AGO Attorney General's Office

Transcription

1 AGO Attorney General's Office IT Managed Services Invitation to Quote Attorney General s Office Primary Contact: Roger Hill Head of ICT Attorney General's Office businesssupport.team@attorneygeneral.gsi.gov.uk Author: Roger Hill, Will Haven Date: 26 August 2011 Issue: 1.0 Invitation to Quote - AGO IT Services Page 1 of August 2011

2 Product Invitation to Quote Issue Date 26 Aug 2011 Author Roger Hill, Will Haven Version History Version Date Author Comment July 2011 R Hill Aug 2011 W Haven Aug 2011 R Hill, W Haven Invitation to Quote - AGO IT Services Page 2 of August 2011

3 CONTENTS CONTENTS INTRODUCTION Attorney General's Office Office for Budget Responsibility PURPOSE OF THIS DOCUMENT TERMS Contract Core Right to Publish ITQ PROCESS Timescales ITQ Further Information ITQ Response Requirements Format of Requirements ADDITIONAL GUIDELINES Innovation Third Parties Acceptance Confidentiality SCOPE OF THE PROCUREMENT Core Services Core Packaged Applications Bespoke Applications Locations Current Authority IT Assets INFRASTRUCTURE SERVICES Infrastructure Assets Desktops, laptops, printers Technology Refreshment Asset Register and Asset Disposal Software Licences and Contracts Desktop Services Access to Services Local Area Network Remote Access Service Desk and User Support Problem Severity...15 Invitation to Quote - AGO IT Services Page 3 of August 2011

4 7.12 Equipment Loan Installs, Moves and Changes Administration of user accounts Service Downtime Infrastructure Administration Capacity management Performance management Back-Up Disaster Recovery Configuration Management Minor Infrastructure Enhancements Service Levels Service Availability IT Strategy SUPPORT REQUIREMENTS Service Hours System Operation and Maintenance Resilience and Recovery Other Services Third Party Suppliers EXTERNAL CONNECTIVITY IT SECURITY IT Compliance Requirements Security and Maintenance Patches and Virus Protection IMPLEMENTATION OF NEW SYSTEMS TRANSITION AND SERVICE HANDOVER CONTRACT MANAGEMENT Governance Service Reporting Quality Management User Satisfaction Monitoring Managing Change Terms and Conditions of Contract PRICE...24 ANNEX A EXISTING SERVICE LEVELS...25 ANNEX B ASSET LIST...27 ANNEX C GLOSSARY...29 Invitation to Quote - AGO IT Services Page 4 of August 2011

5 ANNEX D - EVALUATION SCORING...31 TOTAL...31 Invitation to Quote - AGO IT Services Page 5 of August 2011

6 1. Introduction The Attorney General s Office ( AGO ) is a government department with two ministers which superintends the Crown Prosecution Service, Treasury Solicitor s Department, the Serious Fraud Office, and HM CPS Inspectorate. The AGO shares its outsourced IT service with another government agency, the Office for Budget Responsibility ( OBR ). The AGO and OBR are collectively referred to as the Authority in this document. The purpose of issuing this Invitation to Quote ( ITQ ) is to procure IT services for a period of three years from 16 January 2012 to 31 March 2015 with the option of two further one year extensions, under OGC Framework RM717 for Managed Services. 1.1 Attorney General's Office The AGO provides high quality legal and strategic policy advice and support to the Attorney General and the Solicitor General (the Law Officers). The Attorney General: Is Chief Legal Adviser to the Crown; Is a Minister of the Crown with responsibility for superintending the prosecuting departments, and Has a number of independent public interest functions. 1.2 Office for Budget Responsibility The OBR was created in 2010 to provide independent and authoritative analysis of the UK s public finances. It is one of a growing number of official independent fiscal watchdogs around the world. The OBR has four main roles: Produce forecasts for the economy and public finances Judge progress towards the Government s fiscal targets Assess the long-term sustainability of the public finances Scrutinise the Treasury s costing of Budget measures 2. Purpose of this document This document has been produced by the Authority as part of the Requirements Documentation issued under an ITQ for an IT outsourced service under the OGC Managed Services framework (RM717). This document defines the services required by the Authority. The ITQ forms the second stage in the procurement process and follows the receipt of Capability Assessments from interested suppliers in June The document specifies the requirement for the managed services sought by the Authority and describes the context within which the requirement is set. Together with the bidder s proposal, this document will form the basis of negotiations leading to an agreement with the successful bidder for the provision of the service, This document should be read in conjunction with the Annexes, which give details of the Authority s current service. 3. Terms 3.1 Contract Invitation to Quote - AGO IT Services Page 6 of August 2011

7 The Authority is seeking to award a three year contract to March 2015 with the option of a further two one year extensions. The contract will have no annual indexation. Options should be provided for a fullterm contract, and for a mid-term break without penalty, Day rates should be in line with OGC framework contracts. The Authority is prepared to consider variant bids and potential Contractors are encouraged to come up with suggestions on how the Authority can achieve best value for money. The aim is to use the standard terms and conditions as set out in the OGC Framework Model Contract wherever possible. 3.2 Core Right to Publish The parties acknowledge that if a contract is awarded, except for any information which is exempt from disclosure in accordance with the provisions of the FOIA, the content of the Contract is not Confidential Information. The Authority shall be responsible for determining in its absolute discretion whether any of the content of the Contract is exempt from disclosure in accordance with the provisions of the FOIA. Notwithstanding any other term of the Contract, the Provider hereby gives his consent for the Authority to publish the Contract in its entirety, (but with any information which is exempt from disclosure in accordance with the provisions of the FOIA redacted) including from time to time agreed changes to the contract, to the general public. The Authority may consult with the Provider to inform its decision regarding any exemptions but the Authority shall have the final decision in its absolute discretion. The Provider shall assist and cooperate with the Authority to enable the Authority to publish the Agreement. 4. ITQ Process 4.1 Timescales The anticipated timings for this stage of the procurement process are summarised below. In the event of any delay, subsequent dates will be put back by the same amount, excepting only the Service Date. Event Date ITQ issued 30/08/2011 Deadline for questions 02/09/2011 Deadline for AGO to respond to questions 07/09/2011 Suppliers submit ITQ responses 16/09/2011, 12 noon Evaluation of responses 27/09/2011 Notification of evaluation results select two suppliers to go forward to BAFO Suppliers submit BAFO 03/10/ /11/2011, 12 noon BAFO Evaluation 21/11/2011 Notification of BAFO evaluation results 25/11/2011 Due diligence 30/11/ /12/2011 Invitation to Quote - AGO IT Services Page 7 of August 2011

8 Complete contract 12/12/2011 Supplier on site 03/01/2012 Service Date 16/01/2012 The AGO Business Support Team will oversee supplier communications and negotiations via 4.2 ITQ Further Information To ensure you have as much information as possible to complete your submission in as timely a manner as possible we ask that you read all documentation carefully and submit any questions you have no later than the date in 4.1 to the address in ITQ Response Requirements The Authority asks that suppliers respond to each of the requirement set out in this ITQ. Responses should evidence how you will provide the service required (not just confirmation that you can provide the service) and should be as succinct as possible. Bidders should follow these instructions diligently and if in doubt should get in touch with the Authority. 4.4 Format of Requirements Following sections define the services required from the Supplier during the course of the contract and information required from Bidders. Bidders should be aware that the information provided in response to these requirements will be used in any future contract with the Authority. Specific requirements always appear in a table. There are three types of requirement identified as follows: M means a core mandatory service requirement; O means an optional service requirement; I means a request for information. A bidder s response to this ITQ must include a response to each of these requirements; the information provided will be used to evaluate responses. Where there are any additional or variable charges associated with any requirement and in particular the mandatory ones this should be clearly identified along with any variable on which the charge is dependent. 5. Additional Guidelines 5.1 Innovation In preparing this ITQ, the Authority has endeavoured to set out its requirements for this solution in the best possible way. In so doing, it is possible that the Authority has constrained suppliers from offering alternative, innovative approaches. Where suppliers believe this to be the case, they are encouraged to propose these alternative approaches, which should be stated in addition to their responses. 5.2 Third Parties Where a supplier s responses to any of the questions assumes the usage of either third party software or functionality that is not yet developed this must be very clearly stated within the relevant response. Invitation to Quote - AGO IT Services Page 8 of August 2011

9 5.3 Acceptance The Authority shall not be bound to accept any of the responses received. 5.4 Confidentiality The contents of this ITQ, including specification, designs, drawings or other related documents shall be considered confidential and shall not be disclosed by you, your servants or agents to any persons, firm or corporation without the consent of the Authority. Any such specifications, designs, drawings or other documents shall remain the property of the Authority and shall be returnable on demand. 6. Scope of the Procurement 6.1 Core Services Office infrastructure (Server support, desktop and laptop installation and support, data network management) Service Desk Microsoft Windows and Office (or alternatives) operation and support IT security controls and maintenance Implementation of new systems Asset management License management Patching voice and data Intranet GSi and x.gsi connectivity, and via GSi to internet Blackberry or similar device support None. 6.2 Core Packaged Applications Software Package Max No of Licences Microsoft Windows operating system (or alternative) 75 Microsoft Office (or alternative) 75 Wordpress Intranet publishing tool wordpress.org 10 Stata data analysis software 15 WinSolve statistics package winsolve.surrey.ac.uk 15 Ecowin charting and analysis software from Reuters 15 Dragon Naturally Speaking speech recognition software 10 Cardbox database software 20 Becrypt disk encryption software to CESG standard 75 PGP CD/DVD encryption software to CESG standard Bespoke Applications 6.4 Locations There are presently 65 staff, the majority of which are based in one office in 20 Victoria Street, London, SW1. Many laptop users (including Ministers) are highly mobile, a number of these frequently travel world-wide and require secure remote access if practicable within CESG guidelines. All laptop users also need to be able to work remotely and from home to reduce the footprint of the office in line with government guidelines. Invitation to Quote - AGO IT Services Page 9 of August 2011

10 6.5 Current Authority IT Assets At present, the Authority owns all the hardware and software used on its premises to provide the necessary services an inventory of Authority assets is supplied in Annex B of this ITQ. These assets are managed by the Current Supplier on the Authority s behalf, and will be made available to the successful contractor should they so wish. In the interests of brevity, this ITQ has been written as if this arrangement will continue under the new contract. However, the Authority is keen to explore alternative options, where these are likely to represent value for money, and intends to be open-minded in considering Bidders proposals. As an alternative to the current arrangements, there are a range of approaches which could be adopted including the following examples: Bidders may choose not to use any of the existing hardware and software, and to deliver the services using their own assets, some of which may be located off-site e.g. in a data centre; Bidders would then have to take responsibility for disposal of existing assets in line with CESG guidelines. As equipment becomes obsolete, Bidders may choose to replace it by equipment which will be owned by the Supplier, some of which may be located off-site. Clearly, there are other options; Bidders should use their judgement to propose the best value for money solution to the Authority s requirements. Bidders should base their proposal on supporting the existing Authority assets and provide alternative proposals as an option, unless they can offer a completely costed disposal option. The Authority is committed to trying to get best value for money from its hardware assets. Should the solution retain Authority procurement, Supplier will be required to assist the Authority in maximising the life of assets and assisting in procuring resilient replacement assets as required. Software is to be replaced to meet the business requirements of the Authority and taking into account the software supplier s upgrade cycle, and on-going support from the software vendor. Bidder is responsible for ensuring costs are included in their bid for the length of the contract. 7. Infrastructure Services 7.1 Infrastructure Assets M1 M2 M3 M4 Supplier must maintain and support all Authority infrastructure hardware and equipment as listed in the Annex to this ITQ including but not limited to: Desktop hardware, a mix of laptops and desktop PCs; IT infrastructure components including servers and firewalls; Network & standalone printers; Ancillary equipment such as scanners and multi-functional devices Data network components including hubs, routers and switches. Bidders must describe their proposal for providing or using infrastructure components. This must include the proposed location of servers and the means by which they will ensure the security of Authority information. Servers must be maintained to ensure effective and efficient operation of the infrastructure in line with CESG security requirements. The infrastructure must support a range of applications as specified without any degradation in performance. Supplier must support secure remote access to the network via Laptops or other Invitation to Quote - AGO IT Services Page 10 of August 2011

11 I1 I2 devices with CESG approved encryption software. Bidders should describe how they would source new equipment. Bidders should describe how equipment and software including that inherited from the existing Infrastructure will be integrated into the proposed overall architecture, design and implementation. 7.2 Desktops, laptops, printers. M5 M6 M7 M8 All network Desktops must be ergonomically designed with a minimum 18.5 TFT screen. All laptops are provided in Authority premises with docking stations, screens as desktops, keyboards and mice. Larger keyboards and other devices must be available for users with special requirements or visual impairment. The number of devices to be supported is listed in Annex B of this ITQ, with future moves tending towards more laptops. The Supplier must build all new Desktop and Laptop client devices in accordance with the agreed client build documentation set. This will be agreed at the start of the contract. A4 black and white network printers are required, minimum 40 ppm. In addition, A3 colour networked Multi Functional Devices will be required. All such printers will be based in Victoria Street. All network printers must be able to print a minimum of 1000 DPI or better; must have sufficient internal memory to support all identified Desktop functions, and have a sheet feeder capacity equal to or greater than 500 sheets. The number of network printers is specified in the Asset Annex. Stand-alone printers must be supported for secure and home working. These should be light weight compact A4 black and white printers capable of 10 ppm. 7.3 Technology Refreshment M9 O1 M10 O2 Supplier must provide advice on the specification of any new IT asset, hardware or software, in order for the Authority to procure through its preferred IT supplier. The Supplier must, if required, obtain any necessary quotations or purchase said goods on behalf of the Authority. OR, If the assets concerned are owned by the Supplier, the Supplier must replace or upgrade any hardware, software or equipment that is not capable of meeting Service Levels. Bidders are expected to assist the Authority in the choice of software release. Bidders are invited to comment on this policy. If the Supplier is proposing to supply some or all of the hardware and software, the Supplier must provide proposals that will ensure that the infrastructure technology is refreshed on an on-going basis. The Authority s Information Strategy recognises the need to introduce greater mobility, with the gradual move on the client side from a majority of desktops to a mixed environment of laptops, tablets, mobiles and desktops, with laptops predominating. Supplier should demonstrate how these changes would be accommodated in their solution. Invitation to Quote - AGO IT Services Page 11 of August 2011

12 7.4 Asset Register and Asset Disposal M12 M13 M14 I3 Supplier must maintain an up to date asset register of all items that comprise the Infrastructure, The Supplier must make the asset register available to the Authority, on demand. Supplier must dispose of unwanted IT equipment in line with CESG standards and in particular ensure all data is removed from any storage. Supplier must ensure that any assets which are disposed of are recorded on the asset register. Bidders must describe their proposals for maintaining an up to date asset register and making it available to the Authority. This should include details of any software products used to collect, verify or store information. 7.5 Software Licences and Contracts M15 M16 M17 M18 I4 Supplier must provide license management to the Authority and work with the Authority to identify and implement the most cost-effective way of licensing software. Supplier may offer the option of a change of ownership if this is cost effective for the Authority. Supplier must ensure that: All software installed on the Infrastructure has appropriate licences; Sufficient licences are available to cover all Authority requirements; All licences are current; All usage is within the terms of the existing licences; The Authority does not pay more for licences than is necessary; Forecasts are provided on license management costs for future years. Supplier must use automatic software distribution techniques to centrally deploy managed software, and provide audit records. Supplier must carry out regular audits of software installed to comply with the Federation Against Software Theft (FAST). Alternatively, the Supplier may indemnify the Authority against this risk. Bidders should describe their approach to provision and management of software licences and associated contracts. Where due diligence identifies any potential issues associated with the Supplier s envisaged use of any of the Authority s existing software, the Supplier must set out its proposed approach for dealing with such issues. 7.6 Desktop Services M19 Supplier must provide the following core services, using standard products defined jointly with the Authority, to all Authority staff at their normal place of work (including home and mobile workers) Word-processing, spreadsheet, database and presentation facilities (currently provided using Microsoft Office) Electronic Diary (currently Microsoft Outlook) Access to the GSi Access to web-based products and systems (currently provided using Internet Invitation to Quote - AGO IT Services Page 12 of August 2011

13 Explorer); Access to shared documents and records stored on the network (currently provided using Windows Explorer); Access to the World Wide Web via GSi; Internal and external (currently provided using Microsoft Outlook and Exchange). Internal means within the Authority including to and from overseas users, external means from outside the Authority; Printing to network and local printers. Virus protection and local firewalls. The ability to transfer information and documents between all users as attachments. Support for the display and printing of all pre-agreed fonts, symbols and (where printer capabilities permit) colours, including the Euro symbol and all fonts and colours required to comply with the AGO and OBR s corporate identity guidelines as amended from time to time. The ability for users, with appropriate access permissions (as granted by the Authority) to work on data that is Restricted on GSi and Confidential on x.gsi networked devices in accordance with HMG security requirements as defined by CESG. Access to GSi and calendar via Blackberry or other similar device. M20 M21 I5 At Authority premises only: - Access to the x.gsi for 5 users from dedicated machines using a dedicated LAN network Supplier must, on receipt of an authorised request, provide approved additional software to any member of the staff. Any additional or variable charge, such as a percentage on top of the verifiable licence charge, must be identified. Supplier should provide enhanced Desktop configurations in response to authorised user requests that provide for access to Desktop services for people with disabilities (which may require reasonable adaptations to be made). Any additional or variable charge on top of verifiable hardware or software licence charges must be identified. Suppliers should describe their approach to and previous experience of providing solutions for of this nature. 7.7 Access to Services M22 M23 I6 The Supplier must ensure that all users of the IT infrastructure can access their core services from any Desktop or Laptop designated for user access in the Authority s premises (i.e. support for hot-desking ). Users must not be able to log-on at more than one device concurrently. Supplier must provide Laptop computers with the agreed configuration from the Authority s stock upon receipt of an authorised request at no additional charge. Bidders should describe their proposals for providing access to the required IT services. This should include services to users working away from their office. 7.8 Local Area Network M24 M25 Supplier must manage and support the Authority s Local Area Networks and external connections, which include GSi and x.gsi connections. Supplier should explain experience of managing the separation of these networks. Supplier must manage and maintain internal data links, linking Desktops and Laptops to servers via switches, hubs, routers and cabling to data outlets at each Desktop and Laptop. Links must be monitored to identify performance problems. Invitation to Quote - AGO IT Services Page 13 of August 2011

14 M26 M27 Supplier must manage the patching of all network and communication devices from device to floor port and patch port to network switch. Supplier must maintain network connectivity as the Authority s accommodation changes in future years. 7.9 Remote Access M28 M29 M30 Supplier must operate, monitor and manage the Authority s remote access (including Blackberry and 3G USB modems for Laptops) solution. Supplier must add and remove devices and or user accounts which have been authorised or denied access to remotely access the Authority s network. Supplier must maintain any route filtering in place to ensure the integrity of the remote access solution and limit accessibility of remote client devices. Supplier must log and manage the issuing of remote access authentication tokens to authorised Authority staff Service Desk and User Support M31 M32 M33 M34 M35 M36 M37 I7 The Supplier must provide and manage a Service Desk service for all users of the IT Infrastructure, that will provide Incident Management in accordance with ITIL best practice, in particular: Receive and record all problems or enquiries concerning the Authority s Infrastructure or Applications that run on the Infrastructure; Manage the resolution of all reported problems, co-ordinating any input required from other Authority staff or approved third parties; Maintain communication with customers, keeping them informed of progress of their outstanding problems/queries; Only close a problem or enquiry when it has been resolved with the user, in accordance with standards agreed with the Authority. The Supplier must maintain statistics on all problems and queries raised/resolved and incorporate these in monthly service management reports. The Service Desk must be capable of receiving problems and queries by and telephone. There must be a fully manned Service Desk service for all on-site and remote staff between the hours of 08:00 and 18:00 Monday through Friday. With prior agreement the Supplier must provide access to Service Desk and user support services in the evenings, at weekends and over Bank Holiday periods. Additional cost, if any, should be identified. The Service Desk must allow users to track the progress of the problem they have raised directly. The Service Desk staff must be experienced users of MS Office applications. Over 80% of all calls should be resolved at first call. Supplier must provide Full Service Support for all hardware for both Local and Remote users. Supplier must provide technical support for both office and remote users. Bidders should describe their approach to providing support services, during and outside normal working hours, for short periods of extended service and in support of remote and home workers, and their experience of increasing the percentage of calls resolved at first call. Invitation to Quote - AGO IT Services Page 14 of August 2011

15 7.11 Problem Severity M38 M39 Supplier must provide problem management in accordance with ITIL Problem Management best practise to ensure all problems raised are dealt with in a timely and efficient manner. This will include the co-ordination of all problems with 3rd parties and management of different classes of problem in accordance with the SLA. Supplier must assign a severity level to all problems and requests received from callers and in the case of Severity One and Two agree that severity level with the Authority s service manager. Severity One Total Loss of Service to: a. More than 10% of users OR b. Degradation of Service of 25%+ to more than 10% of users Severity Two All other incidents which involve either: a. Partial Loss of Service to more than 10% of users OR b. Degradation of Service of 25%+ to more than 10% of users. Severity Three A single user cannot use a Mandatory part of the IT Service M40 M41 Severity Four A single user from using a part of the IT Service but the user can continue to operate albeit at a lower level of efficiency. Supplier must agree a problem escalation process with the Authority and must escalate problems as per contract. Supplier must analyse all incidents to identify significant trends. They must recommend any work required to secure or improve services that would provide a business advantage to the Authority Equipment Loan M42 I8 The Supplier must manage the supply of loan equipment to Authority staff. This will include the loan of Desktops, Laptops, portable printers and projection equipment to staff based at Authority or remote premises. Bidders must describe their approach to providing equipment on a temporary loan, stating any constraints that would apply to the services Installs, Moves and Changes M43 M44 M45 M46 Supplier must carry out IMAC - minor equipment moves and changes (including network wiring if requested) - for relocated staff and ensure that they have the correct IT services available. IMAC of less than 10 relocations within the Authorities premises performed at the same time must be done at no additional charge. Supplier must assist in any major accommodation moves undertaken by the Authority. Suppliers must confirm what, if any, additional charges would apply. Supplier must assist in the specification of any environmental considerations for the provision of IT Services to any new accommodation. Supplier must move any hardware (desktops, laptops, keyboards, mice, other pointing devices, screens, scanners, KVM switches, USB hubs, printers, servers, Invitation to Quote - AGO IT Services Page 15 of August 2011

16 I9 hubs, routers, switches or any other IT equipment as defined by the Authority) at the Authority s premises. Suppliers should describe their approach to handling moves, stating the different categories of move anticipated and the arrangements that would be appropriate to each category Administration of user accounts M47 M48 M49 M50 Supplier must create user accounts for Authority staff, (including temporary staff, consultants and contractors) and, when required to do so, change, augment or diminish user access rights. Supplier should note a variety of domains may be used. Supplier must, under Authority direction, manage access permissions for user s personal and Authority shared data areas, assigning and removing permissions in accordance with the agreed authorisation processes. This must include the management and control of access and of user passwords. Supplier must actively monitor user accounts to identify unused accounts and take appropriate action. Supplier must periodically and at the request of the Authority complete a continued business need audit of all active user accounts on all Authority IT systems. This will include accounts owned by Authority staff and also by the Supplier, to ensure redundant accounts are removed from the system at the earliest opportunity Service Downtime M51 M52 M53 I10 The Supplier must make the Services available for use whenever possible. Any scheduled downtime must be agreed with the Authority 5 working days in advance. The Supplier must notify all impacted users of any planned withdrawal of Service outside of normal working hours and must also provide users with regular reminders of the planned withdrawal of Service. In the event of issues affecting performance in normal service hours Supplier must notify users when the normal service will be resumed. Bidders should describe their approach to making Services available and notifying users of any planned or unplanned disruption Infrastructure Administration M54 M55 Supplier s management and support of the infrastructure must include: Server and client housekeeping (e.g. cleaning up redundant data) in accordance with a policy agreed with the Authority; Provision of consumables necessary to support any IT equipment but excluding CDs, DVDs and paper. In particular, this means provision at Authority premises of sufficient toner to reduce printer and multi-functional device down-time. Supplier must maintain up-to-date documentation of the infrastructure Capacity management M56 Supplier must actively monitor the storage capacity and bandwidth availability. The Supplier must inform the Authority of any issues as soon as they become apparent and make recommendations for remedy. Should this require equipment purchased by the Authority, any additional charge above the equipment cost should be Invitation to Quote - AGO IT Services Page 16 of August 2011

17 M57 M58 identified. Supplier must manage the servers to ensure efficient and effective use of these resources to the satisfaction of the Authority. Supplier will be expected to identify opportunities for rationalising the Authority s capacity requirements. The Supplier must identify and implement efficient performance standards for file transfer and data storage within CESG guidelines and notify users of these standards Performance management M59 Performance management must include but not be limited to: Pro-active monitoring of the infrastructure workloads, response times and throughput to identify changes, patterns and trends. Detection of conditions which could be detrimental to performance and the taking of corrective action. Tuning the infrastructure to meet agreed performance levels. Tuning operating systems & shared storage. Verifying that the system back-up processes work successfully. Investigation of detected or reported failures to meet performance levels Review of usage trends Assessing the impact of proposed changes to applications, the user population and organisation upon the performance of the Services Back-Up M60 M61 M62 I11 Supplier must ensure IT systems are backed up in accordance with the Authority s backup strategy, and ensure all backup media are held in secure off-site storage. This presently requires daily incremental and weekend full back-ups, with full backups maintained for 7 years. The Supplier must put procedures in place to ensure that any data lost by Authority staff can be recovered with minimal user intervention. All recovered data must be available within one day of request. Supplier must ensure that systems and procedures allow for the restoration of data to be in the case of any investigation and audit by the Authority. Bidders must describe their proposal for backup and recovery of data and systems Disaster Recovery M63 M64 M65 M66 I12 Within one month of award, Supplier must create and maintain a Disaster Recovery Plan for the Infrastructure that are consistent with the Authority s overall business continuity plans, and this must be agreed with the Authority within 3 months of contract award. The Plan must permit of early warning of potential disasters as well as the events themselves. Supplier must initiate annual disaster recovery tests at times to be agreed with the Authority and provide the Authority with the test results. In the event of a disaster, Supplier must invoke the Disaster Recovery Plan, using all reasonable endeavours in restoring Services. If an Authority premises is temporarily closed, Supplier must ensure that key services are provided to key staff within 24 hours. The definitions of key services and key staff will have previously been agreed in the Disaster Recovery Plan. Bidders should describe their approach to business continuity including a menu of Invitation to Quote - AGO IT Services Page 17 of August 2011

18 services they would propose Configuration Management M67 Supplier must maintain proper configuration control over all hardware, software and documented procedures, in line with best practice Minor Infrastructure Enhancements M68 I13 The Supplier must deliver and carry out minor infrastructure enhancements as required by the Authority at no additional charge. These include Apply service releases of existing software; Apply emergency fixes and patches Firmware upgrades. Bidders should describe their approach to applying minor enhancements to the infrastructure. Bidders may describe the types of enhancements they envisage and the staffing, processes, tools, and standards that would be applied Service Levels M69 I14 By the Service Date, Supplier s infrastructure services must meet the Service Levels as detailed in the Annex. Bidders must confirm they can comply with these service levels. Service credits will apply to non conformance for business critical service levels and Supplier must propose a service credit regime. Bidders may comment on the required service levels, suggesting alternatives where appropriate, together with the benefits to the Authority of the proposed alternative service level Service Availability M70 The Supplier must monitor and maintain system availability of Authority systems to meet the Service Levels, preferably by automated means IT Strategy M71 The supplier must provide formal IT strategy advice at least once every 6 months. 8. Support Requirements 8.1 Service Hours M72 M73 M74 The full range of Services covered under this contract must be available during Standard Hours, 08:00 18:00, Monday to Friday, excluding Bank Holidays but not privilege holidays. The infrastructure must normally be available for use outside Standard Hours. Any periods of planned unavailability of services outside Standard Hours must be agreed with the Authority in advance, except in cases of emergency. The Supplier must provide uninterrupted access to servers, in agreed service hours, for file storage, network printing, access to business application systems, core applications, the Internet and FTP services. Invitation to Quote - AGO IT Services Page 18 of August 2011

19 8.2 System Operation and Maintenance M75 M76 M77 M78 M79 M80 M81 M82 Supplier must accept responsibility for end-to-end performance and availability in accordance with the Service Levels, managing the relationships with subcontractors and third party contractors. Supplier must maintain and repair all components of the infrastructure to ensure that the required Service Levels are met. Changes to the infrastructure must only be implemented following agreed change management procedures The infrastructure must be managed and administered in accordance with good IT infrastructure management practices as detailed in ITIL Supplier must identify its processes & procedures for the following: Managing Service Desk calls. Managing escalation. Managing problems. Management of the communications network, both voice and data Managing Service Requests. Managing Change Requests. Managing security. Managing . Asset management. Managing all licenses. Supplier must co-operate fully with system health checks and security audits to provide continuing assurance as to compliance and to support any investigative or diagnostic activity which the Authority deem necessary. Supplier must make every effort to maintain the integrity of relevant databases, records and security logs and to keep them in a form, clearly documented. Supplier must change /or reset passwords for Windows Active Directory in accordance with Service Levels 8.3 Resilience and Recovery M83 In the event of failure of an individual Desktop or Laptop, data loss must be minimal. Supplier should identify how to achieve this. 8.4 Other Services M84 M85 M86 M87 Supplier must offer services on a call off basis to develop small applications using MS-Office or similar. Details of availability and charges should be provided in a table with daily and hourly rates. Supplier must provide a User Guide giving an overview of the infrastructure services, and which provides a key to obtaining further information as necessary about particular services, authorisation procedures, and details of the Service Desk and other contact points, agreed performance standards and escalation procedures. This may be provided on-line if accessible to all Authority users. Supplier must provide a plan for ensuring all infrastructure equipment is kept in a clean and safe condition, and must implement that plan after its agreement. Supplier must archive data in response to user requests. Archived data must be stored securely off site. Archived data must be stored for a period specified by the user at the time of archiving, and must be restored to on-line status on request from Invitation to Quote - AGO IT Services Page 19 of August 2011

20 M88 the user. Supplier must keep Desktop cabling in a safe and tidy state using industry standard cable management practice. Frame rooms and patch cabinets must be properly cabled and managed using colour coding to denote the purpose of the cable. This must be fully documented and made available for Authority inspection. Supplier must keep all areas safe in accordance with the Authority s Health and Safety Policy. 8.5 Third Party Suppliers M89 M90 M91 Supplier must agree to manage all day-to-day responsibilities with any 3rd party suppliers to the Authority including, but not limited to:- Problem resolution involving the provision of 2nd and 3rd Line support Purchase and installation of specialist software or hardware Contingency and disaster planning & tests. Change management. Security related services. Systems Integration services. Data network services. Other government departments who provide services to the Authority. Supplier must act as the single liaison point for all dialogue between 3rd party suppliers and the Authority in the event of any hardware, network, component failure or software failure. Suppliers must support the applications listed in Section 6.2 Core Applications. Bidders should indicate what level of experience they have of these and how they propose to support the systems listed, in particular Cardbox. 9. External Connectivity M92 M93 M94 M95 M96 M97 Supplier must act as Authority s point of contact for all matters concerning the GSi and x.gsi connection and the provision of Internet and Web Browsing. Supplier must work with the suppliers of the GSi service to maximise system availability at all times both within and outside of normal working hours. Supplier must provide Internet Web and access in accordance with the Service Levels. Supplier must provide Authority with the ability to transfer data to and from Authority websites. An Internet connection must be provided to allow to external, organisations, and permit Internet access. Connections to the GSi and x.gsi must be provided to enable secure with other public sector organisations. Supplier must provide the Authority with the capability to access other government departments (OGD) Intranets, where permission to implement access has been obtained by the Authority. 10. IT Security M98 Supplier must, in accordance with the Authority s security policy: Invitation to Quote - AGO IT Services Page 20 of August 2011

21 M99 M100 Protect Authority information from unauthorised parties Ensure that all Authority information is completely expunged from equipment before disposal in line with CESG guidance; Monitor s, detect and report inappropriate usage Monitor internet access, detect and report inappropriate usage Report any security concerns to the Authority s IT Security Officer, as soon as practicable and to any agreed third party such as UNIRAS; Log and report all breaches of security to the Authority s Departmental Security Officer, other than minor previously agreed procedural breaches; Maintain adequate records and facilitate inspections to enable the investigation of incidents and verification of compliance by the Authority. All Supplier staff who require access to the Authority s building or systems must be security cleared to minimum of SC. Supplier is responsible for ensuring that they carry out pre-employment checks on all staff in line with CPNI guidance. Subcontractors and consultants who are working on the infrastructure will need to be supervised by security cleared Supplier staff at all times. Whether servers are hosted on or off Authority s premises, the Supplier must ensure that systems and information are secure and protected against loss. Supplier must deploy suitable physical security measures at least equal to those required by CESG standards IT Compliance Requirements M101 M102 M103 M104 M105 M106 M107 M108 M109 M110 M111 Supplier must be aware of and comply with CESG and other relevant HMG security guidance. Supplier must actively monitor government security notifications and advise the Authority in a timely manner on a required course of action Supplier must lead the development of Authority s IT Security Policy. Whilst the Authority retains overall responsibility, work to ensure compliance to CESG standards will be undertaken by the Supplier. Supplier must develop, secure all approvals and maintain appropriate Security Operating Procedures (SyOPs) and System Operating Procedures (SOPs), Service Management Procedures, RMADS and other necessary system documentation as required by CESG and the Authority. Supplier must ensure that all the Authority s IT equipment, software and networks are supplied, configured, operated and maintained so as to ensure compliance with the Authority s Security Policy and RMADS. Supplier must conduct regular reviews of the RMADS to ensure compliance with CESG standards and update if required. Supplier must ensure that the Authority s infrastructure is initially accredited for connection to the GSi and x.gsi and maintains this accreditation. Supplier must maintain compliance with BS7799. Supplier must ensure that all users are identified and authenticated before being given access to the Authority s infrastructure. Data must be protected in accordance with HMG s Protective Marking regime. This means Confidential information must be maintained with access to the x.gsi network only and Restricted information may be maintained on the x.gsi or the GSi network. No Secret or more highly classified information may be maintained with a connection to any external network. Supplier must, at regular intervals, undertake a health check of all Authority Servers and Desktops and Laptops to ensure that they meet the agreed security settings. Supplier must ensure that there is a facility for auditing failed log on attempts and notify the Authority of possible security violations. Invitation to Quote - AGO IT Services Page 21 of August 2011

22 M112 M113 M114 Supplier must ensure that there is a facility that terminates terminal and other processes after a period of inactivity. Supplier must conduct penetration tests of the infrastructure using trusted 3 rd parties. This must occur a minimum of annually. Supplier must provide technical support for the use of encryption technologies such as PGP, as required and agreed with Authority Security and Maintenance Patches and Virus Protection M115 M116 M117 I15 Supplier must actively monitor the availability of system critical security and maintenance patches for all supported software and hardware and install any required on all supported software and hardware within the Service Levels Supplier must provide virus detection and eradication processes for local and remote devices capable of detecting viruses, which are introduced through any known means, in accordance with prevailing CESG advice. The Supplier must act as the support interface between Authority and the Anti-Virus Solution provider for the GSi and x.gsi Bidders should describe their approach to network and information security. 11. Implementation of new systems M118 M119 M120 The Supplier must assist the Authority in the acceptance testing of any new bespoke applications which are developed by third party suppliers under contract to the Authority. The Supplier must install any new applications (COTS and bespoke) on the Authority s infrastructure and make such applications available to authorised Authority users. The Supplier must interface/integrate new applications with existing Authority systems as required. 12. Transition and Service Handover M121 M122 M123 M124 M125 M126 The infrastructure (including - hardware network and cables and software) must be delivered (or transferred in ownership), and ready for use by Authority staff by the Service Date. Bidders should explain how this may be accomplished. A high-speed connection, to the GSi and x.gsi must be ready for use by Authority staff by the Service Date. It is anticipated that the incumbent supplier will assist in transfer, but Bidders should explain how they have accomplished a speedy transfer in previous situations. All Authority user data, including MS Outlook data ( , address lists, calendar data etc) must be available for immediate use on the Service Date. The current supplier and the Authority will provide assistance in facilitating this transfer. The Supplier must ensure that, during service handover, levels of service do not fall below those listed in Annex A. The Transition Plan must be produced within 1 week of contract award, and must detail responsibilities, activities, deliverables, milestones, resources, timescales, dependencies, risks and quality control and assurance activities The Supplier must identify in his Transition Plan any building work, site services or similar activities the Authority is required to undertake to enable successful installation within the designated buildings. Failure to do so will render the Supplier Invitation to Quote - AGO IT Services Page 22 of August 2011

23 M127 M128 I16 liable for any costs incurred by Authority. The Supplier must manage the transition and service handover using a recognised project management methodology and identify it here. During transition and service handover, the Supplier must ensure that: All work is carried out without disruption to users. Authority is kept informed weekly of progress Bidders should describe their proposed approach to the maintenance of service quality identifying in particular: Their overall management approach; The order of take-on of services, including the transfer of assets and relocation of servers; What help and assistance would be required from the Authority; How they would minimise the risk of service disruption during service handover 13. Contract Management 13.1 Governance M129 Supplier must identify by name: - Senior Director: to act as a senior escalation point Account Director: to take full responsibility for the account; Contract Manager: to take full responsibility for ensuring that the contractual terms remain up to date; Service Manager: to take day-to-day responsibility for providing the ongoing service, acting as the primary point of contact for all matters relating to the services; the Service Manager, or a nominated deputy, must be available at all times to Authority during normal business hours; Transition Manager: to manage the transition including the handover of services. M130 Supplier must co-operate proactively with third parties particularly the Authority s other suppliers. The Supplier must undertake to provide reasonable information and assistance to such suppliers. I17 Bidders should provide details of the organisation they would expect to put into place to manage and provide services Service Reporting M131 M132 Supplier must provide monthly reports on performance against Service Levels and on problems and issues arising during the previous period. These reports must provide sufficient information presented in a structured format to enable easy reconciliation with the Supplier s invoices and must include, at a minimum, monthly figures (against service levels) and trends for: Service availability and performance; Capacity; Problem management including: details of problems resolved; outstanding problems & steps being taken to effect permanent solutions fix times for the different severity levels of problems; Progress in all ongoing projects; Future plans and Innovation. Inactive accounts Security incidents Supplier must agree to the Authority (or its auditors) auditing the performance reporting and management procedures, systems and records twice annually, or more frequently at the Authority s request. Invitation to Quote - AGO IT Services Page 23 of August 2011