FORM 13
Tender 12/2017
Implementation Services for a new Records Management System for the Central Bank of Cyprus using OpenText Content Server
NON-FUNCTIONAL REQUIREMENTS FOR CBC’S RECORDS MANAGEMENT SYSTEM
Requirement / Compliance YES/NO / Tenderer Response/Comments
1 / Compliance with CBC Infrastructure
1.1 / Operating environment
1.1.1 /
- The racks are nineteen inches (19") wide.
- Electricity is provided by a central UPS 230V / 50Hz. Power Distribution is provided through PDU compliant with BS1363 / 13A standard.
- Data network connections follow the Ethernet 1000BASE-T standard and are Full Duplex - Auto Sensing. Higher speed (e.g. 10 Gbps) connections can be provided if required after Q3 2018.
- Storage Area Network (SAN) connections are 8 Gbps Fiber Channel with LC fiber optic connectors.
- The equipment is configured using fixed IP settings.
- Inside the server rooms, the temperature is set to 20-22 °C.
- For fire-fighting purposes, the FM200 gas system is being used inside the server rooms.
- Direct control of the servers is achieved either through KVM switches or through the exclusive provisioning of a screen, a keyboard and a mouse.
- Contracting Authority’s working hours (excluding Bank Holidays): Monday to Thursday 07:30 to 15:00 and Friday 07:30 to 14:30.
1.2 / Server Rooms
1.2.1 / The Contracting Authority has three (3) server rooms (a Main, a Backup and a Remote Data Center - DRS). The main and the backup server rooms are located in the Contracting Authority’s main building, while the remote server room is located in another building, not more than 20 km away from the Contracting Authority’s main building. Multiple redundant connections exist between the main building and the Remote Data Center for the IP and FC network.
1.3 / IP Network
1.3.1 / • The backbone network operates at 10 Gbps, excluding the connection between the main and the Remote Data Centre, which utilizes a 4 Gbps connection with less than 1 ms latency.
• Servers are connected to the network using single or multiple 1 Gbps or 10 Gbps connections.
• Users’ equipment is connected to the network using single 1 Gbps connections.
• The network is segmented into a number of security Zones of trust and control such as DMZ, production Zone, User Zone, Management Zone and extranet zones. Each Zone is further segmented into pseudo-zones based on the specific security and functional requirements of the associated components/services. Traffic within zones, within pseudo-zones and within zones and pseudo-zones is controlled through the firewalls which operate at all 7 layers of the OSI model.
1.4 / Database Auditing and Real Time Protection
1.4.1 / The Bank uses the product "Imperva X2510 Database Firewall" for database auditing and real time protection.
The system provides the following capabilities:
- Access to tables/columns with sensitive data is audited and information owners will be alerted in case of any unauthorised access.
- Unauthorised access to sensitive data is blocked.
- Protocol attacks (worms, DoS), application attacks (SQL injection) and suspicious activity are detected in real time.
1.5 / General Data Protection Regulation (GDPR)
1.5.1 / As per the EU General Data Protection Regulation (GDPR), the Bank wishes to provide adequate protection of all personal information stored in the proposed Records Management System by means of encryption. The proposed solution shall provide the necessary means for adequate encryption at the database level for all data deemed necessary by the Bank (transparent database encryption, table space/columns encryption).
1.6 / Storage Area Network (SAN)
1.6.1 / The tenderers shall propose their required SAN as the Records Management System will need to utilise its own SAN – the Bank’s existing SAN cannot be used for this system.
1.6.2 / Background information on the Bank’s existing SAN:
• For high availability purposes of the connection between the equipment and the SAN, two separate SAN networks (SAN switches: Brocade 300 and 8 Gbps speed ports) are maintained and all equipment is connected to both of them.
• The two SAN networks are available in the central and backup server rooms and each one extends to the remote server room using 2 Gbps Fiber Channel connection and extended fabric ports with less than 1 ms latency.
1.7 / SIEM (Security Information and Event Management)
1.7.1 / The Bank is in the process of establishing a central collection, categorization and reporting of security incidents and other events from its various systems, network and security infrastructure. The SIEM infrastructure will reside outside the network of the Bank. Appropriate mechanisms will be put in place for the collection, compression and dispatching of the various logs to the central repository.
1.7.2 / The SIEM solution adheres to the syslog protocol. For systems not adhering to the syslog protocol, appropriate mechanisms can be put in place to transform the logs in a format supported by SIEM. In such a case, the successful tenderer shall provide all the required information for the necessary transformation.
1.8 / Load balancers
1.8.1 / The Bank uses a number of KEMP load balancers. A pair of load balancers is placed on the Internal network and another one on the Internet perimeter for external connections. Each pair of load balancers is hosted on the Contracting Authority’s main building and the DRS respectively.
1.9 / Other software and infrastructure components
1.9.1 /
- The Bank uses the following 2 products for backup purposes:
  - Windows environment: Computer Associates ArcServe server release 17.5
  - Unix environment: Veritas NetBackup release 7.5.0.4
1.9.2 / The Bank uses Microsoft Windows Server 2012 R2 Active Directory for User Directory, Time service and Domain Name Service (DNS). The servers will be upgraded to MS Windows server 2016 in Q3 2018.
1.9.3 / All workstations and servers of the Bank run Symantec Endpoint Protection for virus and spyware protection.
2 / Interfaces
2.1 / Office Automation
2.1.1 / The System must interact with the MS-office suite products. Currently the Bank uses MS Office 2013 suite of products. MS Office 2016 will be rolled out to the Bank users by Q3 2018.
2.2 / Electronic mail
2.2.1 / The System must interact with the MS-Outlook client. The Bank uses MS Outlook 2013 pro plus and 2016 pro plus.
2.3 / Web Browsing
2.3.1 / The system must be compatible with the browser versions used by the Bank. The Bank uses MS IE ver 11 and MS Edge.
2.4 / Business applications
2.4.1 / The system must interact with Oracle Forms systems.
3 / Performance
3.1 / End-user actions
3.1.1 / The system must not have any significant impact upon the current average response time for users dealing with records (in terms of performance).
3.1.2 / Opening a record, or its metadata, must take no more than 3 seconds if the object is located on the highest quality storage class (end-to-end response time). Searches must take less than 5 seconds (from issuing the search request until the presentation of the first hit list on the user desktop).
3.2 / Server actions
3.2.1 / A distributed service allows for the core components of the system, such as the database server, web server, file store and authentication services to be run on separate servers.
3.2.2 / The services of the system must support load balancing.
4 / Criticality Issues
The system is assessed as Highly Critical for the CBC, in terms of Availability, Confidentiality and Integrity.
4.1 / Availability
4.1.1 / The system will be available on a 24x7 basis. As the system’s time-criticality is high, the maximum allowed outage is between 1 and 4 hours.
High-availability of the service is of paramount importance to ensure that users can rely on having access to records at any time.
4.2 / Integrity
4.2.1 / A solution for mirroring data to a backup site, with a plan as well as a fall-back server to take over within a day in case of problems.