Attachment “A”
RFP#0074
Identity and Access Management
Attachment A for RFP#0074
Functional & Technical Requirements
Issue:
Issue Date:
1.0
October 13, 2015
1
Attachment “A”
RFP#0074
Copyright © 2013 Independent Electricity System Operator. All rights reserved.
Table of Contents
1.
Introduction .......................................................................................................................................................... 3
1.1
Purpose ............................................................................................................................................................ 3
2.
Functional & Technical Requirements .............................................................................................................. 3
3.
Background of Existing Processes ..................................................................................................................... 3
4.
5.
3.1.1
Add Person............................................................................................................................................... 4
3.1.2
Change Person ......................................................................................................................................... 5
3.1.3
Extending a Rotation ............................................................................................................................... 5
3.1.4
Extended Absence.................................................................................................................................... 5
3.1.5
Leaves: Suspension of Building and Remote Access .............................................................................. 6
3.1.6
Leaves: Return to work ............................................................................................................................ 6
3.1.7
Remove Person ........................................................................................................................................ 6
3.1.8
Extending a Contractor or Temporary Employee .................................................................................... 7
3.1.9
Review Access ......................................................................................................................................... 7
Functional Requirements ........................................................................................................................................ 8
4.1.1
Manage Role Definitions ......................................................................................................................... 8
4.1.2
Manage Role Access .............................................................................................................................. 10
4.1.3
Review Role Access .............................................................................................................................. 13
Technical Requirements........................................................................................................................................ 15
5.1.1
VENDOR RESPONSE CODES ............................................................................................................ 15
5.1.2
Availability and Reliability .................................................................................................................... 16
5.1.3
Performance ........................................................................................................................................... 17
5.1.4
Transaction Volume ............................................................................................................................... 17
5.1.5
Usage Profile ......................................................................................................................................... 18
5.1.6
Data Retention ....................................................................................................................................... 18
5.1.7
Access Control ....................................................................................................................................... 19
5.1.8
Logging and Reporting .......................................................................................................................... 21
5.1.9
Integration with IESO Systems .............................................................................................................. 22
5.1.10
Vendor Risk ........................................................................................................................................... 24
5.1.11
Browser and Thick Client Support ......................................................................................................... 25
5.1.12
IT Architecture ....................................................................................................................................... 26
5.1.13
Servers, Storage and Network ................................................................................................................ 27
5.1.14
Migration Requirements ........................................................................................................................ 28
6.
Information Model ................................................................................................................................................ 29
7.
IESO System Overview ........................................................................................................................................ 29
2
Attachment “A”
1.
Introduction
1.1
Purpose
RFP#0074
1
The purpose of this document is to specify the requirements for the Identity Access Management Solution. The
document specifies technical and high level functional requirements for the Identity Access Management
solution.
2
This document will be used in conjunction with the Request for Proposal (RFP) to identify, procure and
implement an Identity Access Management solution that provides automation and electronic information
management related to an Identity Access Management solution.
2.
Functional & Technical Requirements
1
The requirements listed for each functional area are not intended to be exhaustive, but are aimed at providing a
high-level description of the major information and processing capabilities needed.
2
It is critical that all the functionality in the proposed solution provided be clearly described, and that the
proposal includes specific descriptions of the complete functionality. It is also critical that where applicable,
the respondent provides details for any previous experience implementing the solution or functionality.
Specific emphasis during the evaluation of any proposal will be placed on the functionality that meets the
requirements to the highest degree as described in this document.
3
It is the sole responsibility of the respondent proposing the solution to ensure that they fully understand the
functional and technical requirements. If any of the functional or technical requirements are unclear or if the
concept or requirement is not fully understood, it shall be the respondent's responsibility to contact the IESO
for further clarification as laid out in the RFP document.
4
Comments should be provided for most, if not all, requirements as necessary, to explain how the functionality
will be met by the proposed solution and to provide sufficient details and context in order to avoid
misunderstanding during evaluation. Response to these requirements will be used as the first step in evaluating
the respondent.
5
Respondents must describe the full extent of the functions present in the base solution; specify need for
customization and configuration of the base solution; and explain the implementation of each function (e.g.
what information is needed, in what format, and how each function is implemented.)
6
Respondents must specify any additional cost pertaining to delivering any function not covered by base
solution using the table provided in the Pricing Proposal Template.
7
Respondents must also estimate the amount of effort required by IESO staff (and resource type) to carry out the
implementation of each function using the table provided in the Pricing Proposal Template.
3.
1
Background of Existing Processes
The IESO has a current set of access grant/revoke/change processes that can provide an understanding of the
current landscape. These processes will need to be modified as part of the solution implementation but they
can provide the relevant insight into how the IESO currently manages access.
3
Attachment “A”
3.1.1
RFP#0074
Add Person
1
When Human Resources personnel receives the new employee’s signed acceptance letter, they will advise the
direct supervisor’s admin assistant and the Staff Notification Officer (currently Building Security staff) via a
notification email issued by Human Resources Information System (i.e. SAP SuccessFactors). The Staff
Notification Officer will send an ‘Add Person Notification’ email to several departments, including IT
Operations and Facilities, with a copy to the supervisor.
2
If the new person is a regular or temporary employee, the supervisor must have the signed letter of offer with
security clearances and a signed non-disclosure agreement.
3
If the new person is a contractor, the contract manager must have the signed procurement contract with security
clearances and a signed non-disclosure agreement.
4
All new staff (regular, temporary, and contractor) must have signed the code of conduct and provide proof of
base security training completion to Building Security staff prior to being given electronic or unescorted
physical access to IESO.
5
The Staff Notification Officer initiates the provisioning of: (1) access to IESO controlled assets; (2)
workspace; and (3) electronic assets with an email notification to the IT Service Desk containing the following
information:
a)
Name of person – documented last name and first name
b)
“Preferred to be called”
c)
Title (Mr., Ms., etc.)
d)
Start date
e)
Termination date (for temporary employees and contractors)
f)
Name of direct supervisor
g)
Division/Department
h)
Person class (regular, temporary, contractor)
i)
Accounting code
j)
Primary work location
6
The IT Service Desk opens a Person Change ticket using the HP Service Manager for the ‘Add Person
Notification’.
7
End dates for the building access, domain access and remote access must be set for all contractors. The IT
Service Desk will be responsible to set reminder dates for these end dates in the HP Service Manager. HP
Service Manager automatically triggers email reminder to the direct supervisor as end date approaches and will
issue a ‘Remove Person Notification’ email to Staff Notification Officer 4 days before end date.
8
Contractors cannot be granted a duration period exceeding twelve months for access control points at which
time the contract manager must approve a request to renew them if the contractor is to work beyond twelve
months.
9
End dates for the building access, domain access and remote access must be set for all temporary employees.
The IT Service Desk will be responsible to set reminder dates for temporary employees in the same manner
done for contractors.
10
The IT Operations (ITOPS) Customer Support requests the access requirements for the new person by sending
the person requirements form to the supervisor. The form specifies the new person’s requirements for:

Access to IESO information and systems (including remote access) and buildings

Physical assets such as computers, telephone, Blackberry,

Workspace requirements, including location, special ergonomic needs, etc.
Note: the supervisor may assign a delegate, as long as the delegate is at least at section head level.
4
Attachment “A”
RFP#0074
11
The supervisor completes the requirements form (i.e., staff interview) and submits the form to the IT Service
Desk for implementation.
12
IT Operations will open service request tickets for physical assets and for setting up the workspace.
13
Related Person Change ticket tasks are spawned to various groups to delivering building access, access to
IESO systems and information, and setting up the workspace and equipment for the new person. These tasks
provide audit trail for work completion and document the access that was requested and granted. If a supervisor
needs an update, the supervisor shall call the IT Service Desk to find out the status of the various service
requests – the IT Service Desk can access all the tickets.
14
If the new person needs access to the Enterprise Records Management solution with access control restrictions,
the supervisor shall send an email request to IT Service Desk for Person Change ticket to record the request
and to open a service ticket. The Enterprise Records Management solution support team receives the service
ticket, completes the authorized request, and closes the service ticket.
3.1.2
Change Person
1
When Human Resources personnel receive the employee’s promotion, acceptance or transfer letter, they will
advise the Staff Notification Officer (currently Building Security staff) via a notification email issued by
Human Resources Information System (i.e. SAP SuccessFactors). The Staff Notification Officer will send a
‘Change Person Notification’ email to several departments, including IT Service Desk and Facilities, with a
copy to the supervisor.
2
The IT Service Desk opens a Person Change ticket in HP Service Manager and assigns the ticket to IT
Operations (ITOPS) Customer Support.
3
After receiving the Change Person ticket , the ITOPS Customer Support and the Facilities department will
contact the new supervisor to determine any changes to the employee’s requirements for:

Access to IESO information and systems, including remote access. ITOPS shall be sure to revoke
access that is no longer needed.

Workspace and equipment requirements
Note: the supervisor may assign a delegate, as long as the delegate is at least at section head level.
4
The supervisor completes the requirements form (i.e. staff interview) and submits the form to the IT Service
Desk for implementation.
IT Operations will open service request tickets for physical assets and for setting up the workspace.
5
The Supervisor contacts the Enterprise Records Management solution support team to change the employee’s
previous access rights. The Supervisor must ensure to revoke access for the subject person that is no longer
needed.
3.1.3
Extending a Rotation
1
If a supervisor wishes to extend the end date for a rotation, and the home department supervisor agrees, will
contact Human Resources (HR). HR will let the supervisor know if this is allowed under the IESO collective
agreements.
2
The supervisor sends an email to the Staff Notification Officer with the new end date. The Staff Notification
Officer will ensure the end date reminder is updated.
3.1.4
1
Extended Absence
If an employee will be absent for four weeks or longer, or if the current absence is expected to exceed four
weeks, the Pay Services must send the IT Service Desk a request to suspend the employee’s building and
remote access. If an end date for the absence is known, the Pay Services includes it in the email.
5
Attachment “A”
3.1.5
RFP#0074
Leaves: Suspension of Building and Remote Access
2
When an employee is approved for an extended leave, such as parental, compassionate or educational leave,
the supervisor sends an email to the Staff Notification Officer with the leave start and end dates. The Staff
Notification Officer will send an email, ‘Suspend Access Notification’ requesting the IT Service Desk to
suspend the employee’s access during the leave. The recipients of this notice will also update the organization
charts and suspend the employee’s business credit card for the duration of the leave.
3
If there are sound business reasons, the employee’s access may continue during the leave. The supervisor must
email the IT Service Desk with the reasons and request that the employee’s access not be suspended during the
leave.
3.1.6
1
Leaves: Return to work
As the end of the leave approaches, the Pay Services will contact the supervisor to confirm when the employee
will return to work. On receiving supervisor’s confirmation, the Pay Services will issue a ‘Restore Access
Notification’ to restore the employee’s access just before the return to work.
3.1.7
Remove Person
3.1.7.1
1
Normal Departure
When a supervisor receives a departure letter from an employee (resignation or retirement), the supervisor
forwards the letter to Pay Services to start their departure processes, and sends an email to the Staff
Notification Officer (Building Security staff), who will start the ‘Remove Person’ process.
Note: The supervisor must forward the departure letter and send the notification at least seven days before the
departure date so that the process service levels can be met.
2
If the person is a contractor, the contract manager must email the Staff Notification Officer to start the
‘Remove Person’ process.
3
The supervisor sends the email notice to the Staff Notification Officer mailbox and includes the following:
4

Person’s name

Departure date

Supervisor’s name

Department

‘Person class’, i.e., contractor, temporary, regular

Accounting code

Primary work location
The supervisor receives an automated reminder of a contractor or temporary employee approaching their
scheduled departure date. Access will be revoked unless supervisor extends the departure date.
3.1.7.2
1
Departure with Security Concerns
If a supervisor has security concerns (even though the employee or contractor has left voluntarily), the
supervisor must contact the IT Service Desk; and ask them to start the ‘Rapid Departure’ process.
Within one hour:

Building access will be removed
6
Attachment “A”

RFP#0074
Access to IESO information and systems (including remote access) will be removed
The Supervisor must:

Inform Human Resources that the supervisor has made this request.

Information Security will review the records left by the departed person to determine follow-up.
3.1.8
Extending a Contractor or Temporary Employee
1
If a supervisor wishes to extend the end date for a temporary employee, the supervisor must contact Human
Resources. Human Resources will let the supervisor know if this extension is allowed under the IESO
collective agreements.
2
For temporary employees, if supervisor wishes to extend their access to IESO buildings and systems, the
supervisor must send an email to the Staff Notification Officer with the new departure date. The Staff
Notification Officer will send out an ‘Extend Person Notification’ email.
3
For contractors, if a supervisor wishes to extend the end date for their access to IESO buildings and systems,
the contract manager must send an email to the Staff Notification Officer with the new departure date. The
Staff Notification Officer will send out an ‘Extend Person Notification’ email.
3.1.9
1
Review Access
Every calendar quarter, a supervisor must:

For electronic access, verify that all user accounts, user account groups, or user role categories, and
their specific, associated privileges are correct and are those that the organization determines are
necessary.

Verify that access to the designated storage locations for Critical Cyber Asset Information, whether
physical or electronic, are correct and are those that the organization determines are necessary for
performing assigned work functions.
7
Attachment “A”
RFP#0074
4. Functional Requirements
4.1.1
Manage Role Definitions
Capability:
The IESO will establish a number of business roles. Each of the business roles will be assigned specific access rights to an asset (i.e. system or building
component) that are required by a person to execute the processes and procedures assigned to the business role. For details, refer information model and IESO
system overview diagrams provided at the end of this section.
The IESO will:
a) Define system and building components, their access rights (i.e. privileges), and associated metadata (e.g. name, description, owner, steward, type,
classification, etc.)
b) Compose access groups (i.e. technical roles) where each access group represents a set of access rights for a component.
c)
Manage changes to IESO’s component list, access rights, access groups, and associated metadata; and maintain a time stamped audit trail of all changes.
d) Compose access roles (i.e. business roles), their access rights/groups memberships, and associated metadata (e.g. name, description, owner, steward,
type, classification, etc.)
e)
Map job roles, defined in SAP SuccessFactors, to access roles.
f)
Map training prerequisites to access roles; where the training curriculum is defined in Learning Management System module of the SuccessFactors.
g) Manage changes to IESO’s access roles, their access rights/groups memberships, training prerequisites, and associated metadata; and maintain a time
stamped audit trail of all changes.
h) Track a role definition change request from its inception to approval and implementation.
i)
Assign (i.e. delegate) role stewardship (e.g., during vacation etc.)
Vendor to describe related product functionality, workflows, automation through systems integration, major features, limitations, etc.
8
Attachment “A”
RFP#0074
<Vendor Response>
9
Attachment “A”
4.1.2
RFP#0074
Manage Role Access
Capability:
IESO will confer membership to a person’s user account(s) in predefined roles, change existing role membership for a person’s user accounts, and revoke a
person’s user account(s) role membership.
Some roles have training prerequisites. A person, being granted the request, requires completion of a predefined set of training courses prior to being granted
authorized cyber access, unescorted physical access in a physical security perimeter (PSP), and access to designated storage locations, whether physical or
electronic, for BES Cyber System Information.
Upon a person’s termination, IESO will revoke the person’s user account cyber access, unescorted physical access in a PSP, and access to designated storage
locations, whether physical or electronic, for BES Cyber System Information within 24 hours.
Upon onboarding a person as an IESO employee, the person’s profile information is created and maintained in the SuccessFactors. The new hire will require
completing one or more training in SuccessFactors. The prerequisite training will be based on the person’s job role. For the contractors, the SuccessFactors
learning module is used to track their training requirements; however, contractors do not have a profile in the SuccessFactors - a local account is created in
SuccessFactors for purpose of accessing training module. For a new staff, the base set of access privileges are determined based on the person’s job role. The
base set of privileges could be revised and fulfilled upon approval at any time. The IESO will:
a)
Create an employee user account based on person’s profile information (e.g. name, account, job role, organizational unit) stored in SuccessFactors.
b) Create a contractor user account based on person’s local account created in SuccessFactors.
c)
Revise a person’s user account base set of access role membership with date effectivity and authorize the changes.
d) Grant a person’s user account non-BES access role memberships with date effectivity based on the person’s job role and start/end dates defined in
SuccessFactors.
e)
Grant a person’s user account BES access role memberships with date effectivity based on the person’s job role and start/end dates defined in
SuccessFactors once the person meets the prerequisite training requirements.
f)
Grant a person’s user account physical access to the IESO site(s) on the first day on the job (i.e. start date.)
g) Specify time of day limits needed for access for a person or specific groups (e.g. students, contractors.)
h) Track progress of grant access requests by authorized individuals (e.g. the person, person’s superiors, administrators, etc.)
i)
Log a time-stamped audit trail of grant access request, approval/rejection, activation, implementation, etc.
j)
Fulfil approved access rights for a person’s user account in the downstream systems (e.g. Active Directory and other application data repositories) for
purpose of user account authentication and authorization.
10
Attachment “A”
RFP#0074
A person’s job role could permanently or temporarily be changed or get suspended if the person accepts a new position, goes on rotation, or leaves the
organization for an extended period respectively. As a result the person’s profile information is updated in the SuccessFactors. The new job role could have
additional prerequisite training requirements. The IESO will:
k) Change a person’s user account access role membership.
l)
Retain a person’s user account’s current access role memberships in a suspended state when adding the person’s user account to any new access role
membership (e.g., instead of having to remove the person’s existing user account access role membership to suspend it.)
m) Change a person’s name and other attributes and the associated account IDs and other account specific attributes (e.g. name change due to marriage.)
n) Notify specified role members and individuals of a person’s and user accounts attribute changes.
o) Issue reminders before a scheduled end date for a person’s user account role change based on the date effectivity information.
p) Log a time-stamped audit trail for each access change request, approval/rejection, activation, implementation, etc.
At the time of off-boarding a person, the person’s profile information is updated in the SuccessFactors. Revoke a person’s user account(s) and associated role
memberships.
q) Remind contract manager or supervisor of a contractor or temporary employee approaching their scheduled departure date. Access will be revoked
unless contract manager or supervisor extends the departure date.
r)
Remove a person’s user account cyber access, unescorted physical access in a PSP, and access to designated storage locations, whether physical or
electronic, for BES Cyber System Information within timelines ranges, such as within an hour, 24 hours, 7 days, etc.
s)
Issue a confirmation notification of a person’s user account role membership revocation to specified role members and people.
t)
Log a time-stamped audit trail for an access removal request, approval/rejection, implementation, etc.
Vendor to describe related product functionality, workflows, automation through systems integration, major features, limitations, etc.
11
Attachment “A”
RFP#0074
<Vendor Response>
12
Attachment “A”
4.1.3
RFP#0074
Review Role Access
Capability:
The IESO will verify at least once each calendar quarter that individuals with active electronic access or unescorted physical access have authorization records.
The IESO will:
a)
Determine a person’s user account(s)’ current complete role group memberships, role permissions, and direct account permissions (i.e., local accounts
set outside a role).
b) Determine a person’s user account(s)’ complete role group memberships, role permissions, and direct account permissions (i.e., local accounts set
outside a role) for a given date and/or by a system.
c)
Verify that all user accounts, user account groups, or user role categories, and their specific, associated privileges are correct and are those that the
organization determines are necessary.
d) Verify that access to the designated storage locations for Critical Cyber Asset Information, whether physical or electronic, are correct and are those that
the IESO determines are necessary for performing assigned work functions.
e)
Verify a person’s training requirements; and will suspend a person’s user account cyber access, unescorted physical access in a PSP, and access to
designated storage locations when the person fails to complete mandatory prerequisite for access, such as, but it is not limited to completing all
associated mandatory training courses on time (e.g. cyber security refresh training) in the IESO’s Learning Management System, security background
check renewal, etc.
f)
Reconcile a person’s user account(s) existing role memberships, role permissions, and direct account permissions to the authorized grant/revoke
requests for that person in IAM.
g) Alert asset and role stewards via email when the IAM solution detects unauthorized access permission fulfilments.
h) View person’s user account role group memberships by role category or by asset (e.g., BES, Non-BES, Settlement, etc.)
i)
Assign proxy asset and role stewards with specified date effectivity.
j)
Send notification or reminder to asset and role stewards of pending access reviews
Vendor to describe related product functionality, workflows, automation through systems integration, major features, limitations, etc.
13
Attachment “A”
RFP#0074
<Vendor Response>
14
Attachment “A”
RFP#0074
5. Technical Requirements
5.1.1
VENDOR RESPONSE CODES
These codes are to be used in the following sections to describe your ability to meet the requirement in your current state for the solution being
proposed in your response.
Response Code
Description
Y – Existing
Feature is delivered as standard functionality and can be demonstrated by the vendor.
F – Future
Feature is not currently included but will be available in a future release. Please indicate expected release time
frame.
T – Third Party
Feature is provided by a third party vendor.
N – Not Available
Requirement cannot be met.
15
Attachment “A”
5.1.2
RFP#0074
Availability and Reliability
Target reliability requirements address the acceptable downtime (service interruption) of the system.
Requirement
1. The solution should support:
a)
Functional
Existence
Priority
Vendor
Response
(Y/F/T/N)
Vendor Description
Critical
An automated mechanism that allows failover/redundancy or other relevant mechanism to
ensure IESO users can access IAM application
components, data availability (data resiliency), and
IAM system components can continue to function
during different events (e.g. - planned, unplanned and
disaster outage conditions.)
b) An automated mechanism that provides a means of
IAM data availability to IESO users (either via failover/redundancy or other relevant mechanism)
16
Attachment “A”
5.1.3
RFP#0074
Performance
Performance requirements specify the timing characteristics of system. They may consider or specify response time (interval between a user-command and the
onset of an action from the system), and cycle time (time required to complete a given operation).
Requirement
Functional
Vendor
Vendor Description
Existence
Response
Priority
(Y/F/T/N)
2. Person’s user account and role membership information
should take effect within 15 minutes.
Critical
3. System should be able to handle recording, storing and
processing of system and application related audit trails.
Critical
5.1.4
Transaction Volume
Transactional volume requirements specify the maximum number of transactions the system must be able to handle within a specified time frame and an
anticipated rate of growth.
Requirement
Functional
Vendor
Vendor Description
Existence
Response
Priority
(Y/F/T/N)
4. Respondent to provide the maximum transaction volume
handling capability of the solution considering the number
of person accounts, role memberships, and downstream
systems within an hour interval.
Critical
17
Attachment “A”
5.1.5
RFP#0074
Usage Profile
Usage profile requirements specify the maximum number of concurrent users within a specified time frame and the total number of users the system must be able
to handle. The usage profile may drive software licensing and related costs.
Requirement
Functional
Vendor
Vendor Description
Existence
Response
Priority
(Y/F/T/N)
5. At a minimum, the solution should be able to handle 1000
users (employees/contractors).
Recommended
6. IESO might expand this IAM solution to manage users
from customer and partners. Please provide the maximum
capabilities of the system for user expansion.
Recommended
7. The solution should be able to handle at least 15000
concurrent end user accounts for authentication and
authorization processes.
Critical
8. The administrator GUI should be able to handle at least 10
concurrent end users.
Critical
9. The solution should be able to manage at least 15000 user
accounts.
Critical
5.1.6
Data Retention
Data retention requirements specify how long data produced by a process should be retained in a data store before it is archived or purged.
Requirement
10. All person, account and role group information should be
retained from time of creation, deactivation, end dating
for a period of 4 years.
Functional
Existence
Priority
Vendor
Response
(Y/F/T/N)
Vendor Description
Critical
18
Attachment “A”
11. The system should provide facilities to ensure past 4
years’ worth of all work flow / audit trail records are
available.
5.1.7
RFP#0074
Critical
Access Control
Access control restricts the system access to authorized users and protects the privacy of data.
Requirement
12. The solution should be able to support:
a)
Functional
Existence
Priority
Vendor
Response
(Y/F/T/N)
Vendor Description
Critical
Search and read only access (e.g. for supervisors and
persons) to view profile information role group
memberships and access for their staff only.
b) Create/update access requests (e.g. by stewards) for
authorized persons.
c)
Approve access requests (e.g. by asset owner).
d) Create/Update person information (e.g. for system
administrators) for an authorized person (i.e. their
staff)
e)
Implement a person’s access (e.g. by system
administrators)
f)
Create/update accounts, roles, role groups, access
groups, access rights (e.g. by stewards or system
administrators)
g) Full support and administration (e.g. by technology
support staff)
19
Attachment “A”
13. The solution should provide password management:
a)
RFP#0074
Critical
Provide predefined defaults and configurable best
practices for password strength, complexity, and
expiration date that can be applied across individual or
groups of apps.
b) Allow for password reset both on and off network, via
mobile and web.
c)
Provide the ability to synchronize password changes
between multiple application types.
d) Support complex password policies, including
password length, complexity, character types,
detection of account attributes, etc.
e)
Allow password resets without requiring the user to
call the helpdesk, using confidential challenge
questions to verify personal identity.
f)
Provide the ability for end users to populate their
multi-factor authentication information, including
personal email, personal phone, and knowledge based
authentication answers.
g) Enforce password policies including password
strength, length, complexity and expiration on a perapp or app-group basis must be provided.
h) Support password management across a wealth of
technologies (e.g. native databases, directories,
platforms, mainframes, and web-based SaaS
applications).
i)
Track application access activity, which can be used
for activities such as license utilization usage tracking
or access monitoring.
14. The solution should provide single sign-on.
Critical
Respondents to explain the features of their SSO
capability.
20
Attachment “A”
5.1.8
RFP#0074
Logging and Reporting
The proposed IAM system must maintain all changes made to a person, account, role, role groups, access groups, access rights through their life cycle (e.g.
record logs on who, when and what information has been changed).
Requirement
Functional
Vendor
Vendor Description
Existence
Response
Priority
(Y/F/T/N)
15. The system must be able to provide means for thorough
audit trails to enable reconstruction of past events,
including, but not limited to individual accountability to
all identity and access control changes within the system
and application, as well as attempts of security breaches,
attempts of confidentiality breaches, etc.
Mandatory
16. The system must protect audit trail data from tampering,
and unauthorized access.
Mandatory
17. The system must be able to export logs for the
consumption by IESO centralized logging system
Mandatory
21
Attachment “A”
5.1.9
RFP#0074
Integration with IESO Systems
The proposed IAM system shall provide functionality for supporting various enterprise application integration capabilities and methods. Respondents shall
comment in detail on the integration functionality met by the solution as detailed below but not limited to such. Any other functional recommendations and
capabilities that a respondent considers important should be detailed.
Requirement
Functional
Vendor
Vendor Description
Existence
Response
Priority
(Y/F/T/N)
18. The system should be able to integrate with the following
data sources:
a)
Critical
Active Directory environments (11 forests)
b) SAP SuccessFactors (HR system used for onboarding, off-boarding, and training)
c)
HP Service Manager version 9.21 (used for change
management, configuration management, incident
management, etc.)
d) Appian version 7.9 (Workflow Cloud Solution)
19. Authentication and authorization policy enforcement for
server platforms:
e)
Windows – 2003 and newer
f)
Unix - TRU64 v.4.0F and newer, SunOS 5.8 or newer
Critical
g) Linux – Red Hat Linux Enterprise Server version 3
and newer
h) Specify any other supported platforms (information
purpose only)
20. Authentication and authorization policy enforcement for
database servers:
a)
Critical
Oracle 10G, 11G and 12G RAC
b) Oracle 10G , 11G and 12G standalone
c)
SQLServer 2005 and newer Cluster
d) SQLServer 2005 and newer standalone
22
Attachment “A”
21. Authentication and authorization policy enforcement for
network appliances and devices, but are not limited to the
following:
a)
RFP#0074
Recommended
Checkpoint firewalls
b) RSA authentication system
c)
HP Tippingpoint Intrusion Prevention System (IPS)
d) Websense content filter
e)
Juniper SSL VPN system
f)
EMC storage systems
g) Cisco network switches/routers
h) Eaton/Cooper Industries Cybectec RTU
i)
Clearswift Mimesweeper
j)
F5 load balancer
k) IBM QRadar
l)
Avaya CS1K, System & Session Manage
m) NetApp Storage
n) Sun Tape Library
o) Commvault Backup
p) Avocent Remote Access
q) Symantec Brightmail
r)
Symantec Antivirus
23
Attachment “A”
22. Authentication and authorization policy enforcement for
the following application systems:
a)
RFP#0074
Critical
ABB SCADA/EMS Network Manager 6.4
http://new.abb.com/network-management
b) Novell/NetIQ Operations Center Central Alarm
and Monitoring Systems (CAMS)
c)
Custom Web applications (Java based)
d) Other Custom Applications (C#, .NET)
e)
Interactive Intelligence - Customer Interaction Center
(CIC)
23. The solution should provide a means to guarantee all of
its agents, adaptors, connectors, including custom
connectors integrated with IESO systems that will continue
to work until the IESO’s target system is retired
(decommissioned).
5.1.10
Critical
Vendor Risk
The proposed IAM system should be an “Open Standards” based solution to ensure that the IESO is not locked into a proprietary technology solution.
Respondents shall comment on the capabilities supported by their base solution and specify their solution compatibilities and limitations.
Requirement
Functional
Vendor
Vendor Description
Existence
Response
Priority
(Y/F/T/N)
24. The solution should provide a means that IESO will be
able to recover all of its data in case the proposed IAM
solution technology no longer in practice or supported.
Critical
24
Attachment “A”
5.1.11
RFP#0074
Browser and Thick Client Support
The proposed IAM system interface shall be a traditional Windows client or an IE browser.
Respondents shall comment on the capabilities support by their base solution and specify their solution compatibilities and limitations.
Requirement
Functional
Vendor
Vendor Description
Existence
Response
Priority
(Y/F/T/N)
25. The IAM system shall provide a user interface that is
compatible with the minimum IESO desktop application
requirements:
a)
Recommended
Windows 7 SP1 64 Bit
b) Internet Explorer 9 and higher
c)
JRE 1.6.0.29+ compatible (IESO’s strong preference
is no use of JRE)
26. The IAM system should provide an installation image for
its agents, adaptors, and connectors in the form of an .MSI
file which can be installed and updated via the Altiris
software deployment program.
Recommended
27. The IAM system user interface shall operate on IESO’s
standard PC hardware:
Recommended
Desktops
a)
Dell OptiPlex Series
b) 3.5 Gb of RAM
c)
80 Gb Disk
d) one 1Gb NIC
Laptops
e)
Dell Latitude Series
f)
3.5 Gb of RAM
g) 80 Gb Disk
h) one 1Gb NIC and one Wi-Fi NIC
28. Other Browser Support
Recommended
25
Attachment “A”
RFP#0074
Respondents should provide details regarding other
compatibilities and capabilities supported by.
5.1.12
IT Architecture
It is preferred that the proposed IAM system shall provide the capability of meeting the IESO IT and architectural standards. Respondents shall comment in
detail on the architectural standards met by the solution as listed below but not limited to such. Any other architectural capabilities that a respondent considers
relevant should be detailed and commented on.
Requirement
Functional
Vendor
Vendor Description
Existence
Response
Priority
(Y/F/T/N)
29. The IAM system shall be able to run in an environment
that is compatible with at least one of the following
operating systems:
a)
Recommended
Microsoft Window Server 2012 R2
b) Red Hat Enterprise Linux V6.5 ES (IESO Preference)
30. The IAM system database shall be able to run in an
environment that is compatible with at least one of the
following database systems:
a)
Critical
Oracle 11g
b) MS SQL Server 2008
31. No software will be installed on Active Directory
Domain Controllers that might hinder AD functionalities,
performance or compromises AD security architecture.
Recommended
32. The proposed IAM system should be able to work with
different AD forests as well as with standalone servers.
Critical
33. No Active Directory Schema changes will be required.
Recommended
34. The proposed IAM system should be able to integrate
with MS System Center Operations Manager for system
and application health monitoring purposes.
Recommended
26
Attachment “A”
5.1.13
RFP#0074
Servers, Storage and Network
The proposed IAM system is expected to meet the existing IESO minimum server hardware requirements.
Requirement
Functional
Existence
Priority
35. IESO uses HP BL460C G8 or Dell PowerEdge R730
Server as the standard server systems in its IT environment.
It is preferred that the IAM system shall be able to run on
these hardware platforms. IESO also utilizes EMC’s SAN
Storage technology for its storage needs. IESO prefers the
proposed IAM solution can also be able to utilize IESO’s
existing storage infrastructure.
Recommended
36. If the IAM solution can only be deployed using vendor’s
appliances, all necessary documentation, including a
hardware installation guide, shall be provided in order for
the IESO to be able to configure the necessary hardware.
Recommended
37. An IAM application installation guide and/or fully
documented build scripts shall be provided in order for the
IESO to be able to build and configure the system.
Recommended
Vendor
Response
(Y/F/T/N)
Vendor Description
27
Attachment “A”
5.1.14
RFP#0074
Migration Requirements
The following data migration effort is required. Respondents shall comment in detail on the migration solution and tools that are supported by the base product.
Requirement
38. The system should have the capability to integrate with IESO’s
existing account management systems and take input of existing
accounts, roles, and their access permission into its configuration
database.
Functional
Existence
Priority
Vendor
Response
(Y/F/T/N)
Vendor Description
Critical
28
Attachment “A”
RFP#0074
6. Information Model
6.1
IESO System Overview
IESO will provide the system overview diagram to RFP respondents upon the IESO receiving a signed Non-Disclosure Agreement.
29