS

2.

OVERALL REQUIREMENTS

CONSULTANT’S ORGANISATION

ATTACHMENT #01: AUTHORISATION TO MOBILISE FORM

STATE OF QATAR

AUTHORISATION TO MOBILISE

Department:

Project ID:

Project Title:

Consultant:

Legend

STATE OF QATAR

PUBLIC WORKS AUTHORITY