SUBJECT: REQUEST FOR PROPOSALS FOR HARBOR DEPARTMENT CLOUD COMPUTING SERVICES

Transcription

1 DATE: May 30, 2017 SUBJECT: REQUEST FOR PROPOSALS FOR HARBOR DEPARTMENT CLOUD COMPUTING SERVICES Pursuant to the Harbor Department Cloud Computing Services Request for Proposals (RFP), all proposers were to submit any questions regarding this RFP no later than Thursday, May 25, 2017 by 3PM. Questions were to be answered in writing and all questions and responses were to be posted on the Department s website. Below is a list of questions received from proposers and the Department s response: 1. Q: What is the budget allocated for this RFP/Work? A: Not applicable. 2. Q: Is the Harbor Department willing to be flexible on terms and conditions? A: Please specify ALL proposed revised terms and conditions on the response. 3. Q: Does the Harbor Department use any non-city hosting centers today? With whom? A: Yes. Various including Microsoft and Oracle. 4. Q: How will the 20 mile distance requirement be measured? As the crowflies? A: Crow flies or Beeline. 5. Q: Does the Harbor Department have a published security standard which the selected vendor must adhere? If so, may we have a copy or link to it? A: Yes, see attached. 6. Q: Can the Harbor Department purchase off of national contracts like NASPO Value Point, GSA Schedule 70, or MiCTA in lieu of this RFP? A: No, not at this time. 7. Q: If a bidder has an existing contract with the City of Los Angeles, with a number of the City standard forms already loaded into Track4LA, will the HD accept those as having been submitted for purposes of this response? A: No. Please read RFP for administrative requirements.

2 8. Q: Will the Harbor Department consider a two week extension of the due date? A: No 9. Q: The RFP talks a little about Disaster Recovery in Section VI. Would there be interest in seeing an offering around a fully managed DRaaS service that could scale across laas, PaaS and SaaS? A: No, not at this time. 10. Q: What applications will the Harbor Department be running in cloud? A: Various, including but not limited to custom application such as ERP and GIS. 11. Q: Would the Harbor Department, through this resulting contract, want to be able to access Application Developers from the vendor who is knowledgeable in Cloud and Hybrid IT across multiple platforms? A: No, not at this time.

3 CLOUD REQUIREMENT SUPPLIER SECURITY POLICY APPENDIX 1 - SECURITY CLAUSES FOR SUPPLIER AND PARTNERS Document ID Number: Version 1.3 Version Date: 4/18/2016 Created by: Tony Zhong, The Port of Los Angeles Manager of Information Security Approval Date: 4/14/2016 Approved by: Lance Kaneshiro, The Port of Los Angeles Chief Information Officer Confidentiality Level:

4 Change History Date Version Author Description of Change 3/14/ Tony Zhong, Port of Los Angeles Manager of Information Security Draft version 4/14/ Tony Zhong Initial version 4/15/ Tony Zhong 4/18/ Tony Zhong Changed typo error on approval date and updated footer version to proper version Renamed title to Supplier Security Cloud Requirement Document Review History Date of Review Date of Next Review Reviewer Name Review Results 4/13/2016 Lance Kaneshiro, CIO Request Discussion on 4/14 4/14/2016 5/1/2017 Lance Kaneshiro Approved 4/21/2016 5/1/2017 Lance Kaneshiro Approved changes to 4/18 4/20/2017 5/1/2018 Lance Kaneshiro Reviewed, no changes are required Cloud Requirement Supplier Security Policy Page 2 of 6

5 1 Purpose, Scope and Users The purpose of this document is to prescribe requirements to ensure supplier include secured infrastructure for security, network, equipment and /or software that comply with ISO Information Security Management Systems (ISMS). This document is applied to the entire Information Security Management System (ISMS) scope, i.e. to all workplaces and systems located within the ISMS scope. Users of this document are all employees of the Port of Los Angeles 2 Policy and Security Control Requirements for Supplier The term cloud computing is a type of internet-based computing that provides shared processing resources and data to the customer, The Port of Los Angeles (POLA). As of this document s writing, there are three types of cloud solutions: Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS). Regardless of the solution chosen between the supplier and POLA, the supplier shall furnish proper documentation of security controls that comply with the ISO Information Security Management Systems (ISMS) standards in order to protect the confidentiality, integrity and availability of the customer s data and/or systems. All data and systems shall reside within the Continental United States. POLA shall be provided or have full access and visibility to system logs and monitoring of systems. POLA s Information Security team will review and approve the cloud infrastructure including but not limited to security, network, equipment, and/or software. Supplier shall provide the following documentation: Service Level Agreement (SLA) Security and Network Design for customer s computing environment Application or data flow diagram Information Security, Organization and Privacy Policies Asset Management Policy Human Resource Policy Access Control Policy Cryptography Policy Physical and Environmental Security Policy Operations Security Policy Communications Security Policy System Maintenance Policy Supplier Relations Policy Information Security Incident Management Policy Business Continuity and Disaster Recover Policy Compliance Policy Cloud Requirement Supplier Security Policy Page 3 of 6

6 Please refer to the next page (Appendix Supplier requirements) for a checklist of controls related to the required document listed above. If the supplier requires additional details regarding policies and security controls, please contact POLA s Information Security team. Any exception and/or request made shall be reviewed and be approved by POLA s Information Security team. Cloud Requirement Supplier Security Policy Page 4 of 6

7 3 Appendix Supplier requirements Checklist: Information Security and Privacy Policies Human Resource security Policy, If Applicable o Prior to employment o During employment o Termination and change of employment Asset Management Policy o Responsibility for assets o Information classification o Media handling Access Control Policy o Business requirements of access control o User access management o User responsibilities o System and application access control Cryptography Policy o Cryptographic controls Physical and Environmental Security Policy, If Applicable o Secure areas o Equipment Operations Security Policy o Operational procedures and responsibilities o Protection from malware or malicious code o Backup o Logging and monitoring o Control of operational software o Technical vulnerability assessment and management o Auditing Communications Security Policy o Network security management o Information transfer System Maintenance Policy o Support and maintenance processes Cloud Requirement Supplier Security Policy Page 5 of 6

8 Supplier Relations Policy o Information security in supplier relationships o Supplier service delivery management Information Security Incident Management Policy o Incident response guidelines and procedures Business Continuity and Disaster Recover Policy o Information security continuity o Redundancies Compliance Policy o Compliance with legal and contractual agreements o Information security reviews/audits Cloud Requirement Supplier Security Policy Page 6 of 6