Invitation to Tender for Outsource Contract of Digital Forensic Support Services 17 April 2019


Contents

Introduction
Requirement Specification
Guidelines for Tenderers
Evaluation of Proposals
Payment and Other Terms
Grievance Procedures
Appendix A: The Technical Part
Appendix B: The Price Schedule
Appendix C: Confidentiality Acknowledgement

Introduction

1. Background

1.1 With the increasing reliance on information technology in the market, there is an increasing chance of the SFC handling electronic evidence while discharging its regulatory duties. In order to further increase its capability in digital forensic related matters, the SFC would like to seek qualified service providers for digital forensic support services (the Services) under a 2-year contract.

1.2 The purpose of this Invitation to Tender (the “Tender”) is to invite prospective tenderers to submit a proposal on providing digital forensic support services to the SFC.

2. Invitation to Tender and Interpretation

2.1 The SFC invites tenderer(s) to submit proposals for providing digital forensic support services. The details can be found in Sections 4-9 of this Invitation to Tender.

2.2 In this document, the following terms shall have the following meanings:

2.2.1 “Contract” means a formal agreement to be entered into between the SFC and those successful tenderer(s) in relation to the digital forensic support services containing such terms and conditions as the parties shall agree including (but not limited to) those terms set out in this invitation to tender (unless the same shall have been modified by the SFC);

2.2.2 “Digital forensic support services” (“the Services”) includes any kind of forensic support services that are either performed onsite (i.e. target premises) or offsite (i.e. SFC’s office or forensic laboratory); and

2.2.3 “tenderer” means the person or persons or corporation tendering for the project and includes the executors and administrators and permitted assigns of such person or persons or corporation.


Requirement Specification

3. Tender Objective and Overall Requirements

3.1 The objective of the tender is to select qualified digital forensic support service providers (“service providers”) to provide the Services upon the SFC’s request. The proposed solution should be able to serve the following requirements:

3.1.1 Confidentiality: Information relating to each request and the Services performed relating to that request must be kept strictly confidential and should be protected in a highly secure manner. Tenderers must be aware that leaking confidential information violates Securities and Futures Ordinance (“SFO”) section 378 “Secrecy of Information”.1

3.1.2 Admissibility: Tenderers must have approaches, procedures, equipment and qualified skills to preserve, identify, duplicate and analyse evidence in order to make the evidence obtained admissible in court.

3.1.3 Availability: Tenderers must have adequate local resources and expertise available to match the needs of the SFC.

4. Selected Staff

4.1 The awarded tenderer should provide a list of staff (“Selected Staff”) that will provide the Services during the contract period. When new staff is assigned to the list, the awarded tenderer must actively report to the SFC within 7 business days. For reporting resignation or termination of selected staff, at least one month prior notice must be given to the SFC. The awarded tenderer should also assist SFC in contacting the person(s) in the list upon request by the SFC. Please refer to Section 9 - Requirements of Service Team for detailed requirements.

5. Responsibility of the Selected Staff

5.1 The Selected Staff of the awarded tenderer who actually perform the digital forensic work:

5.1.1 should prepare and sign personally a formal statement that can be used in a Court or Tribunal to represent the work that has been performed in delivering the Services.

5.1.2 should attend Court or Tribunal to give evidence upon request by the SFC or if summoned by a Court or Tribunal. This responsibility exists even if the following situations occur:

(i) the Selected Staff has left the awarded tenderer; or

(ii) the awarded tenderer goes out of business,

but is not limited to such situations.

1 If you contravene s 378(1) of the SFO, you commit an offence under s 378(10) of that Ordinance. Any person who commits an offence under s 378(10) is liable:

(a) on conviction on indictment to a fine of $1,000,000 and to imprisonment for two years; or

(b) on summary conviction to a fine of $100,000 and to imprisonment for six months.

6. Request Handling Requirements

6.1 When on-site forensic support is required by the SFC, the awarded tenderer should be able to complete checking for conflicts of interest:

(i) the next business day before 12:00 noon if the request is made before 12:00 noon; or

(ii) the next business day before 5 pm if the request is made after 12:00 noon.

6.2 The awarded tenderer must provide support within a timeframe agreed with the SFC after confirming that there is no conflict of interest.

6.3 The awarded tenderer must maintain the service level as mentioned in 6.1 and 6.2 even if the SFC makes multiple requests simultaneously.

6.4 The SFC reserves the right to engage any number of service providers.

6.5 The Selected Staff who are assigned to the task must attend the briefing sessions organized by the SFC (either on-site at the SFC office or via teleconference, with no charge to the SFC) for each request before the commencement of work.

6.6 In any case, all information obtained must be kept strictly confidential and the awarded tenderer and its Selected Staff must be aware of the consequences of violating section 378 of the SFO.

6.7 Tenderers are required to describe how to handle the following:

6.7.1 overall task management and interaction with the SFC

6.7.2 conflict checking and information security

6.7.3 estimate lead time before actual work execution

6.7.4 guaranteed resources to serve our request

6.7.5 continuity of qualified skills and knowledge in case of staff movement

6.7.6 mechanisms to ensure the ethics and quality of its staff

6.7.7 apparent or potential conflict of interest situation after having accepted an assignment from the SFC

7. Digital Forensic Technical Requirements

7.1 Awarded tenderers must adopt sound digital forensic approaches, procedures, and equipment which have been recognized by Courts or Tribunals to perform the assigned tasks.


7.2 Awarded tenderers must provide their own service laptops, equipment, mobile 4G wifi router for Internet connection, and digital forensic tools when performing the Services. Upon completion of an assigned support service and with the SFC's confirmation, the awarded tenderers are responsible for ensuring that all data collected, which relate to the performance of support tasks requested by the SFC, are properly erased and cannot be recovered.

7.3 Awarded tenderers should keep themselves up to date with sound digital forensic technology and approaches. Where necessary, new digital forensic tools should be acquired during the course of the contract to fulfil the SFC’s requirements.

7.4 Awarded tenderers and their selected staff are expected to provide technical, information technology and digital forensic related advice upon the SFC’s request.

7.5 Awarded tenderers and their selected staff are expected to refer all enquiries from the SFC’s counter-parties to the SFC and should refrain from responding to such enquiries directly without the SFC’s consent.

7.6 Awarded tenderers and their selected staff should perform forensic activities in a cautious manner. Activities that may cause conceivable impacts to the seizures or subsequent forensic inspection / processing of evidence will be considered as potential exceptions. If any potential exception becomes unavoidable, awarded tenderers and their selected staff should immediately approach the SFC and be aware of the following:

7.6.1 explain clearly to the SFC about the potential exceptions and the probable impacts and provide reasons / justification for making such potential exceptions approach

7.6.2 relevant SFC consents must be obtained prior to making any potential exceptions

7.6.3 such potential exceptions, the probable impact and relevant SFC consents must be documented in detail in a dedicated exception record/log.

7.7 On-site preview of electronic data may need to be performed upon the SFC’s request. This should not affect the integrity of evidence. Based on instructions of the SFC, the awarded tenderer should assist in seizing and transporting relevant seizures including but not limited to servers, computers, laptops, tablets, wearable devices, mobile phones, digital storage media, and/or other electronic devices.

7.8 The seizures should be kept by the SFC.

7.9 Except on-site support requested by the SFC, all tasks should be performed in the SFC’s premises unless the SFC expressly permits in writing the awarded tenderer to perform the work elsewhere. No digital seizure or information collected when performing support tasks is allowed to leave the premises without the SFC’s express written consent.

7.10 Upon the SFC’s instructions, the awarded tenderer should seal all the documents in electronic or physical form (including working papers, reports, etc.), items seized and their duplicates. Without the SFC’s express written consent, these should not be unsealed.

7.11 The awarded tenderer should be able to deliver the following:

7.11.1 signed records/logs with full details of what work has been performed by the relevant Selected Staff, submitted to the SFC in a timely manner.

7.11.2 chain of custody must be maintained by the awarded tenderers and submitted to the SFC in the agreed record format.

7.11.3 signed dedicated records/logs of any potential exceptions or activities performed, the probable impacts, and the relevant SFC consents where applicable as mentioned in 7.6.3

7.11.4 upon request by the SFC, the awarded tenderers are able to produce a progress report with up-to-date cost incurred.

7.11.5 upon completion of the assigned work, a final report should be submitted to the SFC in a timely manner.

7.12 Please provide the following:

7.12.1 tenderers are required to describe how digital forensic support is conducted in a timely and court admissible manner to obtain the target results in the following situations:

(a) recovering deleted, password protected or encrypted files such as emails or documents

(b) retrieving data from faulty/damaged hard drives

(c) retrieving data from proprietary systems (e.g. self-developed accounting system)

(d) restoring significant volume of backup data

(e) retrieving data from mobile devices such as smartphones and tablets

(f) retrieving data from different Apps in smartphones and tablets

(g) handling (e.g. correlate, sort) a significant volume of emails

(h) reconstructing Internet activity histories and identifying relevant caches

(i) retrieving data from faulty/damaged mobile devices and removable storage devices

(j) retrieving data from online and cloud-based solutions such as Gmail, Dropbox, Workday and Facebook, etc.


(k) retrieving data from social media networks such as QQ, WhatsApp, WeChat, Facebook, Instagram, etc.

(l) retrieving data from databases such as Oracle, MySQL, MS-SQL, MongoDB, ElasticSearch, NoSQL DB, etc.

(m) retrieving data from corporate ERP solutions, such as SAP, etc.

(n) forensic imaging / retrieving data from a running server

(o) forensic imaging / retrieving data from virtual machines residing in seized evidence

(p) other circumstances that your skill or knowledge may help collecting target evidence

7.12.2 Tenderers are required to describe what equipment will be used and for what purpose.

7.12.3 Tenderers are required to describe:

(a) the handling and preservation of the seized items

(b) how seized items and duplicates (e.g. forensic images) are securely stored during and after forensic imaging processes

7.12.4 Tenderers are required to describe the processes for erasing the Services related data upon the SFC’s request.

8. Court Testify and Expert Statement

8.1 One or more of the Selected Staff, in the awarded tenderers’ local Service Team, should have experience in preparing Expert Statement(s) which were held admissible by a Court or Tribunal.

9. Requirements of Service Team

9.1 Tenderers must have a local (Hong Kong) Service Team which consists of at least 3 Selected Staff, and the Selected Staff should have:

9.1.1 a minimum 3 years of digital forensic experience

9.1.2 relevant certifications and hands-on experience in using digital forensic tools (e.g. Encase, FTK, Cellebrite, NUIX, etc.)

9.1.3 experience in forensic handling of smart phones (in particular iPhone, Android and Blackberry), tablets (in particular iPad) and servers

9.1.4 good written and oral communication skills in both English and Chinese

9.2 Tenderers are required to describe their team assigned to engage in the Services. This includes but is not limited to:


9.2.1 service team structure

9.2.2 local resources in your company directly dealing with digital forensic services

9.2.3 relevant professional qualifications and certifications of each Selected Staff

9.2.4 what each Selected Staff is specialised in

9.2.5 how long each Selected Staff has worked for the tenderer

10. Added Value Services and Alternative Proposal

10.1 A tenderer may, but is not required to, include other related services that add value and help address SFC's digital forensic needs.

10.2 Although the SFC intends to outsource its digital forensic support services according to requirement specification shown in Section 4 - 9, tenderers are welcome to propose alternative solutions (including Service Team structure, conflict check arrangement, project management methodology, etc.) and / or additional services for this outsourcing project, in the following scenarios:

10.2.1 the tenderer could not directly fulfil some of the listed requirements, but could offer an alternative solution to deliver equivalent services in a forensically sound manner

10.2.2 the alternative solutions and / or additional services proposed will add significant value to strengthen the forensic support services

10.3 If an alternative solution is proposed, tenderers are required to include, in Section 3 Exceptions to SFC’s Conditions and Requirements of the Technical Part the following:

10.3.1 a comparison of the alternative solution proposed against the original requirement specification shown in Section 4 – 9

10.3.2 how the alternative solution could deliver equivalent services without affecting court-admissibility of evidence and service levels

10.3.3 [optional] how the alternative solution proposed could add value to strengthen the digital forensic support services

11. Number of Service Providers Required

11.1 The SFC reserves the right to outsource or not to outsource its digital forensic support services. If none of the tenderer(s) meet an expected service level, the SFC reserves the right not to award the contract to any tenderer(s). Please also note that after contract award, the SFC has the option to call for or not to call for digital forensic support services. The outsource service arrangement may be adjusted subject to the final decision of the SFC after tender evaluation. The tenderer is reminded to take this into consideration when responding to the tender.

12. Other Terms And Conditions

12.1 The SFC reserves the right to accept/reject any of Selected Staff proposed.

12.2 If there is any turnover to the Selected Staff, at least one month prior notice must be given to the SFC. Please note that any ex-Selected Staff member is still subject to s378 of the SFO and must keep all information obtained during their engagement on work performed for the SFC strictly confidential, and could be summoned for a Court or Tribunal appearance and required to provide a statement if such need arises.


Guidelines for Tenderers

These guidelines are intended to provide tenderers with guidance on the procedure for submitting their proposals and the approach that the SFC will generally adopt in assessing such proposals. They do not bind, and are not intended to bind, the SFC in any way. The SFC reserves the right to accept or reject all or any part of a proposal.

13. Preparation and Submission of Proposals

13.1 What must proposals cover?

13.1.1 In the proposal, the tenderers should present their company profiles, including the organisation of the company and the makeup of the project team, and highlight relevant works in their credentials. Tenderers should describe their previous experience (with references of previous work) in similar digital forensic projects.

13.1.2 Tenderers may propose alternatives to the SFC’s conditions and requirements if they consider that such conditions and requirements are either not feasible or do not provide the SFC with the best solution in the circumstances.

13.2 What form must proposals take?

13.2.1 All proposals must be submitted in writing in both physical and electronic form.

13.2.2 One hardcopy of each proposal must be provided, together with a softcopy on CD-ROM (email or other media are not accepted). The softcopy should be in Microsoft Word® format (version 6 or above) or Adobe Acrobat® format (version 4 or above).

13.2.3 The SFC will not consider any proposal that is submitted in writing without an accompanying softcopy.

13.3 To whom must proposals be submitted?

13.3.1 Written proposals should be marked with the reference “Outsource Contract of Digital Forensic Support Services” and must be submitted in a sealed envelope and deposited to a TENDER BOX at the following address:

Securities and Futures Commission
30th Floor, Cheung Kong Center
2 Queen’s Road Central
Hong Kong

13.4 What is the deadline for the submission of proposals?

13.4.1 Proposals must be received by the SFC at the above-mentioned address on or before 2:00pm 15 May 2019.

13.4.2 The SFC will not consider any late proposals.


13.5 How must proposals be set out?

13.5.1 Each proposal must be separated into the following parts:

(a) a Technical Part describing the proposals;

(b) a Price Schedule; and

(c) a Letter:

(i) offering to carry out the works described in the Technical Part for the prices detailed in the Price Schedule in compliance with the "Payment and Other terms" set out in section 19-24 of this Invitation to Tender;

(ii) stating the period that the offer is to remain open;

(iii) undertaking to negotiate in good faith to finalize promptly the Contract and to commence work immediately thereafter;

(iv) containing an acknowledgement and agreement that the SFC:

• is not bound to accept the lowest tender or any tender;

• reserves the right to make changes to the project requirement; and

• will not defray any expenses incurred in tendering and/or in negotiating the Contract, whether successful or otherwise;

(v) signed by the tenderer (in the case of an individual) or a duly authorized officer of the tenderer (in the case of a company).

13.5.2 For the proposal hardcopy as well as its softcopy, the Technical Part, the Price Schedule and the Letter must be submitted as separate documents and be placed in separate envelopes. The envelope containing the Technical Part must be clearly marked “Technical Proposal”. The envelope containing the Price Schedule must be clearly marked “Price Schedule”. The envelope containing the Letter must be clearly marked “Offer Letter”. Price information must not be specified in the Technical Part.

13.5.3 Details in relation to what should be specified in each part are set out in APPENDIX A (Technical Part) and B (Price Schedule) to this document.

13.6 How long should tenderers’ offers remain open?

13.6.1 By making a proposal in response to this Invitation to Tender, a tenderer will be treated as having made an offer to the SFC. A tenderer should clearly state in its proposal how long this offer will remain open.


13.6.2 In order to allow the SFC sufficient time to consider all proposals validly submitted, tenderers should keep their offers open for at least 90 days from the closing date of this Invitation to Tender. If this cannot be done, the reason must be stated in the proposal.

14. Queries Regarding This Invitation to Tender Or Proposals Made In Response

14.1 What if the SFC has any queries about a particular proposal?

14.1.1 If the SFC considers that any aspect of a proposal requires clarification from the tenderer, the SFC may request that the tenderer:

(a) supplement its proposal; or

(b) answer the SFC’s queries

orally or in writing, or in any manner that the SFC deems fit.

14.2 What if a tenderer has any queries?

14.2.1 Any queries regarding this Invitation to Tender should be made to:

Mr. Steven CHAN
Senior Manager
Information Technology, Corporate Affairs
Telephone: 2231 1278
Email: [email protected]

Or, alternatively:

Mr. Gary HU
Manager
Information Technology, Corporate Affairs
Telephone: 2231 1198
Email: [email protected]

Note: Please sign and return the Confidentiality Acknowledgement (Appendix C) before making any enquiry.


Evaluation of Proposals

15. How does the SFC evaluate valid proposals that it receives?

15.1 There are two parts to the SFC’s evaluation process: evaluation of the Technical Part and evaluation of the Price Schedule (in that order). The Price Schedule will only be considered after the SFC has evaluated the Technical Part. The SFC will not make any selection based solely on price.

16. Evaluation of the Technical Part

16.1 The SFC will generally evaluate the technical aspects of each proposal according to the following criteria:

(a) Completeness and adequacy of the proposal according to the requirements as stipulated in this Invitation to Tender: 10%

(b) Company background and related experience - Previous experience which the tenderer had in conducting similar support service: 20%

(c) Quality in the Proposed Solution: 20%

(d) Selected Staff (experience, qualifications and skills): 50%

The above criteria are for reference only, which provide tenderers an indicative guideline of their relative significance. SFC reserves the right to change the criteria and/or the relative percentage weighting of any item without further notifying the tenderers.

17. Notification Of Results And Rejection Of Proposals

17.1 The SFC will notify each tenderer by post and/or e-mail within 14 days of finalising its shortlist as to whether or not they have been selected by the SFC to appear on such shortlist.

17.2 The SFC retains the right to reject any or all tender(s) submitted.

18. Acceptance

18.1 No tender (or part thereof) shall be taken to have been accepted unless and until execution of the Contract.


Payment and Other Terms

19. Payment terms

19.1 The SFC has a performance-based payment policy, under which payments will be made on actual delivery of services or products.

19.2 Wherever possible, and if the SFC considers appropriate in the circumstances, the SFC will pay the successful tenderer for each agreed phase of the project:

19.2.1 the SFC should not be charged for tasks performed in Section 6 (e.g. conflict of interest checking, arranging resources required and attending briefing sessions before commencement of work)

19.2.2 Service charge for Section 7 should be charged based on number of units of electronic devices (e.g. computers, mobile devices etc.). Where services could not be charged on a unit basis, they should be charged by number of man hours/days. Proof of actual number of man hours/days charged and a description of the detailed work performed must be provided for billing. Billing for Section 7 should be made upon completion and submission of final report.

19.2.3 Service charge for Section 8 should be charged based on number of man hours/days incurred. Proof of actual number of man hours/days charged and a description of the detailed work performed must be provided for billing. Billing for Section 8 is subject to the terms and conditions agreed for each request and should be made upon completion and submission of final report.

19.2.4 Please apply the suggested pricing model on our sample cases in Appendix B - Price schedule to calculate the cost for each sample case for our consideration.

20. Other terms

20.1 The contract period is two years. At the SFC’s discretion, the contract may be extended upon contract expiry.

20.2 Before signing the contract, the tenderer must provide proof of their financial position for vetting by SFC.

21. Termination of service

21.1 The successful tenderer shall use its best endeavours to perform the Contract with such due care and skill as is expected of a provider of similar services and products and of a comparable standing in the industry but, if for whatever reason, the SFC in its opinion, concludes that the successful tenderer is in breach of the Contract or does not provide the level of service required by the SFC, the SFC shall have the right to terminate the contract by notice in writing to the successful tenderer.


22. Sub-contracting of services

22.1 Due to the nature and sensitivity of this Tender, sub-contracting of services is not permitted.

22.2 During the course of their work, the awarded tenderers may encounter situations where special and unique technology/equipment/services from other vendors are required. Under that situation, the awarded tenderers may subcontract that particular work upon SFC’s prior written agreement.

23. Conflicts of interest

23.1 A tenderer must have no conflicts, or potential conflicts, of interest with its duties to the SFC under the proposal. If a tenderer has, or potentially has, conflicts of interest with its duties to the SFC under the proposal, the tenderer should clearly state this in the proposal. This requirement extends to the tenderer’s associates, associated persons, group companies and each member of the tenderer’s professional staff (and their associates and associated persons).

24. The incorporation of proposals into Contract signed with the SFC

24.1 Any proposals and responses submitted by the successful tenderer to the SFC’s inquiries may form part of the Contract made between the SFC and such tenderer.

24.2 Every representation by the successful tenderer (whether of fact or performance, and whether set out in the proposal or otherwise) will be incorporated as warranties in any Contract between the SFC and such tenderer. The SFC reserves the right to seek an indemnity if tenderers fail to keep these warranties. Therefore, any statement of fact or performance that the tenderer does not wish to be treated as a warranty should be clearly indicated.


Grievance Procedures

25. SFC, as a public body, has a duty to conduct its affairs in a responsible and transparent manner. We have therefore put in place the Grievance Procedures with effect from 1 April 2004. The policy on Public Interest Grievances is intended to assist persons who are engaged by or to work in/with SFC, and who believe that they have discovered improper practices or misconduct relating to the running of SFC or work related activities of employees of SFC, to report these in a constructive manner.

25.1 This policy is for any person who has an employment contract with SFC, is on secondment to SFC, is engaged as an independent consultant by SFC or is a contractor or supplier of services to SFC. Public Interest Grievances might include:

25.1.1 Criminal activity, such as accepting a bribe;

25.1.2 Financial or administrative malpractice;

25.1.3 Misconduct or improper behaviour;

25.1.4 Failure to comply with legal obligations such as those set out in the Securities and Futures Ordinance;

25.1.5 Endangering occupational health or safety;

25.1.6 Attempts to suppress or conceal information relating to any of the above.

25.2 The Policy on Public Interest Grievances can be found on the SFC website under “Lodge a complaint > Against the SFC > Staff/contractor complaints against the SFC or its employees”. Please contact the Commission Secretary of the SFC if you have any questions.


Appendix A: The Technical Part

The tenderer is free to include any information that it considers to be relevant to its proposal. However, as a minimum, this part should contain all of the following:

Table of Contents

1. Executive Summary

1.1 This section should provide a full summary of the proposed solution.

2. The Proposed Solutions and Service Plan

2.1 This section should describe the proposals in detail and explain how the proposals meet the conditions and requirements set out in Section 4 - 9, and describe any limitations and compatibility issues associated with the proposals.

2.2 Submit a work plan/procedure (including tools and resources and estimated time required) with expected output and detailed descriptions of approaches adopted for handling each of the following sample cases.

2.2.1 Describe how the SFC is involved

2.2.2 Describe what your team would look for

2.2.3 Describe how you start with the service

2.2.4 Describe how to conduct quality checking

2.2.5 Describe what potential difficulties may happen

Case 1: Perform forensic support which involved seizing of 5 computers on-site each with hard disk size 1TB, and perform subsequent forensic imaging of seized evidence.

Case 2: Perform forensic support which involved seizing 1 iPhone with latest version of iOS installed and 1 Android phone, and perform subsequent forensic imaging of seized evidence, and extracting of data stored (including but not limited to e-mail, instant messages, and social media information) in these devices.

Case 3: Perform forensic support which involved extracting and analysing emails in 3 mailboxes which may contain legal professional privilege (LPP) materials. Some emails were already deleted on the server. The following describes the details:

| Location | Details |
| --- | --- |
| Online Server | 2 GB for each mailbox |
| Backup tapes | • Daily full backup (perform at day end): 2 x backup tapes for each day (retain for 30 days) with a total of 30 sets • Monthly backup (perform at month end): 2 x backup tapes (retain for 1 year) with a total of 12 sets |


Assumptions:

Focus on emails of the most recent 3 months.

10 keywords are requested for analysis.

Extracted email must be checked by lawyer of counter parties to segregate LPP materials from non-LPP items.

The SFC will examine non-LPP materials only.

Case 4: Perform forensic support to retrieve Microsoft Office files and emails from Microsoft Office 365 with consent from the target, and perform subsequent forensic imaging of seized evidence.

3. Exceptions to the SFC’s Conditions and Requirements

3.1 If a tenderer wishes to propose alternatives to the SFC’s conditions and requirements, these alternatives should be specified here. The tenderer should explain:

3.1.1 why the SFC’s conditions and requirements do not provide the SFC with the best solution in the circumstances; and

3.1.2 the ways in which their alternatives are better.

4. Vendor Profile

4.1 The tenderer should provide full details of its company profile. This should include the following matters:

4.1.1 the company’s background, history;

4.1.2 the company’s financial strength, supported by an audited report or financial summary;

4.1.3 its experience in similar projects;

4.1.4 references for similar projects (please provide the Scope, Team Size, Type of Services Provided etc.); and

4.1.5 other relevant information.

5. Appendices

5.1 Project Team and Structure

5.1.1 Names, detailed qualifications and detailed work experience (in particular, please provide a list of court experience including case names, their roles, and whether they were required to testify in court) of persons proposed to be assigned to implement the project and the team structure. The information provided may be subjected to verification.


5.2 Sample Deliverables

5.2.1 Provide your sample deliverables that the SFC will receive for each job assigned. This includes but is not limited to the following:

(a) Chain of Custody Form

(b) Log sheets and other working papers

(c) Evidence Inventory

(d) Final report

5.3 Professional Ethics

5.3.1 Describe your professional ethics in managing the digital forensic process, which includes but is not limited to:

(a) Confidentiality of the SFC’s investigations

(b) Disposal of working results and reports containing sensitive information

(c) Undertaking for damages to the SFC due to negligence

5.4 Other relevant information

5.4.1 The tenderer can include any other information that it considers to be relevant to its proposal.


Appendix B: The Price Schedule

This part should contain all of the following:

1. Executive Summary

1.1 This part should provide a full summary of the project fee structure, and any payment arrangements.

2. Fees Schedule

2.1 All fees must be quoted in Hong Kong Dollars.

2.2 Provide the pricing model. All fees should be properly itemized and explained and include all amounts payable by way of royalty, licence fee, software licence fee or otherwise for patent, any copyright design fee or other intellectual property rights. The fees on hardware, software and consultancy services must be separately stated. Here is a sample pricing table for reference:

Hourly rate for on-site digital forensic support:

| On-site support service hourly rate | HK Dollar |
| --- | --- |
| Office hours (Mon – Fri, 9:00am – 6:00pm) | $ X,XXX.00 |
| After office hours (Mon – Fri, 6:00pm – 9:00am, Saturday, Sunday & Public Holiday) | $ Y,YYY.00 |

Expected Deliverables:

• Completed Chain of Custody Forms

• On-site support log sheet/working papers/analysis results signed by Selected Staff

• Personal statement signed by Selected Staff, that could be used in court and / or tribunal

Flat rate charge for forensic imaging (PC/Laptop/iMac/Mac notebook/Removable hard disk)

| Number of hard disks per assignment | Cost per hard disk up to 500 GB (HKD) | Cost per hard disk above 500 GB and less than or equal to 1TB (HKD) | Cost per hard disk above 1TB and less than or equal to 2TB (HKD) | Cost per hard disk above 2TB and less than or equal to 4TB (HKD) | Cost per hard disk greater than 4TB (HKD) |
| --- | --- | --- | --- | --- | --- |
| 1 to 3 | $ Z,ZZZ.00 | $ Z,ZZZ.00 | $ Z,ZZZ.00 | $ Z,ZZZ.00 | $ Z,ZZZ.00 |
| 4 to 10 | $ Y,YYY.00 | $ Y,YYY.00 | $ Y,YYY.00 | $ Y,YYY.00 | $ Y,YYY.00 |
| More than 10 | $ X,XXX.00 | $ X,XXX.00 | $ X,XXX.00 | $ X,XXX.00 | $ X,XXX.00 |


Expected Deliverables:

• Completed Chain of Custody Forms

• On-site support log sheet with Image acquisition worksteps and image details signed by Selected Staff

• Two copies of Encase forensic image (.E01 or .Ex01) and verify the Encase forensic image hash value without error by using Encase software

• Personal statement signed by Selected Staff, that could be used in court and / or tribunal

Flat rate charge for forensic imaging (Traditional Mobile Phone/BlackBerry/Smart Phone/PDA/Tablet)

| Number of Traditional Mobile Phone/BlackBerry/Smart phone/PDA/Tablet per assignment | Cost per device |
| --- | --- |
| 1 to 3 | $ Z,ZZZ.00 |
| 4 to 10 | $ Y,YYY.00 |
| More than 10 | $ X,XXX.00 |

Expected Deliverables:

• Completed Chain of Custody Forms

• On-site support log sheet with Image acquisition worksteps and image details signed by Selected Staff

• Two copies of forensic image/reports/analysis results

• Reader program (e.g. cellebrite reader) for opening forensic image / extracted information of the imaged mobile phone

• Personal statement signed by Selected Staff, that could be used in court and / or tribunal

** Note: Removable memory card will be imaged and charged separately.

Flat rate charge for forensic imaging (CD/DVD, Memory Card & USB flash drive up to 32 GB)

| Number of CD/DVD Disc, Memory Card & USB per assignment | Cost per device |
| --- | --- |
| 1 to 3 | $ Z,ZZZ.00 |
| 4 to 10 | $ Y,YYY.00 |
| More than 10 | $ X,XXX.00 |

Expected Deliverables:

• Completed Chain of Custody Forms

• On-site support log sheet with Image acquisition worksteps and image details signed by Selected Staff

• Two copies of Encase forensic image (.E01 or .Ex01) and verify the Encase forensic image hash value without error by using Encase software

• Personal statement signed by Selected Staff, that could be used in court and / or tribunal


Flat rate charge for forensic imaging (Memory Card & USB flash drive over 32GB & up to 512GB)

| Number of Memory Card & USB flash drive over 32GB & up to 512 GB per assignment | Cost per device |
| --- | --- |
| 1 to 3 | $ Z,ZZZ.00 |
| 4 to 10 | $ Y,YYY.00 |
| More than 10 | $ X,XXX.00 |

Expected Deliverables:

• Completed Chain of Custody Forms

• On-site support log sheet with Image acquisition worksteps and image details signed by Selected Staff

• Two copies of Encase forensic image (.E01 or .Ex01) and verify the Encase forensic image hash value without error by using Encase software

• Personal statement signed by Selected Staff, that could be used in court and / or tribunal

Hourly rate for court testimony:

| Court testimony / Expert Statement hourly rate | HK Dollar |
| --- | --- |
| Office hours (Mon – Fri, 9:00am – 6:00pm) | $ X,XXX.00 |
| After office hours (Mon – Fri, 6:00pm – 9:00am, Saturday, Sunday & Public Holiday) | $ Y,YYY.00 |

Expected Deliverables:

• Selected Staff is expected to attend court to testify on work performed

• Written report / Personal statement signed by Selected Staff, that will be used for court and / or tribunal testimony

2.3 Submit a quotation (in terms of dollars and elapsed time) with the necessary breakdown for each of the sample cases mentioned in Appendix A: The Technical Part using the rate quoted in 2.2 – 2.3.

3. Payment Terms and Arrangements

3.1 Payment terms and arrangements should be described in accordance with the SFC’s performance-based payment policy (see PAYMENT AND OTHER TERMS in Section 19 – 23 of this tender).


Appendix C: Confidentiality Acknowledgement

Acknowledgement and Undertaking

Acknowledgment in relation to the preservation of secrecy pursuant to section 378 of the Securities and Futures Ordinance (Chapter 571 of the Laws of Hong Kong) (“SFO”) and avoidance of conflict of interests pursuant to section 379 of the SFO. Terms in this acknowledgement shall have the same meaning as defined in the SFO, unless otherwise defined herein.

___________________________________________________________________

Section 378 of the SFO binds you and in particular subsection (1) of that section which provides as follows:

(1) Subject to subsection 13(A), except in the performance of a function under, or for the purpose of carrying into effect or doing anything required or authorized under, any of the relevant provisions, a specified person -

(a) shall preserve and aid in preserving secrecy with regard to any matter coming to his knowledge by virtue of his appointment under any of the relevant provisions, or in the performance of any function under or in carrying into effect any of the relevant provisions, or in the course of assisting any other person in the performance of any function under or in carrying into effect any of the relevant provisions;

(b) shall not communicate any such matter to any other person; and

(c) shall not suffer or permit any other person to have access to any record or document which is in his possession by virtue of the appointment, or the performance of any such function under or the carrying into effect of any such provisions, or the assistance to the other person in the performance of any such function under or in carrying into effect any such provisions.

TAKE NOTICE THAT IF YOU CONTRAVENE SECTION 378(1) OF THE SFO YOU COMMIT AN OFFENCE UNDER SECTION 378(10) OF THE SFO. ANY PERSON WHO COMMITS AN OFFENCE UNDER SECTION 378(10) IS LIABLE:

(a) on conviction on indictment to a fine of HK$1,000,000 and to imprisonment for two years; or

(b) on summary conviction to a fine of HK$100,000 and to imprisonment for six months.


Section 379 of the SFO binds you and in particular subsections (1), (2) and (3) of that section which provide as follows:

(1) Subject to subsection (2), any member of the Commission or any person performing any function under any of the relevant provisions shall not directly or indirectly effect or cause to be effected, on his own account or for the benefit of any other person, a transaction regarding any securities, structured product, futures contract, leveraged foreign exchange contract, or an interest in any securities, structured product, futures contract, leveraged foreign exchange contract or collective investment scheme -

(a) which transaction he knows is or is connected with a transaction or a person that is the subject of any investigation or proceedings by the Commission under any of the relevant provisions or the subject of other proceedings under any provision of the SFO; or

(b) which transaction he knows is otherwise being considered by the Commission.

(2) Subsection (1) does not apply to any transaction which a holder of securities or a structured product effects or causes to be effected by reference to any of his rights as such holder -

(a) to exchange the securities or structured product or to convert the securities or structured product to another form of securities or structured product;

(b) to participate in a scheme of arrangement sanctioned by the Court of First Instance under the Companies Ordinance (Cap. 622) or the relevant Ordinance;

(c) to subscribe for other securities or another structured product or dispose of a right to subscribe for other securities or another structured product;

(d) to charge or pledge the securities or structured product to secure the repayment of money;

(e) to realize the securities or structured product for the purpose of repaying money secured under paragraph (d); or

(f) to realize the securities or structured product in the course of performing a duty imposed by law.

(3) Any member of the Commission or any person performing any function under any of the relevant provisions shall forthwith inform the Commission if, in the course of performing any function under any such provisions, he is required to consider any matter relating to -

(a) any securities, futures contract, leveraged foreign exchange contract, structured product, or an interest in any securities, futures contract, leveraged foreign exchange contract, collective investment scheme or structured product -

(i) in which he has an interest;

(ii) in which a corporation, in the shares of which he has an interest, has an interest; or

(iii) which -

(A) in the case of securities, is of or issued by the same issuer, and of the same class, as those in which he has an interest;


(B) in the case of a futures contract, is interests, rights or property based upon securities of or issued by the same issuer, and of the same class, as those in which he has an interest; or

(C) in the case of a structured product, is interests, rights or property based on a structured product of or issued by the same issuer, and of the same class, as that in which he has an interest; or

(b) a person -

(i) by whom he is or was employed;

(ii) of whom he is or was a client;

(iii) who is or was his associate; or

(iv) whom he knows is or was a client of a person with whom he is or was employed or who is or was his associate.

TAKE NOTICE THAT IF YOU CONTRAVENE SECTION 379(1) AND/OR SECTION 379(3) OF THE SFO YOU COMMIT AN OFFENCE UNDER SECTION 379(4) OF THE SFO. ANY PERSON WHO COMMITS AN OFFENCE UNDER SECTION 379(4) IS LIABLE:

(a) on conviction on indictment to a fine of HK$1,000,000 and to imprisonment for two years; or

(b) on summary conviction to a fine of HK$100,000 and to imprisonment for six months.

The term “specified person” is defined in section 378(15) of the SFO and means-

(a) the Commission;

(b) any person who is or was a member, an employee, or a consultant, agent or adviser, of the Commission; or

(c) any person who is or was -

(i) a person appointed under any of the relevant provisions;

(ii) a person performing any function under or carrying into effect any of the relevant provisions; or

(iii) a person assisting any other person in the performance of any function under or in carrying into effect any of the relevant provisions.

The term “person” has the meaning attributed to it in section 3 of the Interpretation and General Clauses Ordinance (Cap. 1) which provides that “person” includes any public body and any body of persons, corporate or unincorporate, and this definition shall apply notwithstanding that the word “person” occurs in a provision creating or relating to an offence or for the recovery of any fine or compensation.


I/We acknowledge that I/we have received and read carefully a copy of sections 378 and 379 of the Securities and Futures Ordinance (Cap. 571), and understand that these sections (in particular, sections 378(1) and 379(1), (2) and (3)) impose statutory obligations on me/us. I/We further confirm that I/we understand and agree to be bound by the provisions of sections 378 and 379 of the Securities and Futures Ordinance (Cap. 571).

______________________________
Signature

______________________________
Name / Entity name (as applicable)

______________________________
Name of authorized signatory (in the case of an entity)

______________________________
Title of authorized signatory (in the case of an entity)

______________________________
Date

Witnessed by:

______________________________
Signature

______________________________
Name

______________________________
Title

______________________________
Date