FOOD AND AGRICULTURE ORGANIZATION OF THE UNITED NATIONS
ORGANISATION DES NATIONS UNIES POUR L'ALIMENTATION ET L'AGRICULTURE
ORGANIZACION DE LAS NACIONES UNIDAS PARA LA AGRICULTURA Y LA ALIMENTACION

Viale delle Terme di Caracalla, 00100 Rome, Italy
Cables: FOODAGRI ROME
Telex: 625852 FAO I / 610181 FAO I
Facsimile: +39 0657053152
Telephone: +39 0657051

FAO/RFI/2015/CIO-01-PA

Request for Information (RFI) for Managed Hosting Service

Closing Date: 7 September 2015, 12:00 hrs Rome time

Introduction:

FAO is seeking information and proposals from qualified vendors to provide options for managed hosting services, including server colocation, virtual hosting, infrastructure hosting, platform hosting, and application hosting. The managed hosting service should be hosted in a tier 3/4 data centre and fully comply with FAO security and privacy policy. The service needs to be reliable, resilient, flexible, and cost effective.

Information requested

We kindly request you to provide us with the following information:

- Provide general information about your company: years in business, focus, and experience in providing similar services.
- Describe how you would meet the requirements set out in Annex 1, describing the details/features/functionalities of such service/solution and the roles and responsibilities of your company and FAO;
- Are there any specific requirements that your company cannot meet, or are there possible changes to the requirements that would render the service dramatically cheaper or simpler to provide?

Please limit your responses to 25 pages or less of 12 point text.

PLEASE DO NOT PROVIDE ANY COSTS OF THE PRODUCT OFFER AS THE ORGANIZATION INTENDS TO ISSUE A TENDER BASED ON THE RESULTS OBTAINED THROUGH THIS REQUEST FOR INFORMATION.

The information shall be sent by email to: CSAP-Contracts-Group@fao.org by the closing date 7 September 2015, 12:00 hrs Rome time.

Should you have any questions, please refer to this email address: CSAP-Contracts-Group@fao.org.

Yours sincerely,

Donatella Castellucci
Senior Contracts Officer, CSA

Annex 1
Request for Information Background and Requirements

Background

1. FAO/CIO has decided to adopt a hybrid architecture for the organization's enterprise datacenter. The purpose of this Request for Information (RFI) is to invite prospective service providers to submit proposals to supply Managed Hosting Services to support the IT services, applications, platforms, and infrastructure operated by FAO.

2. Currently, almost all FAO information systems and services are run on about 536 servers split across the two Datacenters located in the Headquarters premises. The Data Centre infrastructure is operated by CSAI, while the IT infrastructure is built and operated by CIO.

3. Despite this significant ongoing investment, there are major challenges that must be addressed. These include:
- The need for the global community to access systems around the clock and hence the need for around the clock IT support.
- The need for greater resilience because of the current dependency on one location.
- The need to improve the energy efficiency of the Datacenter, and in doing so to contribute to the Corporate Environmental Sustainability initiative.
- The need to meet the challenge of the increased sophistication of cyber security attacks.
- The need for effective disaster recovery plans to meet business continuity needs.
- The need to update and maintain technical skills across an ever-increasing range of specialized skills.
- The need for capabilities and flexibility to meet future demands, especially for expected exponential growth in data.
- The need for a major overhaul of the datacenter infrastructure within the next 3-5 years.

4. CIO proposes that the Organization choose a hybrid solution to address these issues, with the underlying principles being that:
a) UNICC [1] be used to host internal FAO systems in order to ensure FAO's Privileges and Immunities are maintained over confidential data.
b) Managed Hosting or Public Cloud providers be used to host all systems with less confidential data after going through the risk assessment and information classification process.
c) Public Cloud software services (SaaS) should be used where appropriate after a risk assessment exercise, with Office 365 being the most significant use case.

5. The future state of the FAO enterprise datacenter can be described in the diagram below:

[1] United Nations International Computing Centre - http://www.unicc.org/

6. CIO envisages that the move to a hybrid solution would take just over 3 years, with 2018 being the target date for fully completing the move.

The current IT environment at FAO

7. Almost all FAO information systems and services are run on 536 servers in the two Datacenters in the Headquarters premises. The Data Centre infrastructure is operated by CSAI (Infrastructure and Facilities Management), while the IT infrastructure is built and operated by the IT Division.

8. The Annex 2 table provides the list of physical and virtual servers as well as applications hosted in FAO datacenters.

9. The current database environment, including databases destined for UNICC, can be described as follows: 150 or so database instances, 45 or so TB of data, and 588 schemas. Just over half are for production use.

10. The Annex 3 table provides a list of the applications running in the existing FAO datacenters.

Targeted Infrastructure and Applications for Hosted Environment

11. The targeted infrastructure and applications for the hosted environment can be described as follows:

Targeted Applications for Virtual Infrastructure (This list is subject to change and is a draft list of
services)

Application Layer: Application; Presentation
Data Layer: MySQL Server; Oracle Server; Ms SQL Server; PostgreSQL?
Security Layer: Security Firewall and Application Firewall; Reverse Proxy
OS Layer: Windows server 2012R2; Linux RedHat
Hypervisor: VMWare
Authentication: Active Directory
Storage: SAN (mainly)

Requirements

12. Datacenter
13.1 (Mandatory) TIA-942 Tier 3 or Tier 4 datacenter compliant

13. Provisioning
14.1 (Mandatory) All requests from FAO will follow a standard approval procedure.
14.2 (Mandatory) The turnaround time for setting up a new computing environment should be less than 1 week for a dedicated physical server (from the spec below) and 4 hours for a virtual server (from the pre-defined templates below).

14. Service Level Agreement
15.1 (Mandatory) Network Uptime: Minimum 99.9% network uptime. The datacenter network needs to be available 7x24 in a given month, excluding scheduled maintenance.
15.2 (Mandatory) Server Availability: FAO expects that about 20% of servers will be mission critical, associated with very stringent SLA numbers; 50% will be in the middle or have less stringent SLAs; and 30% will be test/development or small systems with lower levels of SLA requirement. Interested Service Providers should provide SLA proposals for the three categories. The reference availability for the three environments is: 99.95%, 99.5%, and 99.0%.
15.3 (Mandatory) Any planned outages must be communicated to FAO within 7 days, and each cannot exceed a duration of 4 hours.

15. Administration
16.1 (Mandatory) TIA-942 Tier 3 or above datacenter compliant
16.2 (Optional) Provide datacenter services including, but not limited to:
a) Installation of devices and networking scheme as directed
b) Maintain all computing environments, hardware and OS, on an ongoing basis, including configuration changes as directed
16.3 (Optional) Provide console access to the physical and virtual servers
16.4 (Optional) Provide secure VPN remote access to the servers for purposes of server administration, should FAO need to perform this function for specific servers. The VPN should be managed and monitored by the service provider, and have flexible options for administrative access, installations, as well as user and patch management.
16.5 (Optional) Interested Service Providers should provide a proposal for administration options for Infrastructure as a service (IaaS), Platform as a service (PaaS), and Software as a service (SaaS).

16. (Mandatory) Both proactive and reactive monitoring solutions should be put in place to monitor and report the health of the system. The requirements include, but are not limited to:
- 24/7 infrastructure monitoring and management
- Customer control panel and management portal
- Customer reporting capabilities, including trend reports
- Capable of sending alerts to the FAO support team in the event of an incident
- Direct trouble ticket system with single-tier support response
- The ticketing system is integrated with the FAO service desk system
- Performance monitoring, including database performance monitoring

17. Server Specification
18.1 (Mandatory) Interested Service Providers should provide a detailed server specification.
18.2 (Mandatory) FAO should have the ability to adjust the resources of the cloud servers after deployment (i.e.
adjust CPU, RAM or Disk without deleting the server or migrating data)
18.3 (Optional) Hybrid solutions that are part of the cloud environment
18.4 (Optional) Ability to back up data on a server through the cloud UI
18.5 (Optional) Ability to clone a VM server
18.6 (Optional) Provide flexibility to add or delete cloud servers on demand
18.7 (Optional) FAO's current standard is HP servers, as per the table below:

Servers                                  Specifications
Entry Level Server                       HP Proliant DL120 G9 or equivalent
High Capacity Server                     HP Proliant DL360 G9 or equivalent
High Density Server for virtualization   HP Proliant DL580 G8 or equivalent

18. Network Services
19.1 (Mandatory) Service must be accessible from all FAO countries
19.2 (Mandatory) Provide managed DMZs, with a minimum three-tier architecture of presentation, application and database.
19.3 (Mandatory) Provide multitier firewalls
19.4 (Mandatory) Provide reverse proxy and load balancing
19.5 (Mandatory) SSL certificates should be terminated on the reverse proxy or load balancer
19.6 (Mandatory) Provide a high speed link, i.e. MPLS or site-to-site VPN connectivity, with stringent SLAs to FAO HQ and/or other FAO offices
19.7 (Mandatory) Bandwidth and bandwidth on demand
19.8 (Mandatory) NTP (Network Time Synchronization): Respondent needs to provide local NTP services.
19.9 (Mandatory) DNS (Domain Name Service / Resolver): Respondent needs to provide DNS services.
19.10 (Mandatory) Links with QoS
19.11 (Mandatory) Instant provisioning: ability to quickly upgrade links

19. (Optional) Storage & backup
Provide mass storage systems that are compatible with servers that require mass storage access. Systems should support the following functionality and features:
- High availability NAS
- Create snapshot / Revert to snapshot
- Create clone
- Export clone to be backed up by the customer system
- Tiered storage option
- Block level storage option
- Optional Hadoop
- Clear and documented backup policy

20. (Mandatory) Security and privacy
21.1 All access logs should be kept for a minimum of 12 months
21.2 Physical security, tier 3 datacenter compliant:
- on-site security guards
- electronic access control
- CCTV monitoring
- Alarm systems, windows, doors, server areas, etc.
- logging of site access
- power and network redundancy
- power surge protection
- fire suppression systems
- heating/air conditioning
21.3 Vulnerability control and management
21.4 Security incident response
21.5 IDS and security logging

21. Disaster Recovery:
22.1 (Mandatory) Provider must be capable of offering different levels of Disaster Recovery options.
22.2 (Optional) Reference disaster recovery requirements

Business Process                      MTD (Maximum Tolerated Downtime)   RTO (Recovery Time Objective)   RPO (Recovery Point Objective)
FAOStat                               48 hours                           24 hours
Inland water                          1 week                             48 hours
FORIS                                 1 week                             48 hours
E-dpr                                 1 week                             48 hours
FAOterm                               1 week                             48 hours
Official communication with members   1 week                             48 hours
EIMS                                  1 week                             48 hours
Database on legislation               1 week                             48 hours

Information Requested

22. Interested Service Providers may submit any solution that partially or fully meets the requirements, or may associate with other vendors/service providers to enhance their qualifications.

23. Interested Service Providers must supply the following corporate information along with a specific interest in an identified service:
- Company Name/Year Established/Number of Employees
- List independent, non-affiliated clients/companies
- Certificate of quality standards datacenter certification
- Areas of Interest as per the RFI
- List of various models of services provided
- Details of roles and responsibilities for each model (Service Provider/FAO)
- Models of pricing (pricing is not requested, but an understanding of the parameters on which the pricing depends is required)
- Architecture of the primary computer center with diagram of disaster recovery center(s)
- Example of SLAs (without confidential and/or nominal data)