Provision of support services for the operation and maintenance of the ZUS ICT Security System
The Contracting Authority notes that it presents below only basic information on the scope of the contract for the provision of support services for the operation and maintenance of the ZUS ICT Security System. This information is preliminary and for information purposes only. The description of the subject matter of the contract meeting the requirements of Article 400 of the Public Procurement Law (Journal of Laws of 2023, item 1605), hereinafter referred to as the "Public Procurement Act", will form part of the Terms of Reference and will be submitted to the Contractors together with the invitation to submit tenders in accordance with Article 411(2) of the Public Procurement Law.
PART I - SUBJECT MATTER OF THE CONTRACT
The subject of the contract for the support of the operation and maintenance of the ICT Security System of the Social Insurance Institution (hereinafter: SBT ZUS), owned by the Contracting Authority, is the provision of, in particular, the following Services:
1) Maintenance of the indicated IT Application Services, Tools Services and Management Processes in the Production Environment, to the extent and on the terms specified in the Contractor's Service Metrics;
2) Provision of Maintenance and Support Services;
3) Performing the role of the Security Integrator, within the scope and on the terms set out below, and other indicated roles in the implementation of changes in SBT ZUS, in accordance with the Operating Procedures and IT Standards of the Social Insurance Institution;
4) Provision of Additional Services, including in particular:
a) adaptation of SBT ZUS to organizational changes of the Contracting Authority,
b) adaptation of SBT ZUS to changes in IT Services or IT Standards of ZUS,
c) support in the implementation of tasks resulting from legislative changes,
d) additional implementation support for IT Services and post-implementation support for IT Services,
e) preparation of documentation, in particular: design, operational, as-built, analytical and reporting, etc.,
f) analysis, development and maintenance of the indicated areas of the Contracting Authority's IT architecture,
g) analysis and recommendations regarding the Contracting Authority's IT architecture in terms of the Contracting Authority's ICT security,
h) analysis and recommendations on the planned implementations and their impact on the SBT ZUS and the level of security of the Contracting Authority,
i) analysis and recommendations on the development of communication channels with external entities and their impact on the level of ICT security of the Contracting Authority.
1.1 Services
Support by the Contractor shall be provided to the extent and at the level described in the Contractor's Service Metrics. A Contractor's Service Metric is a document specifying the scope of the Contractor's obligations and the conditions for the performance of those obligations.
The Contractor's level of compliance with the service parameters (SLA) resulting from the Contractor's Service Metrics will be measured and accounted for by the Contracting Authority and provided by the Contracting Authority in the form of a report on the level of service provision. The Contracting Authority is responsible for preparing the mechanisms for measuring and accounting for the level of the parameters achieved by the Contractor. For the Contractor's Service Metrics, the settlement of the service levels provided is carried out on the basis of the Maintenance Service parameters, i.e. availability, reliability, continuity and efficiency. The parameter values are obtained from the Contracting Authority's Services Monitoring System (SMU).
The purpose of defining the Maintenance Service parameters is to ensure that the services provided by the Contractor are at a level not lower than that specified by the values of these parameters. Each parameter has an established guaranteed value, i.e. the lowest level permitted by the Contracting Authority at which the service may be provided. This level should guarantee the smooth operation of system processes. Communication between the Contractor and the Contracting Authority regarding the handling and diagnosis of Incidents will ultimately take place through the integration of the Contractor's Request Handling System with the Contracting Authority's Request Handling System. Communication and integration will be described in the Terms of Reference.
Contractor's Responsibilities
The Contractor is obliged in particular to:
1. Provide maintenance services at the level specified in the Agreement, using the Administrator Procedures defined by the Contractor and approved by the Contracting Authority, or held by the Contracting Authority.
2. Ensure compliance with the Maintenance Service Parameters specified in the metrics.
3. Administer and configure SBT ZUS, including providing the Contracting Authority with the necessary recommendations and guidelines for the operation of the Hardware and System Infrastructure supporting the SBT ZUS systems covered by the Contractor's Service Metrics.
4. Provide Maintenance Services, including the removal of problems resulting from malfunctions of the systems covered by the Contractor's Service Metrics.
5. Provide the Contracting Authority with information on all version updates, offered and supported by the manufacturer, of the systems covered by the Contractor's Service Metrics, and assist in their implementation in the Contracting Authority's environment. The Contractor shall agree with the Contracting Authority on the time of installation of a provided system update, and the Contracting Authority shall make the final decision on its installation (the Contracting Authority, assisted by the Contractor, shall update the Software, unless the Parties agree otherwise).
6. Update the Documentation as new versions of the systems become available and corrections are introduced.
1.1.1 Maintenance services
The following maintenance services are planned:
Contractor's Service Category; Metric ID; Service name
SBT Application Maintenance Service; SBT_PAM; Maintenance of the ICT Security System in terms of securing access to the Contracting Authority's infrastructure
SBT Application Maintenance Service; SBT_END; Maintenance of the ICT Security System in the field of security of workstations and e-mail
SBT Application Maintenance Service; SBT_DLP; Maintenance of the ICT Security System in the field of protection of the organization against information leakage
SBT Application Maintenance Service; SBT_UTS_INC; Maintenance of the ICT Security System in the area of information security incidents
SBT Application Maintenance Service; SBT_UTS_TAG; Maintenance of the ICT Security System in the field of tagging and encryption applications
Maintenance Service – IT management tools and processes; SBT_TEST_KOD; Source code testing – performed according to the Contracting Authority's needs, on request
Maintenance Service – IT management tools and processes; SBT_TEST_PEN; Penetration testing – performed according to the Contracting Authority's needs, on request
The final list of Contractor's Service Metrics will be determined in the Terms of Reference. The agreement will provide for the possibility of adding new metrics according to the Contracting Authority's needs resulting from, for example, the development of SBT ZUS.
A. Maintenance of SBT ZUS
The purpose of providing Maintenance Services within the scope specified in the Contractor's Service Metrics is to ensure the production operation of the SBT ZUS systems implemented under the Framework Agreement, including their proper functioning in the system and hardware infrastructure and their integration with other external systems.
As part of the service related to the ongoing maintenance and support of SBT ZUS, the Contractor will be responsible in particular for:
a) current administration of SBT ZUS and databases;
b) identifying problems and responding to identified problems and irregularities;
c) troubleshooting the systems covered by the metric;
d) solving problems with the operation of agents on the Ordering Party's workstations;
e) support and assistance in updating the system software on the Ordering Party's servers;
f) analysis and recommendations for database tuning at the operating system/infrastructure level and their implementation after the Contracting Authority's consent;
g) recommendations for installing patches and upgrades (SBT ZUS and databases);
h) implementation of administrative procedures;
i) making and testing backups;
j) reconfiguration of SBT ZUS in line with the current needs of the environment and users;
k) analysing and recommending specific actions and changes necessary to ensure high efficiency of SBT ZUS;
l) informing about new versions of SBT ZUS and conducting tests at the request of the Contracting Authority;
m) arrangements for SBT ZUS update schedules;
n) update of the SBT ZUS Documentation;
o) verifying the completeness of administrative procedures, updating and supplementing them and creating new ones;
p) preparation of installation packages for SCCM in the field of installation/update of agents and assistance in their implementation;
q) uploading reports.
B. Ordering and implementation of security tests defined under the maintenance services SBT_TEST_KOD and SBT_TEST_PEN
The purpose of commissioning tests under these metrics is to identify vulnerabilities that pose, or may pose, a threat to the security of the information and data processed, transmitted and stored by the Contracting Authority's ICT systems, and of the business services those systems provide, with the aim of designing a secure ICT environment in the Social Insurance Institution.
Depending on its needs, the Contracting Authority orders tests under the following metrics: SBT_TEST_KOD, SBT_TEST_PEN.
1. SBT_TEST_KOD
A source code security review is a detailed analysis of the source code that answers whether the tested application can be installed and used in production and exposed on the network, whether specific risks are associated with it, and if so, what they are.
2. SBT_TEST_PEN
Vulnerability testing of applications, systems and networks, carried out from both the internal and the external network, examines the resistance of the environment to an attack in which an intruder breaches the security at the interface with external networks, or gains access to the internal infrastructure through the intentional or unintentional action of a legitimate network user (e.g. launching malware from a user's workstation). The purpose of this test is to detect security vulnerabilities and verify them as potential threats.
1.1.2 Maintenance Services
The following maintenance services are envisaged:
Maintenance Service; SBT_ODI; Software Incident Handling
Maintenance Service; SBT_KON; Maintenance Consultations
A. Maintenance Service SBT_ODI – Software Incident Handling
The Service includes the activities necessary to restore the correct operation of the systems as soon as possible, including: registration of the Request; identification of the causes of the Incident; providing the results of the Diagnosis together with the cause of the Incident; for Incidents for which the Diagnosis determined that a Workaround or Solution is necessary, developing and making available a Workaround and a Solution, or a Solution alone where no Workaround is provided in the service process; and updating the Documentation if the Workaround or Solution requires it.
B. Maintenance Service SBT_KON – Maintenance Consultations
The Consultation Service is an exchange of information for the purposes of development, integration, ensuring the continuity of SBT ZUS operations and removing emerging failures, carried out between the Contractor, the Contracting Authority and other contractors (providing support services under other agreements with the Social Insurance Institution in areas outside SBT ZUS). The purpose of the Maintenance Consultation Service is not to outsource analytical, design or programming work to other participants of the Consultation process, nor is it a mechanism for transferring general knowledge about SBT ZUS that results from the documentation.
Communication within the Consultations between Contractors is carried out through the Contracting Authority.
1.1.3 Security Integrator – Acting as a Security Integrator
The Security Integrator issues opinions on all Modifications, Additional Services and solutions implemented as part of handling service requests, the implementation of which is planned in all implementation windows (planned and additional). The Security Integrator is obliged to take part in the General Consultations held by the contractors of the framework agreements for the development of the Comprehensive IT System of the Social Insurance Institution.
The Security Integrator cooperates with the Integrator as a contractor bound by a contract, the subject of which is the support services for the operation and maintenance of KSI ZUS.
A. Tasks of the Security Integrator in SBT ZUS projects
a) Assessment of the impact on technical resources and services
The task is carried out throughout the duration of each SBT ZUS project (hereinafter referred to as the "project"). Projects may concern all implemented changes to SBT ZUS systems/functionalities, in particular Modifications, Additional Services, repair of service requests and elements at the interface between SBT ZUS and other systems.
b) Participation in the preparation of the project's products/Other contractor's Products, acceptance of software and its implementation
As part of the task, the Security Integrator participates in the work of the Project Team, acceptance tests and performs regression, inter-module, performance, and security tests.
The task of the Security Integrator is to unambiguously assess whether the project's products / Third-Party Contractor's products work in accordance with the project's assumptions and applicable standards and to confirm the correct operation of the software in the Pre-Production Environment.
c) Commencement of operation and monitoring of the Stabilization Period. System monitoring during the maintenance period
As part of the task, the role of the Security Integrator is to unambiguously assess whether the project's products / Third-Party Contractor's products operate in accordance with the applicable Performance Standards. The Security Integrator confirms the correct operation of the software in the Production Environment during the Stabilization Period and recommends the end of the Stabilization Period.
d) Ongoing monitoring of the capacity level in the context of maintenance and development of security systems allowing the Contracting Authority to plan and implement the necessary infrastructure purchases
As part of the task, the role of the Security Integrator is to unambiguously assess the status of the capacity and issue recommendations.
e) Identification of licensing needs and ongoing monitoring of the level of license usage
The task is carried out throughout the duration of each SBT ZUS project. Projects may concern all implemented changes to SBT ZUS systems/functionalities, in particular Modifications, Additional Services, repair of service requests and elements at the interface of the SBT ZUS system with other systems.
As part of the task, the role of the Security Integrator is to unambiguously assess licensing needs and determine the activities to be performed.
B. Tasks of the Security Integrator in projects/Planned purchases carried out at the interface of SBT ZUS with other systems
Assessment of the impact on technical resources and related services
The task is carried out throughout the duration of the Contract, in accordance with the project implementation cycle, according to the schedule agreed with the Contracting Authority or on demand, as the Contracting Authority requires.
As part of the task, the role of the Security Integrator is to identify security risks arising from projects/procurement requirements; to recommend changes to specific, ongoing projects/procurement requirements, or the use of a specific architecture or technology, in terms of security; and to verify design assumptions, including integration assumptions, in the context of the feasibility of implementation and the impact of the solutions proposed in the given projects on the technical and system infrastructure of SBT ZUS, including the capacity and number of SBT ZUS licenses.
C. Tasks of the Security Integrator ensuring the security of the implementation of changes
The Security Integrator closely cooperates with the Integrator as a contractor bound by a contract, the subject of which is the support services for the operation and maintenance of KSI ZUS. The Security Integrator analyses and gives opinions on the changes planned to be implemented in terms of security on an ongoing basis on the basis of the submitted documents.
D. Tasks related to support in the development and maintenance of the SBT ZUS architecture
The Security Integrator provides support in the development and maintenance of the IT architecture in the following scope:
1. Support in managing changes in the architecture of SBT ZUS in the field of analysis of temporal and architectural dependencies between SBT ZUS projects and between SBT ZUS projects and projects outside SBT ZUS (at the interface with SBT ZUS).
2. Architectural support in the analysis of the current state of SBT ZUS architecture.
3. Architectural support in the scope of SBT ZUS architecture review and update of the document describing the SBT ZUS architecture.
E. Participation of the Security Integrator in the process of development of SBT ZUS and projects at the interface with SBT ZUS
1. The Security Integrator provides support to the Contracting Authority in coordinating the development/modification of SBT ZUS IT systems.
2. The task of the Security Integrator is to assess the impact of the implementation of the products of the projects/Products of another contractor implemented under development contracts in the Production Environment on the level of IT security of the Social Insurance Institution.
3. The Security Integrator verifies the correctness, consistency and integrity of the Software Source Codes in the Contractor's/Ordering Party's Pre-Production Environment by performing the compilation process.
4. The Security Integrator cooperates with the Ordering Party in the maintenance and development of methods for validation of the source codes of the SBT ZUS software.
1.2 Additional Services
Additional Services Orders may include, in particular, the performance of works in the following scope:
a) adaptation of SBT ZUS to the organizational changes of the Contracting Authority,
b) adaptation of SBT ZUS to changes in IT Services or IT Standards of ZUS,
c) support in the implementation of tasks resulting from legislative changes,
d) additional implementation support for IT Services and post-implementation support for IT Services,
e) preparation of documentation, in particular: design, operational, as-built, analytical and reporting, etc.,
f) analysis, development and maintenance of the Contracting Authority's IT architecture,
g) analysis and recommendations regarding the Contracting Authority's IT architecture in terms of the Contracting Authority's ICT security,
h) analysis and recommendations on the planned implementations and their impact on SBT ZUS and the level of security of the Contracting Authority,
i) analysis and recommendations on the development of communication channels with external entities and their impact on the level of ICT security of the Contracting Authority.
1.3 Workshops
The Contractor is obliged to conduct on-site instruction, including in the field of administration of the systems and equipment covered by the Maintenance Services, system configuration, installations, introduction of configuration changes, maintenance, expansion and modification of databases, and modernization of systems. The Contractor will conduct the instruction for persons indicated by the Contracting Authority.
Part II - SERVICE TAKEOVER PERIOD
After concluding the contract, the Contracting Authority shall enable the Contractor to familiarize itself with the SBT ZUS Elements and provide the relevant documentation for review.
The takeover of the services will take place within the time limit specified in the Terms of Reference.
1. Period of transfer of services to the next Contractor
1. The Contractor is obliged to support the Contracting Authority in transferring the Services to the Contracting Authority or to a new Contractor.
2. The Handover of Services is planned to be carried out in the form of workshops/briefings.
Part III - GENERAL DESCRIPTION OF THE ICT SECURITY SYSTEM OF THE SOCIAL INSURANCE INSTITUTION
The ICT security system of the Social Insurance Institution (SBT ZUS) consists of a number of hardware and technological solutions and software that increase the level of the Contracting Authority's ICT security.
Its main area of activity is to provide security for e-mail, Internet access, workstations, networks, privileged identities.
SBT ZUS consists of:
1. ICT stack for cybersecurity systems with backup: virtualization environments and backup for the operation of SBT ZUS virtual servers.
2. Server and storage array infrastructure providing the network connection with the rest of the infrastructure, and infrastructure for the data backup system, which in particular:
a) provides network and server infrastructure for virtualization clusters and other SBT ZUS systems;
b) ensures the possibility of connecting proxy systems with the Contracting Authority's infrastructure;
c) provides the ability to connect the Anti-APT systems with the Contracting Authority's infrastructure.
3. Network devices and Firewall with their configuration, and separation of management environments of individual subsystems.
4. Network Visibility systems – an infrastructure consisting of a single packet broker platform and active TAP devices.
5. Tools to prevent data leaks, at the level of endpoints, networks, e-mail and information services.
6. Anti-APT class system.
7. A PAM system that allows you to manage privileged accounts.
8. An Information Rights Management application, whose basic functionalities are file encryption, encryption of e-mails and/or attachments, and the ability to restrict permissions to read-only.
9. Information categorization (classification) technology, which allows files to be divided into groups that are subject to classification rules based on the content of the file or the user's intentions.
All systems are standard software available on the market.
A detailed list of systems and equipment comprising the ZUS SBT allowing for the submission of an offer will be disclosed to the Contractors together with the Terms of Reference.