Post on 19-Jul-2018
Hong Kong Science and
Technology Parks
Corporation
REQUEST FOR PROPOSAL
ON
Revamp of VPN Connectivity
(Ref: RFP/IT/2017/08/001)
RFP - Revamp of VPN Connectivity Page 2 of 28
Table of Contents
TABLE OF CONTENTS
OBJECTIVE
OUR BACKGROUND
SCOPE OF WORK ASSIGNMENTS
SUBMISSION OF RESPONSE TO RFP
CLOSING DATE
ENQUIRY
EVALUATION CRITERIA
BUY HK SME INNOVATION PREFERRED
EVALUATION AND AWARD PROCESS
SCORE CALCULATION METHODOLOGY
PAYMENT TERMS & SCHEDULE
GENERAL CONDITIONS OF RFP
PURCHASE ORDER TERMS & CONDITIONS
Objective
Hong Kong Science and Technology Parks Corporation (HKSTP) would like to
solicit proposals to replace the existing VPN gateways with a dedicated network
appliance that delivers VPN connectivity to authorized individuals and
parties.
The awarded tenderer (the vendor) shall accomplish the work assignments,
terms and conditions stipulated in this Request for Proposal (RFP) and the
awarded proposal.
The assignment is named Revamp of VPN Connectivity.
Our Background
Hong Kong Science and Technology Parks Corporation (HKSTP) is a statutory
body dedicated to building a vibrant innovation and technology ecosystem to
connect stakeholders, nurture technology talents, facilitate collaboration, and
catalyse innovations to deliver social and economic benefits to Hong Kong and
the region.
Hong Kong Science Park (HKSP), which is one of the components of HKSTP,
is located in Shatin and provides world-class infrastructure for business partners
and visitors.
HKSTP also runs laboratories or support centres based in HKSP to provide
R&D support services to nurture new science and technology businesses.
Scope of Work Assignments
The scope of the revamp of VPN connectivity covers the following
assignments and requirements:
1. The vendor shall recommend and supply a VPN-capable network
appliance to replace existing VPN gateways.
2. The appliance shall be able to provide:
a. High availability of VPN connectivity services over approximately
100MB effective network bandwidth:
i. Gateway-to-Gateway VPN;
ii. Client-to-Gateway VPN;
iii. SSL/TLS VPN for remote services by web access, including
remote desktop and file shares, Microsoft Outlook, Microsoft
SharePoint, Citrix Metaframe / XenApp.
b. Pervasive VPN protocols, including but not limited to IPsec
(version 2 and version 3) and SSL/TLS.
c. Secure cipher suites and automated keying methods (e.g.,
IKEv2, AES-256, SHA-256/SHA-384, etc.) as well as legacy
cipher suites and keying methods (e.g., IKEv1, 3DES, SHA1,
etc.).
d. Application level VPN connectivity for authorized mobile
applications (e.g. Cisco Jabber, etc.) on company-manned
smartphones.
e. Endpoint health and security check when attempting a VPN
connection.
f. Two-factor authentication using either hardware token or digital
certificate with AD/LDAP, RADIUS and RSA SecurID directory
and authentication servers when authorized individuals and parties
attempt a VPN connection, and when authorized administrators attempt
appliance administration.
g. Best practice in implementation of authentication and
authorization in logical access control (please indicate which
items can be complied with and which cannot).
i. Password length should be at least 7 characters long.
ii. Password complexity should be a combination of characters
from both letters and numbers. Space character should also
be acceptable and consecutive space characters should be
replaced by a single space prior to verification.
iii. New password should be checked against 5 or more old
passwords, repetitive or sequential characters (e.g.
“1234abcd”, etc.), dictionary words, context-specific words
(e.g. name of the service, the username, and derivatives
thereof, etc.), palindrome, and/or, a black list of
unacceptable passwords (e.g. “Password1”, “QWERTY”,
passwords obtained from previous breach corpuses, etc.).
iv. The rate of failed authentication attempts should be limited
to 5 or less.
v. Authorized administrators should be able to force a password
change if there is evidence of compromise.
vi. Passwords stored in the appliance shall be salted with
an arbitrary value (at least 32 bits in length) and hashed by
strong cryptography.
vii. Authorization should follow a role-based model or group-based
model with an Auditor role or equivalent read-only group.
h. Robust logging and reporting of VPN connectivity and
administrative activities for security information and event
management.
i. The appliance company shall be in the upper quadrants in the
evaluation of the ability to execute in the report “Gartner
Magic Quadrant: Unified Threat Management, SMB Firewalls
2017”.
3. The vendor shall commit to a one-off implementation service:
a. Installation and configuration following best security practice;
b. Migration of existing authorized VPN connectivity:
i. 3 IPsec gateway-to-gateway VPN connectivity;
ii. 78 IPsec client-to-gateway VPN connectivity;
iii. 50 SSL/TLS VPN connectivity.
c. Documentation including implementation plan, manuals and
post-implementation report.
d. Acceptance test and report;
e. At least 1 man-day for post-implementation nursing support and
technical workshop to network administrators.
4. The vendor shall commit to on-going maintenance and support service for
a minimum of 3 years:
a. Hardware and software warranty;
b. On-site support including critical security vulnerability patching,
parts replacement and parts on loan, etc., on weekdays (9:00
am - 6:00 pm) and Saturday (9:00 am – 1:00 pm) excluding
Hong Kong general holidays;
c. Off-site support by phone and email.
5. The tentative start date of the work assignments is in October of 2017
and has to be completed in one month. The tenderer is required to
propose a complete implementation schedule with the planned
completion date for each milestone.
6. The vendor is responsible for planning and scheduling meetings, at
appropriate time points and as required by HKSTP during the work
assignment life cycle, to prepare meeting agenda, to chair and to take
notes for all the meetings with various parties, and any other activities
which are necessary for the satisfactory completion of the work
assignment.
7. The vendor shall ensure that all designated personnel in connection
with the assignments have the competence and have the security of
HKSTP in mind.
8. The vendor shall ensure that all information furnished by HKSTP or
extracted from it is treated as confidential and is used by designated
personnel in connection with the assignments.
9. The vendor shall carefully schedule all activities to avoid / minimize
service interruption and agree with user on the schedule, possible
impact and fall-back / recovery procedure if such is inevitable.
10. The vendor shall ensure that the security level of the information
systems is not affected in the work assignments. The vendor shall also
ensure that the services provided have minimum impacts on the daily
operations.
11. The vendor shall ensure that no malicious software, backdoor or
anything which would disrupt the operation or lead to compromise of
any system is embedded in either the information or its storage media
when it is disseminated to and/or exchanged with HKSTP.
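An added illustration, not part of the RFP or of any vendor's product: one way the password rules in requirement 2(g)(i) to (iii) and (vi) could be checked in Python. The function names, the run threshold, the PBKDF2 parameters and the two-entry deny list are assumptions; dictionary and breach-corpus lookups are represented only by that deny list.

```python
import hashlib
import hmac
import os
import re

MIN_LENGTH = 7           # requirement 2(g)(i)
HISTORY_DEPTH = 5        # requirement 2(g)(iii): "5 or more old passwords"
RUN_LENGTH = 4           # assumption: a run of 4+ counts as repetitive/sequential
PBKDF2_ROUNDS = 100_000  # assumption: the RFP only says "strong cryptography"
DENYLIST = {"password1", "qwerty"}  # constructed sample; real lists are far larger


def normalize(password):
    """2(g)(ii): collapse consecutive spaces to one space before verification."""
    return re.sub(r" {2,}", " ", password)


def hash_password(password, salt=None):
    """2(g)(vi): random salt (128 bits here, the minimum is 32) plus a slow hash."""
    salt = salt if salt is not None else os.urandom(16)
    data = normalize(password).encode()
    return salt, hashlib.pbkdf2_hmac("sha256", data, salt, PBKDF2_ROUNDS)


def in_history(password, history):
    """Compare against stored (salt, digest) pairs of the most recent passwords."""
    for salt, digest in history[-HISTORY_DEPTH:]:
        if hmac.compare_digest(hash_password(password, salt)[1], digest):
            return True
    return False


def has_run(password, length=RUN_LENGTH):
    """True for runs such as 'aaaa', '1234', 'abcd' or 'dcba'."""
    codes = [ord(c) for c in password.lower()]
    for step in (0, 1, -1):
        streak = 1
        for prev, cur in zip(codes, codes[1:]):
            streak = streak + 1 if cur - prev == step else 1
            if streak >= length:
                return True
    return False


def check_new_password(password, username, service, history):
    """Return the list of violated rules; an empty list means acceptable."""
    pw = normalize(password)
    low = pw.lower()
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("too_short")
    if not (re.search(r"[A-Za-z]", pw) and re.search(r"\d", pw)):
        problems.append("needs_letters_and_digits")
    if has_run(pw):
        problems.append("repetitive_or_sequential")
    if any(word and word.lower() in low for word in (username, service)):
        problems.append("context_specific_word")
    if len(low) > 1 and low == low[::-1]:
        problems.append("palindrome")
    if low in DENYLIST:
        problems.append("denylisted")
    if in_history(pw, history):
        problems.append("reused")
    return problems
```

The history list holds only salted digests, so the reuse check recomputes the candidate's hash under each stored salt rather than comparing plaintext.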
Submission of Response to RFP
Tenderers shall submit a response to this RFP for HKSTP consideration
including a detailed technical proposal for the complete scope of work
assignments and a price proposal for the price offering.
For the technical proposal, tenderers shall provide information including,
but not limited to, the following:
a) Company profile;
b) Proposed solution, fulfilment and limitation to the work
assignments and requirements;
c) Project schedule;
d) Description of any Hong Kong SME Innovation element in the
proposed solution eligible for the Buy HK Innovation Preferred
technical score;
e) Detailed reference with at least 2 similar services.
For price proposal, tenderers shall submit the price offering in Hong Kong
currency and precise breakdown for a validity of 3 months.
The proposals shall be submitted in separate sealed envelopes respectively:
• One envelope is for the technical proposal marked "RFP - Revamp
of VPN Connectivity (RFP/IT/2017/08/001) - Technical Proposal”. It
shall contain a hardcopy of the technical proposal and a softcopy of
the technical proposal in MS-Word or PDF format (stored in a
CD/DVD). The envelope or the proposal MUST NOT contain
any price information and HKSTP reserves the right to disqualify
any tenderers violating this requirement.
• Another envelope is for the price proposal in attached prescribed
price proposal form and marked “RFP - Revamp of VPN Connectivity
(RFP/IT/2017/08/001) - Price Proposal”. It shall contain a
hardcopy of the price proposal and a softcopy of the price proposal
in MS-Excel format (stored in a CD/DVD).
The proposal shall be sent to the address shown below and submitted into
the tender box on or before the closing date. All submissions shall be addressed
to:
Attn: Procurement Department
Hong Kong Science & Technology Parks Corporation
8/F Bio-Informatics Centre
No 2 Science Park West Avenue,
Hong Kong Science Park,
Shatin, New Territories, Hong Kong.
Closing Date
The closing date and time for this RFP submission is 8 September 2017 12:00
noon (HKT). Late submissions or submissions that do not address the
requested information will NOT be considered. In case a rainstorm black
warning or typhoon signal No.8 or above is hoisted on the closing date, the RFP
closing time will be extended to 12:00 noon on the next working day.
Enquiry
Any enquiry shall be sent to our Information Security Officer via email at
tony.szeto@hkstp.org with the subject “Enquiry on the RFP - Revamp of VPN
Connectivity” or by phone at 26296835 before the closing date.
Evaluation Criteria
HKSTP will assess the proposal on a set of pre-determined criteria. The
assessment of proposal is 70% based on competence element and 30% based
on price element. The assessment on the competence will include the following
areas:
Evaluation Criteria (Total: 100 Points)                               Point
Company profile (year of establishment, experience in similar
projects, size, etc.).                                                   10
Proposed solution, function and features, fulfilment and limitation
of assignments and requirements.                                         50
Project Schedule and Project Team’s experience.                          20
Hong Kong SME Innovation Element.                                         5
Reference with similar services.                                         15
Total Score:                                                            100
Table 1. – List of Evaluation Criteria
Buy HK SME Innovation Preferred
To show HKSTP’s support for the Hong Kong innovation & technology SME
community, up to 5% of the evaluation score will be given to any tenderer who
could show their proposed solution containing HK SME Innovation. The tenderer
shall furnish the relevant information to HKSTP in order to be eligible for the
preferential scoring.
A HK SME Innovation is any product/solution designed, researched or
developed in Hong Kong by a Hong Kong SME company.
HKSTP’s judgment will be final in determining whether a proposed solution
contains HK SME Innovation and to what extent.
The vendor warrants that the content of HK SME Innovation nominated in the
proposal will be met in full. Failure to achieve this will render the termination of
the contract by HKSTP at its sole discretion with no compensation to the vendor.
Evaluation and Award Process
An assessment panel will evaluate all responses to this RFP. Proposals must
meet all essential requirements and achieve required minimum point score (60
points in Table 1) before continuing for consideration.
HKSTP may require tenderers to give a presentation and / or demonstration
(as proof of concept) to the assessment panel on their proposed solution. If a
presentation or demonstration is scheduled for HKSTP assessment, the key
personnel in connection with the assignments shall attend it and provide
briefings on the proposal.
Score Calculation Methodology
Technical Score
Vendor Technical Score = (Vendor Point Score / Highest Point Score) x 70%
Price Score
Vendor Price Score = (Lowest Price / Vendor Price) x 30%
Overall Score
Overall Vendor Score = Vendor Technical Score + Vendor Price Score
The vendor price is for assessment purposes and does not equal the
eventual contract price. The awarded tenderer would usually be the one with
the highest overall score.
Payment Terms & Schedule
Payment to the vendor will be made in Hong Kong currency within 30 days
upon receipt of invoice. The payment schedule is as follows:
Payment Schedule                                  Invoice Amount (% of Total)
1st invoice upon tender awarded.                  30%
2nd invoice upon the delivery of
implementation plan and the delivery of the
appliance on premises.                            40%
Last invoice upon one month after
acceptance of the one-off implementation
service.                                          30%
Table 2. – Payment Schedule
General Conditions of RFP
Acceptance / Rejection of Proposal
Any response to this RFP submitted by a tenderer represents a firm offer to
contract on the terms and conditions described in this RFP.
Tenderers are requested to bid on the complete scope and submit the fixed price
for the total solution; no partial solution or alteration of price afterwards
will be considered or accepted.
HKSTP will evaluate proposals in strict confidence. HKSTP may elect at its sole
option to accept all or any item or items of the tenderer’s offer and HKSTP has
sole discretion whether or not to accept any of the tenderer’s proposal
irrespective of its prices. If a quote is submitted on the basis of an overall
acceptance of all the services offered, this must be clearly stated in the proposal.
HKSTP reserves the right to negotiate with any tenderer about the tender offer.
It shall be noted that HKSTP would not be responsible for the reimbursement
of any cost incurred by tenderers for the preparation of the submission.
By submitting the proposal to us, tenderers agree to the terms and conditions
stated in this Request for Proposal.
Accuracy of RFP Prices
Tenderers shall make certain that the prices quoted are accurate and all
products and services (shipment, delivery, un-pack, installation, integration,
customization and configuration, wiring & cabling patching, etc.) are properly
included as per HKSTP’s request before submitting response. Under no
circumstances will HKSTP accept any request for price adjustment on the ground
that a mistake has been made in the RFP.
Alteration and Assumption
No unauthorized alteration or erasure to the text of the RFP document will
be permitted. No unauthorized assumption will be entertained.
Award
At no time shall HKSTP be considered to be under any obligation or
commitment to purchase any product or service from any respondent to the RFP
unless a written contract or purchase order has been entered into with such
respondent. The award is intended to be made to the tenderer whose overall
proposal is determined by HKSTP in its sole discretion to be the most
advantageous to it.
Assignment of Contract or Sub-Contracting
The vendor shall not assign or otherwise transfer this contract or any of its
rights and obligations hereunder whether in whole or in part without written
consent of HKSTP.
Liquidated Damages
If the vendor fails to deliver the goods or complete the services, then it shall
follow up all related activities without any extra cost to HKSTP. HKSTP may
without prejudice to any other methods of recovery, deduct the sum of such
damages from any monies due or to become due to the vendor under this
and/or any other contract valid at the time between HKSTP and the vendor. The
payment or deduction of such damages shall not relieve the vendor from the
obligations to deliver the goods or complete the services or from any other of its
obligations under the contract.
Work Site Damages
The vendor shall make sure that there is no damage to the existing system
during and after the service assignment. Any damage to existing utilities,
equipment or system resulting from the performance of works during the service
assignment shall be repaired to HKSTP’s satisfaction at the vendor’s expense.
Warranty
The vendor agrees that the goods / services furnished under any award
resulting from this RFP shall be covered by the most favourable commercial
warranties the vendor gives any customer for the goods / services. A copy of
this warranty shall be furnished with the quote. At a minimum, all materials,
equipment and labour shall be fully guaranteed by the vendor against defects
resulting from the use of inferior materials, equipment or workmanship for one
year from the date of final acceptance of the goods / services. During the
warranty period, defects discovered shall be rectified by the vendor to HKSTP’s
satisfaction at no cost to HKSTP.
Confidentiality
The vendor is under an obligation to protect the interest of HKSTP by not
divulging confidential information to any parties. The vendor is required to sign
a Non-Disclosure Agreement before commencement of contract.
Intellectual Property Rights
Any and all Intellectual Property Rights in the specifications, plans, tests,
reports, data, results, custom programs and other materials developed by the
vendor and any of its employees, sub-contractors or agents in performance of
the works and the custom programs and relevant document supplied by the
vendor under or in connection with this contract are and shall be the sole and
exclusive property of HKSTP.
Insurance
The vendor shall be responsible to provide Employees’ Compensation
Insurance coverage for those employed for the execution of the services under
this contract. The vendor shall indemnify HKSTP against all losses and claims in
respect of injuries or damage to any person, equipment or installation
whatsoever which may arise out of or in connection with the services.
Termination
If the vendor fails to deliver the goods or complete the services to the
satisfaction of HKSTP, HKSTP may terminate the contract by giving one month
prior written notice to the vendor and the payment will be subject to the extent
of the work in progress as determined by HKSTP.
Anti-collusion
The tenderer shall not communicate to any person other than HKSTP the
amount of any tender, adjust the amount of any tender by arrangement with
any other person, make any arrangement with any other person about whether
or not he or that other person should or should not tender or otherwise collude
with any other person in any manner whatsoever in the tendering process until
the tenderer is notified by HKSTP of the outcome of the tender exercise. Any
breach of or non-compliance with this clause by the tenderer shall, without
affecting the tenderer’s liability for such breach of rules and laws or non-
compliance, invalidate his tender.
This clause shall have no application to the tenderer’s communications in
strict confidence with his own insurers or brokers to obtain an insurance
quotation for computation of tender price and communications in strict
confidence with his consultants / sub-contractors to solicit their assistance in
preparation of tender submission.
Purchase Order Terms & Conditions
The HKSTP’s Purchase Order Terms and Conditions version dated 4 March
2016 which is available in our Corporation’s website
https://www.hkstp.org/hkstp_web/en/hkstp/Supplier registration/ refers.
*** END ***
RFP on Revamp of VPN Connectivity
(Ref: RFP/IT/2017/08/001)
PRICE PROPOSAL FORM
Submitted by
____________________________________________________________
Name of the firm (in block letters)
Item (in Hong Kong dollars)
Total fixed lump sum all inclusive fee for the
provision of the Services as described in this
RFP (including three year maintenance and
any software subscription)
We offer to provide the Goods and/or Services to HKSTP at the prices quoted
in accordance with the requirements and the terms and conditions stated in this
Request for Proposal. Acceptance of this offer shall be evidenced by the issuance
of a completed Purchase Order by HKSTP.
Authorized Signature with Company Chop: ___________________________________
Name: _______________________________
(in block letters)
Title: ________________________________ Date: ___________________________