Proprietary Information Notice
Shared by: eddie12 | Posted: 12/13/2008 | Language: English

Proprietary Information Notice

This document has been developed and created by Central Board of Revenue &/or Pakistan Revenue Automation (Private) Limited. The information contained herein is confidential and proprietary and cannot be used unless specifically permitted in writing by Central Board of Revenue &/or Pakistan Revenue Automation (Private) Limited. The recipient of this document, by its retention and use, agrees to hold this document and its content in strict confidence and to protect the same from loss, theft or unauthorized use. This document shall not be copied or communicated to any third party, in whole or in part, by any means without the prior written consent of Central Board of Revenue &/or Pakistan Revenue Automation (Private) Limited. This Proprietary Information Notice is an integral part of this document and shall not be removed or altered.

Overview

Document Purpose

The purpose of this document is to enable commercial vendors to draw up a response to the RFP contained herewith.

Intended Audience

The intended audience for this document is the Central Board of Revenue (Author) and CV (Commercial Vendors) who specialize in HP (Host Providers) in the IP Application & Infrastructure Management space.

Overview

Central Board of Revenue plans to launch a Client-Server based application that would be used to facilitate tax-payers in Pakistan in the electronic (digital) submission of their tax returns &/or tax-related communication in a secure, encrypted, and signed manner. This document covers the system-level overview only. The project will be a single-phase implementation of two database clusters, (i) an Oracle® 10g Application Server Cluster and (ii) a Microsoft SQL Server cluster, with high-redundancy and up-time requirements. Eventually only the Oracle 10g cluster will remain, but for an undefined period both clusters will be required.
In addition to the clusters, a high-end dedicated server is required for application hosting, coupled with a secure hosting infrastructure that:

- Provides Layer 2-3 security and logging of all traffic, with the CBR Network team having access to security logs, including but not limited to all traffic logs relevant to our Application Server. Logs should be available in raw format in real time. Logs from IDP/IDS are also required.
- Provides Layer 4-7 security, logging and load-balancing of incoming traffic as well as added port security.
- Provides an accountable manner by which each submission can be traced with respect to time-stamps, traffic/routed hops, Source IP, Mid-Tier IP and Destination IP.
- Is able to provide internal and external pulses on system and services uptime.
- Gives the CBR Network team direct ICMP access to target systems; for this purpose two management IPs will be nominated by CBR for security reasons.

Uptime Requirement & SLA

CBR requires the highest level of uptime due to the criticality of its application, with the following basic requirements. The Vendor is required to quote any equipment necessary to achieve these requirements.

- System uptime requirement of 99.99% during 07:00 Hrs to 23:00 Hrs as a whole (Network & Servers included).
- System uptime requirement of 99.9% during the remaining hours.
- Downtime will be calculated against the above limits on a monthly basis.
- Service Outage Credits will be granted to CBR by the Vendor if the system availability falls below the target defined above. Hours/minutes calculated based on this acceptable downtime are exempt from Service Outage Credits. For all Service Outage incidents reported by CBR, Service Outage Credits will be granted, calculated by dividing the charges by the time the system is down.
For Service Outages in excess of 20 minutes, a minimum Service Outage Credit of one (1) day will be granted, with a maximum cap for the Service Outage Credit equal to the Monthly Access Charge for one month.

CBR requires the solution on a turnkey basis; the Vendor should quote services based on the above-mentioned SLA and the Business/Application requirements mentioned below. The details of the platform mentioned below cannot be changed, and the equipment mentioned is the bare minimum requirement. Any additional equipment needed to fulfil the SLA requirements should be quoted, with justification for its inclusion.

Technology & Platform

1. The System shall be a publicly accessible IP-based hosting for Oracle® 10g & MS SQL Server Application Server (duly licensed for the number of processors or users and the number of servers).
2. A web-based multi-tiered enterprise application can be implemented (Web Server - Application Server - Database Server).
3. Any intended use of, or integration with, commercial off-the-shelf (COTS) application software components and/or products must be clearly disclosed in the form of a Software Architecture Document and approved by CBR.
4. The server components of the hosted application must run on Windows 2003 Servers.
5. The mode of communication will be a custom-developed Client-Server architecture as well as regular web-based access.

Security

1. Due to the sensitive nature of the information being submitted, CBR requires security at the system functional level and in performing data retrieval, network traversal and manipulation.
2. System security must include user access rights to system functions, API call restriction based on caller and call sequence, spoof prevention of caller signatures used to access system functionality, and prevention of data packet sniffing or data hacking used to access data "in transit" between systems or within the system.
3. A third-party check for PKI key-management passage must be allowed on the network.
Such passages will be defined by CBR and will be provided to the CV/HP in advance so that they can be placed in semi-trusted zones / ACLs.
4. Data Retrieval and Manipulation security requires that only those users who have rights to read or write data within the primary system database or other data marts are allowed the particular defined access; logging of such users and accesses must be maintained at debug level at all times.
5. The system will require a well-defined security software architecture that provides a general framework in which the requirements here are met.
6. CBR will require different read and write levels depending on the Client-Server submission policies, of which CBR is the sole definer.
7. The System must support single sign-on using Web Forms. As the application server will be clustered (for high redundancy), session affinity must be maintained (i.e. sticky sessions), with time-out values (TTL, Time To Live) customizable; cross-assignment of established sticky sessions is not allowed.
8. A System Administrator User's ability to view and update specific data depends on the user's role and the application privileges assigned to that role by the CBR unit that the user works for; as with any application, the System User should not be able to perform a valid business function outside those privileges.
9. CBR will mandate the use of Secure Sockets Layer (SSL) to secure data transmitted over the Internet on standard port 443.
10. CBR also reserves the right to arbitrarily assign a port (not one of the common services) to be implemented in its Client-Server application, so that default communication is done on this customizable port.
11. The CV/HP submission must be designed such that critical and vulnerable components and/or layers of the application (database, business logic) can be deployed on hardware that is secured behind a firewall and/or DMZ, while allowing users to access it from an unsecured network or the Internet.
12.
The applied platform can be requested to be authenticated via RSA Token, and the whole system administration facility is to be provided in authentication tiers in the form of a published application on Citrix, which CBR can then designate to its internal users for access.
13. CBR will have the ability to independently administer and maintain the user IDs, roles and privileges required to provide the institution's users with access to its server and/or various reporting (if any) available directly from the server itself.
14. SQL-injection vulnerability assessment will be required periodically to avoid any SQL injection into the system &/or application.
15. Secure replication services will be required between the hosted databases and CBR's in-house databases.

Reliability, Recoverability & Availability

1. The Client-Server models of CBR should avoid single points of failure. If any single component fails or is taken offline, the system should not be rendered inoperable. "It is the responsibility of the Vendor to employ hardware for Servers/Storage/SAN/Network to ensure that they meet the SLA requirements mentioned above; if this entails deploying load balancing or failover servers, then the Vendor should quote these."
2. Primary database server (a manual "warm failover" process will cause the secondary DB to become the active primary):
   a. OLTP Database
   b. Data Warehouse
   c. Reporting Services
3. On the Client-Server models of CBR, the backup, restore, disaster recovery and replication functionality of Oracle® Server will be used to facilitate backup, recovery, and high availability.
4. On the Standalone model, functionality to back up to a network drive must be provided.
5. The Storage Area Network (SAN) provides the shared storage required for the Database server nodes and the Document / Multimedia file storage nodes. It is connected to all the server nodes via Fibre Channel interconnects for high input/output (I/O) performance.
The SAN should have multiple disks providing multiple physical spindles to optimally allocate database files for higher performance. The SAN should also be configured for RAID operation to improve reliability, availability and performance.
6. The SAN should be supplemented by a second backup device onto which storage from the primary SAN can be backed up.
7. The System should have the ability to recover from failure.

Database Server Specifications

The general requirements mentioned below constitute "minimum" requirements, and CV/HP who quote anything above the minimum should highlight this in their quote.

- Branded Server OEM
- Dual Intel Xeon 3.0 GHz Architecture
- Minimum: 2GB ECC DDR RAM
- 73 GB x 4 (RAID 5e implemented)
- SCSI III Architecture, with 15,000 RPM spin for the spindle
- SCSI III Controller
- The hard drives must be hot-pluggable and hot-swappable
- Dual NIC 10/100/1000 auto-sensing
- Dual power supplies that are hot-pluggable and hot-swappable
- IP Addresses: Minimum 5 (8 assigned, 5 usable, 1 gateway, 1 broadcast and 1 subnet)
- Microsoft Windows 2003 Enterprise Edition with full Service Packs
- Standard rack-mount configuration
- Next-day warranty for service &/or replacement by OEM
- Enterprise-level client agent installed for antivirus & worm protection
- Enterprise-level client agent installed for daily, weekly and scheduled backups based on incremental and/or whole backup values

Oracle® Cluster Specifications

The cluster for Oracle® 10g should consist of a minimum of two servers (as mentioned in the Server Specification). The following are the general requirements for the Oracle® 10g Cluster:

- The cluster should be a minimum of two nodes.
- The Server Cluster must be based on the server specifications as listed above in the "Server Specification" section.
- The OS on all the nodes must be Microsoft Windows 2003 Enterprise Server, with the license (25 CALs) to be included in an SPLA environment.
- The OS partitioning should follow a three-level approach: C:\OS, D:\Application, E:\LOGS.
- The physical storage of the cluster should be a SAN (see "SAN Specifications").
- The connectivity of the cluster should be to a Layer 4-7 (intelligent) switch with GSLB (Global Server Load Balancing) modules installed.
- Any form of TRL (Transaction Rate Limiting) on the switch would be preferred for the cluster.
- The cluster should be such that the L4-7 switch is able to route queries (for purposes of balancing) outside the cluster node, based on a wide variety of weightages.
- The CBR development team will have Terminal Services access to this server.
- A complete auditing system should be available to keep track of user activity.
- The server deployment will be dedicated to CBR, and no other client of the Vendor will have access to it.

MS SQL® Cluster Specifications

The cluster for Microsoft SQL 2003 Enterprise should consist of a minimum of two servers (as mentioned in the Server Specification). The following are the general requirements for the Microsoft SQL 2003 Enterprise Cluster:

- The cluster should be a minimum of two nodes.
- The Server Cluster must be based on the server specifications as listed above in the "Server Specification" section.
- The OS on all the nodes must be Microsoft Windows 2003 Enterprise Server, with the license (25 CALs) to be included in an SPLA environment.
- The OS partitioning should follow a three-level approach: C:\OS, D:\Application, E:\LOGS.
- The physical storage of the cluster should be a SAN (see "SAN Specifications").
- The connectivity of the cluster should be to a Layer 4-7 (intelligent) switch with GSLB (Global Server Load Balancing) modules installed.
- Any form of TRL (Transaction Rate Limiting) on the switch would be preferred for the cluster.
- The cluster should be such that the L4-7 switch is able to route queries (for purposes of balancing) outside the cluster node, based on a wide variety of weightages.

Application Server Specifications

The general requirements mentioned below constitute "minimum" requirements, and CV/HP who quote anything above the minimum should highlight this in their quote.

- Branded Server OEM
- Dual Intel Xeon 3.2 GHz Architecture
- Minimum: 2GB ECC DDR RAM
- 73 GB x 4 (RAID 5e implemented)
- SCSI III Architecture, with 15,000 RPM spin for the spindle
- SCSI III Controller
- The hard drives must be hot-pluggable and hot-swappable
- Dual NIC 10/100/1000 auto-sensing
- Dual power supplies that are hot-pluggable and hot-swappable
- IP Addresses: Minimum 5 (8 assigned, 5 usable, 1 gateway, 1 broadcast and 1 subnet)
- Microsoft Windows 2003 Enterprise Edition with full Service Packs
- Standard rack-mount configuration
- Enterprise-level client agent installed for antivirus & worm protection
- Enterprise-level client agent installed for daily, weekly and scheduled backups based on incremental and/or whole backup values

SAN Specifications

The general requirements for the SAN are as follows:

- SCSI based (SCSI III Architecture)
- Minimum of 100 GB usable in RAID 5 configuration
- Dual controller cards
- Fibre Channel interconnects for high input/output (I/O) performance
- The SAN should have multiple disks providing multiple physical spindles to optimally allocate database files for higher performance
- Spin speed should be 15,000 RPM
- Microsoft Windows 2003 Enterprise Edition with full Service Packs
- Standard rack-mount configuration
- Same-day warranty for service &/or replacement by OEM
- Enterprise-level client agent installed for antivirus & worm protection
- Enterprise-level client agent installed for daily, weekly and scheduled backups based on incremental and/or whole backup values

Network Specifications

The general requirements for the network are as follows:

- Multiple connectivity with multiple Gigabit Ethernet connections to Tier I carriers (please provide the complete Tier I connectivity mix of carriers)
- Minimum port connectivity to be 100 Mbps
- Full DNS services (high-traffic)
- Dedicated IP addresses (32 IP addresses to be allotted)
- 100.00% network up-time guarantee
- 99.99% server up-time guarantee during 07:00 hrs to 23:00 hrs PST
- 99.9% server up-time guarantee during the remaining hours
- SNMP should be enabled
- Border router to be a minimum of Cisco 72XX or equivalent, controlled by the CV/HP
- Edge router to be a minimum of Cisco Catalyst 6500 or equivalent, controlled by the DC
- NetFlow information should be turned on
- NetFlow information to be captured using tools like Scrutinizer or equivalent
- Ping time from Pakistan should be 500 ms or less
- Ping times from within the US should be 100 ms or less
- Processing speed in PPS should be approximately 25 million
- RPF (Reverse Path Forwarding) should be implemented on the border router

Security Specifications

The general requirements for security are as follows:

- Minimum port connectivity to be 100 Mbps
- IPS (Intrusion Prevention System) to be in place
- Vulnerability scanning to be provided at no additional cost on the network from an external source.
  VA can be requested as many times as needed during the contract period
- Mitigation devices against DoS/DDoS attacks to be in place
- Stateful inspection firewall to be in place with a minimum of 128,000 concurrent sessions. A 50,000 setups-per-second rate is applicable (as a bare minimum) on all devices in the network security arena
- DPI (Deep Packet Inspection) to be enabled on the firewall
- Gateway-level anti-virus protection
- Server anti-virus protection
- SPAM protection
- Harmful attachment protection
- Dual in-line firewall protection with 100% fail-over mechanism protection (high availability)
- IP/server-specific firewall policies: up to 500 policies on MZ and DMZ (CBR will provide policies)
- Firewall logging to be enabled for all accesses; CBR staff will have real-time access to these logs
- Layer 3 switch filtering
- Layer 4-7 switch filtering
- Malicious URI filtering (list of URIs to filter to be supplied by Client)
- nIDS & hIDS to be installed either directly on the system or as a bundled service on any one of the network security gear
- Dual in-line checks against viruses, worms, exploits and malicious traffic to be applicable
- Same-day warranty for service &/or replacement by OEM
- Custom-defined signatures to be in place to thwart any incoming traffic deemed malicious
- All these devices should be under the direct control / operation of the CV/HP

Managed Services Requirement

The general requirements for managed services are:

- Provide Level I, Level II and Level III customer & technical support to CBR during office hours / time in Pakistan
- Local ticket-based support
- Dedicated fully certified System Administrator
- Dedicated fully certified Network Administrator
- Dedicated fully certified Oracle Database Administrator for purposes of replication and server-side administration
- All Level I through Level III services with respect to IP infrastructure hosting and management to be provided by the CV/HP
- Security analysis with respect to SQL injection
- Response time for a call to be 15 minutes or less from when support tickets are opened
- 24/7 availability of telephone support to designated personnel
- Stress testing
- Load testing
- Redesign of the submission process if applicable
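As an added worked example (not part of the RFP), the following Python script turns the rules of the "Uptime Requirement & SLA" section into a monthly Service Outage Credit calculation: 99.99% during 07:00-23:00 and 99.9% during the remaining hours, monthly calculation, exempt allowance, a one-day minimum for outages over 20 minutes, and a cap of one Monthly Access Charge. The sample outages and the 30,000-unit monthly charge are constructed, and the pro-rata credit formula, the definition of one "day" of credit, and the reading that the one-day minimum needs at least one chargeable minute are my assumptions where the RFP text is ambiguous.

```python
import calendar
from datetime import datetime, timedelta
# RFP targets: 99.99% during 07:00-23:00 (peak), 99.9% during the remaining hours.
PEAK_START, PEAK_END = 7, 23
TARGET = {"peak": 0.9999, "offpeak": 0.999}
MIN_CREDIT_OUTAGE = timedelta(minutes=20)   # longer outages earn at least one day

def window(t: datetime) -> str:
    return "peak" if PEAK_START <= t.hour < PEAK_END else "offpeak"

def allowance_minutes(year: int, month: int) -> dict:
    """Exempt downtime per window for the month (16 h/day peak, 8 h/day off-peak)."""
    days = calendar.monthrange(year, month)[1]
    hours = {"peak": 16 * days, "offpeak": 8 * days}
    return {w: hours[w] * 60 * (1 - TARGET[w]) for w in hours}

def split_outage(start: datetime, end: datetime) -> dict:
    """Count downtime minutes per window, stepping minute by minute so an
    outage that crosses 07:00 or 23:00 is measured against the right target."""
    mins = {"peak": 0, "offpeak": 0}
    t = start
    while t < end:
        mins[window(t)] += 1
        t += timedelta(minutes=1)
    return mins

def outage_credits(outages, year: int, month: int, monthly_charge: float) -> float:
    """Service Outage Credit for one month of reported outages [(start, end), ...].
    Assumed readings of the RFP (not stated there): credit is pro rata to chargeable
    minutes, one 'day' of credit is monthly_charge / days in month, and the one-day
    minimum applies to any outage over 20 minutes with at least one chargeable minute."""
    days = calendar.monthrange(year, month)[1]
    remaining = allowance_minutes(year, month)      # exempt budget, consumed in order
    minutes_in_month = days * 24 * 60
    total = 0.0
    for start, end in sorted(outages):
        mins = split_outage(start, end)
        chargeable = 0.0
        for w in ("peak", "offpeak"):
            exempt = min(mins[w], remaining[w])
            remaining[w] -= exempt
            chargeable += mins[w] - exempt
        if chargeable <= 0:
            continue
        credit = monthly_charge * chargeable / minutes_in_month
        if end - start > MIN_CREDIT_OUTAGE:
            credit = max(credit, monthly_charge / days)
        total += credit
    return round(min(total, monthly_charge), 2)   # cap: one Monthly Access Charge

# Constructed sample month (June 2009, 30 days): three outages, 30,000-unit charge.
SAMPLE_OUTAGES = [
    (datetime(2009, 6, 3, 10, 0), datetime(2009, 6, 3, 10, 2)),      # within peak allowance
    (datetime(2009, 6, 10, 22, 50), datetime(2009, 6, 10, 23, 30)),  # 40 min, crosses 23:00
    (datetime(2009, 6, 20, 1, 0), datetime(2009, 6, 20, 1, 10)),     # off-peak budget used up
]

if __name__ == "__main__":
    # peak allowance ~2.88 min, off-peak 14.4 min; credits for the sample: 1006.94
    print(allowance_minutes(2009, 6), outage_credits(SAMPLE_OUTAGES, 2009, 6, 30000))
```

Running it shows why the window split matters: at 99.99% over 16 hours a day, a 30-day month allows under three minutes of peak-hour downtime before credits start.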
