Request for Proposals for Data Center/Mainframe Hosting Solution

PROPOSALS DUE: June 4, 2013 @ 5:00PM (PST)

Provided to (Company):
Accepted by (Representative):

Table of Contents

Instructions
Overview
Purpose
Requirements
Respondent's Business Overview
Questionnaire
   Hardware
   Software
   Support
   Client Management
   Migration
   Disaster Recovery
   Facility
   Security
Software applications currently in use
Pricing
XyberNET Inc. Data Center RFP

Instructions

Deadline for submission of questions by candidates: 05/24/2013 EOD (PST)
Responses to questions to be returned no later than: 05/28/2013 10:00am (PST)

An original proposal must be signed and delivered to the address below by 5:00pm (PST) on 06/04/2013. An electronic copy must also be emailed to: Sales@Xyber.net

Respondents may mail or deliver three (3) printed copies of their proposals to:

XyberNET
10640 Scripps Ranch Blvd
San Diego, CA 92131

XyberNET will review completed RFP responses during the week of June 4th and contact selected candidate companies on June 10th or June 11th to schedule interviews. Interviews will be completed by June 21st and final candidates will be selected by June 28th. Contract negotiations will be conducted during the month of July.

XyberNET will not be responsible for any Proposal(s) that is (are) lost in the mail or not delivered by the stated deadline for any reason. XyberNET is not held liable for any costs incurred by any respondents to this RFP during the preparation or delivery of their responses. Costs incurred are the sole responsibility of the vendor.

XyberNET reserves the right, at its sole discretion, to reject any/all Proposals or to cancel this RFP in its entirety as determined to be in XyberNET's best interests. Any Proposal received which does not meet the requirements of this RFP may be considered to be non-responsive, and the Proposal may be rejected. Proposers must comply with all of the terms of this RFP and all applicable Federal, State and Local laws and regulations.

XyberNET reserves the right, at its sole discretion, to waive any technicality in Proposals provided such action is in XyberNET's best interest. Where XyberNET waives minor technicalities in Proposals, such waiver does not modify the RFP requirements or excuse the proposing Firm from full compliance with the RFP. Notwithstanding any minor technicalities, XyberNET may hold any Firm to strict compliance with the RFP.
Overview

XyberNET is looking for the ideal outsourcing data center to meet both our current and future needs. XyberNET has been in business for over 30 years and is the leading provider of software and services to the insurance vertical. We specialize in, but are not limited to, products and support for credit insurance, debt protection and P&C business. Our client base is split between companies that license and install our software products in their own environments and those that utilize our software products through our Application Service Provider (ASP) services.

XyberNET's business model includes licensing software, ASP services, annual maintenance agreements and a variety of professional services such as custom programming, training and consultation. We maintain a full staff of professionals who are available to do the various support work. For our ASP clients, we provide Production Control services as well. Overall, XyberNET has approximately 20 clients located throughout North America, with potential for additional international clients.

We are looking for a business partner that can support us in both a production environment, servicing several clients, and a full development environment. Security and connectivity reliability are both crucial to our business, as ours is a 24/7 environment. Our core software products run on an IBM mainframe, using Cobol, VSAM and DB2. We also have products that run on SQL Server as well as ASP.NET web products.

We are at a crossroads and are looking for a data center that wants to move forward with us. With fewer than 20 employees we are a small shop, but our client base includes some of the biggest names in the industries we support. We are currently on older releases of many of the software products we use, which is holding us back from some of the projects we have on our docket. We are looking for a well-staffed, forward-thinking, reliable and proven data center to support our needs.
Purpose

The purpose of this RFP is to determine whether or not the ideal business partner is out there and available to us. It is our desire to move to completion on this process within a 3-4 week timeframe, so, if you are interested in participating, we ask for quick turnaround from you. If you choose not to participate, please email that information to us and return the RFP to our attention.

Requirements

XyberNET has long relied upon mainframe processors to conduct business for itself as well as its client base. Current mainframe processing is performed on an IBM z9 processor running OS release 1.7 in a single 100 MIP LPAR with a total memory of 4096M. System security is through RACF. It should be noted that the current environment is no longer adequate for our needs; we are looking for a larger, faster environment closer to the 150 MIP range.

XyberNET supports multiple ASP clients with client access to multiple CICS v2.3 regions, as well as TSO. In total there are 25 active CICS regions, with another 16 regions which may be activated for special release level activities at any time. Clients access the system through secured VPN connections and/or TN3270 over the internet using SSL. XyberNET provides FTPS services to its client base, and it is imperative that any new data center relationship provide this and other secured protocols to the mainframe.

Client connectivity and online availability are critical to the success of this company. One critical aspect of this relates to the processing of client batch cycles during off hours. As such, XyberNET requires 24 hour production control and technical support from its vendor of choice. This includes the monitoring and notification of batch processing activities during second and third shifts to ensure that all cycle activities and online systems are available to our clients by their specified time.

XyberNET's DASD farm is approximately 2TB in size; this includes volumes specifically allocated for system services (HSM, VTS, SYSRES), development and client production environments. These environments are SMS managed. The tape farm consists of approximately 18,000 in-house tapes, with the vast majority allocated to HSM and for offsite storage.

XyberNET is very interested in pursuing a tapeless environment, and the selected vendor must be able to accomplish the transition to this environment within 1 year. This would also involve the expansion of the current DASD farms for VTS, HSM and others to conform to the new structure. As part of this transition, XyberNET is also interested in the electronic transmission of critical production and system related files to a secured offsite storage location.

Annually, XyberNET performs its Business Continuity testing. This testing includes not only validating our ability to perform functions in support of our development needs, but also functions related to the production support of our clients. We also invite our clients to participate in the testing of their environment during this period. This test normally occurs during the September to October timeframe (for a period of 2 days). It is preferable that the selected vendor have an established B.C. site to perform this testing.

Respondent's Business Overview

Please provide an overview of your business and the solutions you provide. Include all lines of business and a short description of each.
Questionnaire

(We request that vendor candidates' answers be as detailed as possible)

1. Define your corporate structure to include:
   a. Ownership structure of your company, including any parent companies.
   b. How many data centers do you have?
   c. Where are the data centers located?
   d. Where are your corporate headquarters located?
2. How long have you been in business as a data center?
3. How long has your data center, or data centers, been in their current locations?
4. How many data center related clients do you service?
   a. Please provide a breakdown of how long your clients have been utilizing your data center services.
5. What contract terms, in years, do you offer your clients?
6. What percentage of your clients renew their contracts for your services?
7. What percentage of your renewals are multiple year contract renewals?
8. How many clients do you provide combination mainframe and server based hosting services for; meaning they themselves are service providers to their clients?
9. Do you have existing clients that, in addition to developing mainframe applications, host these production applications and data for their client base on your systems?
10. What kinds of businesses do you support?
11. To what professional organizations do you belong?
12. How do you stay abreast of new ideas and current trends?
13. Are you an IBM business partner?
   a. If yes:
      i. What level?
      ii. Explain how your company complies with IBM standards.
      iii. What requirements does your company fulfill in order to maintain its partner status, and how often?
      iv. How long has your company held Business Partner status?
   b. If no:
      i. Explain how your company complies with IBM standards.
      ii. Explain how your company leverages 3rd party IBM partners in support of your clients.
      iii. What SLAs are in place to govern the relationship with your 3rd party IBM partner(s)?
      iv. Does your company contact IBM directly for assistance or work solely through business partner(s)?
14. What technical certifications do you require your staff to obtain and maintain?
15. Please provide an overview of your current staff that would be supporting our business, broken down by primary functions.
16. What is your Full Time Employee to Contractor ratio?
17. Please provide your company's current Organizational Chart.
18. What data management and datacenter environment certifications does your company have?
19. Does your facility meet SAS70/SSAE16 requirements?
   a. Please explain.
   b. How often do you complete SAS70/SSAE16 audits?
20. Does your facility meet ISO9000 requirements?
   a. Please explain.
21. Is your facility PCI compliant?
   a. Please explain.
22. Is your facility HIPAA compliant?
   a. Please explain.
23. Will you allow XyberNET or a XyberNET specified third party vendor to perform regularly scheduled audits for the purposes of validating adherence to mutually agreed upon SLAs for hardware, software, mainframe and network topology configurations and updates?
24. Are your facilities completely redundant?

Hardware

1. Please describe your hardware maintenance philosophy related to mainframe, server and network appliances.
2. Please describe your mainframe processing capabilities.
   a. How many and what type of mainframe computers are installed at your facility?
   b. How many of these systems are shared, versus client specific?
3. Describe your peripheral environment.
4. For shared mainframe systems, please describe your methodology for dividing up the system and ensuring enough processing power for normal, peak and excessive processing demands.
5. Can you provide, and support, a XyberNET specific LPAR with multiple development and production regions?
6. Do you allow clients to perform regularly scheduled audits to confirm hardware maintenance, updates and configurations meet the agreed to SLA requirements?
7. Can you provide Network Time Server services on the mainframe and NTP?

Software

1. Please describe your software maintenance philosophy as it relates to:
   a. Mainframe, network, peripheral, data center firmware
   b. IBM operating system updates
   c. Mainframe utilities
   d. All other programs running on the mainframe.
2. Do you currently have security certificates issued based on 2048-bit security key encryption installed on your mainframe systems?
3. What is the highest level of security encryption and what algorithms are supported for SSL certificates?
4. Do you notify clients when software applications such as operating systems, system utilities and other data center managed applications are due for upgrades?
5. Will you allow XyberNET or a XyberNET specified third party vendor to perform regularly scheduled audits to validate software applications meet agreed to SLA requirements?
6. How would you structure XyberNET access to enterprise software licenses?
7. How do you manage recommendations for software; i.e. if there is a software package that could perform better or better suit our needs, how would you bring this to our attention?
8. How do you manage software inventory in production and dormant and provide consultation on the usage of these applications?

Support

1. Do you provide on-site 24x7 support?
   a. If yes, please explain your existing support structure for:
      i. Mainframe services
      ii. Hosted server services
      iii. Network services
      iv. Monitoring of operating system consoles
      v. Monitoring of jobs and critical applications
      vi. Supporting scheduled processing of batch jobs and backups inclusive of re-run/re-start procedures and problem resolution
      vii. Documenting cause and nature of both scheduled and unscheduled outages
      viii. Responding to system messages and requests for resources as required
      ix. Reporting equipment malfunctions and contacting client when appropriate
      x. Daily incremental backups and full volume backups.
2. Will you provide on-site operational support for our production cycles 24/7?
3. What are your standard response commitments to system administration and ongoing engineering change requests?
4. Please provide an example of your standard SLAs for hosting services to include:
   a. Response times on issues resolution
   b. System availability
   c. Change requests, such as port assignments
   d. Updating network settings on the mainframe, including but not limited to:
      i. DNS server settings
      ii. NTP
      iii. IP addresses/subnet mask
      iv. Gateway
5. Do you support Defense in Depth, mainframe security through host-based firewall, credentialing and permissions?
6. Will you respond to regular security questionnaires submitted by XyberNET?
7. Do you provide SSL Services utilizing security certificates issued by commercial Certificate Authorities to support:
   a. FTPS (Port 992)
   b. TN3270 (Port 990)
   c. HTTPS for web and CICS
   d. Other services
8. Can your company support:
   a. Taking custody of XyberNET's equipment in the current datacenter and spearheading its migration to your facility?
   b. Ongoing shipping and packaging, on request, of network appliances, peripherals and servers?
   c. Providing, as needed, installation of XyberNET-owned servers, network appliances, power management and peripherals, and complying with and maintaining a documented network topology?
   d. Providing power cycles to XyberNET hardware 24x7 upon request?
   e. Supplying rack systems for Dell rapid rails, standard racks and rack support for XyberNET appliances?
9. Do you foresee the need to add staff to support our business?
10. What metrics do you provide to your customers for monitoring system performance and processing times for both mainframe and non-mainframe applications and hardware?
11. Provide a list of performance monitoring tools used at your data center.
12. Describe the reporting that can be generated and provided to your clients and on what frequency.
13. Describe your process for validating fixes prior to implementation into your clients' production environments.
14. Do you have an on-site test lab which would enable your engineers to troubleshoot outside of the production environments?
15. Please explain your change management process.

Client Management

1. What is your overall approach to managing your clients?
2. What are your overall goals of Client Management?
3. Do you assign an Account Manager to each client? If so, please elaborate on the role of this individual.

Migration

1. Describe how your company would manage the migration of XyberNET's presence from our current data center to yours. This presence includes:
   a. Hardware
   b. Software
   c. DASD farm
   d. Tape silo
   e. Servers
   f. Network equipment
2. If the migration includes any form of electronic data transmission, how would you ensure the security of the data during transmission?
3. What security measures would be invoked for the physical transfer of data contained on tape or other medium, between facilities?
4. When was your last client migration?
   a. What was involved?
   b. How long did the exercise take to complete?
   c. Was the migration completed as scheduled?
   d. What were some of the challenges faced?
   e. Please describe the team your company assembled to handle the migration (please include number of team members, roles and responsibilities).

Disaster Recovery

1. Please provide an overview of your disaster recovery capabilities to include:
   a. Do you provide 24 hours disaster recovery response?
      i. Please describe.
   b. What disaster recovery certifications are in place?
   c. Where is your disaster recovery facility located?
   d. Type of mainframe and server hardware located at your disaster recovery facility.
   e. Staffing
2. Does your disaster recovery facility maintain mirror images of production systems and data, or just backup data?
3. If mirror images are maintained, how often are the images refreshed from production?
4. In the event of a disaster, can full production services be switched over to the disaster recovery systems, and how quickly?
5. Does your company have a documented disaster recovery and business continuity plan?
   a. Please provide a summary of how applications/system functionality and data would be restored for XyberNET Inc. and its clients according to this plan.
6. How do you determine priority order for bringing your client base up?
7. How often are your disaster recovery procedures tested and what are your test execution success criteria?
Facility

1. Does your facility provide direct fiber connection from the hosted mainframe to XyberNET's firewall and from XyberNET's firewall to a supplied ISP?
2. Please provide an overview of your facility's electrical power capabilities in relation to power consumption needs, including emergency backup power resources.
3. Will you supply dedicated power circuits to XyberNET's equipment and maintain IBM standards for clean and sufficient power to the mainframe?
4. Please explain how your facility complies with (ESD) Electro Static Dissipation standards.
5. Describe your fire suppression systems in detail.
6. What are the standard room temperature and humidity operating levels of your facility?
7. What tier level is your data center?
8. Is your facility a bunker or silo?

Security

1. Describe how your facility protects stored data (data at rest) from unauthorized access.
   a. Is this protection enabled by default, or is it optional?
   b. If encryption is used, please describe the algorithm or bit strength.
2. What methods are employed to protect data being transferred between systems installed within your facility (i.e. mainframe data being transferred to a database server)?
3. Do you have clients that generate data requiring physical storage, outside of their active systems, in excess of one year (i.e. tape, disk, reporting, feeds)?
4. Does your company have a formal, written information security policy and program? If so, please provide a copy of any supporting documentation.
   a. Please provide a brief summary of what is covered in the policy and program.
   b. How is this policy communicated to employees and contractors?
   c. How often is the policy updated?
5. Does your company use the following Information Security Technologies on all platforms that will host, process, transmit or store XyberNET's or its clients' data:
   a. Network Firewalls
   b. Network Intrusion Detection/Intrusion Protection Systems
   c. Host Intrusion Detection/Intrusion Protection Systems
   d. Anti-virus software
6. Does your company employ or contract with external auditors and/or external security companies to perform regular information security tests (penetration tests)?
   a. If yes, please list the frequency and parameters of the tests.
7. Has your company undergone a third party audit of its IT control policies and procedures such as a SAS70/SSAE16?
   a. If yes, please attach a summary of the findings and any relevant documentation.
8. Are you PCI compliant?
9. Does your company have a formal process for tracking and remediation of security vulnerabilities and security patches?
   a. Please describe.
10. Provide the methods that would be used to physically, or logically, segregate XyberNET's or its clients' data from other clients' data.
11. Provide frequency and rotation schedule for backups of your customers' data, including offsite storage procedures and controls used to ensure media is accounted for during transport and storage.
12. Provide the method by which you would perform a data breach notification as it relates to your customers.
13. Does your company have a tool that enables you to create a discrete data snapshot for archived storage if needed? Snapshot should only contain identified data; it should not be a full server backup that includes unneeded data.
14. Do you have a procedure in place for complying with legal or audit hold requests to suspend data destruction? Provide the procedure or describe the process for notifying you of a hold and for monitoring items placed on hold.
15. Do you have a documented procedure to destroy or securely delete confidential or sensitive data and the media types on which they reside at the end of their lifecycle?
   a. If yes, describe or attach your information and media destruction policies.
16. List all physical locations where XyberNET Inc. and its clients' data will be processed or stored, and controls that secure against unauthorized access and removal from those facilities (card readers, palm readers, electronic gates, video surveillance, iris/retina scanners, etc.).
Software applications currently in use:

Detail | Do you Currently Own (Y/N) | Enterprise License (Y/N)

ASG TMON for CICS/ESA
ASG TMON for MVS (z/OS)
ASG OASIS
ASG ZEBB
ASG ZEKE
ASG SmartScope
BMC MAINVIEW SRM (STOPX37)
CA ADVANTAGE CA DADS PLUS for CICS
CA ALLFUSION CA OPTIMIZER/II
CA BRIGHTSTOR CA 1 TAPE MGMT
CA BRIGHTSTOR CA ISM CA EXTEND/DASD VSAM Compression
CA BRIGHTSTOR CA ISM FAVER VSAM Protection
CA BRIGHTSTOR CA ISM CA MASTERCAT VSAM Catalog Management N/A
CA BRIGHTSTOR CA ISM CA VSAMAID VSAM Tools
CA Common Services (CA90s)
CA UNICENTER CA EASYTRIEVE PLUS REPORT GENERATOR
CA JCLCHECK
CA View
CA Vtape
Chicago Soft MVS Quick Ref
Compuware File AID/MVS
Compuware Xpediter/TSO
Compuware Xpediter/CICS
CSI fka BIMoyle BIMEDIT
Mackinney VtamSwitch
PKWare PKZIP
SAS Institute Base SAS
SEA $avers
Innovation Data Processing IAM VSAM performance enhancement tool

For the above listed software applications, if you currently do not have licensed copies available, what would your proposal be for obtaining them to meet our business needs?

Pricing

1. Please provide your standard pricing models and terms with lists of included products and services.
2. Please provide your detailed solution proposal for our unique data center needs.