Data Centre Colocation Service

Request for Proposal

Version 1.5
Date: 8 May 2009

Hong Kong Internet Registration Corporation Limited

Unit 2002-2005, 20/F ING Tower, 308 Des Voeux Road Central,
Sheung Wan, Hong Kong.
Tel.: +852 2319 1313 Fax: +852 2319 2626
Email: enquiry@hkirc.hk

Website: www.hkirc.hk

Table of Contents
1.
2.
3.
4.

Summary ................................................................................................................3
Definitions..............................................................................................................3
About HKIRC ........................................................................................................3
Information Security ..............................................................................................4

5.

Background of the Project .....................................................................................5

5.1.
Background ....................................................................................................5
5.2.
Scope of Service ............................................................................................5
5.2.1
Server Colocation Service......................................................................5
5.2.2
Implementation Services........................................................................8
5.2.3
Information Security ..............................................................................9
5.3.
Service Acceptance ........................................................................................9
5.4.
Contractual Consideration .............................................................................9

6.
7.
8.

Limitation of Liability and Indemnity ...................................................................9

Project Schedule................................................................................................... 11
Payment Schedule................................................................................................ 11

9. Elements of a Strong Proposal .............................................................................12

10.
Service agreement negotiation and signature ..................................................12
11.
HKIRC Contacts ..............................................................................................13
Appendix A HKDNR Information Security Policy and Guidelines: An Extract
Relevant to Outsourcing ..............................................................................................14
Appendix B HKIRC Proposal Requirements ...........................................................18
1.1 Proposal Deadline ..............................................................................................18
1.2 Proposal Content................................................................................................18
1.3 Cover Page .........................................................................................................19
1.4 Executive Summary ...........................................................................................20
1.5 Conflict of Interest Declaration .........................................................................20
1.6 Company Background .......................................................................................20
1.7 Facilities standard and management practice related to colocation service ......21
1.8 Proposed Costs of Service .................................................................................21
1.9 Implementation Time Table ...............................................................................21
1.10 Support Arrangement and Services..................................................................21
1.11 Commercial and Payment Terms .....................................................................21

1. Summary
HKIRC is going to commission an external Service Provider to provide Data Centre
Colocation Service for the Company. The service shall provide four 42U rack space,
power for all racks and environment, security protection as well as remote hand
support for server support. It shall also include all services required for the
implementation of the Project. The period of the contract will be 24 months.

2. Definitions
The following terms are defined as in this section unless otherwise specified.
The Contractor means the company delivering the Project.
HKIRC means Hong Kong Internet Registration Corporation Limited.
HKDNR means Hong Kong Domain Name Registration Company Limited, a
wholly-owned subsidiary of HKIRC, the company requesting the proposal for the
Project.
The Project means the Data Centre Colocation project with requirements stipulated
in Section 5 of this document, the Background of the Project.
remote hand means physical access to and operation of the equipment on the rack
by qualified technical personnel of the Contractor under the direction of HKIRCs
technical staff.
RFP means this Request for Proposal

3. About HKIRC
Hong Kong Internet Registration Corporation Limited (HKIRC) is a
non-profit-making and non-statutory corporation responsible for the administration of
Internet domain names under '.hk' country-code top level domain. HKIRC provides
registration services through its wholly-owned subsidiary, Hong Kong Domain Name
Registration Company Limited (HKDNR), for domain names ending with '.com.hk',
'.org.hk', '.gov.hk', '.edu.hk', '.net.hk', '.idv.hk', '..hk', '..hk', '..hk', '.
.hk', '..hk', '..hk' and '.hk'.

HKIRC endeavours to be:

Cost-conscious but not profit-orientated

Customer-orientated
Non-discriminatory
Efficient and effective
Proactive and forward-looking

More information about HKIRC can be found at http://www.hkirc.hk.

4. Information Security
The company submitting the proposal (the company) shall acknowledge and agree
that, if the company is selected as the Contractor, it shall be bounded by our
Non-Disclosure Agreement (NDA) and Information Security Policy (highlights of the
policies are illustrated in Appendix A). The company shall also comply with the
obligations under the Personal Data (Privacy) Ordinance and any other obligations in
relation to personal data.
The company shall be provided with a set of NDA and Information Security
Compliance Statement after HKIRC received the companys Express-of-Interest
before the stipulated time. The NDA and the Information Security Compliance
Statement shall be signed and returned to HKIRC attached with documents required
by the Compliance Statement before the scheduled deadline. HKIRC will only
consider proposals from companies which have signed both the NDA and the
Information Security Compliance Statement.
The proposal should be marked RESTRICTED at the centre-top of each page in
black color. It must be encrypted if transmitted electronically.
Each proposal will be reviewed under the terms of non-disclosure by the HKIRCs
staff and Board of Directors of HKIRC.

5. Background of the Project

5.1.

Background

Currently, all our production servers are co-located in a hosting service providers
data centre. Current equipment occupies four 42U Racks. The hosting service
provider is responsible for providing power conditioning (main and UPS),
environmental control/protection (fire, flood, temperature, humidity etc.), and security
and access control. In addition, the service provider also provides remote hand to
physically access the servers if needed.

5.2.

Scope of Service

The following defines the scope of service to be provided by the Contractor:-

5.2.1

Server Colocation Service

1. Server Racks Requirements

a. The Contractor shall provide four 42U racks, 600mm wide and at least
950mm in depth.
b. All racks should be located on the same row, next to each other. If for
any reason they need to be located in different rows, no less then two
racks should be located on the same row next to each other.
c. In case where racks are located in different rows, the Contractor shall
d.
e.
f.
g.

provide capacity for inter-rack networking

All racks shall have lockable perforated doors at the back and the front
Partition shelves should be available if required
Cabling to each rack should either be fed through using either under
floor (in a raised floor facility) or ceiling cable tray or trunking
Power & data cabling should be in separate tray or trunking

2. Power Supply Requirements

a. Duel power feed is required for each rack.
b.
c.
d.
e.

Each power feed should not come from the same phase
Each power feed should be fed from independent breaker
Each power feed should provide at least twenty 13A sockets
All power feed must be protected from brownout, spike & surge by
5

Uninterrupted Power Supply, with capacity to supply stable power up

to 30 minutes after power failure
f. The Data Centre power should be backed up by a Power Generator,
which should be in service within 30 minutes of any power failure.
g. Power Generator should have fuel supply for at least 7-day continuous
operation.
h. The Contractor shall supply three racks with at least 1.5KVA and one
rack with 3KVA
3. Environmental Control/Protection:a. The Data Centre facility shall be protected by gas based fire
suppression system with pre-active dry pipe water fire suppression
system.
b. Fire detection system shall be in place. E.g. smoke and/or heat detector
c. Water leakage detection system shall be in place to detect possible
water damage due to leakage or flooding
d. Temperature, humidity and static control shall be in place. Temperature
shall be kept between 15 and 20 degree Celsius. Humidity shall be
between 40% and 60% to avoid static electricity. Anti-static flooring
should be used to prevent excess static build up.
e. Air Conditioning system should provide 24x7 cooling and humidity
control with redundancy in case of break down.
4. Security and Access Control
a. 24-hour Security monitoring shall be in place. CCTV monitoring and
recording on common access area and entrances should be provided.
All access doors of entrances shall have a security lock with access
control system to record and control access.
b. All entries and accesses to the Data Centre shall be logged and can be
reviewed by HKIRC
c. All equipment delivery and removal from the Data Centre shall be
recorded
d. Data Centre shall provide Access Control only allowing authorized
person to access secured areas.
5. Network and Communication Facilities
a. The facility should provide easy access for any major telecom
company to provide data communication infrastructure for HKIRC
6

b. Shareable Internet access shall be provided by the facility. 100Mb/s

sharable bandwidth should be provided within the facility and 10Mb/s
bandwidth for local access (within Hong Kong, preferable with HKIX
connection) and 5Mb/s bandwidth for International. Optional
temporary expandable bandwidth for International access is desirable.
c. The Contractors network infrastructure shall have process, procedure
and capacity to mitigate Denial-of-Service (DoS) or Distributed
Denial-of-Service (DDoS) attacks originated outside of the facility.
Suitable technology/technique, e.g. Routing blackhole should be
pre-configured and employed to limit or stop such attack. In case of
such attack targeting HKIRC/HKDNR, the Contractor shall be able to
provide temporary burstable bandwidth to cater for such attack, should
it be required.
d. The Contractor shall be able to provide and manage multi-home, WAN
access e.g. router with BGP and AS Number with different telecom
supplier.
e. Network performance reports/tools shall be available for monitoring
the shared network.
f. Data Centre shall provide a direct fax/data line access to the racks.
6. Miscellaneous
a. The facility shall provide on site remote hand for physical access to
the HKIRC equipment, eg. Power cycle equipment, remove/insert CD
or other media, report on status of equipment (warning lights & status
light), report on physical state of equipment etc.
b. The Contractor shall have proven process and procedure for tracking
issues and requests from HKIRC.
c. Location of the Data Centre facility should be easily accessible by
public transports and should not be located near HKIRC office, ideally
in the Kowloon area.
d. The Contractor shall be subject to HKIRC Security Audit as and when
required by HKIRC or HKIRC external auditor.
7. Service Levels
The Contractor shall guarantee the following service levels in addition to
the above Technical Requirements:
a. Data Centre uptime of 99.98% per year. A service is deemed failed if
any of the following conditions is not met:
7

Power: Nominal Out Voltage 230V with less then 5%

distortion at full load. Frequency for 50 Hz nominal +/- 3Hz

Network: Internal network within datacenter, response time

<3ms to any IP within datacentre. Ping time to local
network (HKIX) <50ms.
Cooling and humidity control: Temperature should be kept

within 15 to 20 degree Celsius. Humidity shall be between

40% and 60%.
b. A penalty of at least one month service charge will be imposed if the
above uptime is not met.
c. 24x7 round the clock on-site NOC support and monitoring are
required.
d. For any security breaches like break-in to data centre, racks,
un-authorized access or vandalisation to HKDNR equipment etc, the
customer should be notified within 15 minutes according to the
escalation list provided by HKIRC.
e. Incident reports for all reported incidents shall be available within 48
hour from the report of incident
f. All schedule maintenance period shall be pre-notified by at least 10
days, and for major service interruption at least 4 week notice is
needed.
8. Relocation Services (Optional)
a. In case where HKIRC is going to relocate to a new Data Centre, the
new service provider shall provide an optional relocation service
including:
i. Physical relocation of existing HKIRCs infrastructure to the
new data centre
ii. Re-racking of all HKIRCs infrastructure to new racks
iii. Relocation of HKIRCs multi-home WAN networks
iv. Re-cabling of HKIRCs infrastructure
b. Detail information on relocation requirement will be given after the
signing of NDA.

5.2.2

Implementation Services

The professional services for this Project should cover the following:

Basic hardware and network setup
8

Documentation for the processes and procedures like NOC Support procedures,
Incident Report procedures, Incident Handling Process etc.

5.2.3


Information Security

The Contractor shall follow HKDNR Information Security Policy and Guidelines
set out by HKDNR on personal and co-operation data security.
Contractors Information Security Policy is subject to HKIRC review if needed.

5.3.

Service Acceptance

The overall project acceptance can be broken down into acceptances at various
levels:1.
2.
3.
4.
5.

Delivery, setup of racks

Services provided like optional relocation services
Functionality of the integrated system like networks, NOC operation
Performance of monitoring system & reporting system
Quality of service provided

Under this acceptance framework, the vendor should fulfill the scope of services
described in section 5.2.1. In addition, interested vendors may provide additional
acceptance criteria and the related plan in detail in their proposals.

5.4.

Contractual Consideration

Although the contract period is 24 month, HKIRC will start the new contract
re-tendering process at month 21. In case the re-tendering process did not complete at
the end of the current contract, HKIRC reserves the right to extend the current
contracts for another 3 months, with the same terms and conditions. Also, if for any
reason the contract is to be terminated before the completion of the contract period,
the initiating party should give a 3-month notice in advance of the early termination
date.

6. Limitation of Liability and Indemnity

The company submitting the proposal agrees that if the company becomes the
9

Contractor of the Project, it shall indemnify HKIRC and HKDNR against any claim,
demand, loss, damage, cost, expense or liability which the company may suffer from.

10

7. Project Schedule
Project schedule
Tasks

To be Completed

Remark

by

1 Publish RFP

8/5/2009

2 Express of interest

15/5/2009

Sign NDA and InfoSec

3 Compliance Statement with all

29/5/2009

interested vendors
4

Deadline for vendors to submit 29/5/2009,

proposal and quotation

5 Selection of vendor by panel

6
7

Conclude final decision and

appoint the vendor
Prepare service agreement
contract

5:30pm
19/6/2009
2/7/2009
4/7/2009

Sign service agreement

8 contract with the appointed

9/7/2009

vendor
9 Service implementation
10

Service commencement

8/8/2009
9/7/2009

If relocation needed

8/8/2009

If relocation needed

8. Payment Schedule
The following payment schedule is recommended but interested vendors may propose
their own in their proposals.
Milestone/Acceptance

Expected

Payment

duration
1

(a) Completion of Service Implementation

4 weeks

One time
setup
charge
11

(a) Start of Colocation Service

24 month

Monthly
charge

TOTAL 24 month & 100%

4 weeks

9. Elements of a Strong Proposal

All submitted proposal must following the format as stated in Appendix B - HKIRC
Proposal Requirements. Successful vendor is the one who submitted a clearly worded
proposal that shows the following attributes:

a persuasive section on the company background

international recognize certification for IT facility management & IT Security
Management

a strong and flexible product meeting HKIRC requirements with minimum

customization
high level of interaction between HKIRC and the vendor
excellent fit with the capabilities and facilities of HKIRC

strong company and project management team

Proposals are evaluated based on major criteria as follows (the percentages given are
the weighting)

Company Background (10%)

Quality of facilities (30%)

Facility management competency (20%)

Understanding of our requirements (10%)

Knowledge and advices on projects (10%)
Proposed cost of the project and its flexibility (20%)

10. Service agreement negotiation and signature

The service agreement will be drawn up between the selected vendor and HKDNR,
the wholly-owned subsidiary of HKIRC. HKIRC welcomes the vendors proposal on
a suitable service agreement for the project.
The service agreement must be signed by both parties within three weeks from the
project award date. If the agreement is not signed within the said period, HKIRC will
12

start the negotiation with the next qualified vendor on the selection list.

11. HKIRC Contacts

HKIRC Contacts information

Contacts
Hong Kong Internet Registration
Corporation Limited

IT Manager

Unit 2002-2005,

+852 23193811

20/F ING Tower,

ben.lee@hkirc.hk

Ben Lee

308 Des Voeux Road Central,

Sheung Wan,

Project Manager

Hong Kong

Benjamin Choy
+852 23193819

+852 23191313 telephone

ben.choy@hkirc.hk

+852 23192626 fax

http://www.hkirc.hk

CEO
Jonathan Shea

If you are not sure about the appropriate

person to call, the receptionist can help you.

+852 23193821

jonathan.shea@hkirc.hk

13

Appendix A HKDNR Information Security Policy and

Guidelines: An Extract Relevant to Outsourcing
This document provides an extract of the HKDNR Information Security Policy and
Guidelines with the purposes of (a) introducing various measures and controls to be
executed by HKDNR regarding outsourcing and (b) setting the expectation of any
potential contractors that their participation and conformance in these measures and
controls are essential contractual obligations.
The original Policy and Guidelines applies to HKDNRs employees, contractors and
third party users. However, a potential contractor may interpret the clauses up to their
roles and responsibilities only. Nonetheless, the keyword contractors hereby refers
to all relevant staff members of the contractor and those of any other subcontractors
under the contractors purview.
Herein, HKDNR would also set the expectation of any potential contractors that upon
their express-of-interest to the project, they shall be required in the subsequent stages
(a) to sign off a non-disclosure agreement (NDA) on all information to be provided
and (b) to sign off a Compliance Statement where compliance requirements are
specified in more details.

(A) Extract from the HKDNR Information Security Policy

In the following, the organization means Hong Kong Domain Name Registration
Company Limited, the company requesting the proposal for the Project.
8. Human resources security
8.1 Security objective: To ensure that employees, contractors and third party users
understand their responsibilities, and are suitable for the roles they are considered for,
and to reduce the risk of theft, fraud or misuse of facilities.
8.1.1 Security roles and responsibilities of employees, contractors and third party
users shall be defined and documented in accordance with the organizations
information security policy.
8.1.2 Background verification checks on all candidates for employment, contractors,
14

and third party users shall be carried out in accordance with relevant laws, regulations
and ethics, and proportional to the business requirements, the classification of the
information to be accessed, and the perceived risks.
8.1.3 As part of their contractual obligations, employees, contractors and third party
users shall agree and sign the terms and conditions of their employment contract,
which shall state their and the organizations responsibilities for information security.
8.2 During employment
Security objective: To ensure that all employees, contractors and third party users are
aware of information security threats and concerns, their responsibilities and liabilities,
and are equipped to support organizational security policy in the course of their
normal work, and to reduce the risk of human error.
8.2.1 Management shall require employees, contractors and third party users to apply
security measures in accordance with established policies and procedures of the
organization.
8.2.2 All employees of the organization and, where relevant, contractors and third
party users shall receive appropriate awareness training and regular updates on
organizational policies and procedures, as relevant to their job functions.
8.3 Termination or change of employment
Security objective: To ensure that employees, contractors and third party users exit an
organization or change employment in an orderly manner.
8.3.2 All employees, contractors and third party users shall return all of the
organizations assets in their possession upon termination of their employment,
contract or agreement.
8.3.3 The access rights of all employees, contractors and third party users to
information and information processing facilities shall either be removed upon
termination of their employment, contract or agreement, or adjusted upon change.
12. Information systems acquisition, development and maintenance
12.5.5 Outsourced software development shall be supervised and monitored by the
organization

15

13. Information security incident management

13.1 Reporting information security events and weaknesses
Security objective: To ensure information security events and weaknesses associated
with information systems are communicated in a manner allowing timely corrective
action.
13.1.2 All employees, contractors and third party users of information systems and
services shall be required to note and report any observed or suspected security
weaknesses in systems or services.

(B) Extract from the HKDNR Information Security Guidelines

6. ORGANIZING INFORMATION SECURITY
6.2 EXTERNAL PARTIES
6.2.1 Identification of Risks Related to External Parties
The risks to the organizations information and information processing facilities from
business processes involving external parties should be identified and appropriate
controls implemented before granting the access.
6.2.3 Addressing Security in Third Party Agreements
Agreements with third parties involving accessing, processing, communicating or
managing the organizations information or information processing facilities, or
adding products or services to information processing facilities should cover all
relevant security requirements.
7. ASSET MANAGMENT
7.1.3 Acceptable Use of Assets
Rules for the acceptable use of information and assets associated with information
processing facilities shall be identified, documented, and implemented.
8. HUMAN RESOURCE SECURITY
8.1.1 Roles and Responsibilities
Security roles and responsibilities of employees, contractors and third party users
shall be defined and documented in accordance with the organizations information
security policy.
8.1.2 Screening
Background verification checks on all candidates for employment, contractors, and
16

third party users shall be conducted in accordance with relevant laws, regulations and
ethics, and proportional to the business requirements, the classification of the
information to be accessed, and the perceived risks.
8.1.3 Terms and Conditions of Employment
As part of their contractual obligation, employees, contractors and third party users
shall agree and sign the terms and conditions of their employment contract, which
shall state their and the organizations responsibilities for information security.
8.2.1 Management Responsibilities
Management shall require employees, contractors and third party users to apply
security measures in accordance with established policies and procedures of the
organization.
12. Information systems acquisition, development and maintenance
12.5.5 Outsourced Software Development
Outsourced software development shall be supervised and monitored by the
organization.

17

Appendix B HKIRC Proposal Requirements

1.1 Proposal Deadline
All proposals must reach HKIRC as stated in Section 7, Project Schedule, item no. 4.

1.2 Proposal Content

The proposal should contain the following:
Cover Page
Executive Summary
Conflict of Interest Declaration

Company Background
o Financial Situation
o Track Records
o Organization and management team
o Project team with credentials

Company credentials
o Staff credentials
Facilities standard and management practice related to colocation service
Knowledge and Advices on Projects

Understanding of our requirements

o Colocation experience
o Certification in the future
Deliverable Services & Facilities

Proposed Cost of Services and Payment Schedule

Implementation Time Table
Support Arrangement and Services
Commercial and Payment Terms. e.g. Compensation for delay.

18

Proposal requirements
Submission deadline

Please refer to Section 7 - Project Schedule, item no. 4 for

the proposal submission deadline.

Delivery address

Hong Kong Internet Registration Corporation Limited

Unit 2002-2005,
20/F ING Tower,
308 Des Voeux Road Central,
Sheung Wan,
Hong Kong

Hard copies

2 copies of the full proposal are required.

Electronic copy

Electronic copy, if available, on disk or by email to

elisa.chung@hkirc.hk and bonnie.chun@hkirc.hk ; also cc
ben.lee@hkirc.hk and ben.choy@hkirc.hk. This is not a
substitute for the physical copies mentioned above.

Proposal format

Specified in this document

Page count

30 pages or fewer.

Font

Electronically published or typed. Times New Roman 12 point

Stapled.

Do not bind.

font.

1.3 Cover Page

Prepare a non-confidential cover page with the following information in the order
given.
Cover Page
Project Title
Data Centre Colocation Service project
Project Manager

Name:
Title:
Mailing
address:
Phone:

19

Fax:
Email:

Company

Contact person:
Title:
Company
name:
Mailing
address:
Phone:
Fax:
Email:
Website:

1.4 Executive Summary

The executive summary provides a brief synopsis of the commercial and technical
solution the vendor proposed for the project. This summary must be non-confidential.
It should fit on a single page.
The executive summary should be constructed to reflect the merits of the proposal and
its feasibility. It should also clearly specify the projects goals and resource
requirements. It should include:
Rationale for pursuing the project, the technology needed and the present state

of the relevant technology.

Brief description of the vendors financial situation.
Brief description of the vendors facilities and experience on colocation
services

1.5 Conflict of Interest Declaration

Declare any conflict of interest in relation to the Data Centre Colocation Service
project and the .hk ccTLD registry HKIRC.

1.6 Company Background

The vendor must describe its company background. Major activities, financial
situation, organizational structure, management team and achievements in software
development or service outsourcing of the company should be elaborated. Tracked
records are preferred.
20

1.7 Facilities standard and management practice related to

colocation service
The vendor should describe the companys strengths in colocation facilities
management and how they will be applied to the project. Track records are preferred.
List the key technical and management personnel in the proposal. Provide a summary
of the qualifications and role of each key member.

1.8 Proposed Costs of Service

Such costs include:
Fixed setup cost
Labour unit costs for additional requirements. They are typically quoted in
unit man day. Quoted in normal working hour, non-working hour and in

emergency.
Equipment that is permanently placed or purchased for HKIRC, if any.
Subsequent support or maintenance service.
Other direct costs including services, materials, supplies, postage, etc.

1.9 Implementation Time Table

The vendor should present in this section the implementation schedule of the project.
The schedule should be realistic and achievable by the vendor.

1.10 Support Arrangement and Services

The vendor must provide support to the database and storage system enhancement
project with respect to the preparation, implementation, monitoring and review of the
new framework. The vendor must describe the support arrangement and services. E.g.
availability, local/remote, time to on/off site support, etc.

1.11 Commercial and Payment Terms

The vendor should describe the commercial and payment terms of the services e.g.
compensation for the delay of the project.

21