REQUEST FOR PROPOSAL #127-09
DUE DATE: APRIL 3, 2009, 5:00 pm, CST
OPENING DATE: APRIL 6, 2009, 2:00 pm, CST
COUNTY DISASTER RECOVERY AND
BUSINESS CONTINUITY PLANNING
DEBORAH SCALES, PRINCIPAL BUYER
Room 830*716 Richard Arrington Jr. Blvd N
Birmingham, Alabama 35203
Phone: (205) 325-5383
Email:
No faxed or emailed responses will be accepted
JEFFERSON COUNTY COMMISSION
PURCHASING DEPARTMENT
ROOM 830 * 716 RICHARD ARRINGTON JR BLVD N
BIRMINGHAM, AL 35203
(205) 325-5383
PRINCIPAL BUYER: DEBORAH SCALES MARCH 20, 2009
BID NO: 127-09
SHEET NO: 2
REQUEST FOR PROPOSAL
Scope
1. Jefferson County Information Technology Department (DOIT) does not have a disaster recovery plan. Therefore DOIT has limited expertise within disaster recovery planning. After reading this RFP, if you feel that DOIT missed critical requirements, please note the missing requirements and include them in your response.
2. The scope of the RFP is to include all key Disaster Recovery Planning and Business Continuity Planning areas, including, but not limited to:
· Business Impact Assessment (BIA),
· Risk & Vulnerability Assessment including risk mitigation recommendations, and
· Detailed Disaster Recovery Plan (DRP) and Business Continuity Plan (BCP) including maintenance, training, testing and exercising.
3. The project goal is to prevent interruption of mission critical County services and to re-establish full functionality as quickly and smoothly as possible.
4. The Jefferson County Department of Information Technology (DOIT) seeks to eliminate potential downtime of the critical systems and applications under the department’s responsibility in the event of a disaster.
5. The purpose of this RFP is to establish a contract (County Purchase Order) with a vendor with proven experience in performing a Disaster Assessment and in documenting a Disaster Recovery and Business Continuity Plan within an organization similar in size and scope to the Jefferson County.
6. Within the scope of this RFP the County requests that a Business Impact Assessment of the County’s business operations be conducted to evaluate risks and vulnerabilities under specific types of disaster scenarios. It is the expectation that a Business Impact Assessment should be included within the scope of this RFP for Disaster Recovery and Business Continuity Planning Services.
7. DOIT is seeking a Business Impact Analysis (BIA) and a Risk Assessment (RA) to analyze and document the departmental business processes, map the departmental business processes to information technology systems, classify the processes and systems into tiers of criticality, delineate the recovery time objectives and recovery point objectives for the systems, and determine the process and application dependencies.
8. The BIA and RA must produce the business justifications for a technology solution through the discovery and establishment of the business supported metrics necessary for the classification, selection, and implementation of technologies for mitigation of various disaster scenarios.
Sheet 2 of 19
JEFFERSON COUNTY COMMISSION
PURCHASING DEPARTMENT
ROOM 830 * 716 RICHARD ARRINGTON JR BLVD N
BIRMINGHAM, AL 35203
(205) 325-5383
PRINCIPAL BUYER: DEBORAH SCALES MARCH 20, 2009
BID NO: 127-09
SHEET NO: 3
REQUEST FOR PROPOSAL- Continued
9. The DRP will determine application (software/data) recovery time objectives (RTO) and recovery point objectives (RPO). A recovery priority tier (current disaster recovery tiers) based on industry standards are to be assigned to each critical application. The application list, RTO and RPO will be determined by interviews of County personnel.
10. Jefferson County of Alabama (Jeffco) is the most densely populated county in the State of Alabama with two County courthouses, Birmingham and Bessemer. The information technology/services needs of the County are supported by the Jefferson County Department of Information Technology (DOIT). DOIT currently supports the business applications for the following areas: Board of Equalization, Budget Management Office, County Attorney, Community and Economic Development, Emergency Management Agency, E-911 Center, Environmental Services, Finance, General Services, Inspection Services, Land Development, Payroll Services, Revenue, Roads and Transportation, Tax Assessor, Treasurer, Board of Registration, Cooper Green Mercy Hospital, District Attorney, Family Court, Fleet Management, Jefferson Rehabilitation and Health Center, Office of Senior Services, Pension Office, Probate Court, Human Resources, Sheriff’s Office, and Tax Collector’s Office. In addition to the support of the aforementioned areas, DOIT additionally supports the information technology needs of the Geographic Information Systems (GIS) Division and the County’s Electronic Document Management Systems (EDMS).
11. DOIT works under strict regulations regarding information protection through federal, state, and local regulatory requirements. DOIT’s objective is to provide a robust disaster tolerant environment that offers the availability of the information systems by criticality and that functionally provides protection of information stored on these systems.
Data Center Description (see Appendix A – diagram)
1. The Jeffco data center is located on the seventh floor annex in the Jefferson County Courthouse on the corner of Richard Arrington Boulevard North and Eight Avenue North. There is no service elevator, and all movements of equipment must be coordinated with the Director of General Services to protect the floors, walls, elevators and all aspects of the building structure. The successful bidder will be responsible for repairs in compliance with the director’s standards for any physical facility damages resulting from this project. Examples of such damages are: chipped flooring, scraped paint on wall or scratch on marble.
2. Electrical, air conditioning and equipment delivery/removal must be coordinated with the General Services Department.
3. A document describing electrical, heat load and footprint requirements must be provided to Jeffco, so Jeffco can provide for these resources. Delivery of all items to the data center and any other delivery-associated cost, sometimes called inside delivery, are the responsibility of the bidder.
Sheet 3 of 19
JEFFERSON COUNTY COMMISSION
PURCHASING DEPARTMENT
ROOM 830 * 716 RICHARD ARRINGTON JR BLVD N
BIRMINGHAM, AL 35203
(205) 325-5383
PRINCIPAL BUYER: DEBORAH SCALES MARCH 20, 2009
BID NO: 127-09
SHEET NO: 4
REQUEST FOR PROPOSAL- Continued
4. The data center consists of three hardware platforms: Unisys NX6800 mainframe, Sun Solaris (database, application and web servers) and Intel (database, application and web servers).
5. DOIT deployed in the WINTEL production environment a software product to create virtual Windows machines (VMware). This software gives the County the ability to isolate applications which may be running on the same physical server.
6. Most servers are attached to a Storage Area Network (SAN) comprised of Brocade 4900 switches and EMC DMX2000 storage.
7. Oracle 9i & 10G and Microsoft SQL Server 2005 are the DBMS of choice for open systems applications.
8. Web servers are the current version of Microsoft IIS with Tomcat under Windows and Apache with Tomcat under Solaris.
9. Sun One directory Services (LDAP) is userid/password synchronized by Sun Identity Manager to Microsoft Active directory.
10. The Jeffco Emergency Management Agency (EMA) is provided services from the data center and is network attached. The EMA may take emergency calls and dispatch emergency responders without the data center, but EMA services and public notification are greatly enhanced with the data center resources.
11. The 911 Center is also network attached to the data center and, like EMA, can operate without the data center, but capabilities are enhanced by data center resources.
12. Jefferson County Rehabilitation and Health center (JCRH) and Cooper Green Mercy Hospital are likewise network attached to the data center. The JCRH computer systems are located in the DOIT data center. Cooper Green does have its own data center, but there are some resources provided by the Jefferson County DOIT data center. HIPAA regulations apply to both of these organizations.
13. There are five satellite courthouses located within the County to provide convenient access for the public. The buildings are network attached to the data center.
14. DOIT is utilizing a Cisco switched Ethernet network.
15. DOIT has implemented LANDesk Management Suite & Security Suite.
16. DOIT uses an electronic job scheduler from SMA (OpsCon\xps).
Sheet 4 of 19
JEFFERSON COUNTY COMMISSION
PURCHASING DEPARTMENT
ROOM 830 * 716 RICHARD ARRINGTON JR BLVD N
BIRMINGHAM, AL 35203
(205) 325-5383
PRINCIPAL BUYER: DEBORAH SCALES MARCH 20, 2009
BID NO: 127-09
SHEET NO: 5
REQUEST FOR PROPOSAL- Continued
17. DOIT utilizes VERITAS NetBackup Enterprise Edition 6.5.3 as an enterprise backup solution. NetBackup and ACSLS manage two SUN/STK L700 automated library systems.
a. Open System Backups are performed on L700E utilizing (12) 9940-B drives which support Windows 2000 and 2003 Server and SUN Solaris 10 server environments.
b. Unisys NX6830 mainframe uses an L700 with (3) 9840-A tape drives.
i. Unisys NX6830 mainframe uses 3480 drives and tapes to backup data bases and to create tapes for microfiche. Unisys NX6830 mainframe uses 3480 drives and tapes to perform data bases backups and to create tapes for microfiche.
ii. 4mm tapes are used to copy databases from the production NX6830 to the development Libra 300 system.
18. DOIT utilizes Iron Mountain for off-site storage of magnetic media.
Network
1. The County’s local area network encompasses seven (7) buildings on the downtown campus. The wide area network touches twenty (35) remote sites located throughout the County using a combination of dark fiber, Metro Ethernet, and T1. The campus network consists of a gigabit backbone with 100Mbs to the desktop. Remote site connections vary from gigabit to 10Mbs Metro E. Desktop speeds at remote sites are also 100Mbs.
2. The County’s network is a routed network powered by Cisco 6500s at the core, and in many of the larger distribution closets. Smaller distributions closets are equipped with Cisco 3700 switches. Wireless networking is currently being deployed as needed throughout County facilities.
3. A firewall filters Internet traffic to Jefferson County where Internet-accessible sites are hosted. Other forms of remote access are available upon request and sponsorship approval. All routing is done by Cisco equipment, and routing must be turned off on all hosts. All connecting desktops are running County-approved antivirus. Jefferson County’s network is converged, supporting voice and video in addition to data.
Sheet 5 of 19
JEFFERSON COUNTY COMMISSION
PURCHASING DEPARTMENT
ROOM 830 * 716 RICHARD ARRINGTON JR BLVD N
BIRMINGHAM, AL 35203
(205) 325-5383
PRINCIPAL BUYER: DEBORAH SCALES MARCH 20, 2009
BID NO: 127-09
SHEET NO: 6
REQUEST FOR PROPOSAL- Continued
Requirement
1. A successful bidder must utilize industry best practices in its Disaster Recovery and Business Continuity Planning / Management services through its adoption of industry and federal standards of analysis, structure, and reporting.
2. Perform a detailed Disaster Recovery Assessment of all County Departments.
3. Develop a detailed Disaster Recovery Plan (DRP) that will support the County.
4. Develop a detailed Business Continuity Plan (BCP) to support all County Departments.
5. Via the Disaster Recovery Assessment, the DRP must provide the process and procedures that the County will follow to resume or continue business functions when a major catastrophic, disruptive event denies or has the potential to deny access to the normal procedures and/or facility for an unacceptable period of time. The plan must provide detailed procedures to facilitate recovery of mission critical business functions at one or more secondary site(s) in the event that access to the primary site is denied. The DRP should provide full recovery procedures for all business critical functions in the event of total or extended loss.
a. An Occupant Emergency Plan (OEP) - a plan for occupants of the facility in the event a situation posing a potential threat to the health and safety of personnel, the environment, or property should occur.
b. A Crisis Communication Plan (CCP) - policies and procedures for the coordination of communications within the organization during disruptive events, and between the organization, the media, and the public in the event of an emergency.
c. An Emergency Management Plan (EMP) – plan to provide guidance, framework, and procedures for County wide response during a major emergency or disaster.
6. Analysis – Disaster Recovery Assessment
a. Impact analysis ( Business Impact Analysis, BIA)
I. Differentiation between critical and non-critical County business functions \ applications
II. Legal requirements must be defined and followed in defining critical business functions \ applications.
Sheet 6 of 19
JEFFERSON COUNTY COMMISSION
PURCHASING DEPARTMENT
ROOM 830 * 716 RICHARD ARRINGTON JR BLVD N
BIRMINGHAM, AL 35203
(205) 325-5383
PRINCIPAL BUYER: DEBORAH SCALES MARCH 20, 2009
BID NO: 127-09
SHEET NO: 7
REQUEST FOR PROPOSAL- Continued
III. For each critical and non-critical business function \ application the following values are to be assigned:
1. Recovery Point Objective (RPO) – the acceptable latency of data that will be recovered
2. Recovery Time Objective (RTO) – the acceptable amount of time to restore the function
IV. Define the recovery requirements for each County business function/ application. The recovery requirements must consist of the following:
(1) The business requirements for recovery of the business function
(2) The technical requirements of the recovery of business function
V. A recovery priority tier based on disaster recovery industry standards is to be assigned to each application. For reporting purposes create a business function/application recovery tier and recovery time matrix.
b. Threat analysis
Define potential threats and recommend detailed specific disaster recovery steps unique to the defined threat / disaster.
c. Definition of impact scenarios
Define the impact scenarios and document the recovery process to be used in a recovery plan.
d. Recovery requirements documentation
Define and document the business and technical requirements that are needed to begin the implementation phase
7. Include examples for the Business Impact Analysis (BIA) and Risk Assessment (RA) along with sample architectures of the future state.
8. At the completion of the BIA / RA phase the successful RFP responder will present an executive report to the County Commission.
9. The DRP and BCP will include documented backup and restore standards and procedures for all electronic data, including applications, operating systems, database management systems and databases. Include the option of offsite data replication of enterprise critical data with cost analysis.
Sheet 7 of 19