KENYA COMMERCIAL BANK LIMITED

REQUEST FOR PROPOSAL

IT/AUGUST 2014/SUPPLY AND IMPLEMENTATION OF A DATABASE AND WEB APPLICATION SECURITY/FIREWALL SOLUTION (RE-TENDER)

Release Date: Friday, 22nd August 2014

Last Date for Receipt of bids: Friday, 5th September 2014 at 3.00pm (GMT+3) Nairobi, Kenya

ISSUE OF RFP DOCUMENT TO PROSPECTIVE BIDDERS

TENDER FOR SUPPLY AND IMPLEMENTATION OF A DATABASE AND WEB APPLICATION SECURITY/FIREWALL SOLUTION (RE-TENDER)

This form serves as an acknowledgement of receipt of the tender and participation. This page is to be completed immediately on download and a scanned copy e-mailed to procurement@kcb.co.ke. Firms that do not register their interest immediately in this manner may not be sent the RFP addenda should any arise.

Table 1: Registration of Interest to Participate

Item / Supplier Details
Name of Person:
Organization Name:
Postal Address:
Tel No:
Fax No:
Email Address (this e-mail address should be clearly written, as communication with bidders shall be through e-mail):
Signature:
Date:
Company Stamp:
Commercial in confidence

IT/August 2014/ DATABASE AND WEB APPLICATION SECURITY/FIREWALL SOLUTION


Page 2 of 58

Table of Contents

IT/AUGUST 2014/SUPPLY AND IMPLEMENTATION OF A DATABASE AND WEB APPLICATION SECURITY/FIREWALL SOLUTION (RE-TENDER) .... 1
DEFINITIONS .... 4
1.1 INTRODUCTION .... 5
1.2 Background of the Project .... 5
1.3 Aims and Objectives of the project .... 5
1.4 Format of RFP Response and Other Information for Bidders .... 6
SECTION 2 SCOPE OF WORK .... 16
SECTION 3 - GENERAL CONDITIONS OF CONTRACT .... 20
3.1 Introduction .... 20
3.2 Award of Contract .... 20
3.3 Application of General Conditions of Contract .... 20
3.4 Ownership .... 20
3.5 Bid Validity Period .... 20
3.6 Performance Security .... 21
3.7 Delays in the Bidder's Performance .... 21
3.8 Liquidated damages for delay .... 22
3.9 Governing Language .... 22
3.10 Applicable Law .... 22
3.11 Bidder's Obligations .... 22
3.12 The Bank's Obligations .... 23
3.13 Confidentiality .... 24
3.14 Force Majeure .... 24
SECTION 4 : APPENDIXES .... 25
Appendix 1 Technical Requirements Matrix .... 25
APPENDIX 2 REFERENCE SITES .... 46
APPENDIX 3 - WEB APPLICATION SECURITY & COMMON ATTACKS .... 47
APPENDIX 4 : LIST OF DATABASES .... 48
APPENDIX 5 SUPPLIER QUESTIONNAIRE .... 49
APPENDIX 6 PERFORMANCE SECURITY FORM (FORMAT) .... 57
APPENDIX 7 CERTIFICATE OF COMPLIANCE .... 58


DEFINITIONS

For purposes of this document, the following definitions shall apply:

The Bank: KCB Ltd

Bid: The Quotation or Response to this RFP submitted by prospective Suppliers for fulfilment of the Contract.

Supplier: The Company awarded the task of supplying all the items described in this document, installing and commissioning them.

Contract: Supply, installation and commissioning of all the works, equipment and/or services that are described in this document, which will contribute towards meeting the objective of the RFP.

Warranty: Period from the time installation and testing is completed, during which the Contractor undertakes to replace/rectify equipment and/or installation failures at no cost to the Bank.


1.1 INTRODUCTION

The Kenya Commercial Bank Limited (hereinafter referred to as the Bank) is incorporated in Kenya and is a leading commercial banking group in the East African region, renowned for its diversity and growth. In addition to Kenya, it has other subsidiaries, namely: KCB (Tanzania) Limited, a banking subsidiary operating in Tanzania; KCB (Uganda) Limited, a banking subsidiary operating in Uganda; KCB (Sudan) Limited, a banking subsidiary operating in Sudan; KCB (Rwanda) Limited, a banking subsidiary operating in Rwanda; and KCB Burundi, a banking subsidiary operating in Burundi. The Head Office for the group is located in KENCOM House, Nairobi. The Bank's vision is to be the preferred financial solutions provider in Africa with a global reach.

The platform is anchored on consolidation across our existing business, expanding and modernizing delivery channels, improving operational efficiencies, turning in returns commensurate with the level of investment, and compliance with all regulatory and internal policy guidelines.

This document therefore constitutes the formal Request for Proposals (RFP) for Supply and Implementation of a Database and Web Application Security/Firewall solution and is being availed on an open tender basis.
1.2 Background of the Project

The bank operates in a highly computerised environment that includes maintaining connections to its business partners and to the world at large through the internet and dedicated point-to-point connections. Therefore, like similar organisations, it is prone to business interruptions as a result of failed or malfunctioning systems, business data corruption or stolen data.

Computer system holes and vulnerabilities make it possible to exploit insecure implementations and may result in system failures and exploits, whether by malice, mistake or innocently. Further, the bank needs to ensure its systems are protected and implemented as per best practice and thereby avoid damage to itself or business partners.
1.3 Aims and Objectives of the project

The KCB Group has decided to implement Database and Web Application Firewall solutions to enhance the security of Critical Systems that are accessed by internal as well as external stakeholders, as part of an overall strategy to implement more secure, productive, industry-standard information technology (IT) management processes and supporting IT management applications. Proposal responses are expected from suppliers of database and web application firewall solutions.

The information in this document and its appendices and attachments is confidential and is subject to the provisions of our non-disclosure agreement and should not be disclosed to any external party without explicit prior written consent of Kenya Commercial Bank.

Objectives

The purpose of the assignment is to acquire, implement and maintain Database and Web Application Firewall solutions for the KCB Group that will improve KCB Group's security of all public / internet facing applications and reinforce the defense-in-depth approach in place.

Based on KCB Group strategy, the project will help KCB Group to mitigate the risks related to web access control operations by:

- Automatically learning the web application structure and user behavior
- Virtually patching databases and applications through vulnerability scanner integration
- Updating database and web defenses with research-driven intelligence on current threats
- Delivering high performance, business-relevant reporting and alerts

1.4 Format of RFP Response and Other Information for Bidders

1.4.1 The overall summary information regarding the SUPPLY AND IMPLEMENTATION OF A DATABASE AND WEB APPLICATION SECURITY/FIREWALL SOLUTION is given in section 2 Scope of Services and the summary in 1.3 Aims and Objectives. The bidder shall include in their offer any additional services considered necessary for the successful implementation of their proposal.
1.4.2 Proposals from bidders should be submitted in two distinct parts, namely Technical proposal and financial proposal, and these should be in two separate sealed envelopes, both of which should then be placed in a common sealed envelope marked:

IT/AUG 2014/ DATABASE AND WEB APPLICATION SECURITY/FIREWALL SOLUTION
DO NOT OPEN BEFORE Friday, 5th September 2014 at 3.00 pm (GMT+3) Nairobi Kenya

The two separate inner envelopes should be clearly marked "Technical Proposal" and "Financial Proposal", respectively, and should bear the name of the Bidder.
1.4.3 The Technical Proposal should contain the following:

Bidders willing to be considered for SUPPLY AND IMPLEMENTATION OF A DATABASE AND WEB APPLICATION SECURITY/FIREWALL SOLUTION are expected to furnish the Bank with, among others, the following vital information, which will be treated in strict confidence by the Bank.

- Provide a company profile as per the supplier questionnaire in Appendix 5.
- The RFP response document duly signed as per Appendix 7 CERTIFICATE OF COMPLIANCE.
- Approval licenses by the various bodies for compliance/manufacturer authorization MUST be included where applicable.
- Audited financial statements of the company submitting the RFP bid, for the last two years.
- Demonstrate capability and capacity to provide technical and functional requirements and functionalities as per KCB requirements in section 2.0 Scope of work.
- All copies of any certificates included in the bid response should be certified as true copies of the original, else the bank may not use them in the evaluation process.
1.4.4 The Financial Proposal should clearly indicate the total cost of carrying out the solution as follows:

a. The Supplier shall provide a firm, fixed price for the Original Contract Period. All costs associated with the required system shall be included in the prices. Kindly note that the cost should include supply, installation and commissioning of the system inclusive of all freight charges and applicable duties and taxes (VAT and withholding Tax). Provide an itemized list of all items included and summarize your costs as shown in the table below:

Columns: No. | Description | Unit | Qty | Unit Cost (USD) | Sub Total Costs (USD) | Taxes (USD) | Grand Total Cost (USD)

1. Software/License Cost
2. Hardware/Appliance Costs
3. Installation and Implementation costs
4. Training
5. Annual Maintenance Cost for software licences Year 1
6. Annual Maintenance Cost for Hardware/Appliance Year 1
7. Annual Local Vendor Support Year 1 (where applicable)
8. Logistics costs and other costs
Software, implementation, Training cost inclusive of all taxes
10. Annual Maintenance Cost for software licences Year 2
11. Annual Maintenance Cost for software licences Year 3
12. Annual Maintenance Cost for Hardware/Appliance Year 2
13. Annual Maintenance Cost for Hardware/Appliance Year 3
14. Annual Local Vendor Support Year 2
Annual Local Vendor Support Year 3
Total Recurrent costs (Year 2&3)
Total cost of ownership over 3 years inclusive of all taxes (USD)
Total cost of ownership over 3 years inclusive of all taxes (KSHS)

(Cells marked n/a in the original table indicate columns that do not apply to that row.)
Notes
The total cost above should be inclusive of all taxes and duties (VAT, duties, freight costs and withholding tax).

b. Additional Cost to Complete. Provide an itemized list of any items not included above by the Bank and related costs that the Supplier deems necessary to provide the information to meet the requirements specified in the proposal. Failure to provide said list shall not relieve the Supplier from providing such items as necessary to meet all of the requirements specified in the proposal at the Fixed Price Purchase Costs proposed.

NOTE: The Financial proposal MUST BE IN A SEPARATE SEALED ENVELOPE CLEARLY MARKED "FINANCIAL PROPOSAL".
1.4.5 Soft copies of each proposal are to be provided in the standard Microsoft Office suite of programs or Adobe Reader format and delivered together with the hard copy of the tender. NOTE that only the information in the hard copy bound bid document shall be considered as the MAIN source document.

1.4.6 Bidders are requested to hold their proposals valid for ninety (90) days from the closing date for the submission. The Bank will make its best efforts to arrive at a decision within this period.

1.4.7 Assuming that the Contract will be satisfactorily concluded, the bidders shall be expected to commence the assignment after the final agreement is reached.
1.4.8 The bid documents shall be addressed to the following address and dropped at the tender box on the 5th Floor, Kencom House, Wing B on or before the closing date.

Head of Procurement
Kenya Commercial Bank
5th Floor Kencom House
P.O. Box 48400, 00100
Nairobi, Kenya

Please note that tenders received by facsimile or electronic mail will be rejected.
1.4.9 If a bidding firm does not have all the expertise and/or resources for the assignment, there is no objection to the firm associating with another firm to enable a full range of expertise and/or resources to be presented. The request for Joint Venture shall be accompanied with full documented details of the proposed association.

1.4.10 In the case of a Joint Venture or Association, all the firms constituting the Joint Venture or Association will be jointly and severally liable, and at least one firm in the Joint Venture or Association shall be financially capable of meeting the contract requirements and potential liabilities on its own and shall assume contracting responsibility and liability for satisfactory execution of the assignment.

1.4.11 The contracting arrangements shall define clearly the responsibilities and the services to be provided by each firm in the case of a joint venture.

1.4.12 The Bank reserves the right to accept or to reject any bid, and to annul the bidding process and reject all bids at any time prior to the award of the contract, without thereby incurring any liability to any Bidder or any obligation to inform the Bidder of the grounds for its action.

1.4.13 The vendor's terms and conditions will not form part of any contract with KCB in relation to this tender. Canvassing is prohibited and will lead to automatic disqualification.

1.4.14 Cost of bidding
The Bidder shall bear all costs associated with the preparation and submission of its bid, and the Bank will in no case be responsible or liable for those costs, regardless of the conduct or outcome of the bidding process.
1.4.15 Clarification of Bidding Document

i. All correspondence related to the contract shall be made in English.
ii. Should there be any doubt or uncertainty, the Bidder shall seek clarification in writing addressed to the Head of Procurement through e-mail to: procurement@kcb.co.ke.
iii. Any clarification sought by the bidder in respect of the RFP shall be addressed at least five (5) calendar days before the deadline for submission of bids, in writing to the Head of Procurement through the same mail.
iv. It is the responsibility of the Bidder to obtain any further information required to complete this RFP.
v. Any clarification requests and their associated response will be circulated to all Bidders.
vi. The last date for receipt of requests for clarifications from bidders is Thursday, 28th August 2014.
vii. The RFQ Clarification Template is as follows:

Company Name:
Contact Person: (primary Supplier contact)
E-mail:
Phone:
Fax:
Document Number/Supplier #:

No. | Date (1) | Section/Paragraph (2) | Question
1   |          |                       |
2   |          |                       |
3   |          |                       |

(1) Question(s) mailing date.
(2) From the KCB Document.

The queries and replies thereto shall then be circulated to all other prospective bidders (without divulging the name of the bidder raising the queries) in the form of an addendum, which shall be acknowledged in writing by the prospective bidders.
Enquiries for clarifications should be sent by e-mail to: procurement@kcb.co.ke
1.4.16 Amendment of Bidding Document
At any time prior to the deadline for submission of bids, the Bank, for any reason,
whether at its own initiative or in response to a clarification requested by a
prospective Bidder, may modify the bidding documents by amendment.
All prospective Bidders that have received the bidding documents will be notified of the amendment in writing, and it will be binding on them. It is therefore important that bidders give the correct details in the format given on page 1 at the time of collecting/receiving the RFP document.
To allow prospective Bidders reasonable time to take any amendments into
account in preparing their bids, the Bank may at its sole discretion extend the
deadline for the submission of bids based on the nature of the amendments.
1.4.17 Deadline for Submission of Bids
Bids should be addressed to the Head of Procurement and sent for receipt on or before Friday, 5th September 2014. Any bid received by the Bank after this deadline will be rejected. Those submitting tenders or their representatives may attend the tender opening at the date and time of submission.
1.4.18 Responsiveness of Proposals
The responsiveness of the proposals to the requirements of this RFP will be
determined. A responsive proposal is deemed to contain all documents or
information specifically called for in this RFP document. A bid determined not
responsive will be rejected by the Bank and may not subsequently be made
responsive by the Bidder by correction of the non-conforming item(s).
1.4.19 Bid Evaluation and Comparison of Bids
Technical proposals will be evaluated and will form the basis for bid comparison. All tender responses will be evaluated in three phases:
a. Detailed technical evaluation to determine technical compliance and support responsiveness of the vendor
c. Financial evaluation to consider pricing competitiveness and the financial capability of the vendors
Once the bids are opened, bid evaluation will commence.

1.4.19.1 Technical Evaluation

The technical evaluation will include a desktop evaluation and additional detailed evaluations. The desktop evaluation will be scored as follows:
i. Vendor's ability to meet and exceed the objectives of the RFP together with the functional requirements detailed in Appendix 1 and Appendix 4.
ii. Experience and reliability of the Supplier's organization. Therefore, the Supplier is advised to submit any information which documents successful and reliable experience in past performances, especially those performances related to the requirements of this RFP.

iii. The Supplier should provide the following information related to previous and current services/contracts performed by the Supplier's organization and any proposed subcontractors which are similar to the requirements of this RFP (this information may be shown on the form attached as Exhibit A to this RFP or in a similar manner):
  a. Name, address, and telephone number of client/contracting agency and a representative of that client/agency who may be contacted for verification of all information submitted;
  b. Dates and locations of the service/contract; and
  c. A brief, written description of the specific prior services performed and requirements thereof.
iv. Proposals will be evaluated based on the Supplier's distinctive plan for performing the requirements of the RFP. Therefore, the Supplier should present a written narrative which demonstrates the method or manner in which the Supplier proposes to satisfy these requirements. The language of the narrative should be straightforward and limited to facts, solutions to problems, and plans of action.

Where the words "shall" or "must" are used, they signify a required minimum function or system capacity that will heavily impact the Bidder's final response rating. Where the words "may" or "desired" are used, they signify that the feature or capacity is desirable but not mandatory; therefore, the specifications in question will have minimal impact on the Bidder's final response rating.

The method by which the proposed method of performance is written will be left to the discretion of the Supplier. However, the Supplier should address each specific paragraph and subparagraph of the Specifications by paragraph and page number as an item for discussion. Immediately below these numbers, write descriptions of how, when, by whom, with what, to what degree, why, where, etc., the requirements will be satisfied.
1.4.19.2 Demo / Proof of Concept

After the desktop evaluation as per the RFP response, the prospective supplier may be required to give further detailed proof of the viability of the solution, highlighting the functionality as represented in the RFP. This may include all or part of the following:

- Vendor presentations
- A solution demo with the actual installed solution
- A Proof of Concept installation at the bank's premises in a test scenario if so required
- Site visits to current clients of the supplier who have implemented a similar solution as put forward in the RFP response

It should be noted that vendors will be progressively evaluated from one stage to the other. Only shortlisted vendors will progress to the next stage.
1.4.19.3 Site visits

In the event that the bank may need to visit a client site, vendors will be notified in writing. The bank may also make surprise unannounced visits to the vendor's offices to verify any information contained in the bid document. All visits are at the discretion of the bank. Vendors may also be called upon to make brief and short presentations and/or demos on their technical solutions before a panel constituted by the bank.

1.4.19.4 Financial Evaluation (separate sealed envelope)

Financial evaluation will concentrate on the Costs inclusive of VAT and other applicable taxes where necessary and Man/Day estimates, where appropriate, broken down as per the table in 1.4.4. Kindly also note the following as regards financial evaluation.

a. Pricing
All bids in response to this RFP should be expressed in USD or KSH. For those expressed in USD a Kenya Shilling equivalent MUST be given, clearly indicating the exchange rate. Those who do not indicate the Kenya Shilling equivalent MAY not be considered further for evaluation.
NOTE: Expressions in other currencies shall not be permitted.
The VAT amount must clearly be stipulated and separated from the base costs. The quoted prices should be valid for a minimum of 90 days. Any other fees required for deployment and ongoing support must be quoted separately. Provide an itemized list of any other items and related costs that the Supplier deems necessary to meet the requirements specified in the proposal. Failure to provide said list shall not relieve the Supplier from providing such items as necessary to meet all of the requirements specified in the proposal at the Fixed Price Purchase Costs proposed.

KCB SHALL ONLY MAKE PAYMENTS THROUGH A KCB ACCOUNT AND THUS ALL BIDDERS ARE ENCOURAGED TO OPEN AN ACCOUNT.
The Bank will not make any payments in advance. The Bank will issue an LPO for all the equipment and/or services ordered. The LPO will be paid within 45 days after delivery, testing, installation and acceptance of the equipment and/or services supplied. The bank will not accept partial deliveries. Payment for equipment and/or services will only be made once the entire ordered equipment and/or services are delivered, installed and commissioned.
b. Correction of Errors
Bids determined to be substantially responsive will be checked by the Bank for any arithmetical errors. Errors will be corrected by the Bank as below:
- Where there is a discrepancy between the amounts in figures and in words, the amount in words will govern, and
- Where there is a discrepancy between the unit rate and the line total resulting from multiplying the unit rate by the quantity, the unit rate as quoted will govern.
The price amount stated in the Bid will be adjusted by the Bank in accordance with the above procedure for the correction of errors.

c. Financial stability
This will involve an assessment of key standard financial ratios and trends for the last 2 years such as profitability, leverage, debt ratio, gross margins and sales turnover. However, the Bank is under no obligation to award the tender as per clause 1.4.12.


SECTION 2 SCOPE OF WORK

The security of IT applications has become a mission-critical aspect of the IT Security strategy. We are not only seeking a supplier for the software and hardware but also a partnership with the provider to help KCB Group in leveraging this technology through a sound implementation approach with proven organizational adoption tools. Based on the above, the scope will include the following:

2.1 Supply, install, configure and maintain Database and Web Application Firewall solutions (software, hardware) that will meet the functional and technical requirements.

2.2 Provide Database Firewall solutions with core capabilities for the following database platforms:
- Oracle
- MS-SQL
- Sybase
- DB2
- Informix
- MySQL
- Teradata
- PostgreSQL
- Netezza
2.3 Provide Web Application Firewall solutions with core capabilities of supporting Web and portal applications such as Outlook Web Access (OWA), SharePoint and all custom in-house web applications.

2.4 Develop and propose an implementation methodology with a roadmap/schedule with monitoring targets and risks towards the desired target.

2.5 Provide the implementation services of the solution as stated in the proposed roadmap, from installation and configuration to final deployment of the solution.

2.6 Deliver training services on the Database and Web Application Firewall solution during the implementation for technical staff, for knowledge transfer on both the functional and technical aspects.


2.7 Deliver documentation of the solution from the installation to deployment.

2.8 Provide maintenance service for the solution including software version upgrade and hardware replacement.

2.9 Provide support and assistance including both remote and local/onsite assistance for resolution of major technical problems and/or issues.

2.10 Current Installations

This section provides a brief overview of the KCB establishment that is relevant to the proposed solution. The Kenya Commercial Bank is incorporated in Kenya. The bank's establishment in Kenya consists of 167 branches.

It has 4 other subsidiaries:
- KCB Rwanda - Headquarter + 9 branches
- KCB Tanzania - Headquarter + 10 branches
- KCB Uganda - Headquarter + 14 branches
- KCB Sudan - Headquarter + 20 branches

The Head Office for the group is located in Kencom House, Nairobi, Kenya. Further information about the bank can be obtained from the group's website (http://www.kcbbankgroupgroup.com).

2.11 Brief Overview of Technical Systems Environment

The bank has several computerised systems, the most relevant (for the purpose of this project) of which are summarised below.

Database / Programming Environments
- MS SQL Server 2000 / 2005 / 2008
- Oracle; various flavours of the database including but not limited to versions 8i / 9i / 10g / 11i
- Informix
- JBOSS
- Microsoft .Net 2.0 and above
- Sybase Adaptive Enterprise Server database
- Client-side applications developed in Visual Studio / .Net and PowerBuilder 6.0


Web Applications
- T24 Core banking system from Temenos. This application runs on HP-UX at the backend while the clients are browser based (Firefox and Internet Explorer version 6.1 and above). The backend system is programmed using JBOSS and Oracle.
- Microsoft SharePoint 2007
- Email Applications: MS Exchange 2010. Proxy Servers / firewalls: Microsoft ISA Server 2006, CISCO PIX, ASA and Checkpoint firewalls. The Microsoft ISA Server 2006 will be replaced with Microsoft Forefront Threat Management Gateway during the year.
- Sybrin clearing system on Windows environment
- Internet & Mobile banking applications
- TranzWare card system
2.12 Functional Requirements
Functional requirements are indicated in Appendix 1 (Technical Requirements Matrix). The section should be completed in its entirety in the vendor response.

Delivery, Testing and Acceptance (On Successful Bidding)
The product will be deemed to have been:
a) Delivered when
   i. The complete machine-readable form of the product together with the product documentation is received at KCB's primary location (IT Division, 7th floor Kencom House, Nairobi); and
b) Tested / POC
   ii. The bank will test the proposed solution in a test environment to ascertain that all the functionality as put forward by the supplier is met. Incorrect information discovered at this time will constitute grounds for disqualification. It is the responsibility of the supplier to ensure the requirement defined in the proposal is achieved. The signed proposal will be the sole reference document for any discussion of issues arising related to acceptance; and
c) Accepted when
   iii. The solution has been successfully installed and configured on the Production environment by the representative of the Supplier as per product documentation; and
   iv. Acceptance Criteria: the Bank will accept the proposed deliverable after it has been fully tested by the bank and confirmed to meet the requirement as specified in the original RFP.


KCB shall endeavour to provide the Production environment as soon as is
practically possible. Delivery and performance of the Services shall be made by
the successful Bidder in accordance with the time schedule as per Proposal and
subsequent Agreement.


SECTION 3 - GENERAL CONDITIONS OF CONTRACT


3.1 Introduction
Specific terms of contract shall be discussed with the bidder whose proposal
will be accepted by the Bank. The resulting contract shall include but not be
limited to the general terms of contract as stated below from 3.2 to 3.14.
3.2 Award of Contract
Following the opening and evaluation of proposals, the Bank will award the
Contract to the successful bidder whose bid has been determined to be
substantially responsive and has been determined as the best evaluated bid.
The Bank will communicate to the selected bidder its intention to finalize the
draft conditions of engagement submitted earlier with his proposals.
After agreement has been reached, the successful Bidder shall be invited for
signing of the Contract Agreement to be prepared by the Bank in
consultation with the Bidder.
3.3 Application of General Conditions of Contract
These General Conditions (sections 3.2 to 3.14) shall apply to the extent that
they are not superseded by provisions in other parts of the Contract that shall
be signed.
3.4 Ownership
The proposal should be modelled on perpetual licensing with annual
maintenance costs, which gives the bank the right to continue using the
product as is on expiry of the maintenance period.
The Supplier should include 2-year bundled support and indicate (as a
percentage of the product cost where applicable) the cost of continued
support after the two years. The bundled support cost should be clearly
separated from the cost of the product.

3.5 Bid Validity Period
Bidders are requested to hold their proposals valid for ninety (90) days from
the closing date for the submission.

3.6 Performance Security
The Bank may at its discretion require the successful bidder to furnish it with
Performance Security. The performance bond amount will be one hundred
percent (100%) of the total bid price before the bank can issue any Purchase
Order. The performance bond will be valid for a minimum of 9 months and must
be provided within 14 days from the date of written notification to the Supplier
by the bank to provide the bond. Failure to comply with this requirement will
void the tender award and the bank at its sole discretion may award the tender
to any other Supplier.
3.6.1 The Performance Security shall be in the form of a bank guarantee issued
by a commercial bank operating in Kenya and shall be in a format
prescribed by the Bank. The performance guarantee shall be submitted
within 10 days of notification of award.
3.6.2 The proceeds of the Performance Security shall be payable to the Kenya
Commercial Bank as compensation for any loss resulting from the Bidder's
failure to complete its obligations under the Contract.
3.6.3 The Performance Security will be discharged by the Company not later
than two months following the date of completion of the Bidder's
performance obligations, and the Bank's acceptance of the final report
as specified in the contract.
It is a condition of the bank that the Supplier guarantees the sufficiency and
effectiveness of the solution proposed to meet the bank requirements as
outlined in this document. The Bank will hold the Supplier solely responsible for
the accuracy and completeness of information supplied in response to this
tender. The bank will hold the Supplier responsible for the completeness of the
solution proposed and, were the Supplier to be awarded the tender, they
would implement the solution without any additional requirements from the
bank.
3.7 Delays in the Bidder's Performance
3.7.1 Delivery and performance of the Supply, installation and Maintenance of
Signage shall be made by the successful Bidder in accordance with the
time schedule as per Agreement.

3.7.2 If at any time during the performance of the Contract, the Bidder should
encounter conditions impeding timely delivery and performance of the
Services, the Bidder shall promptly notify the Bank in writing of the fact of
the delay, its likely duration and its cause(s). As soon as practicable after
receipt of the Bidder's notice, the Bank shall evaluate the situation and
may at its discretion extend the Bidder's time for performance, with or
without liquidated damages, in which case the extension shall be ratified
by the parties by amendment of the Contract.
3.7.3 Except in the case of force majeure as provided in Clause 3.13, a delay
by the Bidder in the performance of its delivery obligations shall render the
Bidder liable to the imposition of liquidated damages pursuant to Clause
3.8 (Liquidated damages for delay).
3.8 Liquidated damages for delay
The contract resulting out of this RFP shall incorporate suitable provisions for
the payment of liquidated damages by the bidders in case of delays in
performance of contract.
3.9 Governing Language
The Contract shall be written in the English Language. All correspondence
and other documents pertaining to the Contract which are exchanged by
the parties shall also be in English.
3.10 Applicable Law

This agreement arising out of this RFP shall be governed by and construed in
accordance with the laws of Kenya and the parties submit to the exclusive
jurisdiction of the Kenyan Courts.
3.11 Bidder's Obligations
3.11.1 The Bidder is obliged to work closely with the Bank's staff, act within its own
authority, and abide by directives issued by the Bank that are consistent
with the terms of the Contract.
3.11.2 The Bidder will abide by the job safety measures and will indemnify the
Bank from all demands or responsibilities arising from accidents or loss of
life, the cause of which is the Bidder's negligence. The Bidder will pay all
indemnities arising from such incidents and will not hold the Bank
responsible or obligated.
3.11.3 The Bidder is responsible for managing the activities of its personnel, or
subcontracted personnel, and will hold itself responsible for any
misdemeanors.
3.11.4 The Bidder will not disclose the Bank's information it has access to, during
the course of the work, to any other third parties without the prior written
authorization of the Bank. This clause shall survive the expiry or earlier
termination of the contract.
3.11.5 The Bidder shall appoint an experienced counterpart resource to handle
this requirement for the duration of the Contract. The Bank may also
demand a replacement of the manager if it is not satisfied with the
manager's work or for any other reason.
3.11.6 The Bidder shall take the lead role and be jointly responsible with the Bank
for producing a finalised project plan and schedule, including
identification of all major milestones and specific resources that the Bank
is required to provide.
3.11.7 The Supplier represents and warrants that it is entitled to respond to this
RFP and that it is fully entitled to the proposed Product by way of reseller
licensing or ownership and has the right to sell and/or licence the Product
as provided in their RFP response and shall hold KCB harmless from action
for infringement of patents and/or copyrights.

3.12 The Bank's Obligations
In addition to providing the Bidder with such information as may be required by
the Bidder, the Bank shall:
(a) Provide the Bidder with specific and detailed relevant information
(b) In general, provide all relevant information and access to Bank's
premises.

3.13 Confidentiality
The parties undertake on behalf of themselves and their employees, agents
and permitted subcontractors that they will keep confidential and will not
use for their own purposes (other than fulfilling their obligations under the
contemplated contract) nor without the prior written consent of the other
disclose to any third party any information of a confidential nature relating to
the other (including, without limitation, any trade secrets, confidential or
proprietary technical information, trading and financial details and any other
information of commercial value) which may become known to them under
or in connection with the contemplated contract. The terms of this Clause
2.15 shall survive the expiry or earlier termination of the contract.
3.14 Force Majeure
(a) Neither Bidder nor Bank shall be liable for failure to meet contractual
obligations due to Force Majeure.
(b) Force Majeure impediment is taken to mean unforeseen events, which
occur after signing the contract with the successful bidder, including but
not limited to strikes, blockade, war, mobilization, revolution or riots,
natural disaster, acts of God, refusal of license by Authorities or other
stipulations or restrictions by authorities, in so far as such an event prevents
or delays the contractual party from fulfilling its obligations, without its
being able to prevent or remove the impediment at reasonable cost.
(c) The party involved in a case of Force Majeure shall immediately take
reasonable steps to limit consequence of such an event.
(d) The party who wishes to plead Force Majeure is under obligation to inform
in writing the other party without delay of the event, of the time it began
and its probable duration. The moment of cessation of the event shall also
be reported in writing.
(e) The party who has pleaded a Force Majeure event is under obligation,
when requested, to prove its effect on the fulfilling of the contemplated
contract.


SECTION 4 : APPENDIXES
Appendix 1 Technical Requirements Matrix
Functional Requirements and Specifications
The tables below provide a feature summary for the products under
procurement. All products should be quoted for separately.
Please identify and describe where necessary the levels of support as: Full
Support, Partial Support and No Support:
Database Firewall
(Specification / Description / Level of support: the level of support is to
be indicated by the bidder for each description)

Supported Database Platforms:
  Oracle
  MS-SQL
  Sybase
  DB2 (including LUW, z/OS and DB2/400)
  Informix
  MySQL
  PostgreSQL
  Teradata
  Netezza
Deployment Modes:
  Network: non-inline sniffer, transparent bridge
  Agentless collection of 3rd party database audit logs
Performance Overhead:
  Network monitoring: zero impact on monitored servers
  Agent based monitoring: 1-3% CPU resources
Centralized Management across geographically dispersed locations:
  Web User Interface (HTTP/HTTPS)
  Command Line Interface (SSH/Console)
Centralized Administration across geographically dispersed locations:
  MX Server for centralized management
  Integrated management option
  Hierarchical management
Database Audit Details:
  SQL operation (raw or parsed)
  SQL response (raw or parsed)
  Database, Schema and Object
  User name
  Timestamp
  Source IP, Source OS, Source application
  Parameters used
  Stored Procedures
  DB Server restarts, row level operations
Privileged Activities:
  All privileged activity, DDL and DCL
  Schema Changes (CREATE, DROP, ALTER)
  Creation, modification of accounts, roles and privileges (GRANT, REVOKE)
Access to Sensitive Data:
  Successful and Failed SELECTs
Security Exceptions:
  Failed Logins, Connection Errors, SQL errors
Data Modification:
  INSERTs, UPDATEs, DELETEs (DML activity)
  All data changes
Stored Procedures:
  Creation, Modification, Execution
Triggers:
  Creation and Modification
Tamper-Proof Audit Trail:
  Audit trail stored in a tamper-proof repository
  Encryption or digital signing of audit data
  Role based access controls to view audit data (read-only)
Fraud Identification:
  Abnormal activity hours and source
  Unexpected user activity
  Unexpected Database growth/shrinkage
Data Leak Identification:
  Requests for classified data
  Unauthorized/abnormal data extraction
Database Security:
  Protocol Validation (SQL and protocol validation)
  Real-time alerts
  Dynamic Profile (White List security)
  Unauthorized activity on sensitive data
Platform Security:
  Operating system intrusion signatures
  Known and zero-day worm security
Network Security:
  Stateful firewall
  DoS prevention
Policy Updates:
  Regular Application Defense Center security and compliance updates
Real-Time Event Management and Report distribution:
  SNMP
  Syslog
  Email
  Incident management ticketing integration
  Custom followed action task workflow
  Integrated graphical reporting
  Real-time dashboard
  Real-time visibility of audit data
Server Discovery:
  Automated discovery of database servers
Data Discovery and Classification:
  Database servers
  Financial Information
  Credit Card Numbers
  System and Application Credentials
  Personal Identification Information
  Custom data types
User Rights Management (add-on option):
  Audit user rights over database objects
  Validate excessive rights over sensitive data
  Identify dormant accounts
  Track changes to user rights
Vulnerability Assessment:
  Operating System vulnerabilities
  Database vulnerabilities
  Configuration flaws
  Risk scoring and mitigation steps
Training:
  Standard product training at an authorized training center for 5 KCB
  staff. This should include training fees, travel and lodging expenses.
  Logistics and allowances to be computed at KCB rates.
Support:
  One year standard support on hardware and software
  Two year standard support on hardware and software
  Three year standard support on hardware and software
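The fraud identification, security exception and data leak identification rows in the matrix describe the detections a database firewall is expected to raise from its audit feed. The Python rule engine below is an added illustration of how those detections are expressed as policy over parsed audit records; it is not part of this RFP and not any bidder's product. The record layout, the thresholds, the account names, the addresses and the object names are all assumptions chosen for the demonstration, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Detection policy. Every threshold, account name, address and object name
# here is an assumption made for this demonstration, not a value from the RFP.
POLICY = {
    "business_hours": (7, 19),                    # 07:00 <= hour < 19:00
    "service_accounts": {"app_t24"},              # non-interactive application logins
    "app_servers": {"10.10.5.20", "10.10.5.21"},  # hosts a service account may use
    "sensitive_objects": {"CARD", "CUSTOMER"},    # objects holding classified data
    "extraction_row_threshold": 10_000,           # rows per SELECT before alerting
    "privileged_ops": {"GRANT", "REVOKE", "CREATE", "DROP", "ALTER"},
    "failed_login_threshold": 5,
    "failed_login_window": timedelta(seconds=60),
}

# Constructed sample of parsed audit records in the shape a database firewall
# would emit (timestamp, user, source IP, operation, object, status, rows).
SAMPLE_EVENTS = [
    {"ts": "2014-08-25 10:02:11", "user": "app_t24", "src_ip": "10.10.5.20",
     "op": "SELECT", "obj": "CUSTOMER", "status": "OK", "rows": 1},
    {"ts": "2014-08-25 10:02:12", "user": "app_t24", "src_ip": "10.10.5.20",
     "op": "UPDATE", "obj": "ACCOUNT", "status": "OK", "rows": 1},
    {"ts": "2014-08-25 11:15:00", "user": "dba1", "src_ip": "10.10.9.4",
     "op": "GRANT", "obj": "CARD", "status": "OK", "rows": 0},
    {"ts": "2014-08-25 11:30:00", "user": "app_t24", "src_ip": "10.10.5.20",
     "op": "LOGIN", "obj": "", "status": "FAIL", "rows": 0},
    {"ts": "2014-08-25 14:00:00", "user": "app_t24", "src_ip": "192.168.77.50",
     "op": "SELECT", "obj": "ACCOUNT", "status": "OK", "rows": 3},
    {"ts": "2014-08-25 23:41:07", "user": "jdoe", "src_ip": "192.168.77.9",
     "op": "SELECT", "obj": "CARD", "status": "OK", "rows": 250_000},
]
# Five failed logins from one host inside 21 seconds (a password-guessing burst).
SAMPLE_EVENTS += [
    {"ts": f"2014-08-25 11:20:{sec:02d}", "user": "sa", "src_ip": "172.16.3.3",
     "op": "LOGIN", "obj": "", "status": "FAIL", "rows": 0}
    for sec in (1, 4, 9, 15, 22)
]


def analyse(events, policy=POLICY):
    """Run the detection rules over a batch of audit records.

    Returns a list of (rule, user, src_ip, detail) tuples in time order.
    """
    alerts = []
    failures = defaultdict(deque)   # src_ip -> timestamps of recent failed logins
    burst_flagged = set()           # sources already reported for a burst
    start_h, end_h = policy["business_hours"]

    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S")
        user, src, op = ev["user"], ev["src_ip"], ev["op"]

        # Fraud identification: an interactive account active outside business hours.
        if user not in policy["service_accounts"] and not (start_h <= ts.hour < end_h):
            alerts.append(("after_hours", user, src, f"{op} {ev['obj']} at {ev['ts']}"))

        # A service account must only connect from its known application servers.
        if user in policy["service_accounts"] and src not in policy["app_servers"]:
            alerts.append(("unexpected_source", user, src, f"{op} from unknown host"))

        # Privileged activity: DDL and DCL are always reported.
        if op in policy["privileged_ops"]:
            alerts.append(("privileged_op", user, src, f"{op} on {ev['obj']}"))

        # Data leak identification: one query pulling an unusual volume of rows
        # from a sensitive object.
        if (op == "SELECT" and ev["obj"] in policy["sensitive_objects"]
                and ev["rows"] >= policy["extraction_row_threshold"]):
            alerts.append(("abnormal_extraction", user, src,
                           f"{ev['rows']} rows from {ev['obj']}"))

        # Security exceptions: N failed logins from one source inside the window.
        if op == "LOGIN" and ev["status"] == "FAIL":
            recent = failures[src]
            recent.append(ts)
            while recent and ts - recent[0] > policy["failed_login_window"]:
                recent.popleft()
            if (len(recent) >= policy["failed_login_threshold"]
                    and src not in burst_flagged):
                burst_flagged.add(src)
                alerts.append(("failed_login_burst", user, src,
                               f"{len(recent)} failures within "
                               f"{policy['failed_login_window'].seconds}s"))
    return alerts


if __name__ == "__main__":
    for rule, user, src, detail in analyse(SAMPLE_EVENTS):
        print(f"{rule:<20} user={user:<8} src={src:<14} {detail}")
```

Each rule maps to one row of the matrix (after-hours and unexpected source to Fraud Identification, the login burst to Security Exceptions, the large SELECT to Data Leak Identification, DDL/DCL to Privileged Activities); in a real deployment the policy values would come from the learned profile the matrix calls the Dynamic Profile rather than from constants.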

Specification for Database Activity Monitoring
(ID / Specification / Response)

Architecture
1 Is the solution appliance based or virtual appliance based?
2 Does the solution require deployment of agents on the database servers?
3 If so, there should be only one agent to monitor all DB activities
  including local DB traffic and network DB traffic
4 All agents regardless of deployment mode should be managed from the
  centralized management console
5 Agents should have only minimal overhead for the production DB servers
6 Agent should support AIX, HPUX, LINUX, Solaris and Windows platforms
7 There should not be additional agents required to be installed to
  monitor and block DB traffic/attack traffic if required
8 There should not be any 3rd party software to be installed for agents
9 Audit trails should be stored within the solution and should not be
  stored in any database
10 Audit trails should be tamperproof and should be stored in encrypted
   flat files.
11 Solution components should be managed centrally.
12 Solution should support the DB platforms below:
   Oracle
   MS-SQL (Microsoft SQL Server)
   DB2 (LUW, z/OS and DB2/400)
   Sybase
   Informix
   MySQL
   PostgreSQL
   Teradata
   Netezza
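The architecture requirements above, and the Tamper-Proof Audit Trail row of the Database Firewall matrix, ask for an audit trail kept outside any database, tamper-proof, with encryption or digital signing of the audit data. The Python example below is an added illustration of the signing half of that requirement, not code from this RFP or from any bidder: each record in a flat file carries an HMAC-SHA256 over its sequence number, the previous record's MAC and its content, so that editing, deleting or reordering a record breaks the chain. The record layout, the key and the sample events are assumptions constructed for the demonstration; encryption of the file at rest is a separate layer not shown here.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64   # stands in for the "previous MAC" of the very first record


def record_mac(key: bytes, seq: int, prev: str, event: dict) -> str:
    """HMAC-SHA256 over a canonical encoding of (seq, prev, event).

    Binding seq and prev into the MAC is what links a record to its
    predecessor; changing either is detected exactly like changing the event.
    """
    payload = json.dumps([seq, prev, event], sort_keys=True,
                         separators=(",", ":")).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


class AuditTrail:
    """Append-only trail; the list of JSON lines stands in for the flat file."""

    def __init__(self, key: bytes):
        self._key = key
        self._lines = []
        # Anchor this value somewhere the file's writer cannot reach (management
        # server, SIEM); without an anchor, silently dropping the newest records
        # cannot be detected.
        self.last_mac = GENESIS

    def append(self, event: dict) -> str:
        seq = len(self._lines)
        mac = record_mac(self._key, seq, self.last_mac, event)
        self._lines.append(json.dumps(
            {"seq": seq, "prev": self.last_mac, "event": event, "mac": mac},
            sort_keys=True))
        self.last_mac = mac
        return mac

    def lines(self) -> list:
        return list(self._lines)


def verify(lines, key: bytes, expected_last_mac=None):
    """Walk the chain and report the first record that fails.

    Returns (True, summary) for an intact trail, otherwise (False, reason).
    """
    prev = GENESIS
    for i, line in enumerate(lines):
        rec = json.loads(line)
        if rec["seq"] != i:
            return False, f"record {i}: sequence gap (missing or reordered record)"
        if rec["prev"] != prev:
            return False, f"record {i}: broken chain link"
        if not hmac.compare_digest(record_mac(key, i, prev, rec["event"]), rec["mac"]):
            return False, f"record {i}: MAC mismatch (content altered or forged)"
        prev = rec["mac"]
    if expected_last_mac is not None and prev != expected_last_mac:
        return False, "trail truncated: last MAC differs from the anchored value"
    return True, f"{len(lines)} records intact"


# Constructed sample events (invented, not real audit data).
SAMPLE_EVENTS = [
    {"user": "dba1", "op": "GRANT", "obj": "CARD"},
    {"user": "jdoe", "op": "SELECT", "obj": "CARD", "rows": 250000},
    {"user": "app_t24", "op": "UPDATE", "obj": "ACCOUNT", "rows": 1},
]


def build_sample_trail(key=b"demo-key-kept-off-the-appliance-disk"):
    trail = AuditTrail(key)
    for ev in SAMPLE_EVENTS:
        trail.append(ev)
    return trail


def tampered_copy(lines, how):
    """The file edits the verifier has to catch, applied to a copy of the trail."""
    lines = list(lines)
    if how == "modify":                       # change one record in place
        rec = json.loads(lines[1])
        rec["event"]["user"] = "nobody"
        lines[1] = json.dumps(rec, sort_keys=True)
    elif how == "delete":                     # remove a record from the middle
        del lines[1]
    elif how == "reorder":                    # swap two records
        lines[1], lines[2] = lines[2], lines[1]
    elif how == "truncate":                   # drop the newest record
        del lines[-1]
    return lines


if __name__ == "__main__":
    trail = build_sample_trail()
    key = b"demo-key-kept-off-the-appliance-disk"
    print("intact   ", verify(trail.lines(), key))
    for how in ("modify", "delete", "reorder", "truncate"):
        print(f"{how:<9}", verify(tampered_copy(trail.lines(), how), key, trail.last_mac))
```

The HMAC key must not be readable by whatever can write the file, otherwise the forger can simply re-sign; a signature with a private key held in the appliance (or an HSM) gives the same chain property with public verification. The truncation case shows why the bidder's answer to "tamper-proof" should cover where the latest MAC is anchored, not only how records are signed.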
Database Discovery
1 Solution should discover both new and existing database systems and
  should map all on the network.
2 Product should provide automated discovery of both new and existing
  database tables
3 Product should keep the historical information about the systems and
  their configuration.
4 Product should show changes since the last scan for DB discovery and
  configuration
5 Solution should support identification of rogue or test databases
6 Solution should discover asset management and change management
  processes
Data Classification
1 The product should perform data discovery and classification
2 Solution should detect sensitive data types, such as credit card
  numbers, social security numbers, etc., in database objects
3 The solution should locate custom data types in database objects
Vulnerability Assessments
1 Solution should have database vulnerability assessment tests for
  assessing the vulnerabilities and mis-configurations of database
  servers and their OS platforms. OSs and RDBMSs are tested for known
  exploits and mis-configurations.
2 Solution should have a comprehensive list of pre-defined assessment
  policies and tests to address PCI-DSS, SOX, and HIPAA requirements.
  Vulnerabilities specific to SAP, Oracle EBS and PeopleSoft databases
  can also be detected. In addition, the following tests should be
  included:
  - Latest patches and releases installed
  - Changes to database files
  - Default accounts and passwords
  - Newly created/updated logins
  - Remote OS authentication enabled
  - Escalated user privileges granted
3 Should be able to add custom assessments to the solution?
4 Solution should support user created scripts for assessment tests.
5 The product should identify missing patches
6 The solution should verify that default database accounts do not have a
  default password
7 The product should be used to measure compliance with industry
  standards and regulations

Vulnerability Assessment Result Analysis and Reporting
1 The product should present a view of risk to data by vulnerability and
  the sensitivity of the data
2 The solution should have pre-defined reports.
3 The product should support custom report generation.
4 The product should compare the results of a discovery, classification
  or assessment job with a previous run
5 Should have an option to distribute reports on demand and automatically
  (on schedule)

Remediation (optional: for future requirement)
1 The product can be upgraded for mitigation of risk to sensitive data
  stored in databases?
2 Should have an option to upgrade the product to actively prevent
  attempts to exploit known vulnerabilities
3 The solution can be upgraded to offer virtual patching capabilities
  (protecting the database from known vulnerabilities without deploying a
  patch or script on the system)

Database Activity Monitoring
1 Solution should have an appliance/virtual appliance solution to monitor
  network based database activity and should have agents to monitor local
  DB activity
2 Should the product employ a centralized appliance?
3 Solution should provide for centralized control of collected information
4 Should have a DBMS product to be used as part of the appliance package
  to store configuration and alert logs, not for storing audit data
5 The solution should support high-availability
6 Product should be able to be installed in sniffing mode or inline mode.
7 Solution should have built in bypass (fail open) for inline mode
7 Solution should support the databases below:
  Oracle, MS SQL, DB2, Informix, Sybase, MySQL, Teradata, Netezza
8 The solution should not use the native database audit functionality.
9 The solution should not employ transaction log auditing?
10 Should be able to integrate with leading SIEM tools
11 The product should have means to archive and restore data
12 The agent should not require a reboot after installation/configuration
13 The solution should not require any changes to the monitored database
   and/or application
14 The solution should not require a database restart after
   installation/configuration?
15 The audited data transferred between the agent and the appliance
   should be through an encrypted channel
16 The solution should capture before and after images of data that is
   being manipulated
17 Product should identify differences in baseline user activity.
18 The solution should capture SELECT activity by user/role
19 The solution should capture update, insert, delete (DML) activity by
   user/role
20 The solution should capture schema/object changes (DDL) activity by
   user/role
21 The solution should capture manipulation of accounts, roles and
   privileges (DCL) by user/role
22 DAM should monitor privileged operations, including both SQL and
   protocol level operations.
23 DAM should monitor MS SQL statements where caching is used
24 The DAM solution should be able to monitor activities at a new DB
   interface/connector created by any user/system without any manual
   intervention
25 The solution should have an automated mechanism for updating security
   configurations/policies
Alerting and Blocking Capabilities
1 The solution should provide an automated, real-time event alert
  mechanism
2 The solution should have an option to upgrade to database attack in
  real-time
3 The solution should monitor privileged users
4 The solution should have an option to upgrade to block privileged users'
  activity if required
5 The solution should monitor for all DB attacks like SQL injection and
  alert even if the traffic is not audited.
6 The solution should have an option to upgrade to block DB attacks like
  SQL injection in real time.
7 The solution should 100% monitor the DB traffic for all DB violations
  and attacks even if the traffic is not being audited

Reporting
1 Solution should have packaged reporting capabilities
2 Product should support use of pre-configured policies/reports (PCI,
  SOX, HIPAA) for ensuring regulatory compliance
3 Product should have functionality to assist with security event
  forensics

Web Application Firewall
(Specification / Description / Feature Support)

Web Security (Required):
  Dynamic Profile (White List security)
  Web server & application signatures
  Reputation based security and IP geolocation
  HTTP RFC compliance
  Normalization of encoded data
  Automated-client detection
Application Attacks Prevented (Required):
  Refer to Appendix I
HTTPS/SSL Inspection (Required):
  Passive decryption or termination
  Optional HSM for SSL key storage
Web Services Security (Required):
  XML/SOAP profile enforcement
  Web services signatures
  XML protocol conformance
Web Fraud Prevention (Required):
  Fraud and malware detection
Content Modification (Required):
  URL rewriting (obfuscation)
  Cookie signing
  Cookie encryption
  Custom error messages
  Error code handling
Platform Security (Required):
  Operating system intrusion signatures
  Known and zero-day worm security
Network Security (Required):
  Stateful firewall
  DoS prevention
Advanced Protection (Required):
  Correlation rules incorporating all security elements (white list,
  black list) to detect complex, multi-stage attacks
Data Leak Prevention (Required):
  Credit card numbers
  PII (personally identifiable information)
  Pattern matching
Policy/Signature Updates (Required):
  Frequent security updates
Authentication (Required):
  Support for RSA Access Manager for two-factor authentication
  Support for LDAP (Active Directory)
  Support for SSL client certificates
User Awareness (Required):
  Automated Tracking of Web Application Users
Deployment Mode (Required):
  Transparent Bridge (Layer 2)
  Reverse Proxy and Transparent Proxy (Layer 7)
  Non-inline sniffer
Management (Required):
  Support for a Web User Interface (HTTP/HTTPS)
  Command Line Interface (SSH/Console)
Administration (Required):
  MX Server for centralized management
Logging/Monitoring (Required):
  SNMP
  Syslog
  Email
  Integrated graphical reporting
  Real-time dashboard
High Availability (Required):
  IMPVHA (Active/Active, Active/Passive)
  Fail open interfaces (bridge mode only)
  Support for VRRP
  Support for STP and RSTP
Solution Delivery Option (Required):
  Physical appliance
Web Application Vulnerability Scanner Integration (Required):
  WhiteHat, IBM, Cenzic, NT OBJECTives, HP, Qualys, and Beyond Security
Enterprise Application Support (Required):
  SIEM/SIM tools: ArcSight, RSA enVision, Prism Microsystems, Q1 Labs,
  TriGeo, NetIQ
  Log Management: CA ELM, SenSage, Infoscience Corporation
TCP/IP Support (Required):
  IPv4, IPv6
Training (Required):
  Standard product training at an authorized training center for 5 KCB
  staff. This should include training fees, travel and lodging expenses.
  Logistics and allowances to be computed at KCB rates.
Support (Required):
  One year standard support on hardware and software

Specification for Web Access Firewall
(ID / Specification / Remarks)

Policy Management
The WAF shall be able to automatically build policies
The WAF shall be able to manually accept false positives by
simple means (check box)
The WAF shall be able to define different policies for different
applications
The WAF shall be able to create custom attack signatures or
events
The WAF shall be able to customize Denial of Service policies
The WAF shall be able to combine detection and prevention
techniques
The WAF shall have a policy roll-back mechanism
The WAF shall be able to do versioning of policies
The WAF shall have a built-in real-time policy builder with
automatic self-learning and creation of security policies
The WAF shall have prebuilt policies for applications, e.g.
Microsoft SharePoint, OWA, SAP, Oracle E-Business, Siebel, for
fast deployment
Profile Learning Process
The WAF shall be able to recognise trusted hosts
The WAF shall be able to learn about the application without
human intervention
The WAF shall be able to inspect policy (auditing + reporting)
The WAF shall be able to protect new content pages and
objects without policy modifications
Configuration Management
The WAF shall have Role-based management with user
authentication
The WAF shall be able to replace/customize error and blocked
pages
The WAF shall have configurable security levels
Logs and Monitoring
The WAF shall have the ability to identify and notify system faults
and loss of performance (SNMP, syslog, e-mail, ...)
The WAF shall have the ability to customize logging
The WAF shall have the ability to generate service and system
statistics
The WAF shall be able to perform time synchronisation (NTP, ...)
Miscellaneous
The WAF shall have a robust and reliable GUI interface
The WAF shall be able to be managed via serial console, SSH
or HTTPS web GUI
The WAF shall be able to support caching and compression in
a single platform
The WAF shall be able to prevent OS fingerprinting
The WAF shall be able to perform data guard and cloaking
(hiding of error pages and application error pages)
The WAF shall be able to integrate with vulnerability testing
tools (e.g. WhiteHat Sentinel) for automated instant policy
tuning
The WAF shall be able to be implemented and installed on
application delivery controller (ADC) hardware platforms and
managed from the same GUI.
SSL capabilities
The WAF shall be capable of terminating HTTPS traffic for HTTP
websites
The WAF shall be FIPS 140-2 compliant
The WAF shall have SSL accelerators available for SSL
offloading
The WAF shall store the certificate private key on the WAF
using a secure mechanism
The WAF shall store the certificate private key on the WAF
using a secure mechanism, and a passphrase
The WAF shall be capable of communicating with a backend
application server using HTTPS
The WAF shall be capable of tuning the SSL parameters, such
as the SSL encryption method used and the SSL version
HTTP/HTML & XML
The WAF shall support HTTP 1.0 and 1.1 versions
The WAF shall support application/x-www-form-urlencoded
encoding
The WAF shall support v0 cookies
The WAF shall support v1 cookies
The WAF shall enforce cookie types used
The WAF shall support chunked encoding in requests
The WAF shall support chunked encoding in responses
The WAF shall support response compression
The WAF shall support application flow management and allow
manual definition of site flow and object policies
The WAF shall support all character sets during validation
The WAF shall restrict the methods used (e.g. GET, POST; all other
methods)
The WAF shall restrict protocols and protocol versions used
The WAF shall support multi-byte language encoding
The WAF shall validate URL-encoded characters
The WAF shall restrict request method length
The WAF shall restrict request line length
The WAF shall restrict request URI length
The WAF shall restrict query string length
The WAF shall restrict protocol (name and version) length
The WAF shall restrict the number of headers
The WAF shall restrict header name length
The WAF shall restrict header value length
The WAF shall restrict request body length
The WAF shall restrict cookie name length
The WAF shall restrict cookie value length
The WAF shall restrict the number of cookies
The WAF shall restrict parameter name length
The WAF shall restrict parameter value length
The WAF shall restrict the number of parameters
The WAF shall restrict combined parameter length (names and
values together)
The WAF shall support protection of XML Web Services
The WAF shall restrict XML Web Services access to methods
defined via Web Services Description Language (WSDL)
The WAF shall be able to perform information display
masking/scrubbing on requests and responses
The WAF shall be able to perform validation for Web Services
XML Documents
The WAF shall be able to monitor latency of Layer 7
(application layer) traffic to detect the spikes and anomalies
in the typical traffic pattern to detect, report on, and prevent
layer 7 DOS attacks.

The WAF shall be able to detect, report on, and prevent
Layer 7 (application layer) brute force attack attempts to
break into secured areas of a web application by trying
exhaustive, systematic permutations of code or
username/password combinations to discover legitimate
authentication credentials.
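The HTTP/HTML requirements above (restricted methods and protocol versions, and the length limits on the request line, URI, query string, headers, cookies, parameters and body) together describe a positive security model: anything outside the declared envelope is refused before it reaches the application. The Python example below is an added illustration of enforcing such a policy on a raw request, not code from this RFP or from any bidder's product; the limit values are assumed tuning choices and the three sample requests are constructed.

```python
from urllib.parse import parse_qsl, urlsplit

# Positive-security limits for one protected application. Every value is an
# assumed tuning choice for this demonstration, not a figure from the RFP.
LIMITS = {
    "methods": {"GET", "POST"},              # every other method is rejected
    "protocols": {"HTTP/1.0", "HTTP/1.1"},
    "method_len": 7, "request_line_len": 2048, "uri_len": 1024,
    "query_len": 512, "protocol_len": 8,
    "header_count": 32, "header_name_len": 64, "header_value_len": 4096,
    "body_len": 8192,
    "cookie_count": 16, "cookie_name_len": 64, "cookie_value_len": 1024,
    "param_count": 32, "param_name_len": 64, "param_value_len": 1024,
    "params_total_len": 4096,                # names and values together
}


def parse_request(raw: bytes) -> dict:
    """Split a raw HTTP/1.x request into the elements the limits apply to."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    request_line = lines[0]
    parts = request_line.split(" ")
    if len(parts) != 3:
        raise ValueError("malformed request line")
    method, target, protocol = parts
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        headers.append((name.strip(), value.strip()))
    # Cookies: "a=1; b=2" -> [("a", "1"), ("b", "2")]
    cookies = []
    for name, value in headers:
        if name.lower() == "cookie":
            for pair in value.split(";"):
                cname, _, cvalue = pair.strip().partition("=")
                if cname:
                    cookies.append((cname, cvalue))
    # Parameters: the query string, plus a form-encoded body when one was sent.
    query = urlsplit(target).query
    params = parse_qsl(query, keep_blank_values=True)
    ctype = next((v for n, v in headers if n.lower() == "content-type"), "")
    if ctype.startswith("application/x-www-form-urlencoded"):
        params += parse_qsl(body.decode("latin-1"), keep_blank_values=True)
    return {"method": method, "target": target, "protocol": protocol,
            "request_line": request_line, "query": query, "headers": headers,
            "cookies": cookies, "params": params, "body": body}


def validate(req: dict, limits: dict = LIMITS) -> list:
    """Return every limit the request breaks; an empty list means it is allowed."""
    violations = []

    def check(name, observed, where=""):
        if observed > limits[name]:
            violations.append(f"{name}: {where}{observed} > {limits[name]}")

    if req["method"] not in limits["methods"]:
        violations.append(f"method_not_allowed: {req['method']}")
    if req["protocol"] not in limits["protocols"]:
        violations.append(f"protocol_not_allowed: {req['protocol']}")
    check("method_len", len(req["method"]))
    check("request_line_len", len(req["request_line"]))
    check("uri_len", len(req["target"]))
    check("query_len", len(req["query"]))
    check("protocol_len", len(req["protocol"]))
    check("header_count", len(req["headers"]))
    for name, value in req["headers"]:
        check("header_name_len", len(name), f"{name}: ")
        check("header_value_len", len(value), f"{name}: ")
    check("body_len", len(req["body"]))
    check("cookie_count", len(req["cookies"]))
    for name, value in req["cookies"]:
        check("cookie_name_len", len(name), f"{name}: ")
        check("cookie_value_len", len(value), f"{name}: ")
    check("param_count", len(req["params"]))
    total = 0
    for name, value in req["params"]:
        check("param_name_len", len(name), f"{name}: ")
        check("param_value_len", len(value), f"{name}: ")
        total += len(name) + len(value)
    check("params_total_len", total)
    return violations


# Constructed sample requests (hostnames and values are invented).
GOOD_REQUEST = (b"POST /ibank/login?lang=en HTTP/1.1\r\n"
                b"Host: ibank.example.test\r\n"
                b"Content-Type: application/x-www-form-urlencoded\r\n"
                b"Cookie: JSESSIONID=abc123; lang=en\r\n"
                b"Content-Length: 30\r\n\r\n"
                b"user=jdoe&pw=s3cret&otp=123456")
BAD_METHOD_REQUEST = b"TRACE / HTTP/1.1\r\nHost: ibank.example.test\r\n\r\n"
OVERSIZED_REQUEST = (b"GET /search?q=" + b"A" * 2000 +
                     b" HTTP/1.1\r\nHost: ibank.example.test\r\n\r\n")

if __name__ == "__main__":
    for raw in (GOOD_REQUEST, BAD_METHOD_REQUEST, OVERSIZED_REQUEST):
        print(raw.split(b"\r\n", 1)[0][:40], validate(parse_request(raw)))
```

Because every element is measured after parsing, an oversized value is reported once for each limit it crosses (URI, query string and parameter value for the search request above), which is the detail an operator needs when tuning the policy against false positives.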
Detection techniques
The WAF shall be able to support the following detection
techniques:
URL-decoding
Null byte string termination
Self-referencing paths (i.e. use of /./ and encoded
equivalents)
Path back-references (i.e. use of /../ and encoded
equivalents)
Mixed case
Excessive use of whitespace
Comment removal (e.g. convert DELETE/**/FROM to DELETE
FROM)
Conversion of (Windows-supported) backslash characters into
forward slash characters.
Conversion of IIS-specific Unicode encoding (%uXXYY)
Decode HTML entities (e.g. c, ", ª)
Escaped characters (e.g. \t, \001, \xAA, \uAABB)
Negative security model techniques
Positive security model support - an "allow what's known"
policy, blocking all unknown traffic and data types
Positive security model configuration
Application flow
Dynamic positive security model configuration maintenance
Built in process engine to detect evasion techniques like cross
site scripting
Is there an out of the box rule database available
Automated regular signature updates
Operates in a full proxy architecture with inline control over all
traffic through the WAF
Ability to hide back-end application server OS fingerprinting
data and application specific information
Ability to protect against malicious activity within, and hijacking of, embedded client side code (JavaScript, VBScript, etc.)
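The detection techniques listed above are, in practice, a normalization chain applied to each request before any rule is matched. The following Python is an added example, not code from the RFP or from any vendor product; it implements each listed transformation (URL-decoding, null byte termination, self-references and back-references, mixed case, whitespace, comment removal, backslash conversion, IIS %uXXYY, HTML entities, escaped characters) so that differently encoded forms of one request reduce to one canonical string. The pass cap and all sample inputs are constructed.

```python
import html
import re
from urllib.parse import unquote

MAX_DECODE_PASSES = 3  # constructed cap: catches double encoding, bounds decode loops


def url_decode_fully(value: str) -> str:
    """URL-decoding repeated until stable, so %252e (double-encoded '.') is seen as '.'."""
    for _ in range(MAX_DECODE_PASSES):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def decode_iis_unicode(value: str) -> str:
    """Conversion of IIS-specific %uXXYY encoding into the character it names."""
    return re.sub(r"%u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), value)


_ESCAPE_RE = re.compile(r"\\(x[0-9a-fA-F]{2}|u[0-9a-fA-F]{4}|[0-7]{1,3}|[tnr])")
_NAMED_ESCAPES = {"t": "\t", "n": "\n", "r": "\r"}


def decode_escapes(value: str) -> str:
    """Escaped characters: \\t, \\001 (octal), \\xAA (hex) and \\uAABB."""
    def replace(match):
        token = match.group(1)
        if token[0] in "xu":
            return chr(int(token[1:], 16))
        if token in _NAMED_ESCAPES:
            return _NAMED_ESCAPES[token]
        return chr(int(token, 8))
    return _ESCAPE_RE.sub(replace, value)


def terminate_at_null(value: str) -> str:
    """Null byte string termination: keep only what a C-style string routine would see."""
    return value.split("\x00", 1)[0]


def remove_comments(value: str) -> str:
    """Comment removal, e.g. DELETE/**/FROM becomes DELETE FROM."""
    return re.sub(r"/\*.*?\*/", " ", value, flags=re.S)


def normalize_text(value: str) -> str:
    """Decode every encoding layer first, then clean up structure, then fold case.
    Decoding before cleanup matters: a comment or a space can itself arrive encoded."""
    value = url_decode_fully(value)
    value = decode_iis_unicode(value)
    value = html.unescape(value)  # decode HTML entities, numeric and named
    value = decode_escapes(value)
    value = terminate_at_null(value)
    value = remove_comments(value)
    value = re.sub(r"\s+", " ", value).strip()  # excessive whitespace -> one space
    return value.lower()  # mixed case


def normalize_path(raw_path: str) -> str:
    """Canonical request path: normalize_text, backslash -> slash, drop /./, resolve /../.
    Caveat: escape decoding has already run, so a literal \\t in a Windows-style path is
    a tab by now; real WAFs apply these transforms per rule instead of as one fixed chain."""
    segments = []
    for segment in normalize_text(raw_path).replace("\\", "/").split("/"):
        if segment in ("", "."):
            continue  # empty or self-referencing path element
        if segment == "..":
            if segments:
                segments.pop()  # back-reference; cannot climb above the root
            continue
        segments.append(segment)
    return "/" + "/".join(segments)
```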
Incident Response capabilities
The WAF shall be capable of logging security events with syslog
The WAF shall be capable of logging security events with SNMP
The WAF shall be capable of being monitored with SNMP for statistical information
The WAF shall support monitoring using SNMP version 3
Support tools
The WAF shall be capable of being restored to factory defaults
The WAF shall support an open API that will be able to fully administer the WAF.
Redundancy Capabilities
The WAF shall be able to support High Availability Failover via network or serial
The WAF shall be able to perform application level health check of the back end servers
Network and Performance
The WAF shall be able to support VLAN configuration through built in switch
The WAF shall be able to perform TCP/IP optimization
The WAF shall be able to perform packet filtering
Implemented concepts to cover vulnerabilities (OWASP based)
The WAF shall be able to protect against:
Unvalidated input
Injection flaws
SQL injection
OS injection
Parameter tampering
Cookie poisoning
Hidden field manipulation
Cross site scripting flaws
Buffer overflows
Broken access control
Broken authentication and session management
Improper Error Handling
XML bombs/DOS
Forceful Browsing
Sensitive information leakage
Session hijacking
Denial of service
Request Smuggling
Cookie manipulation
Certification
The WAF shall be an ICSA certified web application firewall
MX Management Server
Specification / Description / Remarks (the Remarks column is for the bidder's response)

Management
Intuitive Web User Interface (HTTP/HTTPS)
Command Line Interface (SSH/Console)

Provisioning
MX Management Server centrally provisions, manages, and monitors up to 15 SecureSphere gateways
Supports distributed, heterogeneous deployments of Web and database gateways

Out-of-Band Management
Out-of-band management supported via out-of-band management ports in SecureSphere gateways

Management Communications
SSL encrypted communications between MX Management server and SecureSphere gateways

Policy/Signature Updates
Security updates provided weekly or immediately for critical threats

Hierarchical Management
Policies may be defined hierarchically, via a flexible, object oriented policy framework.

Role-Based Administration
Completely customizable roles and privileges
Users can be assigned roles
User inherits all privileges of the group
User authentication supports LDAP and SSL certificate

Alerts
SNMP
Syslog
Email
Incident management ticketing integration
Custom followed action

Workflow
Integrated graphical reporting
Real-time dashboard
Task-oriented workflow engine

Internal Data Storage
Audit trail stored in tamper-proof repository
Optional encryption or digital signing of audit data
Role-based access controls to view audit data (read-only)
Real-time visibility of audit data

External Data Storage and Archiving
SAN (Fibre Channel interfaces) for online access
NAS for online access
NFS*
FTP*
HTTP/S*
SCP*
* Data is compressed and archived

Supported Products
Database Activity Monitoring
Database Firewall
Discovery and Assessment Server
File Activity Monitoring
File Firewall
SecureSphere for SharePoint
Web Application Firewall

Support
One year standard support on hardware and software


Non-Functional Requirements and Specifications
ID / Non Functional Requirements / Remarks (the Remarks column is for the bidder's response)

USER INTERFACE
Provision of portals/screens for non-technical stakeholder usage, suitable for auditors and security professionals without detailed knowledge of database internals.

DOCUMENTATION
- Schematic
Provision of the Application Architecture Schematic for Production and DR Sites and High Availability (HA)
- System Manual - provides an overview of the system including the system objectives, system functionality, equipment configuration, software inventory, etc.
Documentation of Application Objectives
Documentation of Application Functions i.e. Function ID/Name, Function Description, Mode (e.g. Online/Batch, Enquiry/Update)
Documentation of Equipment Configurations i.e. Computer Manufacturer, Model Number, Serial Number, IP Address, OS Version, Database Version
Documentation of Software Inventories i.e. Program ID/Name, Functions of the program; in the case of a client/server application the location of the program (e.g. Database Server, Application Server, Client etc.) should be specified
Documentation in detail of the system security profiles and data protection measures on system functions
Documentation in detail of the Disaster Recovery Plan and Procedures of the system
- Location of soft copy of the System
The latest version of all the programs should be kept in softcopy for future reference and maintenance on KCB premises and included in the documentation
- Data Manual - The Data Manual documents all data captured, processed or produced by the system
Documentation of the database schema of the application which shows the relationship among files/tables and other groups of data, e.g. Entity-Relationship Diagram
Screen/Report Description Documentation i.e. List of Screens, Screen Layout, List of Reports, Report Layout
- Application Manual - documents an overview of the system and provides detailed user instructions and procedures for all functionality provided by the system.
Documentation of user procedures, descriptions and instructions in detail covering areas like batching of input data, control of documents, actions on specific events, error amendments, etc.

SYSTEM INTERFACING AND INTEGRATION
Integration with existing reporting, workflow, and trouble-ticketing systems e.g. Synergy Pro Helpdesk, App Server
Compliance to Service Oriented Architecture
The solution shall support Java Database Connectivity (JDBC) and Microsoft connectivity technology (such as Open Database Connectivity (ODBC) or Object Linking and Embedding Database [OLEDB]).

SECURITY
Support Security Using Database Access Controls. The solution shall support database security using the following database access controls: GRANT and REVOKE privilege facilities, the VIEW definition capabilities, and some Discretionary Access Control (DAC) mechanisms.

CONFORMANCE TO INDUSTRY BEST STANDARDS
The Web Application Firewall Solution shall be endorsed by the Web Application Security Consortium (WASC) and OWASP

Deliverables
At the end of the implementation exercise, the solution provider should provide a comprehensive report detailing the completed implementation work. The report will consist of, among others, the following:
1. Fully installed, well integrated, customized and functioning Database Firewall solutions for the needs of KCB.
2. Fully installed, well integrated, customized and functioning Web Application Firewall solutions for the needs of KCB.
3. Fully installed, well integrated, customized and functioning MX Management Server
4. Two fully installed HP TouchSmart IQ816 Computers to facilitate a monitoring center for this Database and Web Application Firewall solution
5. Presentation of the working solution to the IT management and staff of KCB after completion of the implementation for review and feedback.
6. An executive summary report for Management of the implemented solutions


APPENDIX 2 REFERENCE SITES


References of similar implementations/deployment of such product for
organizations similar to KCB in size and complexity done over the past one year.
1. Prior Services Performed for:
Company Name:
Address:
Contact Name:
Telephone Number:
Date of Contract:
Length of Contract:
Description of Prior Services (include dates):
2. Prior Services Performed for:
Company Name:
Address:
Contact Name:
Telephone Number:
Date of Contract:
Length of Contract:
Description of Prior Services (include dates):
3. Prior Services Performed for:
Company Name:
Address:
Contact Name:
Telephone Number:
Date of Contract:
Length of Contract:
Description of Prior Services (include dates):
(repeat as relevant)


APPENDIX 3 - WEB APPLICATION SECURITY & COMMON ATTACKS

The solution must be able to detect and block the following Web application threats:
1. Anonymous Proxy Vulnerabilities
2. Brute Force Login
3. Buffer Overflow
4. Cookie Injection
5. Cookie Poisoning
6. Corporate Espionage
7. Credit Card Exposure
8. Cross Site Request Forgery (CSRF)
9. Cross Site Scripting (XSS)
10. Data Destruction
11. Directory Traversal
12. Drive-by-Downloads
13. Forceful Browsing
14. Form Field Tampering
15. Google Hacking
16. HTTP Distributed Denial of Service (DDoS)
17. HTTP Response Splitting
18. HTTP Verb Tampering
19. Illegal Encoding

1. Known Worms
2. Malicious Encoding
3. Malicious Robots
4. OS Command Injection
5. Parameter Tampering
6. Patient Data Disclosure
7. Phishing Attacks
8. Remote File Inclusion Attacks
9. Sensitive Data Leakage (Social Security Numbers, Cardholder Data, PII, HPI)
10. Session Hijacking
11. Site Reconnaissance
12. Site Scraping
13. SQL Injection
14. Web server software and operating system attacks
15. Web Services (XML) attacks
16. Zero Day Web Worms


APPENDIX 4 : LIST OF DATABASES

Columns: No. / Database Machine Server Type / Application / Database Type / CPU cores / Processor Type / Total processor Cores
1. HP Superdome; T24; Oracle; 32; Itanium; 32
2. HP Blade 685c; NetTeller; Oracle; 32; Intel Xeon; 32
3. HP Blade 685c; CQ; MsSQL; 2 processors (8 CPUs); AMD Opteron; 16
4. HP Blade 685c; Mobi; Oracle; 32; Intel Xeon; 32
5. HP Blade 685c; Mobiloan; PostgreSQL; 32; Intel Xeon; 32
6. HP Blade 685c; Sybrin; MsSQL; 2 processors (8 CPUs); AMD Opteron; 16
7. HP Blade 685c; Kondor+; Sybase; 32; Intel Xeon; 32
8. HP Blade 685c; Channel Manager/NOBS; MySQL; 32; Intel Xeon; 32
9. HP Blade 685c; QuickPay; MsSQL; 32; Intel Xeon; 32
10. HP Blade 685c; TransWare (TWO, TWCMS, TWI, TWFA, TWCF); Oracle; 32; Intel Xeon; 32 each


APPENDIX 5 SUPPLIER QUESTIONNAIRE


Bidders willing to be considered for the tender for SUPPLY AND IMPLEMENTATION OF A DATABASE AND WEB APPLICATION SECURITY/FIREWALL SOLUTION are expected to furnish the Company with, among others, the following vital information, which will be treated in strict confidence by the Company.
1.0 CORPORATE INFORMATION
No. / PARTICULARS / RESPONSE [If space is insufficient, please use a separate sheet]
1.1 Full name of organization:
1.2 Is your organization (Please tick one)
i) a public limited incorporated company? If yes, please attach a copy of Certificate of incorporation including any Certificate of Change of Name, Memorandum & Articles of Association
ii) a public listed company? If yes, please attach a copy of Certificate of incorporation including any Certificate of Change of Name, Memorandum & Articles of Association
iii) a limited incorporated company? If yes, please attach a copy of Certificate of incorporation including any Certificate of Change of Name, Memorandum & Articles of Association
iv) a partnership? If yes, please attach a certified copy of the Partnership Deed and business name certificate
v) a sole trader? If yes, please attach a certified copy of the business name certificate
vi) other (please specify)


1.3 Company Registration number (if this applies). Attach a copy of Certificate of incorporation including any Certificate of Change of Name or relevant certificate from country of incorporation.
1.4 Date and country of Registration:
1.5 Full physical address of principal place of business:
Full postal address of the business:
1.6 Registered address if different from the above:
Post Code:
1.7 Telephone number:
1.8 Fax number:
1.9 E-mail address:
1.10 Website address (if any):
1.11 Company/Partnership/Sole Trader Tax PIN: (Please provide a certified copy of the PIN Certificate)
1.12 VAT Registration number: (Please provide a certified copy of the VAT Certificate)
1.13 Period in which you have been in the specific business for which you wish to bid.
1.14 Current Dealership letter/certification for Equipment preferably issued in 2012.
1.15 Names of the Shareholders, Directors and Partners. If a Kenyan company please provide an original search report issued by the Registrar of Companies showing the directors and shareholders (Companies Form CR 12).


1.16 Associated companies (if any)
1.17 Please provide a copy of the latest annual returns together with the filing receipt as filed at the Companies Registry
1.17 Name of (ultimate) parent/holding company (if this applies):
1.18 Company number of parent/holding company (if this applies):
1.19 If a consortium is expressing interest, please give the full name of the other organisation (the proposed consortium partners should also complete this questionnaire in its entirety)
1.20 Name and contacts of the Legal Representative of the company; Name, Title; Telephone, Fax and Email address.
1.21 Contact person within the organisation to whom enquiries about this bid should be directed:
NAME:
TITLE:
TEL:
FAX:
EMAIL:

2.0 FINANCIAL INFORMATION
No. / PARTICULARS
2.1 What was your turnover in the last two years?
for year ended --/--/----
for year ended --/--/----
2.2 Has your organisation met all its obligations to pay its creditors and staff during the past year?
Yes / No
If no, please give details:


2.3 Have you had any contracts terminated for poor performance in the last three years, or any contracts where damages have been claimed by the contracting authority?
Yes / No
If yes, please give details:
2.4 What is the name and branch of your bankers (who could provide a reference)?
Name:
Branch:
Telephone Number:
Postal Address:
Contact Person Name:
Contact Position:
Contact E-mail:
2.5 Provide a copy of the following
A copy of your most recent audited accounts (for the last three years)
A statement of your turnover, profit & loss account and cash flow for the most recent year of trading (for the last three years)
A statement of your cash flow forecast for the current year and a bank letter outlining the current cash and credit position.

3.0 BUSINESS ACTIVITIES
No. / PARTICULARS
3.1 What are the main business activities of your organisation? i.e. Manufacturer, Assembler, Distributor, service centre, retailer (please specify).


3.2 How many staff does your organisation have? ............
Indicate the number under each category
i. Technical (Permanent, Temporary)
ii. Semiskilled (Permanent, Temporary)
3.3 Please generally describe the experience and expertise your organization possesses that will enable you to effectively and efficiently undertake the work you are bidding for, as required by KCB.
3.4 Attach your company organogram (organisation chart) with emphasis on the job you are bidding for.
Attach CVs of key staff
Please submit a declaration that all staff within your organization that are or will be involved in the project are or will be permitted to work within your organization under the laws of Kenya or the laws of the country in which it is established.

4.0 TRADE REFERENCES
4.1 Please provide in the table below details of the projects you have undertaken relevant to the job you are bidding for performed over the last three (3) years, or that are relevant to this bid document.
Columns: No / Customer Organization (name) / Customer contact name and phone number / Contract reference and brief description / Date contract awarded / Value of businesses transacted (Kshs/USD/Euro)
1
2
3
4
5

6
7
8

5.0 CERTIFICATIONS, ACCREDITATIONS AND APPROVALS
Detail any relevant certifications and accreditations by principals or accreditation bodies and attach copies of such certification. Such certifications may be for your company or for your individual staff as relevant to the work they do and the key skills for the service or goods you propose to supply.

6.0 AGENCIES AND PARTNERSHIPS
a) Detail any agencies and partnerships that you have that are relevant to the categories of goods and/or services you are interested in supplying.
b) List your primary sources of supply for goods that you propose to supply.

7.0 MANAGEMENT POLICIES
a) Employee Integrity
How does the firm ensure the integrity of staff? Detail any related policies.
b) Code of Conduct/Ethics
Does your company have a code of conduct? If so, please attach a copy.
Indicate if your company subscribes to a professional body with a code of conduct/ethics.
c) Company employment policy
Does the firm have a documented employment policy? What are key highlights from this policy if in existence?
d) Environmental Policy/Green Agenda Policy
Is your firm ISO 14001 certified or do you have an environmental policy as an organization?
Is your waste segregated as per different waste streams?
How are wastes from your firm disposed of?
e) Customer Service
Does the firm have a documented policy on Customer Service?
Which position in your firm is responsible for customer service and how is this position supported by other functions?
Does your firm use any performance management techniques, including customer satisfaction measurement? If so, what are the key parameters?

8.0 BUSINESS PROBITY AND LITIGATION MANAGEMENT
Please confirm whether any of the following criteria applies to your organisation:
Note that failure to disclose information relevant to this section may result in your exclusion as a potential KCB supplier.
No. / PARTICULARS / RESPONSE
8.1 Is the organisation bankrupt or being wound up, having its affairs administered by the court, or have you entered into an arrangement with creditors, suspended business activities or any analogous situation arising from similar proceedings in Kenya or the country in which it is established?
8.2 Please provide a statement of any material pending or threatened litigation or other legal proceedings where the claim is of a value in excess of USD 20,000.
8.3 Has any partner, director, shareholder or employee whom you would propose to use to deliver this service been convicted of an offence concerning his professional conduct?
8.4 Has any partner, director or shareholder been the subject of corruption or fraud investigations by the police, Kenya Anti-Corruption Authority or similar authority in the country in which your organisation is established?
8.6 Has the organisation not fulfilled obligations relating to the payment of any statutory deductions or contributions including income tax as required under Kenyan law or the laws of the country in which it is established?
8.7 Please state if any Director, shareholder/Partner and/or Company Secretary of the Organisation is currently employed or has been employed in the past 3 years by KCB.
8.8 Please state if any Director/Partner and/or Company Secretary of the Organisation has a close relative who is employed by KCB and who is in a position to influence the award of any supply award. A close relative refers to spouse, parents, siblings and children

9.0 INSURANCE
Please provide details of your current insurance cover (Value)
9.1 Employers Liability:
9.2 Public Liability:
9.3 Professional Indemnity (if applicable)
9.4 Other (specify)

10.0 EVALUATION
(a) Requirements For Evaluation
The following documents should be attached.
i. Certificate of Incorporation/Business Name Certificate
ii. Trading Certificate
iii. Business Permits
iv. Certificate from relevant regulatory authority (where applicable)
v. Manufacturers Authorization or equivalent (where applicable).
vi. TAX PIN Certificate or equivalent
vii. Tax Compliance certificate or equivalent
viii. Current dealership letter/certification of equipment
ix. List of Directors, telephone and their postal address
x. Form CR 12 as issued by the Registrar of Companies (original) or certified as true copy
xi. Audited Accounts (Three years)
xii. Bank Account Information
xiii. CVs of Senior Staff
xiv. Organogram/Organization Chart

APPENDIX 6 PERFORMANCE SECURITY FORM (FORMAT)

Know all men by these presents that we:
1. .....................................................................................
(Full name & address in block letters) PRINCIPAL
2. .....................................................................................
(Full name & address in block letters) SURETY
are held firmly bound, jointly and severally, unto Kenya Commercial Bank Limited in the principal sum of US Dollars
....................................................................................................
for which payment well and truly to be made we bind ourselves firmly by these presents.
The condition of the above obligations being that should the said <name of Bidder> fulfill his/their obligation/s under an agreement entered into between the Kenya Commercial Bank Limited, and themselves in respect of <<the requirement>> for Kenya Commercial Bank Ltd. during the period ending
..................................................
and not incur cancellation of the agreement for any cause whatsoever then the above obligation to be null and void; otherwise to remain in full force and effect. The validity of this guarantee expires on
............................................................................
which is two months beyond the contract period (i.e. after submission and acceptance by the Bank of final report).
PRINCIPAL (Signature) .......................................................................................
Principal's Stamp
SURETY (Signature) ..
SURETY's Stamp
Nairobi this ................. of .............. two thousand and ............................
(The following words should be inserted in the signatory's own handwriting)
Good for the sum* of US Dollars ........................................................
(*sum to be specified in words & figures)


APPENDIX 7 CERTIFICATE OF COMPLIANCE


All Suppliers should sign the certificate of compliance below and return it
together with the bound tender document.

We___________________________ have read this tender document and agree with


the terms and conditions stipulated therein.

Signature of tenderer -------------------------------------------

Date.

Company Stamp/Seal.
