IaaS Request for Proposal Template
- Aron Short
- 9 years ago
IaaS Request for Proposal Template
Created by the Dimension Data Cloud Business Unit
Page 1 of 24

Release history
Version | Date released | Pages affected | Remarks
        |               | All            | Initial creation of document
Table of contents
Introduction
  Purpose of Document
1. Personnel Security / Auditing
2. Physical Security / Auditing
3. Logical Security / Auditing
4. Monitoring / Request Management
5. Data backup / business continuity / disaster recovery
6. Vulnerability / intrusion detection / anti-virus
7. Control / incident response processes
8. Managed services
9. Compliance / Certifications
10. IaaS / Cloud Features and Functions
  10.1. General information
  10.2. Network information
  10.3. Storage information
  10.4. Cloud server information
Introduction

Purpose of Document

The intent of this document is to assist companies in creating a Request for Proposal (RFP) document that is focused on cloud or infrastructure-as-a-service (IaaS) solutions and on managed services for that environment. Companies can use this document to ensure they are covering the most important and relevant questions in assessing cloud vendors, solely from an infrastructure perspective. Soliciting detailed answers beyond a simple yes/no will give you more clarity about how the right provider can assist in the growth of your business.

Companies should also make sure to address the following areas as part of the RFP document format; they are not directly addressed by this RFP template.

1. Project overview
- Introduction to your company
- Project description
- Terms and definitions
- Minimum requirements for selection
- RFP schedule

2. Instructions and procedures
- Communication
- Proposal format
- Proposal pricing
- Proposal submission requirements
- RFP and proposal participation requirements
- Standard terms and conditions
- Evaluation criteria and process

The pen symbol to the left highlights notes for the section or a particular question. You will see these symbols throughout this document.
1. Personnel Security / Auditing

Note: This section is important in ensuring that you gain a good understanding of the cloud vendor you're reviewing. You want to ensure the provider has the proper processes in place to validate the personnel they employ. This may be particularly relevant if you are subject to compliance requirements.

1.1. Do you provide background/credit/education/drug screening of employees involved in the delivery of your service?
1.2. Do your personnel sign non-disclosure and confidentiality agreements?
1.3. Does an internal security awareness policy exist for employees?
1.4. Does the information security programme include a policy on:
- Data encryption
- Data handling (secure use, storage, and destruction of sensitive data)
- Data classification
- Physical access
- Electronic access
- Data retention
- Acceptable/authorised use policy ( /internet/etc.)
- Security configuration standards for networks, operating systems, applications, and desktops
- Security patching
- Vulnerability management
- Password management
- File directory rights and permissions
- Prevention of computer viruses
- Disaster recovery plans
1.5. How are employees kept abreast of changes to the security policy?
1.6. Are employees aware of the process for reporting security incidents?
1.7. Is there an internal audit group responsible for reviewing the information security environment?
1.8. Do contracts with your vendors require a minimum level of security from the vendor?
1.9. When an employee leaves the company, are access privileges immediately revoked?
2. Physical Security / Auditing

Note: This section looks at the mechanisms, systems, and procedures that the cloud vendor has in place to address physical security in the environments they use to provide their services. It's very important to have a solid understanding of the facility and how access is controlled, to ensure that your data and your business are adequately protected.

2.1. Are visitors required to sign in, be issued with identity badges, and be escorted while on the premises?
2.2. Are access logs from the facility maintained for at least 30 days?
2.3. Does the company have policies on removable media in the data centre?
2.4. Do third parties have physical access to data centre space where your cloud infrastructure is located?
2.5. Are the facility's premises separated into different control areas such as data centre floor, loading/delivery areas and others?
2.6. What are the hours of operation of the security facilities at the data centre?
2.7. Is there CCTV monitoring of the data centre floor?
2.8. Are loading dock or delivery areas monitored by CCTV?
2.9. What is the retention policy on CCTV feeds?
2.10. How is the cage space for your cloud environment separated from other data centre clients?
2.11. Describe the fire suppression solution used in the data centre.
2.12. Are temperature and humidity controls in the data centre restricted to authorised personnel only and separated from the rest of the facility?
2.13. Are there procedures in place to control the removal of property from the facility?
2.14. Is there a holding area for deliveries at the data centre where internal doors can be secured while external doors are open?
2.15. How are power and communications cables physically separated?
2.16. Are there locked/alarmed conduit boxes?
2.17. Are inventory records maintained of all hardware?
2.18. Do you sweep for unauthorised devices attached to cables?
2.19. Does the facility include the following physical security elements?
- electronic access control
- CCTV monitoring
- alarm systems (windows, doors, server areas, etc.)
- on-site security guards
- building specifications
- identity badge procedures
- logging of site access
- power and network redundancy
- power surge protection
- fire suppression systems
- heating/air conditioning

3. Logical Security / Auditing

Note: This section focuses on access to systems, networks, and overall logical security practices, allowing you to gain an understanding of how the vendor maintains a secure environment. It's critical that the provider has the processes or procedures in place to provide a secure environment and maintain visibility of potential security breaches. Remember this really pertains to the cloud infrastructure that provides the resources you will consume. This is infrastructure access that YOU will not have, so you want to know the provider has it covered.

3.1. Please provide a copy of your information security policy.
Note: The answer to this question may be that they couldn't provide a copy of the security policy, as that is itself part of the security policy. A write-up of what it covers is the best alternative here.
3.2. Does a separation of duties exist between individuals who authorise access, personnel who enable access, and personnel who verify access to your infrastructure?
3.3. Are all critical system clocks and times synchronised, and do logs include a date and time stamp?
3.4. Is it standard for you to have the development/test systems segregated from the production systems to ensure segmented access control between diverse environments?
3.5. Do access control logs contain successful/unsuccessful login attempts and access to audit logs?
3.6. Do audit trails include a record of individual or process identity, date, time, function performed and the resource(s) accessed?
3.7. Does a formal log review process exist?
3.8. Are system logs unalterable (e.g. using write-once technology or equivalent protection)?
3.9. Are all activities on the networking infrastructure performed by personnel with unique logins, and are they logged?
3.10. Do you provide two-factor authentication?
3.11. Are installation and vendor-default passwords provided with new hardware, system software, etc. reset before they go into production?
3.12. Do administrators and remote users have individually-assigned user identities and passwords?
3.13. Do systems notify users of their last successful login to their account?
3.14. Are all activities on the virtualisation layer performed by personnel with unique logins, and are they logged?
3.15. Are access scripts with embedded passwords prohibited?
3.16. Are system administrators the only people who have administrative privileges?
3.17. Is access to all program libraries restricted and controlled?
3.18. Are your support representatives able to access client data?
3.19. Can client support representatives obtain client passwords?
3.20. Explain how passwords are created and communicated to clients (i.e. password requirements and policy).
3.21. Are all operator accounts reviewed on a regular basis to ensure that malicious, out-of-date, or unknown accounts do not exist?
3.22. Is an automatic computer screen locking facility enabled for system administrators? This would lock the screen when the computer is left unattended for a certain period.
3.23. What type of operating system hardening does your company have experience in?
3.24. Do you periodically check your network to ensure that no unauthorised equipment has been attached to it?
3.25. What type of security procedures/policy is in place to ensure the security of equipment outside of the organisation (including portable equipment, offsite equipment, hot-site, etc.)?
3.26. Does the company have a formal programme in place to classify, label, handle, and dispose of information?
3.27. Does the company have the appropriate controls in place to cooperate with investigations by law enforcement officials?
3.28. Do collection-of-evidence policies and procedures exist?
3.29. Explain the process and controls in place for SSL key management.
3.30. Do you have access to the client's VM OS admin passwords?
3.31. Do your underlying portal management systems ensure that clients cannot access networks and systems owned by other clients, and do they provide no ability to bypass the management interface to the underlying infrastructure?

4. Monitoring / Request Management

Note: Monitoring and ticketing systems are important solutions that a provider should have in place to monitor the capacity of the underlying cloud infrastructure. There are also services you can leverage to monitor your cloud environment that may be useful. A request management or ticketing system is important to ensure proper documenting and tracking of issues/requests.
4.1. What controls does your company have in place to monitor the cloud infrastructure capacity?
4.2. Do your clients have access to a monitoring portal?
4.3. Can you monitor the performance of our application?
4.4. Can you monitor the performance of our database environment?
4.5. Is there an option to receive alerts directly from your monitoring solution?
4.6. Do you have the ability to monitor logs for specific event codes or error codes?
4.7. What process would we follow to request support assistance?
4.8. Can your ticketing system integrate with ours?
4.9. Do you provide trending reports on capacity and performance?
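Questions 3.3, 3.5, 3.6 and 3.8 in the previous section together describe what a reviewable audit trail should contain and how it should resist alteration. As an added example (not code from the RFP template or from any provider), the Python below records the fields 3.6 asks for with a UTC timestamp (3.3) and the outcome of each attempt (3.5), and chains each record to the previous one with a SHA-256 hash so that an edited field or a deleted record shows up on review; this is one software-side approach to the "equivalent protection" 3.8 mentions alongside write-once media. Field names, the GENESIS sentinel and the sample events are assumptions.

```python
"""Tamper-evident audit trail (questions 3.3, 3.5, 3.6, 3.8).
Added example with constructed data; not from the RFP template or any provider.
Field names and the GENESIS sentinel are assumptions."""
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # stands in for the hash of the record before the first one


def _digest(body):
    # Canonical JSON (sorted keys, no whitespace) so the hash is reproducible
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def make_record(prev_hash, identity, function, resource, outcome, when=None):
    """One audit record; its hash covers every field plus the previous hash."""
    # 3.3: timestamp from a synchronised clock, written in UTC with offset
    ts = (when or datetime.now(timezone.utc)).isoformat()
    body = {
        "ts": ts,
        "identity": identity,  # 3.6: individual or process identity
        "function": function,  # 3.6: function performed
        "resource": resource,  # 3.6: resource(s) accessed
        "outcome": outcome,    # 3.5: successful / unsuccessful attempt
        "prev": prev_hash,     # link to the previous record
    }
    body["hash"] = _digest(body)
    return body


def append(trail, identity, function, resource, outcome, when=None):
    """Append a record linked to the current tail of the trail."""
    prev = trail[-1]["hash"] if trail else GENESIS
    trail.append(make_record(prev, identity, function, resource, outcome, when))
    return trail[-1]


def verify(trail):
    """Walk the chain; return (True, None) or (False, index of first bad record).
    An edited field, a broken link or a deleted record all change a hash."""
    prev = GENESIS
    for i, rec in enumerate(trail):
        body = {k: v for k, v in rec.items() if k != "hash"}
        if body.get("prev") != prev or _digest(body) != rec.get("hash"):
            return False, i
        prev = rec["hash"]
    return True, None


def demo():
    """Build a three-record trail, then simulate an edit and a deletion."""
    t0 = datetime(2023, 1, 9, 9, 0, tzinfo=timezone.utc)  # constructed times
    trail = []
    append(trail, "ops-user-17", "login", "mgmt-portal", "failure", t0)
    append(trail, "ops-user-17", "login", "mgmt-portal", "success", t0.replace(minute=1))
    append(trail, "ops-user-17", "read", "audit-log", "success", t0.replace(minute=5))
    intact = verify(trail)                      # (True, None)
    edited = [dict(r) for r in trail]
    edited[0]["outcome"] = "success"            # rewrite a failed login as a success
    deleted = trail[:1] + trail[2:]             # drop the middle record
    return intact, verify(edited), verify(deleted)


if __name__ == "__main__":
    print(demo())
```

verify walks the chain from the sentinel forward, and the index it returns points a reviewer at the first record whose content or link no longer matches, which is what a formal log review (3.7) needs to act on. The chain is only as strong as the protection on its latest hash: a provider answering 3.8 this way would anchor that value somewhere the log writer cannot change, such as write-once storage, a separate log server, or a periodically signed checkpoint.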
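Question 4.6 asks whether the provider can watch logs for specific event codes, and 4.5 whether that turns into an alert. The following added example (not the RFP template's or any provider's code) shows the minimum such a capability involves: parse a line format, count occurrences of a code per host inside a sliding window, and raise one alert when a rule's threshold is met. The line layout, host names and thresholds are constructed; the two codes are the Windows Security event IDs 4625 (an account failed to log on) and 1102 (the audit log was cleared).

```python
"""Monitoring logs for specific event codes (question 4.6) and producing alerts
(4.5). Added example on constructed log lines; the line layout, host names and
thresholds are assumptions. 4625 and 1102 are Windows Security event IDs."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) (?P<host>\S+) "
    r"(?P<source>\S+) code=(?P<code>\d+) (?P<msg>.*)$"
)

# event code -> (occurrences needed on one host, sliding window)
RULES = {
    4625: (3, timedelta(minutes=5)),  # burst of failed logons on one host
    1102: (1, timedelta(0)),          # audit log cleared: alert on first sighting
}


def parse(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    ev["code"] = int(ev["code"])
    return ev


def scan(lines, rules=RULES):
    """Return (alerts, unparsed_count); one alert per (host, code) that fires.
    Lines are assumed to arrive in time order, as a log tail would."""
    recent = defaultdict(list)  # (host, code) -> timestamps inside the window
    fired = set()
    alerts = []
    unparsed = 0
    for line in lines:
        ev = parse(line)
        if ev is None:
            unparsed += 1  # count malformed input rather than silently dropping it
            continue
        if ev["code"] not in rules:
            continue
        key = (ev["host"], ev["code"])
        needed, window = rules[ev["code"]]
        # keep only events within `window` before this one, then add this one
        recent[key] = [t for t in recent[key] if ev["ts"] - t <= window] + [ev["ts"]]
        if len(recent[key]) >= needed and key not in fired:
            fired.add(key)
            alerts.append(f"{ev['host']}: code {ev['code']} x{len(recent[key])} within {window}")
    return alerts, unparsed


SAMPLE_LINES = [  # constructed
    "2024-06-01T08:00:01Z web-01 winsec code=4625 logon failed user=admin",
    "2024-06-01T08:00:40Z web-01 winsec code=4625 logon failed user=admin",
    "2024-06-01T08:01:15Z web-01 winsec code=4625 logon failed user=admin",
    "2024-06-01T08:02:00Z web-02 winsec code=4624 logon succeeded user=svc",
    "2024-06-01T08:30:00Z db-01 winsec code=4625 logon failed user=dba",
    "2024-06-01T09:10:00Z db-01 winsec code=4625 logon failed user=dba",
    "2024-06-01T09:15:00Z db-01 winsec code=1102 audit log cleared by user=dba",
    "this line is not in the expected format",
]


def run_sample():
    return scan(SAMPLE_LINES)


if __name__ == "__main__":
    alerts, bad = run_sample()
    for a in alerts:
        print("ALERT", a)
    print(f"{bad} unparsed line(s)")
```

On the sample, web-01 fires after its third failed logon inside five minutes, db-01's two failures forty minutes apart stay below the threshold, and the cleared audit log fires on first sight. The unparsed count is returned deliberately: a monitoring feed that silently drops lines it cannot read hides exactly the gaps a vendor's answer to 4.6 should rule out.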
5. Data backup / business continuity / disaster recovery

Note: SaaS companies are expected to provide protection for their services and for their clients' data, including backups for disaster recovery. A provider's understanding of these requirements will give you and your clients peace of mind. Here you want to understand what the provider can offer that you can leverage.

5.1. Does your company have a formal written business continuity policy?
5.2. Is the distance between the backup recovery facility and the primary location adequate to ensure that one incident does not affect both facilities?
5.3. Does the recovery location use different power and telecommunications grids from those used by the primary site?
5.4. Do you have insurance coverage for business interruptions or general service interruptions, regardless of the reason?
5.5. Does your company carry cyber-insurance? Does this cover identity theft, cyber-extortion, cyber-terrorism, information asset network security, web content, errors and omissions, and network business interruptions?
5.6. Is there a communication plan in place for notifying clients that a major event has occurred and could potentially impact service delivery?
5.7. Do you have established recovery time objectives in the event of a disaster?
5.8. What is the retention scheme for standard server backups?
5.9. Do you have an automatic or self-provisioned backup solution for your public cloud? If so, please describe the features it offers, based on the previous questions asked about backups.
5.10. Would the recovery location use different power and telco grids from those at the primary site?

6. Vulnerability / intrusion detection / anti-virus

Note: Security and data protection is a concern for organisations using SaaS in every market segment. Your clients expect you to have systems in place to address attacks of every type. Your provider can supply you with some of these solutions and recommend others to address your needs. Attacks happen every day and in most cases you can't prevent them, but you need to have the controls in place to mitigate and respond. Ask about the services the provider has to offer, to leverage their best practice in protecting web applications from malicious attacks.

6.1. Please describe your general network security and intrusion detection system (IDS) information.
6.2. How does your company prevent Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks?
6.3. Are third-party vulnerability assessments conducted?
6.4. Are penetration tests conducted?
6.5. Describe your incident response procedures.
6.6. Is anti-virus software utilised on system components?
6.7. What information is typically logged? Does a formal network log review process exist?
6.8. Are the following general server controls in use?
- restricted access to authorised users only
- regular reviews of access privileges
- automatic lockouts after a period of inactivity
- removal of default/guest passwords and accounts
6.9. Are wireless devices utilised in your network?
6.10. Are system configuration checking tools (host intrusion detection systems, HIDS) utilised and maintained (e.g. Tripwire, Symantec, ESM)? Please indicate tools and versions.
6.11. What host-based intrusion detection system (HIDS) do you use?
6.12. Are tools in place to monitor and manage file integrity?
6.13. Is vulnerability assessment management in place?
6.14. Do routers have defined access control lists to specify access to and from your network?
6.15. Is access to network perimeter devices strongly authenticated and/or IP strapped (restricted to specific source addresses)?
6.16. Do system standards/procedures include disabling all unneeded or unused services?
6.17. Is network address translation or port address translation used to conceal IP addresses from the public domain?
6.18. Do firewalls block all IP and port access by default, and use defined access control lists or conduits to specify address and port access for known communication into and out of the network?
6.19. Are firewall access control lists reviewed as part of either an internal or external audit?
6.20. Is network address translation (NAT) or Port Address Translation (PAT) used to conceal IP addresses from the public?
6.21. Can clients conduct independent penetration testing of their environment?

7. Control / incident response processes

Note: Your cloud vendor should have experience in these critical processes to ensure high levels of uptime when they are performing changes to shared infrastructure or if they are making changes on your behalf. This is something that should be standard process for providers, but not always, so make sure to get the

7.1. Describe your company's formal change control process.
7.2. Describe your company's patch management procedures.
7.3. Are your processes covered under your SSAE 16 audit?
7.4. Describe your process for security event monitoring and notification/alert/response plans.

8. Managed services

Note: Managed services can help drive down your operational costs. Offloading the daily care of your web application environment allows your staff to focus on development or on tasks that require deep domain expertise in your application. Most businesses prefer to invest in product development or sales personnel rather than in operations. System administration is a time-consuming, low-value task, particularly as environments grow. In addition, running operations effectively is difficult, and few companies wish to invest in making it a core competency.

8.1. Do you have managed services options? Please provide an overview of your services.
8.2. Do you have experience in supporting web applications?
8.3. Is your support available 24/7/365?
8.4. Do you have experience in supporting highly available solutions (i.e. database clustering, load balancing)?
8.5. Can you support the rollout of application changes and updates to our custom SaaS application?
8.6. How can you help with identifying performance issues with our application?
8.7. Do you have experience with implementing and supporting highly available solutions at the database tier?
8.8. Do you have a security team that can assist with security audits/certifications, if needed?
8.9. Do you support OS patching?
8.10. Please describe the support structure you deploy.
8.11. Please describe your activation process.
8.12. Can you help with application optimisation? Please elaborate.

9. Compliance / Certifications

Note: A provider's understanding of and experience in compliance/certifications can add significant value, depending on your application and industry. Leveraging a provider's certifications, or its ability to provide guidance in this area, can save you time and money and ensure that there's an appropriate level of focus on security.
9.1. Does the company comply with existing US Dept of Commerce Safe Harbor registrations and certifications and EU Data Privacy regulations?
9.2. Does your company comply with HIPAA data privacy and security standards?
9.3. Are your facilities and/or environments PCI certified?
9.4. When was the most recent SSAE 16 review performed?
9.5. How can you assist me with certifications or compliance that my company must have but you may not currently hold?
10. IaaS / Cloud Features and Functions

Note: This area is focused on the core cloud infrastructure's features and functions. Having visibility of the flexibility, scale and functional capability of the service enables you to make optimum use of the resources. An API is key to ensuring you leverage the full power of IaaS in terms of scaling, performance and the overall experience of your SaaS application. If your application is sensitive to latency, location may become a key criterion.

10.1. General information
- In which countries is your cloud available?
- Which hypervisor software do you use for your cloud?
- Do you provide the option for private clouds to be hosted in your facility or in a facility we provide?
- Do you have an API for your cloud? If so, are any functions available through the UI limited in the API?
- Can responsibilities on your cloud portal be segmented per user account?
- Are reports available through your cloud portal? If so, please provide examples.
- What is the increment of resource billing (i.e. monthly, hourly, etc.)?
10.2. Network information
- Are DMZs available (i.e. a three-tier architecture: presentation/application/database)?
- Does your IaaS or cloud solution support multicast?
- Do you provide a firewall? If so, how?
- Do you provide load balancing? If so, how?
- Can SSL certificates be installed on cloud load balancers?
- Can I add custom firewall rules to a cloud network?
- How many cloud servers can I create in a cloud network?
- Can you support MPLS or direct circuit connections into your cloud?
- Do you have site-to-site or client-to-site VPN options?
- Do you automatically assign a public IP address to a server when it's deployed?
- Does your IaaS/cloud provide NAT capability?
- Do you have encrypted connections between all of your global cloud locations? If so, are they optimised?

10.3. Storage information
- Can we utilise CIFS and/or NFS with your IaaS or cloud solution?
- Does your IaaS or cloud have a NAS solution?
- Do you offer tiered storage options for your cloud servers? Please describe.
- Do you offer Hadoop as an option on the cloud?
- Do you have a block-level storage option?
- Do you have external storage options?
10.4. Cloud server information
- What are the maximum CPU, RAM, and storage limits a cloud server can have?
- Are your clients locked into specific image sizes when deploying cloud servers (i.e. a specific amount of RAM, CPU, and disk locked in)?
- Do your clients have the ability to adjust the resources of the cloud servers after deployment (i.e. adjust CPU, RAM or disk without deleting the server or migrating data)?
- Does your IaaS or cloud allow the use of database clustering such as MS SQL clustering?
- Do you offer physical servers or hybrid solutions as part of the cloud environment?
- Do you provide console access to the cloud servers?
- Do you have the ability to back up data on a server through your cloud UI?
- Can you clone or copy a server?
- Is your cloud server storage persistent?
- Can you add or delete cloud server storage as necessary?
- How do you protect VMs from being deployed on the same underlying physical host servers?
