Data Centre Colocation Service Request for Proposal Version 1.5 Date: 8 May 2009 Hong Kong Internet Registration Corporation Limited Unit 2002-2005, 20/F ING Tower, 308 Des Voeux Road Central, Sheung Wan, Hong Kong. Tel.: +852 2319 1313 Fax: +852 2319 2626 Email: enquiry@hkirc.hk Website: www.hkirc.hk 1
Table of Contents 1. Summary...3 2. Definitions...3 3. About HKIRC...3 4. Information Security...4 5. Background of the Project...5 5.1. Background...5 5.2. Scope of Service...5 5.2.1 Server Colocation Service...5 5.2.2 Implementation Services...8 5.2.3 Information Security...9 5.3. Service Acceptance...9 5.4. Contractual Consideration...9 6. Limitation of Liability and Indemnity...9 7. Project Schedule...11 8. Payment Schedule...11 9. Elements of a Strong Proposal...12 10. Service agreement negotiation and signature...12 11. HKIRC Contacts...13 Appendix A HKDNR Information Security Policy and Guidelines: An Extract Relevant to Outsourcing...14 Appendix B HKIRC Proposal Requirements...18 1.1 Proposal Deadline...18 1.2 Proposal Content...18 1.3 Cover Page...19 1.4 Executive Summary...20 1.5 Conflict of Interest Declaration...20 1.6 Company Background...20 1.7 Facilities standard and management practice related to colocation service...21 1.8 Proposed Costs of Service...21 1.9 Implementation Time Table...21 1.10 Support Arrangement and Services...21 1.11 Commercial and Payment Terms...21 2
1. Summary HKIRC is going to commission an external Service Provider to provide Data Centre Colocation Service for the Company. The service shall provide four 42U rack space, power for all racks and environment, security protection as well as remote hand support for server support. It shall also include all services required for the implementation of the Project. The period of the contract will be 24 months. 2. Definitions The following terms are defined as in this section unless otherwise specified. The Contractor means the company delivering the Project. HKIRC means Hong Kong Internet Registration Corporation Limited. HKDNR means Hong Kong Domain Name Registration Company Limited, a wholly-owned subsidiary of HKIRC, the company requesting the proposal for the Project. The Project means the Data Centre Colocation project with requirements stipulated in Section 5 of this document, the Background of the Project. remote hand means physical access to and operation of the equipment on the rack by qualified technical personnel of the Contractor under the direction of HKIRC s technical staff. RFP means this Request for Proposal 3. About HKIRC Hong Kong Internet Registration Corporation Limited (HKIRC) is a non-profit-making and non-statutory corporation responsible for the administration of Internet domain names under '.hk' country-code top level domain. HKIRC provides registration services through its wholly-owned subsidiary, Hong Kong Domain Name Registration Company Limited (HKDNR), for domain names ending with '.com.hk', '.org.hk', '.gov.hk', '.edu.hk', '.net.hk', '.idv.hk', '. 公 司.hk', '. 組 織.hk', '. 政 府.hk', '. 教 育.hk', '. 網 絡.hk', '. 個 人.hk' and '.hk'. 3
HKIRC endeavours to be: Cost-conscious but not profit-orientated Customer-orientated Non-discriminatory Efficient and effective Proactive and forward-looking More information about HKIRC can be found at http://www.hkirc.hk. 4. Information Security The company submitting the proposal ( the company ) shall acknowledge and agree that, if the company is selected as the Contractor, it shall be bounded by our Non-Disclosure Agreement (NDA) and Information Security Policy (highlights of the policies are illustrated in Appendix A). The company shall also comply with the obligations under the Personal Data (Privacy) Ordinance and any other obligations in relation to personal data. The company shall be provided with a set of NDA and Information Security Compliance Statement after HKIRC received the company s Express-of-Interest before the stipulated time. The NDA and the Information Security Compliance Statement shall be signed and returned to HKIRC attached with documents required by the Compliance Statement before the scheduled deadline. HKIRC will only consider proposals from companies which have signed both the NDA and the Information Security Compliance Statement. The proposal should be marked RESTRICTED at the centre-top of each page in black color. It must be encrypted if transmitted electronically. Each proposal will be reviewed under the terms of non-disclosure by the HKIRC s staff and Board of Directors of HKIRC. 4
5. Background of the Project 5.1. Background Currently, all our production servers are co-located in a hosting service provider s data centre. Current equipment occupies four 42U Racks. The hosting service provider is responsible for providing power conditioning (main and UPS), environmental control/protection (fire, flood, temperature, humidity etc.), and security and access control. In addition, the service provider also provides remote hand to physically access the servers if needed. 5.2. Scope of Service The following defines the scope of service to be provided by the Contractor:- 5.2.1 Server Colocation Service 1. Server Racks Requirements a. The Contractor shall provide four 42U racks, 600mm wide and at least 950mm in depth. b. All racks should be located on the same row, next to each other. If for any reason they need to be located in different rows, no less then two racks should be located on the same row next to each other. c. In case where racks are located in different rows, the Contractor shall provide capacity for inter-rack networking d. All racks shall have lockable perforated doors at the back and the front e. Partition shelves should be available if required f. Cabling to each rack should either be fed through using either under floor (in a raised floor facility) or ceiling cable tray or trunking g. Power & data cabling should be in separate tray or trunking 2. Power Supply Requirements a. Duel power feed is required for each rack. b. Each power feed should not come from the same phase c. Each power feed should be fed from independent breaker d. Each power feed should provide at least twenty 13A sockets e. All power feed must be protected from brownout, spike & surge by 5
Uninterrupted Power Supply, with capacity to supply stable power up to 30 minutes after power failure f. The Data Centre power should be backed up by a Power Generator, which should be in service within 30 minutes of any power failure. g. Power Generator should have fuel supply for at least 7-day continuous operation. h. The Contractor shall supply three racks with at least 1.5KVA and one rack with 3KVA 3. Environmental Control/Protection:- a. The Data Centre facility shall be protected by gas based fire suppression system with pre-active dry pipe water fire suppression system. b. Fire detection system shall be in place. E.g. smoke and/or heat detector c. Water leakage detection system shall be in place to detect possible water damage due to leakage or flooding d. Temperature, humidity and static control shall be in place. Temperature shall be kept between 15 and 20 degree Celsius. Humidity shall be between 40% and 60% to avoid static electricity. Anti-static flooring should be used to prevent excess static build up. e. Air Conditioning system should provide 24x7 cooling and humidity control with redundancy in case of break down. 4. Security and Access Control a. 24-hour Security monitoring shall be in place. CCTV monitoring and recording on common access area and entrances should be provided. All access doors of entrances shall have a security lock with access control system to record and control access. b. All entries and accesses to the Data Centre shall be logged and can be reviewed by HKIRC c. All equipment delivery and removal from the Data Centre shall be recorded d. Data Centre shall provide Access Control only allowing authorized person to access secured areas. 5. Network and Communication Facilities a. The facility should provide easy access for any major telecom company to provide data communication infrastructure for HKIRC 6
b. Shareable Internet access shall be provided by the facility. 100Mb/s sharable bandwidth should be provided within the facility and 10Mb/s bandwidth for local access (within Hong Kong, preferable with HKIX connection) and 5Mb/s bandwidth for International. Optional temporary expandable bandwidth for International access is desirable. c. The Contractor s network infrastructure shall have process, procedure and capacity to mitigate Denial-of-Service (DoS) or Distributed Denial-of-Service (DDoS) attacks originated outside of the facility. Suitable technology/technique, e.g. Routing blackhole should be pre-configured and employed to limit or stop such attack. In case of such attack targeting HKIRC/HKDNR, the Contractor shall be able to provide temporary burstable bandwidth to cater for such attack, should it be required. d. The Contractor shall be able to provide and manage multi-home, WAN access e.g. router with BGP and AS Number with different telecom supplier. e. Network performance reports/tools shall be available for monitoring the shared network. f. Data Centre shall provide a direct fax/data line access to the racks. 6. Miscellaneous a. The facility shall provide on site remote hand for physical access to the HKIRC equipment, eg. Power cycle equipment, remove/insert CD or other media, report on status of equipment (warning lights & status light), report on physical state of equipment etc. b. The Contractor shall have proven process and procedure for tracking issues and requests from HKIRC. c. Location of the Data Centre facility should be easily accessible by public transports and should not be located near HKIRC office, ideally in the Kowloon area. d. The Contractor shall be subject to HKIRC Security Audit as and when required by HKIRC or HKIRC external auditor. 7. Service Levels The Contractor shall guarantee the following service levels in addition to the above Technical Requirements: a. Data Centre uptime of 99.98% per year. A service is deemed failed if any of the following conditions is not met: 7
Power: Nominal Out Voltage 230V with less then 5% distortion at full load. Frequency for 50 Hz nominal +/- 3Hz Network: Internal network within datacenter, response time <3ms to any IP within datacentre. Ping time to local network (HKIX) <50ms. Cooling and humidity control: Temperature should be kept within 15 to 20 degree Celsius. Humidity shall be between 40% and 60%. b. A penalty of at least one month service charge will be imposed if the above uptime is not met. c. 24x7 round the clock on-site NOC support and monitoring are required. d. For any security breaches like break-in to data centre, racks, un-authorized access or vandalisation to HKDNR equipment etc, the customer should be notified within 15 minutes according to the escalation list provided by HKIRC. e. Incident reports for all reported incidents shall be available within 48 hour from the report of incident f. All schedule maintenance period shall be pre-notified by at least 10 days, and for major service interruption at least 4 week notice is needed. 8. Relocation Services (Optional) a. In case where HKIRC is going to relocate to a new Data Centre, the new service provider shall provide an optional relocation service including: i. Physical relocation of existing HKIRC s infrastructure to the new data centre ii. Re-racking of all HKIRC s infrastructure to new racks iii. Relocation of HKIRC s multi-home WAN networks iv. Re-cabling of HKIRC s infrastructure b. Detail information on relocation requirement will be given after the signing of NDA. 5.2.2 Implementation Services The professional services for this Project should cover the following: Basic hardware and network setup 8
Documentation for the processes and procedures like NOC Support procedures, Incident Report procedures, Incident Handling Process etc. 5.2.3 Information Security The Contractor shall follow HKDNR Information Security Policy and Guidelines set out by HKDNR on personal and co-operation data security. Contractor s Information Security Policy is subject to HKIRC review if needed. 5.3. Service Acceptance The overall project acceptance can be broken down into acceptances at various levels:- 1. Delivery, setup of racks 2. Services provided like optional relocation services 3. Functionality of the integrated system like networks, NOC operation 4. Performance of monitoring system & reporting system 5. Quality of service provided Under this acceptance framework, the vendor should fulfill the scope of services described in section 5.2.1. In addition, interested vendors may provide additional acceptance criteria and the related plan in detail in their proposals. 5.4. Contractual Consideration Although the contract period is 24 month, HKIRC will start the new contract re-tendering process at month 21. In case the re-tendering process did not complete at the end of the current contract, HKIRC reserves the right to extend the current contracts for another 3 months, with the same terms and conditions. Also, if for any reason the contract is to be terminated before the completion of the contract period, the initiating party should give a 3-month notice in advance of the early termination date. 6. Limitation of Liability and Indemnity The company submitting the proposal agrees that if the company becomes the 9
Contractor of the Project, it shall indemnify HKIRC and HKDNR against any claim, demand, loss, damage, cost, expense or liability which the company may suffer from. 10
7. Project Schedule Project schedule Tasks To be Completed by Remark 1 Publish RFP 8/5/2009 2 Express of interest 15/5/2009 Sign NDA and InfoSec 3 Compliance Statement with all 29/5/2009 interested vendors Deadline for vendors to submit 29/5/2009, 4 proposal and quotation 5:30pm 5 Selection of vendor by panel 19/6/2009 Conclude final decision and 6 appoint the vendor 2/7/2009 Prepare service agreement 7 contract 4/7/2009 Sign service agreement 8 contract with the appointed 9/7/2009 vendor 9 Service implementation 8/8/2009 If relocation needed Service commencement 9/7/2009 10 8/8/2009 If relocation needed 8. Payment Schedule The following payment schedule is recommended but interested vendors may propose their own in their proposals. Milestone/Acceptance Expected Payment duration 1 (a) Completion of Service Implementation 4 weeks One time setup charge 11
2 (a) Start of Colocation Service 24 month Monthly charge TOTAL 24 month & 4 weeks 100% 9. Elements of a Strong Proposal All submitted proposal must following the format as stated in Appendix B - HKIRC Proposal Requirements. Successful vendor is the one who submitted a clearly worded proposal that shows the following attributes: a persuasive section on the company background international recognize certification for IT facility management & IT Security Management a strong and flexible product meeting HKIRC requirements with minimum customization high level of interaction between HKIRC and the vendor excellent fit with the capabilities and facilities of HKIRC strong company and project management team Proposals are evaluated based on major criteria as follows (the percentages given are the weighting) Company Background (10%) Quality of facilities (30%) Facility management competency (20%) Understanding of our requirements (10%) Knowledge and advices on projects (10%) Proposed cost of the project and its flexibility (20%) 10. Service agreement negotiation and signature The service agreement will be drawn up between the selected vendor and HKDNR, the wholly-owned subsidiary of HKIRC. HKIRC welcomes the vendor s proposal on a suitable service agreement for the project. The service agreement must be signed by both parties within three weeks from the project award date. If the agreement is not signed within the said period, HKIRC will 12
start the negotiation with the next qualified vendor on the selection list. 11. HKIRC Contacts HKIRC Contacts information Contacts Hong Kong Internet Registration Corporation Limited Unit 2002-2005, 20/F ING Tower, 308 Des Voeux Road Central, Sheung Wan, Hong Kong +852 23191313 telephone +852 23192626 fax http://www.hkirc.hk If you are not sure about the appropriate person to call, the receptionist can help you. IT Manager Ben Lee +852 23193811 ben.lee@hkirc.hk Project Manager Benjamin Choy +852 23193819 ben.choy@hkirc.hk CEO Jonathan Shea +852 23193821 jonathan.shea@hkirc.hk 13
Appendix A HKDNR Information Security Policy and Guidelines: An Extract Relevant to Outsourcing This document provides an extract of the HKDNR Information Security Policy and Guidelines with the purposes of (a) introducing various measures and controls to be executed by HKDNR regarding outsourcing and (b) setting the expectation of any potential contractors that their participation and conformance in these measures and controls are essential contractual obligations. The original Policy and Guidelines applies to HKDNR s employees, contractors and third party users. However, a potential contractor may interpret the clauses up to their roles and responsibilities only. Nonetheless, the keyword contractors hereby refers to all relevant staff members of the contractor and those of any other subcontractors under the contractor s purview. Herein, HKDNR would also set the expectation of any potential contractors that upon their express-of-interest to the project, they shall be required in the subsequent stages (a) to sign off a non-disclosure agreement (NDA) on all information to be provided and (b) to sign off a Compliance Statement where compliance requirements are specified in more details. (A) Extract from the HKDNR Information Security Policy In the following, the organization means Hong Kong Domain Name Registration Company Limited, the company requesting the proposal for the Project. 8. Human resources security 8.1 Security objective: To ensure that employees, contractors and third party users understand their responsibilities, and are suitable for the roles they are considered for, and to reduce the risk of theft, fraud or misuse of facilities. 8.1.1 Security roles and responsibilities of employees, contractors and third party users shall be defined and documented in accordance with the organization s information security policy. 8.1.2 Background verification checks on all candidates for employment, contractors, 14
and third party users shall be carried out in accordance with relevant laws, regulations and ethics, and proportional to the business requirements, the classification of the information to be accessed, and the perceived risks. 8.1.3 As part of their contractual obligations, employees, contractors and third party users shall agree and sign the terms and conditions of their employment contract, which shall state their and the organization s responsibilities for information security. 8.2 During employment Security objective: To ensure that all employees, contractors and third party users are aware of information security threats and concerns, their responsibilities and liabilities, and are equipped to support organizational security policy in the course of their normal work, and to reduce the risk of human error. 8.2.1 Management shall require employees, contractors and third party users to apply security measures in accordance with established policies and procedures of the organization. 8.2.2 All employees of the organization and, where relevant, contractors and third party users shall receive appropriate awareness training and regular updates on organizational policies and procedures, as relevant to their job functions. 8.3 Termination or change of employment Security objective: To ensure that employees, contractors and third party users exit an organization or change employment in an orderly manner. 8.3.2 All employees, contractors and third party users shall return all of the organization s assets in their possession upon termination of their employment, contract or agreement. 8.3.3 The access rights of all employees, contractors and third party users to information and information processing facilities shall either be removed upon termination of their employment, contract or agreement, or adjusted upon change. 12. Information systems acquisition, development and maintenance 12.5.5 Outsourced software development shall be supervised and monitored by the organization 15
13. Information security incident management 13.1 Reporting information security events and weaknesses Security objective: To ensure information security events and weaknesses associated with information systems are communicated in a manner allowing timely corrective action. 13.1.2 All employees, contractors and third party users of information systems and services shall be required to note and report any observed or suspected security weaknesses in systems or services. (B) Extract from the HKDNR Information Security Guidelines 6. ORGANIZING INFORMATION SECURITY 6.2 EXTERNAL PARTIES 6.2.1 Identification of Risks Related to External Parties The risks to the organization s information and information processing facilities from business processes involving external parties should be identified and appropriate controls implemented before granting the access. 6.2.3 Addressing Security in Third Party Agreements Agreements with third parties involving accessing, processing, communicating or managing the organization s information or information processing facilities, or adding products or services to information processing facilities should cover all relevant security requirements. 7. ASSET MANAGMENT 7.1.3 Acceptable Use of Assets Rules for the acceptable use of information and assets associated with information processing facilities shall be identified, documented, and implemented. 8. HUMAN RESOURCE SECURITY 8.1.1 Roles and Responsibilities Security roles and responsibilities of employees, contractors and third party users shall be defined and documented in accordance with the organization s information security policy. 8.1.2 Screening Background verification checks on all candidates for employment, contractors, and 16
third party users shall be conducted in accordance with relevant laws, regulations and ethics, and proportional to the business requirements, the classification of the information to be accessed, and the perceived risks. 8.1.3 Terms and Conditions of Employment As part of their contractual obligation, employees, contractors and third party users shall agree and sign the terms and conditions of their employment contract, which shall state their and the organization s responsibilities for information security. 8.2.1 Management Responsibilities Management shall require employees, contractors and third party users to apply security measures in accordance with established policies and procedures of the organization. 12. Information systems acquisition, development and maintenance 12.5.5 Outsourced Software Development Outsourced software development shall be supervised and monitored by the organization. 17
Appendix B HKIRC Proposal Requirements 1.1 Proposal Deadline All proposals must reach HKIRC as stated in Section 7, Project Schedule, item no. 4. 1.2 Proposal Content The proposal should contain the following: Cover Page Executive Summary Conflict of Interest Declaration Company Background o o o o o o Financial Situation Track Records Organization and management team Project team with credentials Company credentials Staff credentials Facilities standard and management practice related to colocation service Knowledge and Advices on Projects o o o Understanding of our requirements Colocation experience Certification in the future Deliverable Services & Facilities Proposed Cost of Services and Payment Schedule Implementation Time Table Support Arrangement and Services Commercial and Payment Terms. e.g. Compensation for delay. 18
Proposal requirements Submission deadline Delivery address Hard copies Please refer to Section 7 - Project Schedule, item no. 4 for the proposal submission deadline. Hong Kong Internet Registration Corporation Limited Unit 2002-2005, 20/F ING Tower, 308 Des Voeux Road Central, Sheung Wan, Hong Kong 2 copies of the full proposal are required. Electronic copy Electronic copy, if available, on disk or by email to elisa.chung@hkirc.hk and bonnie.chun@hkirc.hk ; also cc ben.lee@hkirc.hk and ben.choy@hkirc.hk. This is not a substitute for the physical copies mentioned above. Proposal format Specified in this document Page count 30 pages or fewer. Stapled. Do not bind. Font Electronically published or typed. Times New Roman 12 point font. 1.3 Cover Page Prepare a non-confidential cover page with the following information in the order given. Cover Page Project Title Data Centre Colocation Service project Project Manager Name: Title: Mailing address: Phone: 19
Fax: Email: Company Contact person: Title: Company name: Mailing address: Phone: Fax: Email: Website: 1.4 Executive Summary The executive summary provides a brief synopsis of the commercial and technical solution the vendor proposed for the project. This summary must be non-confidential. It should fit on a single page. The executive summary should be constructed to reflect the merits of the proposal and its feasibility. It should also clearly specify the project s goals and resource requirements. It should include: Rationale for pursuing the project, the technology needed and the present state of the relevant technology. Brief description of the vendor s financial situation. Brief description of the vendor s facilities and experience on colocation services 1.5 Conflict of Interest Declaration Declare any conflict of interest in relation to the Data Centre Colocation Service project and the.hk cctld registry HKIRC. 1.6 Company Background The vendor must describe its company background. Major activities, financial situation, organizational structure, management team and achievements in software development or service outsourcing of the company should be elaborated. Tracked records are preferred. 20
1.7 Facilities standard and management practice related to colocation service The vendor should describe the company s strengths in colocation facilities management and how they will be applied to the project. Track records are preferred. List the key technical and management personnel in the proposal. Provide a summary of the qualifications and role of each key member. 1.8 Proposed Costs of Service Such costs include: Fixed setup cost Labour unit costs for additional requirements. They are typically quoted in unit man day. Quoted in normal working hour, non-working hour and in emergency. Equipment that is permanently placed or purchased for HKIRC, if any. Subsequent support or maintenance service. Other direct costs including services, materials, supplies, postage, etc. 1.9 Implementation Time Table The vendor should present in this section the implementation schedule of the project. The schedule should be realistic and achievable by the vendor. 1.10 Support Arrangement and Services The vendor must provide support to the database and storage system enhancement project with respect to the preparation, implementation, monitoring and review of the new framework. The vendor must describe the support arrangement and services. E.g. availability, local/remote, time to on/off site support, etc. 1.11 Commercial and Payment Terms The vendor should describe the commercial and payment terms of the services e.g. compensation for the delay of the project. 21