January 21, 2016

RE:Addendum No. 1

Request for Proposal No. 10046

Privileged Account Management

Dear Offeror:

This notice shall serve as Addendum No. 1 to the aforementioned Request for Proposal (“RFP”) and shall for all purposes become part of the original RFP. This Addendum should be considered when preparing your proposal for submission to the LCRA. The Proposal Deadline remains the same.

Please find attached answers to all questions received by January20, 2016.

Sincerely,

Veronica Frederick

Sr. Category Manager

512-426-4099

Questions & Answers

  1. Will users always be on the internal network when accessing the Privileged Account Management interface, or would access need to be available from the internet? ANSWER: Access will not be from the Internet directly. However, we may allow people to VPN in from the Internet into the system, but that should be treated as internal.
  2. How many applications and solutions are required for integration during implementation? Based on the RFP, there were three listed, please confirm if there are any additional (applications) that need to be included.ANSWER: Service Now, MacAfee SEIM and MS Active Directory are the current applications. We like to have the ability to integrate additional applications as needed; therefore, we asked about an API.
  3. Please supply a Network Diagram of Environment ANSWER: This is not available as our network is large with the typical security and firewalls. There is no direct access to every device and we have ~10 highly segregated networks.
  1. How many sessions and end points do you need full recording on? ANSWER: We do not have a quantity but we definitely want the capability for critical, segmented networks. If this is a factor in pricing calculations, please provide pricing based on multiple ranges.
  1. Can you expand the IT Security Requirement #4 itemc)? ANSWER: We do need to deal with changes for SaaS applications.
  1. Can you expand IT Security Requirement #44? ANSWER: If we can wrap the application, we can do a remotely wipe.
  1. Can you expand on Question #59? ANSWER: Ad-hoc and discovery follow standard definitions.
  1. The term "Privileged session management "PSM" can mean several things depending on who you talk to. Does it mean the actual session monitoring of a shared account session and the forensic evidence to support all activity performed during that session (keystroke logging, video, clipboard, webcam, etc)? ANSWER: Yes, for any account or shared account including the actual recording session.
  2. In LCRA's interpretation does “go live” mean the system should be ready to start migrating systems and accounts by end of May 2016 or full production (all systems migrated into the new solution)? ANSWER: We would expect the test, development and production environments would be operational, training would be completed and some of the accounts and systems would be migrated. We do not expect all 2500 devices will be migrated at go live.
  3. Does the solution allow users to have multiple privileged accounts?Is this questing asking if a user may concurrently check out multiple accounts or if they may have multiple accounts associated with their profile ID? ANSWER: Both would be preferred.
  4. What is "OT (plants, ICS) environments? ANSWER: Operational Technology “OT” is purpose built and proprietary systems with different access policies, etc. These are typically hardened systems used in restricted environmentswith24 hour login by shared accounts. ICS is Industrial Control Systems.
  5. What is meant by "escalated permission"? Does this mean can the system alert when a user utilizes a privileged account? ANSWER: We expect discovery and notification when an account has elevated permissions added that were not present previously. We expect the solution to monitor and provide notification for changes to AD and report such changes.
  6. Can you please give some examples of the types of XaaS service environments LCRA uses? ANSWER: SaaS, other cloud environments, business to business, accessing SOAP messages, STP messages, not used by individual and master service accounts with user provisioning. We may be expanding to other cloud services in the future.
  7. Can LCRA clarify the following statement: the solution's mobile application MUST allow LCRA to enforce security policies such as strong passwords, data loss prevention, and compliance controls? Are you inferring the mobile app should allow the same interaction with the solution as you can do with your workstation or are you implying strong passwords, data loss prevention, and compliance controls on the mobile device itself? ANSWER: The latter. We can provide functionality with our EMM (XenMobile) to wrap the application but we may not have capability for all mobile OS.
  8. How many users (admins) will this service be for? ANSWER: Per the Cost section in the Response Template, we estimated 100 Administrators and 5000 shared Admin/Service Accounts.
  9. Please advise what number of unique service accounts (i.e. each gets their ownverses shared accounts or everyone shares one admin ID)? ANSWER: Per the Cost section in the Response Template, we estimated 5000 which includes unique accounts and services running on the systems. We do not have an exact number and if this is a factor in pricing calculations, please provide pricing based on multiple ranges.
  1. In order to provide an accurate cost, we will require the approximate number of managed devices. ANSWER: Per the Cost section in the Response Template, we estimated 5000 which is based on the following: ~1200-1400 OS instances, ~25 domains, ~50 domain controllers, ~60 hypervisors, ~ 400 network devices, ~300 firewalls.
  2. Do you have an estimate for database servers? A single database server may house multiple database instances however the count for licensing purposes is based on the number of login IDs at the server level. ANSWER: We do want to manage SA accounts for each database engine; however, we do not have an exact number and if this is a factor in pricing calculations, please provide pricing based on multiple ranges.
  1. Do you have an estimate for certain cards on a client or server, such as HP iLO or Dell DRAC, which present a network interface to which IT staff can login remotely? ANSWER: We currently use blades/UCS and we do not have an exact number and if this is a factor in pricing calculations, please provide pricing based on multiple ranges.

LCRA RFP #100461