Response Annexures for Information Security Bid (Identity and Access Control Management)

TECHNICAL REQUIREMENTS / 43

ANNEXURES (B,C &D)

RESPONSE ANNEXURES FOR INFORMATION SECURITY BID (IDENTITY AND ACCESS CONTROL MANAGEMENT)

FOR

THE SOUTH AFRICAN SOCIAL SECURITY AGENCY

ANNEXURE B: MANDATORY REQUIREMENTS TO THE BID

NB: In line with Section 1 of the bid document, including bid evaluation condition as stipulated under Section 6, Bidders are to fully comply with Mandatory Requirements (including submitting all information as required). Failure to provide evidence of compliance to any of the mandatory requirements will result in the bid response being disqualified. All mandatory requirements in the bid document are preceded or marked with three asterisks (***).

2.2.3 The bidder is required to propose an Identity and Access Management solution and cover the following aspects;
a) Identity Lifecycle
b) Entitlement Management
c) ***Access request
d) ***Workflow
e) Policy management
f) ***Access certification
g) Fulfilment
h) ***Password management
i) Role management
j) ***Auditing
k) Identity & Access Analytics
l) Reporting and dashboards
m) Ease of deployment
n) Scalability and performance
o) ***Privileged Access Management
such as:
i. Privileged Session management
ii. Super User privilege management
iii. Application to application password management / Comply / Not Comply
Remarks:
2.2.4***The solution being proposed must comply with the interoperability standards as set out in the latest version of Minimum Interoperability Standards for Government information systems (herein referred to as the MIOS). Elaborate on the compliance with this requirement and zoom into the following;
a)  Relational Database Access
b)  SecureXML/XACML Encoding for Exchange Biometric Data & Policy Expression,
c)  REST/OAuth for the forthcoming Web Enabled Application Environment
d)  Data Element Specification
e)  Interchange format Framework
f)  IT Security standards
. / Comply / Not Comply
Remarks:
2.2.5*** The solution being proposed must comply with minimum Information Security standards (MISS). Elaborate on the compliance with this requirement. / Comply / Not Comply
Remarks:
2.2.9***The solution must accommodate for the special needs ofprivilegedaccounts, including their provisioning and life cyclemanagement, authentication, authorization, passwordmanagement, auditing, andaccesscontrols. / Comply / Not comply
Remarks:
2.2.10***The solution must have the capability to manage Shared Access to Privileged Accounts across all platforms (Windows, Linux, Novell and Mainframe). It should give authorized internal users, outsourced IT and third party vendors secure, always-on access to critical shared account passwords, while maintaining control over who has access, which account passwords they have access to and how those passwords are managed. / Comply / Not Comply
Remarks:
2.2.11 ***The solution must have the capability to manage Privileged Sessions by allowing the granting of access to administrators, remote vendors and high-risk users for a specific period — or session — with full recording and replay capabilities. / Comply / Not Comply
Remarks:
2.2.15*** The solution must be able to integrate with the following authentication methods on some of the agency’s applications to re-authenticate users every time they perform a high risk transaction:
a)  OTP token (NIST: "multifactor OTP hardware token," "single-factor OTP token" and "lookup secret token")
b)  X.509 token (NIST: "multifactor hardware cryptographic token," "multifactor software cryptographic token" and "single-factor cryptographic token")
c)  OOB authentication (NIST: "out-of-band token" / Comply / Not Comply
Remarks:
2.2.17***The solution must be able to produce standard reporting. List at least the reporting views that come standard with the solution, and indicate the level which each view will target, ad uses thereof in a manner that enables the business of the agency / Comply / Not Comply
Remarks
2.2.19***The proposed solution must enable user ID/account provisioning, driven by key events in the HR & Supply Chain Modules in the ERP System. Furthermore, the Identity and Access Management system must provide an “easy to change” rules based response to these events including but not limited to:
a)  New HR or Supplier (System User) = New Identity & Account Type
b)  Suspended, Sick Leave or Holiday = Temporarily Suspended Account
c)  Contract Terminated or Expired = Account Suspended / Archived
d)  User’s ability to initiate updating of specific user information (telephone number, location, etc / Comply / Not Comply
Remarks
2.2.22***The proposed Identity and Access Management System must have a User Access Workflow that;
a)  Functions from the time a user has been created as an employee or system using supplier on the ERP System and/or a user has been created as a consultant on the consultant Security Management System, until all the access requirements, including enrolment thereof, has been fulfilled;
b)  has an SLA measurement capability from the time the user was created on the system as an employee to the point where the enrolment has been completed, and where SLA measure is per each step of the workflow as well as averaged;
c)  has notifications capabilities both of email and SMS for each gate of identity and access approval;
d)  has an escalation path and capability if one approval or action gate takes longer than required;
e)  only allows a request to be closed once all the access requirements have been provided, including the enrolment thereof;
f)  allows for multiple steps of approval by line managers, managers of managers as well as system administrators for any identified access requests; / Comply / Not Comply
Remarks
2.2.25 ***The proposed Identity and Access Management System must have an Automate Exit interview capability that is able to, from a single interface, revoke access for any user from all systems temporarily or permanently. This immediate suspension capability should extend to physical access and be effective immediately / Comply / Not Comply
Remarks
2.2.26***The bidder MUST demonstrate a track record of the Identity and Access Management System being proposed where;
a)  Such Identity and Access Management System has Access Request Workflows, Business Rules Management (segregation of duties and toxic combinations)and Breach Incident Management capabilities; and
b)  Such system has been integrated with critical business systems of the enterprise in question.
c)  Such a system has achieved:
·  Rule Based access control
·  Full Role Based Access Control
·  Partial Role Based Access Control
d)  Such system has achieved automation and HR driven Identity & Account Provisioning;
e)  Such a system has achieved closed loop access remediation;
f)  Such a system has been integrated with a banking or payments system;
g)  Such system has provided “Restful API” Security including use of OAuth in a Cloud / Public Facing Microservice environment / Comply / Not Comply
Remarks
2.2.28***The proposed identity and Access Management must have access certifications capability with the ability to:
a)  Conduct user certifications by line managers;
b)  Conduct system access certifications by system administrators;
c)  Highlight access violations as defined in the business rules;
d)  Multi step approval process for access removal;
e)  Automatically fulfill any access removal/rejection requests triggered through a certification;
Remediate and reconcile orphan accounts across systems mentioned above / Comply / Not Comply
Remarks
2.2.30***The proposed Identity and Access Management System must integrate with, but not limited to the following systems;
a) Novell eDirectory
b) Novell Groupwise
c) Microsoft Active Directory 2012
d) Microsoft Exchange 2012
e) Oracle ERP
f) SOCPEN (Winet Emulator, Natural ADABAS and RACF);
g) MIS Registry and MIS Workflow (Dot Net and SQL)
h) Livelink
i) 3om / HP VCX
j) VSA Rampage TM
k) Unisin Galactrix TMS
l) Microsoft PKI
m) Planned Future State Systems (3 Years)
i. Banking & Payments System
ii. Web Enabled Application Environment
iii. Device Application Environment
iv. Microservices & APIs / Comply
/ Not Comply
Remarks
Remarks
3.1.5 ***The Agency requires a non-repudiation capability that will provide unbiased evidence that is traceable and tamper-proof and further compliant to the ECT ACT. In addition to irrefutably linking an act of fraud with an official such that such evidence is admissible in a South African court of law, to also assist in preventing future transgressions that takes place as a result of stolen identities and credentials. / Comply / Not Comply
Remarks
3.1.6 ***The Agency requires that the non-repudiation capability be fulfilled through a Three Factor Authentication solution enterprise wide. This solution will affect all 11,000 (approximate figure) employees of the Agency.
Factor / Authentication type / Authentication Description
1 / User ID and password authentication used for authentication, to prove identity or gain access to an eDirectory or Active Directory or any LDAP Directory Service / The identification of a user and a password used for authentication
2 / Smart Card / A plastic smartcard about the size of a credit card, with an embedded microprocessor that can be loaded with data, i.e. a private key and digital certificate, and possibly minutiae of a fingerprint for on-card identity verification, used for applications access, and establishes an identity when logging on to different business applications.
2 / One Time Password / SMS authorization of a transaction (Out Of Band)
2 / USSD / USSD based authorization and option selection.
3 / Biometric Identifier / Fingerprint
/ Comply / Not Comply
Remarks
3.1.7 ***In addition to the above, this system must be able to re-authenticate users every time they perform a high risk transaction in the ORACLE SOCPEN, ERP Systems and should also perform this function as part of a future planned web enabled grant administration system incorporating all future planned banking and payment related systems. The Agency has approximately 11 000 employees who have access to these two main systems. No external users ERP except a few from the Department of Social Development on SOCPEN. / Comply / Not Comply
Remarks
3.1.8 ***The Agency requires that such a capability be robust and tamper-resistant to achieve high levels of integrity and achieve 99.9% nonrepudiation. / Comply / Not Comply
Remarks
3.2.1***The bidder must propose a 3 Factor Authentication solution to address the Strength of Authentication and Non-Repudiation requirements, and cover the following aspects:
a)  The High Level Solution Design;
b)  The components of the solution (both hardware and software, brands and models, etc.);
c)  The details of each component of the solution, the OEM etc.; and
d)  The solution's integration aspects with SASSA Network and Systems both in the current state and the planned medium term future state (3 year). / Comply / Not Comply
Remarks
3.2.2***The solution being proposed must comply with the latest interoperability standards as set out in the Minimum Interoperability Standards for government information systems (herein referred to as the MIOS). Elaborate on the compliance with this requirement zoom into the following elements;
a)  Relational Database Access;
b)  Secure XML and XACML Encoding for Exchanging Biometric Data;
c)  Data Element Specification
d)  Interchange Format Framework
e)  OpenID / OAuth
f)  REST / Comply / Not Comply
Remarks
3.2.3***The solution being proposed must comply with the minimum information security standards (MISS). Elaborate on the compliance with this requirement; / Comply / Not Comply
Remarks
3.2.4***The solution must be able to interoperate with the following elements. Elaborate on the compliance with this requirement:
a)  Oracle ERP;
b)  WINET Emulator
c)  Entire-X
d)  Natural ADABAS Security software
e)  Novell e-Directory; and
f)  Microsoft Active Directory
g)  Forthcoming:
·  Web Enabled Grant Application
·  Banking and Payment Systems. / Comply / Not Comply
Remarks
3.2.6***The solution must be able to make use of the following authentication methods:
a)  Lexical KBA (NIST: "preregistered knowledge token"):
b)  Graphical KBA (no corresponding NIST category)
c)  OTP token (NIST: "multifactor OTP hardware token," "single-factor OTP token" and "lookup secret token")
d)  X.509 token (NIST: "multifactor hardware cryptographic token," "multifactor software cryptographic token" and "single-factor cryptographic token")
e)  OOB authentication (NIST: "out-of-band token") / Comply / Not Comply
Remarks
3.2.7***The solution must have the capacity to scale to allow for the on-going enrolment of beneficiaries using the same user-registration I provisioning process albeit that the data be stored in a separate database. / Comply / Not Comply
Remarks
3.2.8***The solution must have the capacity to scale to allow for the on-going enrolment of beneficiaries using the same user-registration I provisioning process albeit that the data be stored in a separate database. / Comply / Not Comply
Remarks
3.2.9***The solution must be able to produce standard reporting that includes but not limited to the elements listed here-below. Elaborate on the compliance with this requirement on each element:
a)  failed authentications;
b)  exceptional transactions; and
c)  list of authentications done; / Comply / Not Comply
Remarks
3.2.10***The solution must have a policy-based, fined grained access control, and access to resources, including privileged accounts with audit trail. Elaborate on the compliance with this requirement. / Comply / Not Comply
Remarks
3.2.11***The solution should provide activity logs that are captured to provide user and server reports for a defined time period. Elaborate on the compliance with this requirement. / Comply / Not Comply
Remarks
3.2.12 ***The solution must provide for the tamper proof storage of all transactional and user audit logs. / Comply / Not Comply
Remarks
3.2.14***The solution must provide an encryption on all authentication credentials e.g. password, smartcard information, and biometric template when traversing the network. Elaborate on the compliance with this requirement. / Comply / Not Comply
Remarks
3.2.15***The solution must further provide for digital signatures. Elaborate on the compliance with this requirement. Make reference to how the solution offers cryptography services for the purpose of digital signing of e-forms, and other digital artifacts in support of ink signature and rubber stamp replacement. This requirement must be linked to the re-authentication requirement specified above / Comply / Not Comply
Remarks
3.2.16***The solution must perform authentication of scanned fingerprint before allowing the user to proceed with either the logon process or the high risk transaction. Elaborate on the compliance with this requirement. / Comply / Not Comply
Remarks
3.2.18***The solution must have high-availability architecture with seamless failover between 07:00am and 17:00pm. Elaborate on the compliance with this requirement and how will this be measured / Comply / Not Comply
Remarks
3.2.19***The solution must come with Disaster Recovery capabilities. That means, the solution must be able to fit into the agency’s IT Disaster Recovery strategy as detailed in the BCP strategy. Elaborate on the compliance with this requirement. / Comply / Not Comply