BID SPECIFICATION RFB Ref. No: RFB 1931/2019 Description Appointment Of A Service Provider For The Supply, Installation And Configuration Of An Enterprise AV (Anti- Virus) Solution For The Gauteng Department Of Education (GDE) Schools With Maintenance And Support For A Period Of Three (3) Years”. Closing Date for questions / queries Date: 28 May 2019 RFB Closing Details Date: 07 June 2019 Time: 11:00 (South African Time) Place: Tender Office, Pongola in Apollo, 459 Tsitsa Street, Erasmuskloof, Pretoria (Head Office) Public Opening of RFB Responses Date: 07 June 2019 Time: 12:00 (South African Time) Place: Tender Office, Pongola in Apollo, 459 Tsitsa Street, Erasmuskloof, Pretoria (Head Office)
Transcript
BID SPECIFICATION
RFB Ref. No: RFB 1931/2019
Description
Appointment Of A Service Provider For The Supply,
Installation And Configuration Of An Enterprise AV (Anti-
Virus) Solution For The Gauteng Department Of Education
(GDE) Schools With Maintenance And Support For A
Period Of Three (3) Years”.
Closing Date for questions / queries Date: 28 May 2019
3. SCOPE OF WORK............................................................................................................................................. 4
7.1 INSTRUCTION AND EVALUATION CRITERIA.......................................................................................................287.2 TECHNICAL MANDATORY REQUIREMENTS.......................................................................................................287.3 DECLARATION OF COMPLIANCE........................................................................................................................29
ANNEX A.3: SPECIAL CONDITIONS OF CONTRACT (SCC).......................................................................................30
8. SPECIAL CONDITIONS OF CONTRACT............................................................................................................. 30
8.1. INSTRUCTION...............................................................................................................................................308.2. SPECIAL CONDITIONS OF CONTRACT............................................................................................................308.1 DECLARATION OF ACCEPTANCE........................................................................................................................35
ANNEX A.4: COSTING AND PRICING.................................................................................................................... 36
9. COSTING AND PRICING.................................................................................................................................. 37
9.1 COSTING AND PRICING EVALUATION................................................................................................................379.2 COSTING AND PRICING CONDITIONS................................................................................................................379.3 DECLARATION OF ACCEPTANCE........................................................................................................................389.4 BID PRICING SCHEDULE.....................................................................................................................................38
ANNEX A.5: TERMS AND DEFINITIONS................................................................................................................. 44
The purpose of this RFB is to invite Suppliers (hereinafter referred to as “bidders”) to submit bids for the “Supply, install and configure an Enterprise AV (anti-virus) Solution for the Gauteng Department of Education (GDE) schools with maintenance and support for a period of three (3) years”.
2. BACKGROUNDThe Gauteng Department of Education has embarked on a program to implement Information and Communications Technologies (ICTs) in schools to enhance teaching and learning in the classrooms; over and above the existing offering of computers and laptops in existing computer laboratories and administration offices.
The Department does not have a uniform Anti-Malware Solution across all GDE Schools, hence the acquisition of this solution, to ensure the standardization and uniformity. There are Applications that are often rolled out at the schools and the various kinds of AV installed at the schools detect the installations/EXE files as viruses/malwares thereby hindering the successful software installation. The acquired Solution should be able to protect or secure all allocated devices given the architectural design as outlined below.
The devices allocated to these schools run across multiple operating systems most commonly Android and Windows (Microsoft environment) with very few IOS devices. The devices include Laptops, Mobile devices, Smart Boards, C3 and I7 Servers.
The Department consists of 15 District Offices and over 2700 schools and the estimated number of devices is 120 000 with around 90 000 running Windows, 25 000 running Android and 5000 running IOS.
3 of 45CONFIDENTIAL
3. SCOPE OF WORKThe scope of work by the bidders is to –
(a) Supply anti-virus solution for the department with 120 000 estimated number of devices;
(b) Install and configure anti-virus solution including roll out at 15 schools as pilot project and skills transfer for the department at the following schools:
Number District Name Institution Name Street Name Township_Village1 EKURHULENI NORTH BOITUMELONG SECONDARY SCHOOL MIMAS STREET, SEDIBENG SECTION TEMBISA2 EKURHULENI SOUTH SIJABULILE SECONDARY SCHOOL MOLELEKI SECTION KATLEHONG3 GAUTENG EAST ALRAPARK SECONDARY SCHOOL GAZELLE DRIVE ALRA PARK4 GAUTENG NORTH SINENHLANHLA PRIMARY SCHOOL IQWANINGI STREET RETHABISENG5 GAUTENG WEST BADIRILE SECONDARY SCHOOL NXUMALO KHUTSONG6 JOHANNESBURG CENTRAL CURTIS NKONDO SCHOOL OF SPECIALISATION (MULTI-DISCIPLINARY)PHINDWA AND BIYELA STREET EMDENI EXTENTION7 JOHANNESBURG EAST ALEXANDRA SECONDARY SCHOOL 2ND AIVENUE ALEXANDRA8 JOHANNESBURG NORTH BREE PRIMARY SCHOOL AVENUE MAYFAIR WEST9 JOHANNESBURG SOUTH MPHETHI MAHLATSI SECONDARY SCHOOLVINCENT SRTEET EXT 8B ORANGE FARMS
10 JOHANNESBURG WEST MOSES KOTANE PRIMARY SCHOOL CNR UNITY BOULEVARD & FREEDOM DRIVE BRAAMFISCHERVILLE11 SEDIBENG EAST LEKOA SHANDU SECONDARY SCHOOL DUBULA RIVE SHARPVILLE12 SEDIBENG WEST DR MOLEFI OLIPHANT SECONDARY SCHOOLTHOMAS NKOBI STREET BOPHELONG EXT.913 TSHWANE NORTH NEW EERSTERUST SECONDARY SCHOOLEXTENSION 5 NEW EERSTERUST14 TSHWANE SOUTH NELLMAPIUS SECONDARY SCHOOL NELLMAPIUS ROAD NELLMAPIUS EXT 115 TSHWANE WEST HILLVIEW HIGH SCHOOL FRANZINA STREET ROSEVILLE
(c) Provide maintenance and support of the anti-virus solution for a period of three years
(d) Skills transfer to IT school’s technicians
4. REQUIREMENTS(1) Gauteng Department of Education (GDE) requires a solution that will be used for the following:
(a) The Protection of the data hosted on the devices.
(b) The prevention of the data loss and unauthorized access to these devices.
Currently the schools have a mixture of approximately 120 000 types of endpoints as outlined below:
(a) Desktops computers(b) Laptops(c) Mobile Devices(d) Servers
The schools have the following network architecture types:
(a) Fully connected Smart Schools (ICT digital Schools)(b) GBN (Gauteng Broadband Network) Partially Connected Schools(c) Internet connected Schools, either with or without LAN(d) Schools with no LAN or Internet connectivity
4 of 45CONFIDENTIAL
(e) N-Computing Technologies; And four (4) different type of School Architectures
High level requirements:
(a) Anti-malware solution, on and off premise(b) iDLP (data link prevention) to be able to comply with various standards (c) An MDM solution than can protect students tablets when not on the network(d) Antimalware solution for non-internet connected schools(e) Web and email gateways to cater for security on and off network(f) Solution to lock down the smart boards to certain applications(g) Ecryption controls to safeguard teachers laptops(h) Future proof for the journey to the cloud(i) Connected threat defense (j) Support and Skills transfer (Training) for GDE IT Technical team
Detailed Functional Requirements
Overall Solution Requirements
The solution should be able to integrate and be part of a connected threat defence strategyThe Solution should be able to adapt to complex network designsThe Solution should have a centrally managed console across the environment to have a holistic view of security eventsThe solution should be flexible in terms of licensing across multiple technology devicesCentralised ManagementThe Solution should provide centralized, user-centric management for threat and data protection. A single management console that manages, monitors, and reports across multiple layers of security, as well as across on-premises and cloud deployment modelsThe Solution Should Continuously monitor and rapidly understand your security posture, identify threats, and respond to incidents with up-to-the-minute situational awareness across your environment. And when an attack makes its way in, you have the ability to investigate where it has spreadThe Solution should provide Direct links to a Threat Connect database give you access to actionable threat intelligence. This includes rich correlated threat data describing characteristic behaviors like network activities and system modifications, along with global and system- and industry-specific impactsThe Solution should provide Integrate security management and analysis across multiple layers of protection—critical to defending against advanced threats that exploit multiple threat vectors.The Solution should provide Security dashboards allow instant triage by giving administrators the ability to prioritize critical threat types, critical users, or critical endpoints, so they can take action on the most pressing issues firstEndpoint securityOn-Demand and On-Access scanning of files on local and network drives (read or write) and of memory for malicious code.Manual (user-driven & admin-driven) and Scheduled scanning for malicious code.In-Memory Scanning to detect malware packers, and malicious memory-resident processes.What actions are available for scan detections? Separate action settings should be maintained for real-time and manual scanning.
5 of 45CONFIDENTIAL
The product should combine both signature-based and behavior monitoring detection.Scan caching to avoid scanning previously scanned files.Product should check a global approved/safe list for Windows system files, and other signed software from reputable sources, to exclude them from scanning, and avoid false positives.Ability to add scan exclusions based on file name, file path, file type. Separate exclusion lists should be maintained for real-time and manual scanning.Drill down into data in compressed, archived and packed files, down to a configurable limit of compression layers.Repair of infected files, and clean-up functionality after malware detections.Quarantining of infected files in a central location, and the ability to restore files back to their original location.The ability to automatically recognize when a Laptop is running low on battery, and automatically defer a scan until it is on AC power.The ability to detect the download and prevent/warn on the execution of low prevalence (rarely downloaded) files, using cloud-based intelligence that tracks the global prevalence of files.The product must include the ability to detect and remove viral and non-viral threats such as worms, Trojans, spyware, adware, dialers, joke programs, remote access programs and hacking tools including root kits.The ability to detect malicious code in Instant Messaging file transfer.Ability to create a rescue media (CD or USB keys).A CPU utilization threshold mechanism to prevent the product from consuming too much system resources. Please describe.Support for browser protection/sandboxing to detect and block malicious client-side scripts in web pages from running in the users browsers.Product should check a global web reputation database that tracks the credibility of web domains and pages and keeps a safety score, and blocks users from accessing infected or fraudulent pages.The application should contain port blocking / host-firewall or ability to manage the operating system supplied firewall.Detection and blocking of macro virus files.Multi-threading scanning engine to minimize performance degradation across multiple processors.Product should use a File Reputation mechanism to reduce the impact on the endpoint’s performance and resources by offloading the large part of the pattern files and scanning process to the server side.Dedicated Protection against Ransomware:Access Document Control for protecting documents against unauthorized encryption or modification to prevent possible ransomware attacksPreventing ransomware injection by monitoring and hooking processes on endpoints to detect compromised executable files, and terminate process if it meets violation rules.Automatic backup and Recovery of user files when ransomware is detected by Access Document ControlAdvanced Malware Detection and ResponseNext-generation Endpoint functionalities for advanced malware & exploit techniques detection including:• Machine Learning Engine for detecting malwares and exploitation techniques with mathematical modeling• Memory Inspection and Script Analyzer
6 of 45CONFIDENTIAL
Integration option with sandboxing/APT solution to receive dynamic block list (IP’s, URL’s, file hashes) based on behavior analysis that took place on sandbox solution.Support option to submit suspicious files to a sandboxing server for deep behavior analysis. Suspicious files criteria should include:• Downloaded documents via web/email• Downloaded low-prevalence executables via web/email• USB auto-run low-prevalence executablesAbility to isolate infected endpoints based on network-based threat detection.Pattern, engine, and software updates are transparent to the end-user and should run at administrator-set schedule. Option for user-driven manual update from client GUI.Describe your virus definition updates distribution scheme.System should support assigning certain clients as Update Agents responsible for distributing updates to other clients to offload the WAN utilization and the load on the main management server.Update frequency can be controlled by an administrator on the server-side.Normal pattern updates should be small in size (below 1 M).Product should support roll back to a previous set of virus definitions.The Solution should provide advanced endpoint protection (Windows, Mac, and Virtual Desktop Infrastructure)The Solution supported protection points are:o Physical endpointso Virtualized endpointso Windows PCso Mac computerso Point of Sale (POS) and ATM endpointsThe Solution should provide threat protection:o Command and controlo Anti-rootkit, antispyware, anti-ransomware,o antivirus, anti-malwareo Advanced threatso Firewallo Behavior monitoringo Browser exploit protectiono Anti-variant/packer protectiono Data loss prevention (DLP)o Web threat protectiono Sandbox integrationThe Solution should protect endpoints, on or off the corporate network, against viruses, Trojans, worms, spyware, ransomware, and new variants as they emerge.The Solution should provide security optimized for virtual desktop infrastructures (VDI): Isolate control of desktop environments, streamline management, and consolidate and extend the life of existing hardware.The solution should have protection against ransomware attacks to recover files encrypted by ransomware threats, block processes associated with ransomware, and prevent compromised executable files from infecting your network.The solution should have Predictive Machine Learning engine can protect your network from new, previously unidentified, or unknown threats through advanced file feature analysis and heuristic process monitoring. Predictive Machine Learning can ascertain the probability that a
7 of 45CONFIDENTIAL
threat exists in a file or process and the probable threat type, protecting you from zero-day attacks.The solution should have an Edge Relay server that provides greater visibility and increased protection for endpoints that leave the local intranet by providing the following features:o Suspicious Object list synchronizationo Sample submission for sandbox analysiso Log submissiono Agent status information submission, such as current pattern and component versionsThe solution should enhance your integration with a sandbox analysis system, agents can now detect and send suspicious files that may contain previously unknown threats directly to the sandbox analysis systemr for further analysis. After verifying that a threat exists, the Suspicious Object lists are immediately updated and synchronized to all agents, preventing the threat from spreading across your network.The solution should provide real-time Scan allows to detect and block threats using Common Vulnerabilities and Exposures (CVE) exploits.The solution should be able to configure the Suspicious Connections feature to log or block network connections detected by the Global C&C IP list and malware network fingerprinting.The solution should support the following:Microsoft™ Windows™ Server 2016Microsoft™ Edge Web Reputation scanning of HTTPS trafficThe Solution should integrate with a connected threat defense: antimalware integrates with sandbox to deliver rapid response (real-time signature updates) to endpoints when a new threat is detected locally by the sandbox, enabling faster time-to-protection and reducing the spread of malware.The Solution should provide integrated data loss prevention (DLP): Protect your private data with this optional DLP module that secures the most common vectors like cloud storage, USB devices, and email for accidental and intentional data leaks. Policy can be configured to automatically encrypt information being moved to a USB or cloud storage channel.Scans processes are already running on the system when the antivirus service becomes enabled.Scans both HTTP and FTP traffic against viruses and spyware or any other malware.Provides Buffer Overflow Protection.Detection and disinfection of viruses and any other malware in compressed and archived files.Proactive threat protection- Providing protection against unseen threats (zero-day threats).The proposed software should have the ability to alert, clean, delete, quarantine the detected threat.Acceleration of scanning by skipping those objects which have not changed since the previous scan by caching results of last scan.Search and Remove all types of viruses, worms, spyware and malicious software in real time protection.Can exclude specified files/folders from being scanned either in the on-access mode or during on-demand scansUpdate Agent for remote site can be installed on any computers in the siteSupports Windows and MacOn-premise, cloud (SaaS) or hybrid deploymentOptimized for Desktop Visualization.Automatically recognizes whether an agent is on a physical or virtual endpoint to better target protection
8 of 45CONFIDENTIAL
Prevents network, CPU, and storage conflicts by serializing scan and update operations per virtual serverShortens scan times of virtual desktops by white-listing base images and previously scanned contentReduces the impact on the endpoint’s performance and resources by offloading part of the Pattern files and scanning process to the server sideAllows for CPU impact customization (low, medium, high …)The proposed software should allow the following: -Manual scanningOn access scanningOn demand scanningAdware/ Spyware scanningCompressed File ScanningScan Individual file, Folder and DriveScript blocking and ScanningAuto clean, Quarantine infected filesRansomware ProtectionWeb protectionIn-memory scanningProtects endpoints, on or off the corporate network, against viruses, Trojans, worms, spyware, ransomware, advanced persistent threats (APTs), and new variants as they emerge.Reduces the burden of pattern file management and lowers performance impactDetects and removes active and hidden rootkits and ransomwareSafeguards endpoint mail boxes by scanning POP3 email and Outlook folders for threatsIdentifies and blocks botnet and targeted attack command and control (C&C) communications using global and local threat intelligence (both inbound and outbound) Secures users and endpoint systems from accessing malicious web content without relying on updates to assure zero-day protection (browser exploit protection) Proactively detects malware variants, reducing the number of required signatures via anti-variant/packer protectionMonitors for suspicious file encryption activities at the endpoint and terminates malicious activities, for more extensive ransomware preventionSupported Server Operating Systems• Windows Server 2008 (SP2) and 2008 R2 (SP2) (x64) Editions• Windows Storage Server 2008 (x86/x64), Storage Server 2008 R2 (SP1) (x64) Editions• Windows HPC Server 2008 and HPC Server 2008 R2 (x64)• Windows MultiPoint Server 2010 (x64) and 2012 (x64)• Windows Server 2012 and 2012 R2 (x64) Editions• Windows MultiPoint Server 2012 (x64) Editions• Windows Storage Server 2012 (x64) Editions• Windows Server 2016 (x64) EditionsSupported Client Operating Systems• Windows XP (SP3) (x86) Editions• Windows XP (SP2) (x64) (Professional Edition)• Windows Vista (SP1/SP2) (x86/x64) Editions• Windows 7 (with/without SP1) (x86/x64) Editions• Windows 8 and 8.1 (x86/x64) Editions• Windows 10 (32-bit and 64-bit)• Windows 10 IoT Embedded
9 of 45CONFIDENTIAL
• Windows Server 2003 (SP2) and 2003 R2 (x86/x64) Editions• Windows Compute Cluster Server 2003 (Active/Passive)• Windows Storage Server 2003 (SP2), Storage Server 2003 R2 (SP2) (x86/x64) Editions• Windows Server 2008 (SP2) (x86/x64) and 2008 R2 (SP1) (x64) Editions• Windows Storage Server 2008 (SP2) (x86/x64) and Storage Server 2008 R2 (x64) Editions• Windows HPC Server 2008 and HPC Server 2008 R2 (x86/x64) Editions• Windows Server 2008/2008 R2 Failover Clusters (Active/Passive)• Windows MultiPoint Server 2010 and 2011 (x64)• Windows Server 2012 and 2012 R2 (x64) Editions• Windows Storage Server 2012 and 2012 R2 (x64) Editions• Windows MultiPoint Server 2012 (x64) Editions• Windows Server 2012 Failover Clusters (x64)• Windows Server 2016 (x64) Editions• Windows XP Embedded Standard (SP1/SP2/SP3) (x86)• Windows Embedded Standard 2009 (x86)• Windows Embedded POSReady 2009 (x86), Embedded POSReady 7 (x86/x64)• Windows 7 Embedded (x86/x64) (SP1)• Windows 8 and 8.1 Embedded (x86/x64) EditionsVulnerability ProtectionDeep-packet inspection capability responsible for inbound and outbound traffic monitoring, protocol inspection, network exploit blockingThe product should include a Host Intrusion Prevention functionality to shield known and unknown OS and application vulnerabilities, and block any exploit attempts against them.Virtual Patching of known and unknown OS and application vulnerabilities, and blocking any exploit attempts against them.HIPS module provides visibility of protection rules applicable on individual endpoints or groups, categorized by application types, and showing clearly the corresponding CVE’s.HIPS module provides network-layer protection for vulnerabilities once or preferably before a patch is released.HIPS rules can be selectively enabled or disabled on individual endpoints, or groups, and action can individually set to block or monitor only.HIPS can provide recommended rules for assignment for each endpoint based on OS version, applications installed, patch level, etc..Deep Packet Inspection functionality can provide visibility and control over web protocols used on endpoints including IM, P2P, and streaming, regardless of TCP/UDP ports used.The Solution should stop zero-day threats immediately on your physical and virtual desktops and laptops—on and off the network. Using host-level intrusion prevention system (HIPS), Vulnerability Protection shields against known and unknown vulnerabilities before a patch is available or deployable. Extends protection to critical platforms, including legacy operating systems such as Windows XP.Eliminates risk exposure by shielding vulnerabilities with virtual patchingReduces down-time for recovery and emergency patchingAllows patching on your own terms and timelines Identifies security vulnerabilities with reporting based on CVE, MS-ID, severityThe Solution should eliminates risk exposure due to missing patchesThe Solution should extend the life of legacy and end-of-support operating systems like Windows XP
10 of 45CONFIDENTIAL
The Solution should reduce down-time for recovery with incremental protection against zero day attacksThe Solution should allow patching on your own terms and timelinesThe Solution should lower potential legal exposure by improving data security complianceThe Solution should enhance firewall protection for remote and mobile enterprise endpointsBlocks known and unknown vulnerability exploits before patches are deployedThe Solution should automatically assess and recommend required virtual patches for your specific environmentThe Solution should dynamically adjust security configuration based on the location of an endpointThe Solution should protect endpoints with minimal impact on network throughput, performance, or user productivity The Solution should Shield endpoints against unwanted network traffic with multiple protection layersThe Solution should protect systems that hold sensitive data, critical to regulatory and corporate policy compliance The Solution should Apply control filters to alert/block specific traffic such as instant messaging and media streamingThe Solution should use deep packet inspection to identify content that may harm the application layerThe Solution should filter forbidden network traffic and ensures allowed traffic through Stateful inspection· The Solution Should Provide protection before patches are deployed and often before patches are availableThe Solution should shield operating system and common applications from known and unknown attacksThe Solution should detect malicious traffic that hides by using supported protocols over non-standard portsThe Solution should block traffic likely to damage at-risk components using vulnerability-facing network inspectionThe Solution Should Prevent networking backdoors from penetrating into the corporate networkThe Solution should block all known exploits with intrusion prevention signaturesThe Solution should defend custom and legacy applications using custom filters that block user defined parametersThe Solution should preserve endpoint performance with light-weight agent architectureThe Solution should simply and easily deploy with existing endpoint security SolutionThe Solution should increase convenience of implementing granular control with simplified dashboard and user-based visibility with the management consoleThe Solution should organize vulnerability assessments by Microsoft security bulletin numbers, CVE numbers, or other important informationThe Solution should provide logging integration with popular SIEM toolsThe Solution should simplify deployment and management by using (central management console)The Solution should reduce the need to patch and reboot immediately causing unnecessary downtime on systemsThe solution should Centralize management of the firewall policyThe solution should support virtual machine zoning and prevents Denial of Service (DoS) attacks
11 of 45CONFIDENTIAL
The solution should use vulnerability rules to shield known vulnerabilities from an unlimited number of exploitsThe solution should support enforcement of periodic recommendation scans, automatically shields newly discovered vulnerabilities through a deployment of rules to servers without requiring a system restartThe solution should enable compliance with PCI Requirement 6.6 for the protection of web applications and the data that they processThe solution should defend against SQL injection attacks, cross-site scripting attacks, and other web application vulnerabilitiesThe solution should shield vulnerabilities until code fixes are availableThe solution should increase visibility into, or control over, applications accessing the networkThe solution should identify malicious applications accessing the network and reduces the vulnerability exposure of your serversDeep-packet inspection capability responsible for inbound and outbound traffic monitoring, protocol inspection, network exploit blockingThe product should include a Host Intrusion Prevention functionality to shield known and unknown OS and application vulnerabilities, and block any exploit attempts against them.Virtual Patching of known and unknown OS and application vulnerabilities, and blocking any exploit attempts against them.HIPS module provides visibility of protection rules applicable on individual endpoints or groups, categorized by application types, and showing clearly the corresponding CVE’s.HIPS module provides network-layer protection for vulnerabilities once or preferably before a patch is released.HIPS rules can be selectively enabled or disabled on individual endpoints, or groups, and action can individually set to block or monitor only.HIPS can provide recommended rules for assignment for each endpoint based on OS version, applications installed, patch level, etc..Deep Packet Inspection functionality can provide visibility and control over web protocols used on endpoints including IM, P2P, and streaming, regardless of TCP/UDP ports used.Platforms supported: - Microsoft(TM) Windows(TM) Server 2012 (64-bit) - Windows Server 2012 R2 (64-bit) - Windows 10 (32-bit and 64-bit) - Windows 8.1 (32-bit and 64-bit) - Windows 8 (32-bit and 64-bit) - Windows 7 (32-bit and 64-bit) - Windows Server 2008 R2 Service Pack 1 (64-bit) - Windows Server 2008 (32-bit and 64-bit) - Windows Vista(TM) (32-bit and 64-bit) - Windows Server 2003 Service Pack 1 (32-bit and 64-bit) patched with Windows Server 2003 Scalable Networking Pack, Windows Server 2003 Service Pack 2 (32-bit and 64-bit), Windows Server 2003 R2 Service Pack 2 (32-bit and 64-bit) - Windows XP (32-bit and 64-bit)Application ControlThe solution should provide below features:Agent Installation from Windows or the Command PromptAgent Self-Protection
12 of 45CONFIDENTIAL
Agent Windows Interface and Notification ControlsAIR ScoreApplication UsageCertified Safe Software ServiceControl Applications and DLLsDynamic Application ListsKey Performance Indicators Dashboard WidgetManually Update Policy from the AgentProcess BlockingAlso known as kernel-level or driver-level blockingSystem LockdownTrusted Sources for ApplicationsUser-Based and Endpoint-Based Policy ManagementApplication Control functionality that includes device and user policies for application blacklisting, whitelisting, and device lockdown.Application Control policies can use constantly updated comprehensive application-categories supplied by the vendor, for ease of administration.Application Whitelisting policies for prohibiting any unauthorized applications from running, with automatic whitelisting of already existing/running applications.The solution should support integration with breach detection system to apply policies based on-the-fly on-premise created suspicious objects.Application Control functionality that includes device and user policies for application blacklisting, whitelisting, and device lockdown.Application Control policies can use constantly updated comprehensive application-categories supplied by the vendor, for ease of administration.Application Whitelisting policies for prohibiting any unauthorized applications from running, with automatic whitelisting of already existing/running applications.The solution should support integration with breach detection system to apply policies based on-the-fly on-premise created suspicious objects.Integration with Advanced Threat protection system to provide custom defense against identified threatsProtects against users or machines executing malicious softwareThe Solution should further simplify deployment when used with OfficeScanThe Solution should provide advanced features for centralized enforcement of corporate policies with central management consoleThe Solution should utilize extensive categorized application catalog (analyzed and correlated threat data from billions of files in the global threat intelligence network)The Solution should employ dynamic policies to allow users to install valid applications based on many reputation-based variables such as prevalence, regional usage, and maturityPrevents potential damage from unwanted or unknown applications (executables, DLLs, Windows App store apps, device drivers, control panels, and other Portable Executable (PE) files)The Solution should provide global and local real-time threat intelligence based on good file reputation data correlated across a global networkThe Solution should interconnect with additional layers of security to better correlate threat data and stop more threats, more oftenThe Solution should leverage threat data analyzed and correlated from 347 million unique files and 4+ billion good file records global threat intelligence network)
13 of 45CONFIDENTIAL
The Solution should integrate with complete user protection to complement antivirus, host intrusion prevention, data loss prevention, mobile security, and moreThe Solution should increases convenience of implementing granular control with a customizable dashboard and management consoleThe Solution should Use intelligent and dynamic policies that still allow users to install valid applications based on reputation-based variables like the prevalence, regional usage, and maturity of the applicationThe Solution should provide greater insight into threat outbreaks with user-based visibility, policy management, and log aggregation. Enables reporting across multiple layers of security through central management softwareThe Solution should be easily deployed using existing own vendor endpoint security or other third-party deployment toolsThe Solution should Categorize the applications and provides regular updates to simplify administration using Certified Safe Software ServiceThe Solution should use application name, path, regular expression, or certificate for basic application whitelisting and blacklistingThe Solution should Contain broad coverage of pre-categorized applications that can be easily selected from application catalog (with regular updates)The Solution should ensure that patches/updates associated with whitelisted applications can be installed, as well as allowing your update programs to install new patches/updates, with trusted sources of changeThe Solution should support Features to roll-your-own application whitelisting and blacklisting for in-house and unlisted applicationsThe Solution should deliver unparalleled breadth of applications and good file dataThe Solution should limit application usage to a specific list of applications supported by data loss prevention (DLP) products for specific users or endpointsThe Solution should collect and limits application usage for software licensing complianceThe Solution should support Features system to lockdown to harden end-user systems by preventing new applications from being executedEndpoint EncryptionSupport for Full-disk encryption, with pre-boot authentication, and SSO with AD account.Support for file/folder and removable media encryption, with centrally-managed certified and military-grade key management.Support for file/folder encryption with user, group, or enterprise encryption keys, or with a fixed password.File Encryption to integrate with DLP functionality to give the option of enforcing encryption of sensitive files prior to copy to USD or upload to cloud storage.Enforcement policies for encrypting files on removable media drives, or having a folder for encrypted files on any removable media.The Solution should provide comprehensive data protection on Macintosh and PC laptops, desktops, removable media, and mobile devicesThe Solution Should Encrypt private data with fully integrated full disk, file folder, USB, and removable media encryptionThe Solution Should Support and leverage flexible hardware and software-based encryption across mixed environmentsThe Solution Should Support self-encrypting drives from Seagate and emerging TCG OPAL and OPAL 2 SED standardThe Solution Should Enable automatic and transparent encryption without performance
14 of 45CONFIDENTIAL
degradation Save more with an integrated Solution that makes it easy to deploy, configure, and manage encryptionThe Solution Should Gain visibility and control over encryption, monitoring and protection of dataThe Solution Should Manage encryption policy alongside all endpoint security policies with integration to common management console.The Solution Should Simplify operations with a unified data repository with single management server and consoleThe Solution Should Automate policy enforcement with remediation of security eventsThe Solution Should Maintain compliance and protect your data without disrupting users in the event of a lost device or forgotten passwordThe Solution Should Manage policies and protect data on PCs, laptops, USBs, CDs, DVDsThe Solution Should Identify a lost device before it boots so that appropriate policies can be applied using network-aware preboot authenticationThe Solution Should Collect device-specific information such as device attributes, directory listing, and unique device IDs based on device name, MAC address, and CPU identifierThe Solution Should Improve protection for remote devices with tools to remotely lock, reset, or “kill” lost or stolen devicesThe Solution Should Automate enforcement of regulatory compliance with policy-based encryptionThe Solution Should Unify visibility and policy deploymentThe Solution Should Receive detailed auditing and reporting by individual, organizational unit, and deviceThe Solution Should Assist compliance initiatives with audit trail for all administrative actionsThe Solution Should Demonstrate compliance on demand with real-time auditingThe Solution Should Provide remote one-time passwords across all endpoint client applicationsThe Solution Should Leverage Active Directory and existing IT infrastructure for deployment and managementThe Solution Should Take the burden off IT staff by allowing users to change and reset passwords and accountsThe Solution Should Gain access to recovery console in Windows and prebootThe Solution Should Provide management and visibility for Microsoft BitLocker encryption keys, especially useful for employee owned devices where corporate data needs to be protectedThe Solution Should Provide visibility and management of Apple File Vault encryption keys to enforce policies on Macintosh computers, and protect them in case of loss or theftIntegrated Data Loss Prevention (DLP)Product should include Data Loss Prevention functionality, integrated in the endpoint security solution with no additional hardware.Product has the capability to restrict the copy or upload of certain data, based on keywords, regular expressions, or file types to external storage or to the Internet.Speeds audits and enforcement with real-time reporting of integrated DLP violations, and the option of recording forensic data capture of DLP violations.Product should simplify regulatory compliance with out-of-the-box data protection compliance templates.Product must be able to apply granular device control policies to specific endpoints, to control/block access to unauthorized USB storage, 3G modems, and mobile devices.Device Control USB storage control includes the ability to create specific exceptions based on make and serial number of the USB storage device.
15 of 45CONFIDENTIAL
The Solution should not be standalone Solution. It should be integrated in the following security Solution solutions with no additional hardware:o Endpointo Mail Serverso Messaging Gatewayo Web GatewayThe Solution Should Offers granular device control, including the ability to create specific rules based on make and serial number of the deviceThe Solution Should Empowers IT to restrict the use of USB drives, CD/DVD writers, and other removable mediaThe Solution Should Tracks and documents sensitive data flowing through network egress pointsThe Solution Should Detects and reacts to improper data use based on keywords, regular expressions and file attributesThe Solution Should Educates employees on corporate data usage policies through alerts, blocking and reportingThe Solution Should Simplifies regulatory compliance with out-of-the-box compliance templatesThe Solution Should Speeds audits and enforcement with forensic data capture and real-time reportingThe Solution Should Improves visibility and control with a centrally managed software consoleMobile SecurityThe Solution should include:· Mobile Device Management (MDM)· Mobile Application Management· Mobile Application Reputation Services· Device Antivirus (Android)· The Solution Should Supports smartphones and tablets running:o iOSo Androido Windows Phoneo BlackberryThe Solution Should Streamlines management of mobile security, MDM, app management, and data protection in a single Solution shouldThe Solution Should Simplifies deployment by leveraging the Communication Server, an optional cloud-based service that automates communications and reduces complexity of deploymentThe Solution Should Lower operational costs with centralized visibility and control of all endpoint securityThe Solution Should Increases productivity and flexibility with broad platform supportThe Solution Should Enables IT to track, monitor, and manage mobile devices, apps, and data through a single consoleThe Solution Should Provide data on the number, types, and configuration of devices accessing corporate resources, whether they have enrolled or notThe Solution Should Enables centralized policy creation and enforcement across single or multiple serversThe Solution Should Supports a complete user protection strategy by integrating with the central control console to centralize policy and managementThe Solution Should Provide leading antivirus protection and ensures optimal device configurations to reduce malware risk
16 of 45CONFIDENTIAL
The Solution Should Protects corporate data with remote lock and wipe, and selective wipeThe Solution Should Shields private data from unauthorized access and improper use with password and policy enforcementThe Solution Should Allow IT to block the use of risky mobile apps based on up-to-the-minute data from the cloud-based Mobile Application Reputation ServiceMessaging Security GatewaySecure Email Gateway that integrates multiple filters, including antispam, reputation filtering, anti-malware, anti-phishing, content filtering, attachment policies, DLP, and sandbox integration.Scan Inbound and Outbound SMTP and POP3 traffic for Spams, Viruses, Spyware, Phishing, etc..Provides multi-tier Anti-Spam technology that uses content analysis, protocol analysis, and reputation.Provides content filtering to enforce compliance and prevents data leakageUses global Email and IP Reputation service to block spam sources and rogue malware service networks.Heuristic and pattern scanning to detect document exploits and threats used in targeted attacks.Dedicated rule to detect marketing messages, newsletters, social network notifications, also known as graymail.SMTP Traffic Throttling blocks messages from a single IP address or sender for a certain time when the number of connections or messages reaches the specified maximum.Provides Firewall against DHA and bounced mail attacks.Protection against Email DoS by flooding the mail server with large attachments, or sending messages that contain multiple viruses or recursively compressed files, individuals with malicious intent can disrupt mail processing.Granular attachments blocking rules to limit the types of files that are allowed to pass through, with ability of detecting true file type regardless of file extension or compression, and control of script files, HTML links, Java applets, or ActiveX controls.Ability to decrypt and inspect payloads and attachments compressed or archived using a variety of compression techniques.Scans for suspicious behavior in several parts of each email transmission, including the email header, subject line, body, attachments, and the SMTP protocol information, to detect suspicious behavior related to Social Engineering attacks in email messages.Queries web reputation database in real time to check URL’s and embedded links in emails body or within attachment, and block emails containing malicious links.Supports URL Time-of-Click Scanning by rewriting URLs in email messages for further reputation check at the time of end-user click, and block them if they are malicious.Identifies suspicious messages, and attachments, and submits them to external sandboxing server for behavioral analysis in an isolated virtual environment to identify characteristics commonly associated with malware and spear phishing.Whitelisting and blacklisting based on source, destination, subject, or specific content.Simplifies regulatory compliance and data loss prevention through pre-defined and customizable DLP policies and templates.Ability to send log messages to log collectors using syslog protocol.Flexible deployment: Can be deployed as a Software Appliance (bare Metal) or Virtual Appliance (VMware).Ability to increase capacity quickly where needed.Ability to decrease email volumes to gateway by filtering most of the SPAM email in the cloud via a SaaS spam filter, that scans all emails before it reaches the network.
17 of 45CONFIDENTIAL
Optional Email Encryption integrated in the mail gateway to encrypt or decrypt inbound and outbound emails based on policy rules.Centralized HTTPS web-based management console for both cloud-based filter and on-premise gateway.Role-based access control gives the ability to create different access rights to the management console.GUI-based backup, restore, update, and upgrade management.Integration with Active Directory for recipients address validation.Gateway health monitoring and notification delivery through email or SNMP trap when a fault condition threatens to disrupt the mail flow.The Solution should support flexible deployment: Can be deployed as a Software Appliance (bare Metal) or Virtual Appliance (VMware)The Solution should have the Ability to Lower email volumes to gateway by filtering all email in the cloudThe Solution should Deploy new capacity quickly where neededThe Solution should provide Blocking spam sources and rogue “fast flux” service networks, what is the technology to be used?The Solution should Integrate multi-tiered antispam and reputation filtering technologies with anti-malwareThe Solution should have Centralized management from a single console for in the cloud and on-premise virtual applianceThe Solution should Support customizable policies and granular, rule-based filtering with on-premise virtual applianceThe Solution should Maintain privacy and control with on-premise email quarantinesThe Solution should Outbound filtering of sensitive content (encryption optional) supports complianceThe Solution Should Scan Inbound and Outbound SMTP and POP3 traffic for Spams, Viruses, Spyware, Phishing etc.The Solution Should Provide content filtering to enforce compliance and prevents data leakageThe Solution Should Provide multi-tier Anti-Spam technologyThe Solution Should Provide Firewall against DHA and bounced mail attacksThe Solution Should Block Spams before they reach the network (Email reputation capabilities)The Solution Should Detect and block ransomware with malware scanning, anti-spam and file (including executables and macro) scanningThe Solution Should Give you advanced threat protection with sandbox malware analysis integration, social engineering protection, and zero-day and document exploit detectionThe Solution Should Use web reputation to protect against web links in malicious emailsThe Solution should include a SaaS pre-filter option for virtual appliance and software appliance cuts total email volumes up to 95 percent by blocking threats and spam in the cloud. Your data remains private because your emails are never stored in the cloud.The Solution Should Lower impact at the email gateway by filtering email in the cloudThe Solution Should Reduce data center footprint and minimizes IT staff timeThe Solution Should Allow quick deployment of new capacity when neededThe Solution Should Include our Service Level Agreement that guarantees email traffic uptime.Hosted Email Security and Antispam ProtectionThe Solution should be a no-maintenance-required that delivers continuously updated protection to stop spam, malware, spear phishing, ransomware, and advanced targeted attacks before they reach your network. Email Encryption is included in the base offering.
18 of 45CONFIDENTIAL
The Solution should protect Microsoft® Exchange™, Microsoft® Office 365™, Google Apps, and other hosted and on-premises email Solution should s. It protects more than 50,000 companies around the globe.The Solution Should Detect and blocks ransomware with malware scanning, anti-spam and file (including executables and macro) scanningThe Solution Should Give you advanced threat protection with cloud sandbox malware analysis, social engineering protection and zero-day and document exploit detectionThe Solution Should Use web reputation to protect against web links in emails that are maliciousThe Solution should provide 100% service availabilityThe Solution should provide No more than one minute of mail delivery latencyThe Solution should provide Virus protection with Zero email-based virusesThe Solution should provide Spam blocking with 99% or better effectivenessThe Solution should provide No more than .0003% false positivesThe Solution should be a World-class data centers with multiple data privacy certifications including ISO 9001 and 27001The Solution should be Contractually-binding Service Level Agreement (SLA)Microsoft SharePoint SecurityThe Solution should provide Antivirus & Antispywareo Blocks infected files from entering SharePointo Protects data from corruption and thefto Stops high-risk files based on “true file type”o Prevents threats from spreading among usersThe Solution should support Integrated Data Loss Preventiono Incorporates data loss prevention (DLP) technology with pre-set policies to prevent data loss and compliance violationso Searches SharePoint databases to discover sensitive data or block threats in real-timeo Enables granular policies based on Microsoft Active Directory® or SharePoint® users, groups, and sitesThe Solution should provide Advanced Content Filteringo Prevents posting of inappropriate content to forums, blogs, and social siteso Includes pre-built and customizable dictionaries for profanity and different types of harassmentThe Solution should use Web Reputation Technologyo Blocks web links to malicious or compromised websiteso Provides immediate protection using up-to-the-minute threat intelligenceThe Solution should be Cloud and Virtualization ReadyThe Solution should require Low Administrationo Requires half the administration time required by competitive Solution should so Strong group configuration and management with centralized logging and reportingo Central quarantine management across serverso Role-based access control with single sign-ono Integrates with strategic Microsoft tools, including Digital Dashboard, Web Parts, and DRM The Solution should provide supports Enterprise Scalabilityo Used by the largest corporations in the world with hundreds of thousands of userso Optimized with agent-less database inspectiono 206% less latency added than Microsoft Forefront
19 of 45CONFIDENTIAL
o Smart Protection Server technology uses 10X less memory on the SharePoint web servero Supports SharePoint Shredded Storage and Remote BLOB Storage for both real time and scheduled scansCloud App SecurityThe Solution Should Protects Office 365 email and other cloud file-sharing servicesThe Solution Should Enhance built-in security with sandbox malware analysisThe Solution Should Give visibility into sensitive data use with cloud file-sharing servicesThe Solution Should Detect advanced malware hidden in Office 365 or PDF documentsThe Solution Should Support all user functionality, on any device, with simple API integrationThe Solution Should Investigate the behavior of suspect files by detonating in a virtual sandbox, not just through static pattern matchingThe Solution Should Use document-exploit detection to find malware hidden in common Office file formats such as Word, PowerPoint®, and Excel®.The Solution Should Guard against malicious URLs not only within the message body, but also within attachmentsThe Solution Should Offer the only third-party advanced threat-protection Solution should for Office 365 that protects internal email (in addition to external email) to uncover attacks already in progressThe Solution Should Protect hybrid Office 365 and on-premises Exchange architecturesThe Solution Should Provide DLP and advanced malware protection for Box, Dropbox, Google Drive, SharePoint Online, and OneDrive for BusinessThe Solution Should Enable consistent DLP policies across multiple cloud-based applicationsThe Solution Should Simplify setup with more than 200 pre-built compliance templates, user/group policies, and support for Microsoft Rights Management servicesThe Solution Should Seamlessly extend Office 365, Box, Dropbox, and Google Drive securityThe Solution Should Preserve full user and administrator functionality The Solution Should Provide direct cloud-to-cloud integration via vendor APIs for high performance and scalabilityThe Solution Should Minimize latency impact by assessing the risk of files before sandbox malware analysisThe Solution should cloud-to-cloud API integration doesn’t rely on redirecting email or web proxies.The Solution Should Add security without burdening IT with changing devices or user settings, installing software, setting up a web proxy, or changing the MX record to reroute emailThe Solution Should Integrate quickly and automatically with Office 365 and other cloud services The Solution Should Uncover ransomware and other malware in office files: Uses document exploit detection to find hidden malware inside common office file formats like Word, PowerPoint, and Excel as was seen in 60% of targeted attacksWeb Gateway SecurityThe Solution should support flexible deployment: Can be deployed as a Software Appliance (bare Metal) or Virtual Appliance (VMware)The Solution Should Scan inbound and outbound traffic for malwareThe Solution Should Prevent malware from entering your networkThe Solution Should Stop virus and spyware downloads, botnets, malware call back attempts, and tunnelling
20 of 45CONFIDENTIAL
The Solution Should Close the HTTPS security loophole by decrypting and inspecting encrypted content The Solution should support zero-day exploit scanning and detection of advanced persistent threats and botnets, by integration with malware sandbox system using execution analysis to inspect suspicious files offline.The Solution Should Detonate files in customer-defined sandbox environment(s) and monitors for risky behaviourThe Solution Should Use adaptive security updates to block new C&C servers found during analysisThe Solution Should Identifies attacks using continually updated detection intelligence and correlation rules from global threat intelligence network and dedicated threat researchThe Solution should Protect against new threats and suspicious activity in real timeThe Solution should Identify and blocks botnet and targeted attack C&C communications using global threat intelligenceThe Solution Should Leverages real-time URL categorization and reputation to identity inappropriate or malicious sitesThe Solution should Offer six different policy actions for web access control, including: monitor, allow, warn, block, block with password override, enforce time quotaThe Solution should Support object-level blocking within dynamic web pages such as Web 2.0 mashupsThe Solution should Stop drive-by downloads and blocks access to spyware and phishing websitesThe Solution Should Delivers instant updates so you are protected immediatelyThe Solution should offer highly-accurate policy-based URL filtering, further secured by web reputationThe Solution should Provide at least 80 pre-defined URL categories, making it easy to set Internet use policiesThe Solution Should Enables granular policy control with custom categories and exception handlingThe Solution Should Supports application control for managing use of popular IM and P2P appsThe Solution Should Monitors web use as it happens, enabling on-the-spot remediation The Solution Should Offers extensive deployment options for scalability, performance, and reliabilityThe Solution Should Support multiple deployment modes:o Bridge modeo Forward Proxyo Reverse Proxyo Can be integrated with ICAP deviceso Can be integrated with Cisco WCCP enabled devicesThe Solution Should Provide Protection from:o Blended threatso Web threatso Viruses and wormso Botso Spyware & key loggerso Malicious mobile code
21 of 45CONFIDENTIAL
o Rootkitso Phishingo Content threatso Non-business contento ActiveX and Java appletsThe Solution Should Provide web request caching for enhanced performance.The Solution Should Monitors more than 1,000 internet protocols and applications, including instant messaging, peer-to-peer, social networking applications, and streaming mediaThe Solution Should Allow users to access cloud-based applications, while enforcing your policies to mitigate risks and conserve resourcesThe Solution Should Enables policy creation to control all web activities and user online timeThe Solution Should Centralizes logging, reporting, configuration management, and policy synchronization across multiple Web Security servers regardless of their geographic location. Through a single console, administrators can more effectively monitor, manage, and secure their organization’s internet usage.The Solution Should Monitors internet activity as it happens for unprecedented visibilityThe Solution Should Changes reporting to a proactive decision-making tool, enabling on-the-spot remediationThe Solution Should Centralizes the configuration and reporting of multiple instances of the software virtual applianceThe Solution Should Supports creation of custom reportsThe Solution Should Supports anonymous logging and reporting to protect end-user privacyThe Solution Should Offloads reporting and logging from individual servers for higher throughput, lower latency, and historical reportingThe Solution should be part of a multi-layered approach to block ransomware at the gateway level before reaching your users. It provides:The Solution Should support Scanning for zero-day exploits and browser exploitsThe Solution Should support Botnet and C&C call back detection to block ransomware botnet and C&C sitesThe Solution Should Real-time web reputation to determine if a URL is a known delivery vehicle for ransomwareThe Solution should support: Single-click deployment of integrated DLP capabilities built intoWeb Security Virtual Appliance give you visibility and control of data in motion.The Solution Should Tracks and documents sensitive data flowing through network egress pointsThe Solution Should Identifies risky business processes and improves corporate data usage policiesThe Solution Should Detects and reacts to improper data use based on keywords, regular expressions, and file attributesThe Solution Should Reduce administration through central management with central management console along with other endpoint and email DLP modulesThe Solution should Simplifies deployment with an add-on module, requiring no additional hardware or softwareThe Solution should provide Over 200 out-of-the-box DLP templates satisfy major compliance regulations and ensure that Personally Identifiable Information and sensitive data files are protectedWeb Security As A Service
22 of 45CONFIDENTIAL
The Solution should Scans inbound and outbound traffic for malwareThe Solution Should Prevents malware from entering your network, relieving the burden on endpoint securityThe Solution Should Stops virus and spyware downloads, botnets, malware call back attempts, and malware tunnelingThe Solution Should Close the HTTPS security loophole by decrypting and inspecting encrypted contentThe Solution Should be powered by a Global threat intelligence network web reputation technology blocks access to websites with malicious activityThe Solution Should Protects against new threats and suspicious activity in real timeThe Solution Should Identifies and blocks botnet and targeted attack command and control (C&C) communications using global and local threat intelligenceThe Solution Should Uses real-time URL categorization and reputation to identity inappropriate or malicious sitesThe Solution Should Offers three different policy actions for web access control, including: monitor, allow, and blockThe Solution Should Supports object-level blocking within dynamic web pages such as Web 2.0 mashupsThe Solution Should Stops drive-by downloads and blocks access to spyware and phishing related websitesThe Solution Should Monitors and reports on more than 1,000 Internet protocols and applications, including instant messaging, peer-to-peer, social networking applications, and streaming mediaThe Solution Should Enables granular policy creation to control all web activities; for example, allow viewing social media, but not posting to social mediaThe Solution should support Location and schedule-based policy enforcementThe Solution Should Provide flexibility to grow with your business by making the most of high performance and robust cloud infrastructureThe Solution Should Delivers points of presence globally and ISO27001 certified cloud infrastructureThe Solution Should Guarantees 99.99% uptime and near-zero latency with an industry-leading Service Level AgreementIsolated Virus Scan ToolVirus scan should be performed without installing software on scan target devices in advance.By storing the latest pattern file in a USB device, the latest pattern file should be usable for virus scan even when the scan target device does not have an Internet connection.Past virus scan results performed by the same USB device should be viewable on a screen.The USB device should be equipped with a mechanism for protecting the USB device itself against USB worms.Virus scan should be performable by booting an OS stored in the USB device.The time for updating and searching for a pattern file should be specifiable.Scan settings should be configurable when virus scan is started.It should have a virus scan ability to support 40 or more types of compression formats and seven or more types of encoding formats.The action should be configurable based on virus type detectedIt should have functions for recovering falsified registries and setting files and stop running virus processes on the client PC. And, it should have a function for automatically updating those
23 of 45CONFIDENTIAL
related files.It should be able to detect/handle viruses, malicious programs, and rootkits regardless of whether the OS type is 32-bit or 64-bit.It should have 64-bit native support. (It should be able to scan the System32 folder even when running in a 64-bit environment.)It should be able to detect/handle a rootkit that has infected the kernel level.A management program that manages USB devices for virus scan should be usable.The management program should be able to manage multiple USB devices.A list of USB devices to be managed should be displayed to allow users to ascertain the usage situation.Should be able to change scan settings stored in a USB device with the management program.Should be able to manage and view results of virus scan performed using a USB device with the management program.Should be able to output virus scan results to a file.Virus definition files and scan engines should be obtained via the Internet and stored in the management program.Should be able to obtain only differential data that has changed when the management program obtains the latest virus definition file via the Internet.Should be able to periodically obtain virus definition files and scan engines via the Internet.Should be able to view and update license information.Should be able to obtain virus scan settings from the management program on the network.Should be able to obtain the latest virus definition file and scan engine from the management program on the network.Should be able to obtain only differential data that has changed when the latest virus definition file is obtained from the management program on the network.Should be able to send virus scan results to the management program on the network.Should be able to configure virus scan settings for a USB device connected via a USB connection with the management program.Should be able to copy the latest virus definition file and scan engine to a USB device connected via a USB connection with the management program.Should be able to obtain virus scan results stored in a USB device connected via a USB connection with the management program.Should be able to perform a virus scan with a USB device only in an environment where no management program is deployed.Should be able to obtain the latest program update, virus definition file, and scan engine via the Internet with a USB device only in an environment where no management program is deployed.At the time of virus scan using a USB device, should be able to obtain and view event logs of lockdown type security products with the management program.Professional Services, Support, Maintenance & TrainingTraining at Authorized Training CenterPremium Support 24x7 (Direct access to vendor technical expertise, Designated Technical Account Manager, Proactive consultative security advice)
24 of 45CONFIDENTIAL
5. BID EVALUATION STAGES(1) The bid evaluation process consists of several stages that are applicable according to the
nature of the bid as defined in the table below.
Stage Description Applicable for this bid
Stage 1 Administrative pre-qualification verification YESStage 2A Technical Mandatory requirement evaluation YESStage 2B Technical Functionality requirement evaluation NOStage 2C Technical Proof of Concept requirement evaluation NOStage 3 Special Conditions of Contract verification YESStage 4 Price / B-BBEE evaluation YES(2) The bidder must qualify for each stage to be eligible to proceed to the next stage of the
evaluation.
25 of 45CONFIDENTIAL
ANNEX A.1: ADMINISTRATIVE PRE-QUALIFICATION
6. ADMINISTRATIVE PRE-QUALIFICATION REQUIREMENT
6.1 ADMINISTRATIVE PRE-QUALIFICATION VERIFICATION
(1) The bidder must comply with ALL of the bid pre-qualification requirements in order for the bid to be accepted for evaluation.
(2) If the Bidder failed to comply with any of the administrative pre-qualification requirements, or if SITA is unable to verify whether the pre-qualification requirements are met, then SITA reserves the right to –
(a) Reject the bid and not evaluate it, or
(b) Accept the bid for evaluation, on condition that the Bidder must submit within 7 (seven) days any supplementary information to achieve full compliance, provided that the supplementary information is administrative and not substantive in nature.
6.2 ADMINISTRATIVE PRE-QUALIFICATION REQUIREMENTS
(1) Submission of bid response: The bidder has submitted a bid response documentation pack –
(a) that was delivered at the correct physical or postal address and within the stipulated date and time as specified in the “Invitation to Bid” cover page, and;
(b) in the correct format as one original document, two copies and one CD.
Attendance of briefing session: If a briefing session is called, then the bidder has to sign the briefing session attendance register using the same information (bidder company name, bidder representative person name and contact details) as submitted in the bidders response document. The attendance of the briefing session is not compulsory.
Registered Supplier. The bidder is, in terms of National Treasury Instruction Note 3 of 2016/17, registered as a Supplier on National Treasury Central Supplier Database (CSD).
26 of 45CONFIDENTIAL
ANNEX A.2: TECHNICAL MANDATORY, FUNCTIONALITY AND PROOF OF CONCEPT REQUIREMENTS
7. TECHNICAL MANDATORY
7.1 INSTRUCTION AND EVALUATION CRITERIA
(1) The bidder must comply with ALL the requirements by providing substantiating evidence in the form of documentation or information, failing which it will be regarded as “NOT COMPLY”.
(2) The bidder must provide a unique reference number (e.g. binder/folio, chapter, section, page) to locate substantiating evidence in the bid response. During evaluation, SITA reserves the right to treat substantiation evidence that cannot be located in the bid response as “NOT COMPLY”.
(3) The bidder must complete the declaration of compliance as per section 7.3 below by marking with an “X” either “COMPLY”, or “NOT COMPLY” with ALL of the technical mandatory requirements, failing which it will be regarded as “NOT COMPLY”.
The bidder must comply with ALL the TECHNICAL MANDATORY REQUIREMENTS in order for the bid to proceed to the next stage of the evaluation.
7.2 TECHNICAL MANDATORY REQUIREMENTS
TECHNICAL MANDATORY REQUIREMENTS
Substantiating evidence of compliance(used to evaluate bid)
The bidder must be a OSM or a registered OSM partner to supply, install and configure the Enterprise anti-virus solution.
Provide a copy of a valid certificate or letter from OSM indicating:(a) the bidder name,(b) the bidder is a OSM partner to supply,
install and configure the anti-virus solution
(c) date the partnership was established, and
(d) information stating that the partnership is valid at time of bid.
NB: All letters or certificates must be in writing, dated, signed and on a letterhead of the entity that issued it.
<provide unique reference to locate substantiating evidence in the bid response – see Annex A.6>
(2) BIDDER EXPERIENCE AND CAPABILITY REQUIREMENTS
The bidder must have provided successful Enterpris
Provide one (1) letter of affirmation from Business or Government customer to whom the project or service was delivered or a sworn affidavit to this effect.The letter must be dated, signed and on a letterhead of the customer and indicate the following:a) The customer Company name and
physical address;
<provide unique reference to locate substantiating evidence in the bid response – see Annex A.6>
27 of 45CONFIDENTIAL
TECHNICAL MANDATORY REQUIREMENTS
Substantiating evidence of compliance(used to evaluate bid)
Evidence reference(to be completed by bidder)
e anti-virus solution including the installation, configuration enhancement, support and maintenance services to at least one (1) organisations during the past five (5) years.
b) Customer contact person’s name, telephone number and email address;
c) Project scope of work;
d) Product or technology scope; and
e) Project Start and End Date.
NB: SITA reserves the right to verify information provided
28 of 45CONFIDENTIAL
7.3 DECLARATION OF COMPLIANCE
Comply Not Comply
The bidder declares by indicating with an “X” in either the “COMPLY” or “NOT COMPLY” column that –
(a) The bid complies with each and every TECHNICAL MANDATORY REQUIREMENT as specified in SECTION 7.2 above; AND
(b) Each and every requirement specification is substantiated by evidence as proof of compliance.
29 of 45CONFIDENTIAL
ANNEX A.3: SPECIAL CONDITIONS OF CONTRACT (SCC)
8. SPECIAL CONDITIONS OF CONTRACT
8.1. INSTRUCTION
(1) The successful supplier will be bound by Government Procurement: General Conditions of Contract (GCC) as well as this Special Conditions of Contract (SCC), which will form part of the signed contract with the successful Supplier. However, SITA reserves the right to include or waive the condition in the signed contract.
(2) SITA reserves the right to –
(a) Negotiate the conditions, or
(b) Automatically disqualify a bidder for not accepting these conditions.
(3) In the event that the bidder qualifies the proposal with own conditions, and does not specifically withdraw such own conditions when called upon to do so, SITA will invoke the rights reserved in accordance with subsection 8.1(2) above.
(4) The bidder must complete the declaration of acceptance as per section 8.3 below by marking with an “X” either “ACCEPT ALL” or “DO NOT ACCEPT ALL”, failing which the declaration will be regarded as “DO NOT ACCEPT ALL” and the bid will be disqualified.
8.2. SPECIAL CONDITIONS OF CONTRACT
(1) CONTRACTING CONDITIONS
(a) Formal Contract. The Supplier must enter into a formal written Contract (Agreement) with SITA (internal)
(b) Right of Award. SITA reserves the right to award the contract for required goods or services to multiple Suppliers.
(c) Right to Audit. SITA reserves the right, before entering into a contract, to conduct or commission an external service provider to conduct a financial audit or probity to ascertain whether a qualifying bidder has the financial wherewithal or technical capability to provide the goods and services as required by this tender.
(d) Performance Security. In terms of section 8.1 of the General Conditions of Contract, a successful bidder must provide to SITA within 30 days after award of the contract a performance security to the amount of at least 10% of the bid price.
(2) DELIVERY ADDRESS. The supplier must deliver the required products or services at
(a) Gauteng Department of Education, Hollard Building, 17 Simmonds Street, Johannesburg
(3) SERVICES AND PERFORMANCE METRICS
(a) The Supplier is responsible to provide the following services as specified in the Service Breakdown Structure (SBS):
30 of 45CONFIDENTIAL
SBS Service Element Service Grade Service Level1. Call Centre Normal 8h x 5d, 07:30 – 16:30
2. Incident Response Normal Maximum 4 hours
3. Incident Restore Normal Maximum 8 hours
(4) CERTIFICATION, EXPERTISE AND QUALIFICATION
(a) The Supplier represents that,
(i) it has the necessary expertise, skill, qualifications and ability to undertake the work required in terms of the Statement of Work or Service Definition and;
(ii) it is committed to provide the Products or Services; and
(iii) perform all obligations detailed herein without any interruption to the Customer.
(b) The Supplier must provide the service in a good and workmanlike manner and in accordance with the practices and high professional standards used in well-managed operations performing similar Services;
(c) The Supplier must perform the Services in the most cost-effective manner consistent with the level of quality and performance as defined in Statement of Work or Service Definition;
(d) Original Equipment Manufacturer (OEM) or Original Software Manufacturer (OSM) work. The Supplier must ensure that work or service is performed by a person who is certified by Original Equipment Manufacturer or Original Software Manufacturer.
(e) Professional Services. Professional service accreditation and affiliation certifications where applicable
(5) LOGISTICAL CONDITIONS
(a) Hours of work. Normal working hours on normal working days excluding public holidays.
(b) In the event that SITA grants the Supplier permission to access SITA's Environment including hardware, software, internet facilities, data, telecommunication facilities and/or network facilities remotely, the Supplier must adhere to SITA's relevant policies and procedures (which policy and procedures are available to the Supplier on request) or in the absence of such policy and procedures, in terms of, best industry practice.
(6) SKILLS TRANSFER AND TRAINING
(a) The Supplier must provide skills transfer training on the proposed solution or product to management and technical staff to enable GDE to operate and support the product or solution after implementation.
(b) The nature of the training must be informal or hands-on.
(7) REGULATORY, QUALITY AND STANDARDS
(a) The Supplier must for the duration of the contract ensure that the proposed product or solution conform with the Government Minimum Interoperability Standards (MIOS) as follows:
(i) Not applicable to this Bid
31 of 45CONFIDENTIAL
(8) PERSONNEL SECURITY CLEARANCE
(a) The Supplier personnel who are required to work with information related to NATIONAL SECURITY must have a valid South African security clearance or must apply within 30 days of the signed contract for a security clearance to the level of CONFIDENTIAL at the expense of the Supplier from the South African State Security Agency or duly authorised Personnel Security Vetting entity of SA Government.
(b) The Supplier personnel who are required to work with GOVERNMENT CLASSIFIED information or access government RESTRICTED areas must be a South African Citizen and at the expense of the Supplier be security vetted (pre-employment screening, criminal record screening and credit screening).
(c) The Supplier must ensure that the security clearances of all personnel involved in the Contract remains valid for the period of the contract.
(9) CONFIDENTIALITY AND NON-DISCLOSURE CONDITIONS
(a) The Supplier, including its management and staff, must before commencement of the Contract, sign a non-disclosure agreement regarding Confidential Information.
(b) Confidential Information means any information or data, irrespective of the form or medium in which it may be stored, which is not in the public domain and which becomes available or accessible to a Party as a consequence of this Contract, including information or data which is prohibited from disclosure by virtue of:
(i) the Promotion of Access to Information Act, 2000 (Act no. 2 of 2000);
(ii) being clearly marked "Confidential" and which is provided by one Party to another Party in terms of this Contract;
(iii) being information or data, which one Party provides to another Party or to which a Party has access because of Services provided in terms of this Contract and in which a Party would have a reasonable expectation of confidentiality;
(iv) being information provided by one Party to another Party in the course of contractual or other negotiations, which could reasonably be expected to prejudice the right of the non-disclosing Party;
(v) being information, the disclosure of which could reasonably be expected to endanger a life or physical security of a person;
(vi) being technical, scientific, commercial, financial and market-related information, know-how and trade secrets of a Party;
(vii) being financial, commercial, scientific or technical information, other than trade secrets, of a Party, the disclosure of which would be likely to cause harm to the commercial or financial interests of a non-disclosing Party; and
(viii) being information supplied by a Party in confidence, the disclosure of which could reasonably be expected either to put the Party at a disadvantage in contractual or other negotiations or to prejudice the Party in commercial competition; or
(ix) information the disclosure of which would be likely to prejudice or impair the safety and security of a building, structure or system, including, but not limited to, a computer or communication system; a means of transport; or any other property;
32 of 45CONFIDENTIAL
or a person; methods, systems, plans or procedures for the protection of an individual in accordance with a witness protection scheme; the safety of the public or any part of the public; or the security of property; information the disclosure of which could reasonably be expected to cause prejudice to the defence of the Republic; security of the Republic; or international relations of the Republic; or plans, designs, drawings, functional and technical requirements and specifications of a Party, but must not include information which has been made automatically available, in terms of the Promotion of Access to Information Act, 2000; and information which a Party has a statutory or common law duty to disclose or in respect of which there is no reasonable expectation of privacy or confidentiality;
(c) Notwithstanding the provisions of this Contract, no Party is entitled to disclose Confidential Information, except where required to do so in terms of a law, without the prior written consent of any other Party having an interest in the disclosure;
(d) Where a Party discloses Confidential Information which materially damages or could materially damage another Party, the disclosing Party must submit all facts related to the disclosure in writing to the other Party, who must submit information related to such actual or potential material damage to be resolved as a dispute;
(e) Parties may not, except to the extent that a Party is legally required to make a public statement, make any public statement or issue a press release which could affect another Party, without first submitting a written copy of the proposed public statement or press release to the other Party and obtaining the other Party's prior written approval for such public statement or press release, which consent must not unreasonably be withheld.
(10) GUARANTEE AND WARRANTIES. The Supplier warrants that:
(a) The warranty of goods supplied under this contract remains valid for twelve (12) months after the goods, or any portion thereof as the case may be, have been delivered to and accepted at the final destination indicated in the contract, or for eighteen (18) months after the date of shipment from the port or place of loading in the source country, whichever period concludes earlier;
(b) as at Commencement Date, it has the rights, title and interest in and to the Product or Services to deliver such Product or Services in terms of the Contract and that such rights are free from any encumbrances whatsoever;
(c) the Product is in good working order, free from Defects in material and workmanship, and substantially conforms to the Specifications, for the duration of the Warranty period;
(d) during the Warranty period any defective item or part component of the Product be repaired or replaced within 3 (three) days after receiving a written notice from SITA;
(e) the Products is maintained during its Warranty Period at no expense to SITA;
(f) the Product possesses all material functions and features required for SITA’s Operational Requirements;
(g) the Product remains connected or Service is continued during the term of the Contract;
(h) all third-party warranties that the Supplier receives in connection with the Products including the corresponding software and the benefits of all such warranties are ceded to SITA without reducing or limiting the Supplier’s obligations under the Contract;
33 of 45CONFIDENTIAL
(i) no actions, suits, or proceedings, pending or threatened against it or any of its third party suppliers or sub-contractors that have a material adverse effect on the Supplier’s ability to fulfil its obligations under the Contract exist;
(j) SITA is notified immediately if it becomes aware of any action, suit, or proceeding, pending or threatened to have a material adverse effect on the Supplier’s ability to fulfil the obligations under the Contract;
(k) any Product sold to SITA after the Commencement Date of the Contract remains free from any lien, pledge, encumbrance or security interest;
(l) SITA’s use of the Product and Manuals supplied in connection with the Contract does not infringe any Intellectual Property Rights of any third party;
(m) the information disclosed to SITA does not contain any trade secrets of any third party, unless disclosure is permitted by such third party;
(n) it is financially capable of fulfilling all requirements of the Contract and that the Supplier is a validly organized entity that has the authority to enter into the Contract;
(o) it is not prohibited by any loan, contract, financing arrangement, trade covenant, or similar restriction from entering into the Contract;
(p) the prices, charges and fees to SITA as contained in the Contract are at least as favourable as those offered by the Supplier to any of its other customers that are of the same or similar standing and situation as SITA; and
(q) any misrepresentation by the Supplier amounts to a breach of Contract.
(11) INTELLECTUAL PROPERTY RIGHTS
(a) SITA retains all Intellectual Property Rights in and to SITA's Intellectual Property. As of the Effective Date, the Supplier is granted a non-exclusive license, for the continued duration of this Contract, to perform any lawful act including the right to use, copy, maintain, modify, enhance and create derivative works of SITA's Intellectual Property for the sole purpose of providing the Products or Services to SITA pursuant to this Contract; provided that the Supplier must not be permitted to use SITA's Intellectual Property for the benefit of any entities other than SITA without the written consent of SITA, which consent may be withheld in SITA's sole and absolute discretion. Except as otherwise requested or approved by SITA, which approval is in SITA's sole and absolute discretion, the Supplier must cease all use of SITA's Intellectual Property, at of the earliest of:
(i) termination or expiration date of this Contract;
(ii) the date of completion of the Services; and
(iii) the date of rendering of the last of the Deliverables.
(b) If so required by SITA, the Supplier must certify in writing to SITA that it has either returned all SITA Intellectual Property to SITA or destroyed or deleted all other SITA Intellectual Property in its possession or under its control.
(c) SITA, at all times, owns all Intellectual Property Rights in and to all Bespoke Intellectual Property.
34 of 45CONFIDENTIAL
(d) Save for the license granted in terms of this Contract, the Supplier retains all Intellectual Property Rights in and to the Supplier’s pre-existing Intellectual Property that is used or supplied in connection with the Products or Services.
(12) TARGETED PROCUREMENT/TRANSFORMATION
SITA, in terms of the PPPFA Regulation 2017 section 4(1), has an obligation to advance certain designated groups for the supply of certain ICT goods or services. The following criteria applies for this tender/bid/quotation:
(a) This tender/bid/quotation shall be for the participation of both the SMME (EME/QSE) and large entities.
(b) First Preference will be given to SMME (EME/QSE) which are at least 51% black owned with a B -BBEE status Level One (1) or Two (2)
(c) Second Preference will be given to all SMMEs (EME & QSE) irrespective of black ownership percentage.
(d) If no SMMEs qualifies the tender/bid/quotation will be allocated to a qualifying B-BBEE compliant entity that have a B-BBEE status level of at least a Level
8.1 DECLARATION OF ACCEPTANCE
ACCEPT ALL DO NOT ACCEPT ALL(1) The bidder declares to ACCEPT ALL the Special Condition
of Contract as specified in section 8.2 above by indicating with an “X” in the “ACCEPT ALL” column, OR
(2) The bidder declares to NOT ACCEPT ALL the Special Conditions of Contract as specified in section 8.2 above by -
(a) Indicating with an “X” in the “DO NOT ACCEPT ALL” column, and;
(b) Provide reason and proposal for each of the conditions that is not accepted.
Comments by bidder:Provide reason and proposal for each of the conditions not accepted as per the format:Condition Reference:Reason:Proposal:
35 of 45CONFIDENTIAL
ANNEX A.4: COSTING AND PRICING
QUALIFICATION NOTICE
To safeguard the integrity of the bidding process, the technical and financial proposals should be submitted in separate sealed envelopes, as per “National Treasury: Supply Chain Management a guide for Accounting Officers / Authorities, 2004”, section 5.9.4; therefore
All bid Pricing Schedules, as indicated in section 9 COSTING AND PRICING, must be submitted in a
SEPARATE SEALED ENVELOPE, failing which the bid WILL BE DISQUALIFIED.
36 of 45CONFIDENTIAL
9. COSTING AND PRICING
9.1 COSTING AND PRICING EVALUATION
(1) ALL PRICING SCHEDULES MUST BE SUBMITTED IN A SEPARATE SEALED ENVELOPE, failing which the BID will be DISQUALIFIED.
(2) In terms of Preferential Procurement Policy Framework Act (PPPFA), the following preference point system is applicable to all Bids:
(a) the 80/20 system (80 Price, 20 B-BBEE) for requirements with a Rand value of up to R50 000 000 (all applicable taxes included); or
(b) the 90/10 system (90 Price and 10 B-BBEE) for requirements with a Rand value above R50 000 000 (all applicable taxes included).
(3) The bidder must complete the declaration of acceptance as per section 9.3 below by marking with an “X” either “ACCEPT ALL”, or “DO NOT ACCEPT ALL”, failing which the declaration will be regarded as “DO NOT ACCEPT ALL” and the bid will be disqualified.
(4) Bidder will be bound by the following general costing and pricing conditions and SITA reserves the right to negotiate the conditions or automatically disqualify the bidder for not accepting these conditions. These conditions will form part of the Contract between SITA and the bidder. However, SITA reserves the right to include or waive the condition in the Contract.
9.2 COSTING AND PRICING CONDITIONS
(1) The bidder must submit the Pricing Schedule(s) as prescribed in section 9.4 as well as the relevant enclosed Standard Bidding Document SBD 3.1, 3.2 or 3.3.
(2) SOUTH AFRICAN PRICING. The total price must be VAT inclusive and be quoted in South African Rand (ZAR).
(3) TOTAL PRICE
(a) All quoted prices are the total price for the entire scope of required services and deliverables to be provided by the bidder.
(b) The cost of delivery, labour, S&T, overtime, etc. must be included in this bid.
(c) All additional costs must be clearly specified.
(4) BID EXCHANGE RATE CONDITIONS. The bidders must use the exchange rate provided below to enable SITA to compare the prices provided by using the same exchange rate:
Foreign currency South African Rand (ZAR) exchange rate1 US Dollar1 Euro1 Pound
37 of 45CONFIDENTIAL
9.3 DECLARATION OF ACCEPTANCE
ACCEPT ALL DO NOT ACCEPT ALL(1) The bidder declares to ACCEPT ALL the Costing and Pricing
conditions as specified in section 9.2 above by indicating with
an “X” in the “ACCEPT ALL” column, or
(2) The bidder declares to NOT ACCEPT ALL the Costing and Pricing Conditions as specified in section 9.2 above by -
(a) Indicating with an “X” in the “DO NOT ACCEPT ALL” column, and;
(b) Provide reason and proposal for each of the condition not accepted.
Comments by bidder:Provide the condition reference, the reasons for not accepting the condition.
9.4 BID PRICING SCHEDULE
Note:a) Bidder must complete the pricing as per table below (or as per the attached spread sheet if
applicable).
b) Line Prices are all VAT EXCLUDING, and TOTAL PRICE is VAT INCLUSIVE
(1) PRODUCT OR SERVICE PRICING
NoProduct/Service description Price Year 1(VAT excl.)
Price Year 2(VAT excl.)
Price Year 3(VAT excl.)
Total Price
1. Supply anti-virus solution for the department with 120 000 estimated number of devices
2. Install and configure anti-virus solution including roll out at 15 schools as pilot project and skills transfer for the department at the following schools
3. Provide maintenance and support of the anti-virus solution for a period of three years
4. SUBTOTAL (VAT Excl.)5. VAT (15%)6. BID TOTAL (VAT Incl.)
38 of 45CONFIDENTIAL
(2) RATE OF EXCHANGE PRICING INFORMATION
Provide the TOTAL BID PRICE for the duration of Contract and clearly indicate the Local Price and Foreign Price, where –
(a) Local Price means the portion of the TOTAL price that is NOT dependent on the Foreign Rate of Exchange (ROE) and;
(b) Foreign Price means the portion of the TOTAL price that is dependent on the Foreign Rate of Exchange (ROE).
(c) Exchange Rate means the ROE (ZA Rand vs foreign currency) as determined at time of bid.
No Description Price YEAR 1(Vat Excl.)
Price YEAR 2(VAT Excl.)
Price YEAR 3(VAT Excl.)
1. LOCAL Price (ZAR)2. FOREIGN Price (ZAR)3. Exchange Rate4. SUBTOTAL (VAT Excl.)5. VAT (14%)6. TOTAL (VAT Incl.)7. BID TOTAL
National Treasury Procurement: Standard Bidding Document on next pages
*** SELECT APPLICABLE SBD 3.1, 3.2 OR 3.3 FOR THIS BID
39 of 45CONFIDENTIAL
SBD 3.1PRICING SCHEDULE – FIRM PRICES
(PURCHASES)
NOTE: ONLY FIRM PRICES WILL BE ACCEPTED. NON-FIRM PRICES (INCLUDING PRICES SUBJECT TO RATES OF EXCHANGE VARIATIONS) WILL NOT BE CONSIDERED
IN CASES WHERE DIFFERENT DELIVERY POINTS INFLUENCE THE PRICING, A SEPARATE PRICING SCHEDULE MUST BE SUBMITTED FOR EACH DELIVERY POINT
Name of bidder: ………………………………………………………… Bid number:
Closing Time: 11:00 Closing date:
OFFER TO BE VALID FOR ……… DAYS FROM THE CLOSING DATE OF BID._______________________________________________________________________________ITEM QUANTITY DESCRIPTION BID PRICE IN RSA CURRENCYNO. ** (ALL APPLICABLE TAXES INCLUDED)
- Required by: THE STATE INFORMATION TECHNOLOGY AGENCY SOC LTD
- At: …………………………………………………
…………………………………………………
- Brand and model: …………………………………………………
- Country of origin: …………………………………………………
- Does the offer comply with the specification(s)? *YES/NO
- If not to specification, indicate deviation(s) ………………………………….
- Period required for delivery ………………………………….*Delivery: Firm/not firm
- Delivery basis ……………………………………
Note:All delivery costs must be included in the bid price, for delivery at the prescribed destination.
** “all applicable taxes” includes value- added tax, pay as you earn, income tax, unemployment insurance fund contributions and skills development levies.*Delete if not applicable
40 of 45CONFIDENTIAL
SBD 3.2PRICING SCHEDULE – NON-FIRM PRICES
(PURCHASES)
NOTE: PRICE ADJUSTMENTS WILL BE ALLOWED AT THE PERIODS AND TIMES SPECIFIED IN THE BIDDING DOCUMENTS.
IN CASES WHERE DIFFERENT DELIVERY POINTS INFLUENCE THE PRICING, A SEPARATE PRICING SCHEDULE MUST BE SUBMITTED FOR EACH DELIVERY POINT
Name of Bidder: …………………………………………………………… Bid number:
Closing Time 11:00 Closing date:
OFFER TO BE VALID FOR ……… DAYS FROM THE CLOSING DATE OF BID.
- Required by: THE STATE INFORMATION TECHNOLOGY AGENCY SOC LTD
- At: …….…..……………………………….
- Brand and model ……..………………………………….
- Country of origin ……...………………………………….
- Does the offer comply with the specification(s)? *YES/NO
- If not to specification, indicate deviation(s) ………………………………………….
- Period required for delivery ………………………………………….
- Delivery: *Firm/not firm
** “all applicable taxes” includes value- added tax, pay as you earn, income tax, unemployment insurance fund contributions and skills development levies.
*Delete if not applicable
41 of 45CONFIDENTIAL
SBD 3.3PRICING SCHEDULE
(Professional Services)
NAME OF BIDDER: ……………………………………………………………… BID NO:
CLOSING TIME: 11:00 CLOSING DATE:
OFFER TO BE VALID FOR ………… DAYS FROM THE CLOSING DATE OF BID._______________________________________________________________________________________ITEM DESCRIPTION BID PRICE IN RSA CURRENCYNO **(ALL APPLICABLE TAXES INCLUDED)_______________________________________________________________________________________
1. The accompanying information must be used for the formulationof proposals.
2. Bidders are required to indicate a ceiling price based on the totalestimated time for completion of all phases and including allexpenses inclusive of all applicable taxes for the project. R………..…………………………………………………...
3. PERSONS WHO WILL BE INVOLVED IN THE PROJECT AND RATES APPLICABLE (CERTIFIED INVOICES MUST BE RENDERED IN TERMS HEREOF)
5. PHASES ACCORDING TO WHICH THE PROJECT WILL BECOMPLETED, COST PER PHASE AND MAN-DAYS TO BE SPENT
----------------------------------------------------------------- R----------------------- ----------------- days
----------------------------------------------------------------- R----------------------- ----------------- days
----------------------------------------------------------------- R----------------------- ----------------- days
----------------------------------------------------------------- R----------------------- ----------------- days
42 of 45CONFIDENTIAL
5.1 Travel expenses (specify, for example rate/km and total km, classof air-travel, etc). Only actual costs are recoverable. Proof of theexpenses incurred must accompany certified invoices.
DESCRIPTION OF EXPENSE TO BE INCURRED RATE QUANTITY AMOUNT
** ”all applicable taxes” includes value- added tax, pay as you earn, income tax, unemployment insurance fund contributions and skills development levies.
5.2 Other expenses, for example accommodation (specify, eg. Threestar hotel, bed and breakfast, telephone cost, reproduction cost,etc.). On basis of these particulars, certified invoices will be checkedfor correctness. Proof of the expenses must accompany invoices.
DESCRIPTION OF EXPENSE TO BE INCURRED RATE QUANTITY AMOUNT
TOTAL: R………………………….6. Period required for commencement with project after
acceptance of bid ………………………………………………………………
7. Estimated man-days for completion of project ……………………………………………………………….
8. Are the rates quoted firm for the full period of contract? *YES/NO
9. If not firm for the full period, provide details of the basis on whichadjustments will be applied for, for example consumer price index.
……………………………………………………………….
……………………………………………………………….
……………………………………………………………….
……………………………………………………………….
*[DELETE IF NOT APPLICABLE]
43 of 45CONFIDENTIAL
ANNEX A.5: Terms and definitions
1. ABBREVIATIONSICT Information and Communication TechnologyPPPFA Preferential Procurement Policy Framework Act
44 of 45CONFIDENTIAL
ANNEX A.6: BIDDER SUBSTANTIATING EVIDENCE
This section is reserved for the bidder to provide information related to the substantiating evidence or comments in the format as required by the bid specification (e.g. text, graphical representation, diagrams, statistical reports, lists, reference letters, copies of product of solution documentation, certificates, licences, memberships, etc.).
The lines of business (LoB) can provide structured tables/guidelines to be completed by bidders for specific evidence required.
Note: The evidence provided in this section will be used by the bid evaluation committee to evaluate the bid. Therefore, each piece of substantiating evidence must be cross referenced to requirements specification section.
![Untitled-1 [insurem.com.mx]insurem.com.mx/MercadoLibre/Catalogo HardWare.pdfintel CORE i7 intel CORE i7 intel CORE i7 intel CORE i7 inter CORE inside inter CORE inside inter CORE inside](https://static.documents.pub/doc/80x56/5ea5f42d3dcb49308f6ef996/untitled-1-hardwarepdf-intel-core-i7-intel-core-i7-intel-core-i7-intel-core.jpg)
