ADDENDUM TENDER: TENDER FOR MANAGED SERVICES - I.T SECURITY OPERATIONS CENTER (SOC)
ADDENDUM NO.1 CLARIFICATIONS

In accordance with the RFP for the Tender for Managed Services - I.T Security Operations Center (SOC) sent on 16th July 2014, Kenya Commercial Bank (KCB) hereby issues addendum No.1 as follows:-

No. | Section/Paragraph | Request for Clarification | Response by KCB

1. Section-2.1, Paragraph (2)
Request: The RFP says that the Service Provider should deliver the SOC services. Are all the relevant tools to perform SOC operations (tools like SIEM, performance monitoring tool etc.) already available in KCB? Please provide us the list of existing tools available. If not, do the vendors have to propose the required tools as part of this RFP response?
Response: SIEM - RSA enVision. Performance monitoring tool - none. Please quote for the tools you deem necessary. These tools and licenses will belong to KCB.

2. Section-2.1.2, Paragraph (1)
Request: RSA enVision, Tripwire, McAfee DLP, Websense Content Filter, Tivoli Enterprise Manager (TEM), Imperva SecureSphere DAF/WAF, T24 Fraud Monitoring Tool and MailMarshal are the security tools currently available with KCB. Should the vendor leverage the existing tools to perform the SOC operations? Is there any requirement for some other security products as well? If yes, please provide the details.
Response: Please make the suggestion to us. Make sure you do not duplicate.

3. Section-2.2, Table-1
Request: KCB has requested for 7 FTE. Does KCB expect all 7 resources to be onsite at KCB premises? Can we suggest a remote monitoring model in which people will run the SOC from our SOC in India and we will have one or two resources for incident management onsite?
Response: Onsite - No. Please provide options for onsite, offsite and/or hybrid.

4. Section-2.3.1, Paragraph (1)
Request: We understand that the SIEM has been deployed and devices already integrated. However, the RFP states that the vendor should integrate additional devices. Please specify the number of devices to be integrated and also the type and version of these devices.
Response: It is not possible to give a comprehensive list, because the environment keeps changing with new additions.

5. Section-2.3.1.1, Paragraph (1)
Request: It is mentioned in the RFP that the assets configured and included in the SIEM tools are to be monitored. Please provide us with the count of devices which have already been integrated and which will be in scope for monitoring.
Response: We do not have the details now. This is a changing number as we continuously add more devices.

6. Section-2.4, Paragraph (1)
Request: Is the Security Product Management activity expected to be an onsite activity? Can the vendor propose the appropriate number of resources to manage this?
Response: Quote for onsite and offsite.

7. Section-2.4, Paragraph (1)
Request: Please provide us the complete details of the devices in scope for product management, such as number of devices in scope, product brand and version etc. If we feel the need for additional resources, do they also have to be onsite at KCB? Can we propose to do product management remotely from our SOC?
Response: The number of devices keeps changing. It is not possible to give a comprehensive list now. Quote for onsite and offsite, and provide the rationale for additional resources.

8. Section-2.5.1
Request: Please provide the number of assets and applications in scope for vulnerability management.
Response: It is for the whole enterprise.

9. Section-2.5.1
Request: Please suggest the frequency at which these assets need to be assessed (quarterly, bi-yearly or yearly).
Response: Provide best practice.

10. Section-2.5.1
Request: If we feel there is a need for a dedicated resource for vulnerability management, can we propose the resource remotely? Access to the assets should be given remotely.
Response: Quote for onsite, offsite and/or hybrid.

11. Section-2.6.1
Request: Please provide details on the number of websites in scope for malware monitoring; this information is very critical for us to consider the commercials.
Response: One website.

12. Section-2.7
Request: For the SIEM gap assessment, please provide the make of the SIEM and the number and type of components (for example 1 correlation engine, 2 logging engines etc.).
Response: RSA enVision.

13. 1.3.14 and top of page
Request: Request for extension of the submission date from 13th August 2014 to Friday 29th August 2014.
Response: The date of submission has been extended to Friday, 29th August 2014 at 3:00pm (GMT+3).

14. Page 19, Section 2.4
Request: Which module of Tripwire do you use?
Response: Enterprise 8.1.

15. Page 14, Section 2.2, Resource Count 7 (L1: 3 shifts & L2: 2 shifts)
Request: Further down on Page 15 the shift breakup gives a total count of 8 resources on weekdays and 6 additional for weekends. Please clarify.
Response: These are the FTE to provide the managed services on a 24X7X365 basis.

16. Page 12, 2.1 Firewall Management
Request: What is the make of firewall?
Response: Checkpoint.

17. Page 13, Section 2.1.3
Request: KCB requires VAPT to be conducted as and when required. Kindly let us know for how many devices.
Response: For the enterprise (Kenya and subsidiaries).

18. Page 2.3.1.1
Request: How many assets would be included under SIEM Security Monitoring, Policy Compliance, and Malware Monitoring?
Response: This can be concluded on engagement. Work with unit costs.

19. Page 30, Sec 2.9, Point no 6
Request: Project Plan for delivering these services and the resource ramp-up required for project execution will be mutually decided by Bidder & KCB. Should we factor for this while working out the final cost?
Response: Yes, if you have to charge.

20. Page 35, Section 2.21
Request: At least one certified expert (2 in general certification and specialized) and a back-up person are required in the technical areas. Are these 2 resources in addition to the resource requirement (7 in total) as stated in the RFP?
Response: No.

21.
Request: If current security tools are outdated or out of warranty, what is the expectation of KCB from Service Providers?
Response: Give your proposal. If new tools are required please say so and quote for them. Please avoid duplication of tools.

22.
Request: If the existing tool/tools are not meeting the expectations of KCB related to information security, what will be the role of the SOC Service Provider?
Response: Please provide your proposal.

23.
Request: Kindly share details of all the tools with warranty & support terms from the respective vendors, if possible.
Response: This is not necessary.

24. 1.2 Advanced threats and risks
Request: Is there any software / subscription to any communities to notify about the threats and risks?
Response: From our requirements, this should not have any direct impact on the bid.

25. 1.2 Regulatory compliance with industry standards
Request: Is there any standard communication channel between Compliance and IT SOC?
Response: The question is not clear.

26. SECTION 2: SCOPE OF WORK - Security Operations Center (SOC) Services
Request: What is the tool used for SIEM?
Response: RSA enVision.

27. 2.1 Master Scope
Request: What is the uptime SLA for SIEM and security tools? Are they in cluster or failover mode?
Response: 99.99% uptime. Failover mode.
28. 2.1 Master Scope - Security incident and event management
Request: Is there any vendor support for software/hardware tools used for security management (as referred to in the scope in the RFP), e.g. anti-virus management, firewall management etc.? What is the SLA for response and resolution?
Response: There is vendor support.

29. 2.1 Master Scope - Identity and Access Management (IAM)
Request: Is the scope limited to Application (IAM) Management, or does it include Server (on which IAM is hosted) Management also?
Response: Quote for both separately.

30. 2.1.3 Vulnerability Management Services: b. Conduct VAPT and Application Security tests as and when required. Bidder has to provide tools / utilities and skilled resources to conduct them. The bidder's (SOC) team has to provide steps for closure of findings & provide reports on a daily basis till closure.
Request: What tools / utilities are recommended for conducting VAPT? How frequently do VAPT and Application Security tests need to be performed?
Response: Suggest the best tools you prefer to use and best practice standard frequency.

31.
Request: We kindly request for a pre-bid meeting to understand the expectation of the Bank.
Response: The Bank expects the response to the clarifications to assist in this understanding.

32.
Request: What are PIM and FIM solutions?
Response: PIM - personal information manager. FIM - federated identity management. Note: KCB does not have these tools. Please ignore this.

33.
Request: Does the bank have tokens? If so, please advise the model.
Response: From our requirements, this should not have any direct impact on the bid.

34.
Request: Does the bank have a test environment?
Response: Bidder to simulate any changes independently.

35.
Request: Kindly advise if the bidder is mandated to reuse the existing infrastructure to deliver the services.
Response: Yes.

36.
Request: Please confirm that KCB Sudan is South Sudan only.
Response: South Sudan only.

37.
Request: Will KCB allow the use of offshore resources to deliver parts of the services remotely from shared Global Delivery Centers?
Response: Please quote for offshore, onsite and/or hybrid.

38.
Request: Please confirm that all billing will be in USD to KCB Group Kenya; if not, please elaborate.
Response: USD.

39.
Request: Please provide a list of additional tool types and quantities being considered for deployment over the 36 month contract period.
Response: The details you are asking for are too detailed and can be provided upon contractual agreements only.

40.
Request: Please provide additional details about the existing security tools deployed currently - are they all fully deployed / operational? Can KCB provide a list of licensed product SKUs for these technologies?
Response: All the tools quoted in the RFP are in production except for DAM/WAF, which is an ongoing project.

41.
Request: Can KCB provide additional information / diagrams with environmental details such as the number of events per second (EPS) the SIEM solution is licensed for, whether Tripwire has integrated change reconciliation implemented, and how many Websense content policy filter rules have been implemented? Please provide the quantity of websites to be scanned.
Response: 1 main website.
42. 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.2 Master Scope
Request: Will the supplier be required to implement new technologies? If so, please list the technologies to be implemented.
Response: Suggest any new technology you wish to implement and the cost. Please note that all the tools and licenses will belong to KCB. But there cannot be any duplication of any existing tool, which needs to be discussed.

43. 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.2 Master Scope
Request: The tools used by the Bidder include those technologies owned by KCB (RSA enVision, Tripwire, etc.). Please confirm that the cost of these identified tools and the OEM annual maintenance & support required to meet the SLAs outlined is OUTSIDE the scope of the Bidder.
Response: This is inside the scope of the bidder.

44.
Request: There are about 5 areas included in this RFP:
a. Security Monitoring Services
b. Security Product Management
c. Vulnerability Management Services
d. Malware Monitoring Services
e. SIEM & Security Tools implementation GAP Analysis Services (one time)
Please advise if KCB is looking for any specific solutions or tools for the above mentioned 5 services, or is it entirely up to the Vendor to recommend specific solutions which we are experienced or accustomed with?
Response: It is entirely up to the Vendor to recommend specific solutions which they are experienced or accustomed with. Please also note that the Bank has tools that cover these areas, which you may have to use or provide the rationale for using others.

45.
Request: We believe that KCB can gain significant cost and operational efficiencies by integrating activities for IT Monitoring, IT Security Operations and IT Service Desk. Hence, in addition to responding to individual RFPs, we would like to submit a summary document that illustrates this integrated model and the associated cost and operational efficiencies. Is KCB open to evaluating such an integrated approach?
Response: You are open to do so, but it may affect your suitability since your evaluation vis-a-vis the other bids will not be one for one. However, if a particular Vendor is selected, then this proposal to benefit the bank will be revisited and agreed.

46. Section 1
Request: Scope - The RFP's Master Scope details a comprehensive list of Security Services; not all Services' Specification and Deliverables are detailed in the RFP. Please confirm that only the following products are in scope for Security Management: RSA enVision, Tripwire, McAfee DLP, NetGuardians T24 fraud monitoring tool, Imperva SecureSphere DAF/WAF, and any new product procured.
Response: The listed products are in use, but the bank could acquire any new product as need may arise.

47. Section 1
Request: Cognizant is aware that Kenya Commercial Bank has operations in five neighbouring countries. Does the bank have a consolidated Enterprise IT Structure in a centralized datacenter, or do the subsidiaries have their own regional IT Structures? Is the consolidated datacenter configured as a Hot or a Cold site?
Response: Some products are centralized while others are in the respective subsidiaries.

48. Section 1
Request: Does Kenya Commercial Bank have a distributed IT Architecture? Please elaborate on the distribution of information assets - number of servers and applications.
Response: To a large extent, the architecture is distributed. However, we are moving into a new DC architecture which is expected to be much simpler than the present one.

49. Section 2.1
Request: Please provide details on the deployed PIM tool, the number of users and servers in scope and the number of service requests generated on a monthly basis.
Response: This tool does not exist currently. Please ignore this section.

50. Section 2.3.1
Request: Cognizant understands through the RFP that Kenya Commercial Bank requires a Dedicated Support Model for Managed Security, though not explicitly stated. Please confirm. Is the bank open for a Shared Managed Security Model?
Response: Security Monitoring will have to be managed fully by the Vendor regardless of the delivery model. Please quote for onsite, offsite and/or hybrid models.

51. Section 2.3.1.1
Request: The Asset Scope section for Security Monitoring Service doesn't elaborate on the total number of devices being monitored and their types (Firewalls, IPS, Servers, Network Devices, etc.). Please provide the details on device types being monitored, their count, and overall Events per Second (EPS) on RSA enVision.
Response: This should be covered at the contractual level.

52. Section 2.3.1.1
Request: Please share information on RSA enVision version details. If RSA enVision is reaching EOL, please provide information on the upgrade/migration strategy.
Response: We know our version is near end of life. Please propose the way forward. Any new solution will belong to KCB.

53. Section 2.3.1.1
Request: Please share information on Threat Intelligence third party feeds currently being utilized.
Response: Please propose your suggested solution.

54. Section 2.3.1.3
Request: The RFP states a log retention requirement at an offsite location. Please confirm the availability of sufficient storage infrastructure for log retention for a period of one year.
Response: Storage space is available.

55. Section 2.3
Request: Please share the Security Monitoring ticket volume for the last 4-6 months with priority/severity classification.
Response: Average is 1000 calls per month and not limited to it.

56. Section 2.4
Request: Please provide information on existing tools being used for Security Management of devices - Fault, Availability, and Performance Management.
Response: We primarily use RSA enVision. Please propose any additional tools.

57. Section 2.4
Request: Please share the Security Management ticket volume for the last 4-6 months with priority/severity classification.
Response: Average is 1000 calls per month and not limited to it.

58. Section 2.5
Request: Please state the vulnerability remediation schedule from the corporate Security Policy. The schedule/frequency will decide the scan frequency and appropriate resource effort estimation.
Response: Please propose a solution based on your experience in other sites of similar nature.

59. Section 2.5
Request: The RFP states the requirement of a Compliance Monitoring solution, though not stated explicitly. Please confirm and provide the overall count of IP addresses in scope.
Response: Please work with about 5000 employees.
60. Section 2.5
Request: Please share the details on overall scope - number of servers, devices, and applications, and information on the total count of IP addresses (internal and external).
Response: Please work with about 5000 employees.

61. Section 2.5
Request: Please share the details on Penetration Testing scope - frequency and count of applications. Does the bank's Enterprise Policy have constraints with a SaaS model provisioning for the Vulnerability Management service?
Response: Pen test frequency to be agreed upon. Yes.

62. Section 2.6.1
Request: Please share information on the number of sites/pages in scope for Malware Scanning.
Response: The question is not clear.

63. Section 1
Request: Please provide the vendor support details (SLA) for Security Devices under scope. Do you have a TAC support contract in place for L3/L4 support?
Response: Can only be shared after contractual agreement.

64. Section 1
Request: How is the remote site management done? Do you have dedicated resources working out of each remote site, or is it centrally managed?
Response: Centrally managed by the Vendor.

65. Section 1
Request: Please describe the level of documentation maintained for your current Security. What tools/applications/portals do you use to make this documentation available, accessible and for updates (e.g. CMDB)? Do you follow the ITIL Process?
Response: Please bid as per industry best practice and experience in other sites of similar nature.

66. Section 1
Request: The support level in scope is considered to be end-to-end support (L1, L2, L3 and third party vendor coordination)? Please clarify if our assumption is correct.
Response: Only L1. Monitor and escalate to the KCB onsite Engineer through different media.

67. Section 1
Request: Please provide details of the international Security standards and regulations that your organization currently follows (ISO 27001, PCI, SOX etc.).
Response: ISO 27001, PCI DSS.
68. Section 1
Request: Please describe the level of documentation maintained for your current Network, Security and Telecom infrastructure. What tools/applications/portals do you use to make this documentation available, accessible and for updates (e.g. CMDB)? Do you follow the ITIL Process?
Response: Please bid as per industry best practice and experience in other sites of similar nature.

69. Page 19, Section 2.4
Request: Which module of Tripwire do you use?
Response: Enterprise 8.1.

70. Page 14, Section 2.2, Resource Count 7 (L1: 3 shifts & L2: 2 shifts)
Request: Further down on Page 15 the shift breakup gives a count of 8 resources on weekdays and 6 additional for weekends. Please clarify.
Response: These are the FTE required to provide the service 24X7X365. Vendor to come up with the right mix as long as the SLAs and the contractual agreements are met.

71. Page 12, 2.1 Firewall Management
Request: What is the make of firewall?
Response: Checkpoint.

72. Page 13, Section 2.1.3
Request: KCB requires VAPT to be conducted as and when required. We want to know for how many devices.
Response: The whole enterprise.

73. Page 2.3.1.1
Request: How many assets would be included under SIEM Security Monitoring, Policy Compliance, and Malware Monitoring?
Response: All core systems of the bank.

74. Page 30, Sec 2.9, Point no 6
Request: Project Plan for delivering these services and the resource ramp-up required for project execution will be mutually decided by Bidder & KCB. Should we factor for this while working out the cost?
Response: Yes, if you must charge.

75. Page 35, Section 2.21
Request: At least one certified expert (2 in general certification and specialized) and a back-up person are required in the technical areas. Are these 2 resources in addition to the resource requirement (7 nos.) given in the RFP?
Response: No.

76. Clarification
Request: Confirmation of the number of sites where log collection will happen.
Response: The whole enterprise.

77. Clarification
Request: Can we please get any existing metrics on the current platform?
o Current EPS rate
o Current set of use cases
o Existing KPIs
Response: Suggest/use industry best practice.

78.
Request: Are all resources to be onsite? Or is remote management & administration allowed?
Response: We are open to onsite, offsite and/or hybrid.

79.
Request: What is expected as part of Forensic Analysis?
Response: That the environment should be forensically ready, thus aiding any investigations.

80.
Request: DLP at desktop, server or network level?
Response: All.

81.
Request: What are the existing tools in use?
Response: McAfee DLP.

82.
Request: Will the responsibility lie only for providing personnel and following process, or also for getting tools to manage?
Response: Please give us your best practice proposal.

83.
Request: Does KCB currently use any incident tracking solution? What are the areas not addressed by the current tool?
Response: No incident tracking solution; please make your proposal.
84.
Request: Is there a test environment for testing the changes before applying them in production? Is there a CAB in place for approval of changes? Is there a document available clearly distinguishing service requests from change requests?
Response: No. Yes.

85.
Request: If the RCA and preventive measures have costs associated in terms of implementing a solution, how will the process work? Will it affect the uptime if the approval process is time consuming?
Response: You have to justify and get approvals for any downtime.

86.
Request: Will the projected business growth be shared with the bidder for capacity planning?
Response: No.

87.
Request: For obsolete products (hardware/software), though in working condition but out of support from the OEM, will there be immediate replacement upon highlighting by the bidder, as it may affect the uptime if any issue is encountered?
Response: Make your proposal for replacements. Please note that all the equipment and licenses will be owned by KCB.

88.
Request: What is a PIM & FIM solution?
Response: PIM - personal information manager. FIM - federated identity management. Note: KCB does not have these tools. Please ignore this.

89.
Request: Will the security subscriptions for definition updates, IOS upgrades and replacement support be managed by KCB?
Response: What is the best practice? Provide your proposals.

90.
Request: If the database, network or server has a critical patch which is important to patch a vulnerability, but the application or KCB network needs to be upgraded and needs time to support it, will the risk be borne by KCB?
Response: What is the best practice?

92.
Request: Is a consortium allowed?
Response: Procurement to guide on this.

93.
Request: The bidder is required to make the SOC compliant with and certified to ISO 27001, PCI DSS, ISO 20000 and BS 25999. Can you elaborate? Is the bidder required to comply with all standards in full?
Response: Please provide your proposals.
94.
Request: POCs should be supported from time to time. What is the limit and what types of POCs?
Response: To be agreed with the successful bidder.

95. Section 2.1, Page 12
Request: Please provide the device volumes in scope for the following services:
1. Anti-virus: number of management servers and agents
2. File Integrity Monitoring: number of management servers and agents
3. Host Intrusion Prevention: number of management servers and agents
4. Network Access Control: technology deployed
5. Network IPS: number of sensors
6. Firewalls: number of devices and management servers
7. Email security: number of servers deployed and mail-boxes monitored
8. Encryption: encryption type and volumes
9. Web Content Filter: number of servers/appliances
10. WAF product currently in use & its placement in the overall architecture
11. Imperva: please list the component and deployment details
Response: These details cannot be provided now.

96. Section 2.1.2
Request: How many applications and servers are integrated with the T24 Fraud Monitoring Tool?
Response: There is no integration; the tool analyses logs collected from other applications such as AD, DHCP, VPN etc.

97. Page 14, Resource Table
Request: Is the bidder expected to provide these services with 7 FTEs? Since this is a managed services requirement, can the bidder be provided the flexibility to decide on the number of resources required to deliver the services adhering to the functional and technical requirements of the RFP?
Response: The bidder is expected to provide the services with the 7 FTEs or whatever is deemed fit for meeting the contractual agreements and SLAs.
98. Section 2.4.2, point #25
Request: Please elaborate what is meant by PIM solution. Is this through some additional tools? Please specify.
Response: PIM - personal information manager. FIM - federated identity management. Note: KCB does not have these tools. Please ignore this.

99. Section 2.4.2, point #28
Request: Please provide more details around what 2FA solution is deployed in KCB. How many users are supported on 2FA?
Response: The bidder is expected to provide the solution.

100. ANNEX 3 KCB IT RISK & SECURITY TECHNICAL SECURITY CHECKLIST (Pg 69) / Availability - item 2
Request: How does KCB propose to administer the disaster recovery and business continuity plans? Is KCB open to a governance layer as a part of the SOC governance model - independent from the operations team - to maintain oversight over day-to-day operations?
Response: Please suggest your best approach to this for consideration.

101. 2.1.3 b. Application security tests; 2.5 -> 2.5.1 Asset Scope -> Application Scanning
Request: How many web applications will be in scope for security testing? How many of these applications are already in production and how many are under development?
Response: 2 in production. One in the pipeline.

102. 2.1.3 b. Application security tests; 2.5 -> 2.5.1 Asset Scope -> Application Scanning
Request: Are these applications internet facing, or are there any internal applications in scope?
Response: Internet facing - yes.

103. 2.1.3 b. Application security tests; 2.5 -> 2.5.1 Asset Scope -> Application Scanning
Request: Please provide an approximate estimate of the maximum number of static and dynamic pages we can expect in any application (e.g., 50 static and 50 dynamic pages). What is the technology landscape of the web applications (e.g., Java, .NET, PHP etc.)?
Response: The technology landscape of the web applications includes, but is not limited to, Java, .NET and PHP.

104. 2.1.3 b. Application security tests; 2.5 -> 2.5.1 Asset Scope -> Application Scanning
Request: Are the applications hosted internally, by 3rd party vendors, or in a cloud such as AWS? Does the application interface with any external systems? If yes, how many? External systems like Content Management systems, third-party Payment Gateways, etc.
Response: Mostly hosted internally. Most applications interface with internal systems, with limited external.
105. 2.1.3 b. Application security tests; 2.5 -> 2.5.1 Asset Scope -> Application Scanning
Request: How many application penetration tests need to be performed and what will be the frequency of these tests? Are these applications developed in-house or by 3rd party vendors?
Response: Use industry best practice norms.

106. 2.1.3 b. Application security tests; 2.5 -> 2.5.1 Asset Scope -> Application Scanning
Request: Are you using file uploads or card payment in your web applications? If yes, please specify the related application details.
Response: No card payments.

107. 2.1.3 b. Application security tests; 2.5 -> 2.5.1 Asset Scope -> Application Scanning
Request: What is the maximum number of user roles for which privilege escalation tests have to be performed in any application (e.g., 3 user roles)?
Response: Use industry best practice norms.

108. 2.1.2 Security Product Management
Request: Are there any other capabilities that the WAF should provide, besides web traffic filtering - SSL, Data Loss Prevention, Logging, Load Balancing, etc.?
Response: This is a project in progress.

109. 2.1.2 Security Product Management
Request: Please provide the type & number of applications being protected through the WAF.
Response: This is a project in progress.

110. 2.1.2 Security Product Management
Request: Please list the present technology / version of the DLP solution implemented at KCB along with the number of users supported. How many incidents on average does the DLP solution register per month?
Response: McAfee DLP 9.2. Fine tuning of incidents is ongoing, so we cannot give the exact number.

111. 2.1.2 Security Product Management
Request: Which DLP components are rolled out currently in KCB? Please select from the list below: Data discovery (data discovery); Data in use (end point); Data in motion (network).
Response: Data discovery (data discovery). Data in use (end point). Data in motion (network). 5,000 end points.

112. 2.1.2 Security Product Management
Request: Please specify the number of end points (laptops, desktops, PDA, other) that are currently under the scope of DLP.
Response: Ditto.

113. 2.1.2 Security Product Management
Request: How many databases are in KCB's DAM scope? Please give a split on the type of DB - DB2, Oracle, SQL etc. What is the volume of data contained in these databases?
Response: This is a project in progress.

114. 2.1.2 Security Product Management
Request: How many datacenters are in scope for deployment of the DAM solution? How many incidents on average does the DAM solution register per month?
Response: 2 data centres; need to be discussed. This is a project in progress.

115. 2.1.2 Security Product Management
Request: Number of resources currently deployed for DAM?
Response: This is a project in progress.

116. Page 27, Section 2.6.2 Service Specification
Request: Provide the total number of websites that would be required to be scanned under the 24*7 malware scanning scope.
Response: 1 main website.

117. Page 27, Section 2.6.2, point #4
Request: Can the bidder propose a cloud based malware scanning service, through its associate partner, instead of an on-premise, product based solution? Please confirm KCB's concurrence on the same.
Response: KCB prefers on-premise.

118. Section 2.3.1.2, point #1
Request: Would the bidder team be supported by the existing KCB team for handling the demand for security monitoring and operations? What working model does KCB plan to have between the bidder team and its existing SOC team?
Response: Yes. The bidder team does the monitoring and reporting as L1 and forwards any item that needs further investigation to the KCB team.

119. Section 2.3.1.2
Request: KCB indicates that the bidder should monitor, detect and manage incidents for a minimum set of IT infrastructure events. Are correlation use-cases already built on KCB's existing SIEM platform, or is the supplier expected to build them as part of service transition?
Response: The supplier is expected to build them as part of service transition.
120. Section 2.3.1.2, point #9
Request: We assume that KCB will provide the underlying infrastructure, including forensic tools if any are required for this purpose, and that the supplier is to utilize the relevant technologies. Please confirm the same.
Response: The bidder is expected to provide resources and tools if they do not exist in KCB. KCB will eventually own the tools and licenses.

121. Section 2.3.1.2, point #12
Request: Forensics is a specialized requirement which requires skills outside of security monitoring. What is KCB's expectation around the same? Does KCB expect the forensics to be performed by the proposed 7 staff itself?
Response: Yes.

122. Section 2.3.1.2, point #12
Request: Forensics is a specialized requirement which requires skills outside of security monitoring, with pricing typically provided on a per incident basis. Please confirm if the bidder can provide this on a per incident basis as well.
Response: Not to be provided on a per incident basis.

123. Section 2.3.1.2, point #23
Request: "Automatically reset the end-users' password without the involvement of helpdesk technicians" - please elaborate on the user base for password reset, the user directory (AD/LDAP) to be integrated, and the number of directories to be integrated.
Response: Please propose a solution to achieve this. We use Microsoft AD. We have 6 ADs to be integrated.

124. Section 2.5
Request: For vulnerability management please specify: a. number of internal IP addresses; b. number of external IP addresses; c. scan frequencies.
Response: Use approx. 5000 employees.

125. Section 2.3.1
Request: Please provide the number of log sources integrated with the SIEM and the EPS handled by the current SIEM platform.
Response: The environment is dynamic and the number is expected to go up.
126. 2.1 Master Scope: Identity and Access Management (IAM)
Request: To understand the Identity and Access Management (IAM) landscape, please provide the following information:
1) Which Identity Manager product is currently being used, along with the product version (e.g. Oracle Identity Manager 11gR2)?
2) Which Access Manager product is currently being used, along with the product version (e.g. Oracle Access Manager 11gR2)?
3) Which Access Governance product is currently being used, along with the product version (e.g. Oracle Identity Analytics 11gR2)?
Response: 1) None. 2) None. 3) None.

127. 2.1 Master Scope: Identity and Access Management (IAM)
Request: Please specify the total number and types of applications (homegrown or product applications) which are integrated with the Identity and Access Management (IAM) solution, per IAM component, e.g. inventory of the applications integrated with Identity Manager, inventory of the applications integrated with Access Manager etc.
Response: KCB does not have an IAM solution. Please provide your proposals.

128. 2.1 Master Scope: Identity and Access Management (IAM)
Request: Please provide the number of users categorized as internal users (employees, contractors) and external users (customers, partners).
Response: Approximately 5,000 users.
129. 2.1 Master Scope: Identity and Access Management (IAM)
Request: Please quantify the scope and provide support information for the past 6 months with reference to the following:
1) Total ticket volumes
2) Total number of tickets for Identity Management
3) Total number of tickets for Access Management
4) Total number of tickets for the Access Governance solution
5) Total number of tickets per severity
6) Number of environments to be supported, e.g. Dev, Test, UAT and Prod
Response by KCB: Ditto.

130. Request: Kindly share the asset list, including the number of devices of each type and location. Please specify the number of devices in High Availability.
Response by KCB: The environment is dynamic and the assets can change.

131. Request: Please provide a list of assets which the bank plans to add to the existing scope.
Response by KCB: The environment is dynamic and the assets can change.

132. Request: Does KCB have a DR site, and are the devices in the DR site also in scope of monitoring?
Response by KCB: Yes. The bank has a DR site, also in scope.

133. Request: Are all devices integrated with the SIEM tool? If not, are they excluded from the scope of monitoring?
Response by KCB: Not all devices are integrated. The bank does expect the bidder to integrate the devices.

134. Request: For all devices not integrated with the SIEM, does the bank expect the bidder to integrate the devices?
Response by KCB: Yes, but gradually.

135. Request: Please provide the current peak volumetrics for the following:
a. Number of incident tickets daily
b. Number of change and problem requests in a week
c. Number of IAM tickets in a day
d. Service requests which are part of the service catalogue in a day
Response by KCB: See comments above.

136. Request: Please provide the number of IP addresses or systems and network devices for Vulnerability Assessment.
Response by KCB: See comments in this document.

137. Request: What is the scanning frequency for each asset type (network, systems and applications)?
Response by KCB: Quote for best practice.

138. Request: Please provide the list of devices and systems for configuration assessment.
Response by KCB: Too broad. To be discussed with the successful bidder. Use unit cost for quoting.

139. 2.1.3 Vulnerability Management Services, point F
Request: The RFP mentions that the Bidder should perform the Application Security Scans, and that the team has to report on and certify the application go-live. How many applications are part of this ready-for-service assessment each year? Will KCB provide the tools, or is the bidder expected to use its own tools for scanning?
Response by KCB: The environment is dynamic, but the applications that go live are not very many. The bidder is expected to use its own tools for scanning.

140. Request: Please provide the number of applications for malware scans. What is the frequency of the scans for each application?

141. Request: We understand the bank uses RSA enVision as its SIEM tool. Since this is an EOL product, does the bank have any plans to upgrade the SIEM or migrate to another product? Can the bidder offer its SIEM as a service?
Response by KCB: Bidder to offer its SIEM as a service. Please provide your proposal.

142. Request: Are current operations insourced or outsourced to any other vendor?
Response by KCB: Current operations are insourced.

143. Request: What is the average service transition timeline expected by KCB?
144. Request: Please confirm if the understanding below is correct:
a) The 7 resources specified by KCB are for L1/L2 monitoring only.
b) The resources for Product Management, Vulnerability Assessment, Malware Scanning etc. will be additional to the 7 resources mentioned in point a.
Response by KCB: No. The 7 are to do all that.

145. Request: Does the bank use any tool for service desk management, or does it expect the bidder to use its own tool?
Response by KCB: Bidder to use its own tool. Make your proposal too.

146. Section 3.5 - Performance Security
Request: What is the amount of Performance Security? Is it 5% of total contract value?
Response by KCB: 10%.

147. Request: Are all resources to be onsite? Or is remote management & administration allowed?
Response by KCB: Provide proposals for onsite, offsite and/or hybrid models.

148. Request: Please elaborate on Threat Intelligence (Security incident & event management).
Response by KCB: Use RSA enVision.

149. Request: Encryption: is this disk encryption, data encryption or anything else?
Response by KCB: Disk encryption, data encryption and data-in-use encryption.

150. Request: What is expected as part of Forensic Analysis?
Response by KCB: Reconstruction of events as they occurred, where, and by whom, etc.

151. Request: DLP at desktop, server or network level?
Response by KCB: Both host and network level.

152. Request: What are the existing tools in use?
Response by KCB: As per the RFP.

153. Request: Will the responsibility lie only with providing personnel and following process, or also with getting tools to manage?
Response by KCB: Also getting tools to manage.

154. Request: Does KCB currently use any incident tracking solution? What are the areas not addressed by the current tool?
Response by KCB: RSA enVision. Events correlation.
155. Request: Is there a test environment for testing the changes before applying them in production?
Response by KCB: Yes, but not elaborate and not for all applications.

156. Request: Is there a CAB in place for approval of changes? Is there a document available clearly distinguishing service requests from change requests?
Response by KCB: Yes. There is a change management process in place.

157. Request: If the RCA and preventive measures have costs associated with implementing a solution, what will the process be? Will it affect the uptime if the approval process is time-consuming?
Response by KCB: Yes, it will affect uptime. This should be properly planned to avoid downtime that can negatively affect services.

158. Request: Will the projected business growth be shared with the bidder for capacity planning?
Response by KCB: Yes. Under NDA.

159. Request: For obsolete products (hardware/software) that are in working condition but out of support from the OEM, will there be immediate replacement upon highlighting by the bidder, as it may affect uptime if any issue is encountered?
Response by KCB: Replacement should be immediate, but if it impacts the bank's operations, an appropriate time frame will be allocated.

160. Request: POCs should be supported from time to time; what are the limit and types of POCs?
Response by KCB: The environment is dynamic. The limit of the POCs will depend on what products the bank is looking to deploy.

161. Request: The bidder is required to make the SOC compliant with, and certified to, ISO 27001, PCI DSS, ISO 20000 and BS 25999. Can you elaborate? Is the bidder required to comply with all standards in full?
Response by KCB: Yes. The bidder should comply with all standards in full.

162. Request: Is a consortium allowed?
Response by KCB: Yes.

163. Request: If the database, network or server has a critical patch which is important to fix a vulnerability, but the application or KCB network needs to be upgraded and needs time to support it, will the risk be borne by KCB?
Response by KCB: By the bidder.
164. Request: Will the security subscriptions for definition updates, IOS upgrades and replacement support be managed by KCB?
Response by KCB: By the bidder.

165. 1.3.12 Clarification of Bidding Document (vi)
Request: Request for more clarifications.
Response by KCB: The last date for receipt of requests for clarifications from bidders was Friday, 25th July 2014.

166. Request: What is a PIM & FIM solution?
Response by KCB: PIM: personal information manager. FIM: federated identity management. Note: KCB does not have these tools. Please ignore this.

This addendum has been sent to all bidders who had registered interest in the Tender.

ACKNOWLEDGEMENT OF ADDENDUM NO. 1

WE, the undersigned, hereby certify that the addendum is an integral part of the document "Tender for Managed Services - I.T Security Operations Center (SOC)" and that the understanding set out in the addendum has been incorporated in our tender proposal accordingly.

Signed:
Name:
Tenderer:
Date: