Asai RFQ Soc
ASA International Request for Quotation –
Managed SOC implementation
In Commercial Confidence
Page 1 of 18, ASA International RFQ for SOC Implementation
Date: March 2023
Table of Contents
1 Introduction
1.1 About ASA International N.V.
1.2 Purpose of the document
1.3 Confidentiality Statement
2 RFQ Scope and deliverables
2.1 Countries
2.2 Solution
2.3 Design and provisioning of the SOC implementation
2.4 Operational Acceptance of the SOC implementation
2.5 SOC Managed services
2.5.1 Monitoring and Analysis
2.5.2 Incident Response
2.5.3 Reporting
2.5.4 Maintenance and updates
2.6 Documentation
3 Project Planning and Management
3.1 Project planning requirements
3.2 Schedule of Events
3.3 Responsibility Matrix
4 Vendor, technical and commercial qualifications in the proposal
4.1 Vendor qualifications
4.2 SOC setup and implementation
4.3 Service features
4.4 Quotation from the vendor
5 How to Respond & Method of award
5.1 Vendors response
5.2 Method of award
6 Supplementary
Version Control
1 Introduction
ASA‐International N.V. (ASAI) is pleased to invite you to respond to this Request for Proposal (RFQ) for
Managed Security Operation Center (SOC) Services. The intention of this RFQ is to solicit responses
and formal proposals from qualified Managed SOC Services Providers (MSPs) and select a single
organization to provide Managed SOC services to ASAI.
1.1 About ASA International N.V.
ASA‐International N.V. is an international microfinance holding company which owns and operates 13
microfinance institutions in Africa and Asia. The Group focuses on providing small loans to low income
female micro‐entrepreneurs for business purposes. The operating model comprises numerous small
branches near lending communities. A key element of the operating model is the use of client groups
to support individual lending. Although there is no joint liability for outstanding loans, the group helps
to guarantee successful outcomes by enabling simplified collection mechanisms and exerting a degree
of social cohesion across group members and hence reducing loan delinquency. ASA International also
offer savings and microinsurance products across a number of operating countries. In some markets,
ASA International have received a banking license and offer a simple deposit account to ASA
International customers with cheque‐based payments supported. In India, ASA International offer a
Business Correspondent (BC) model to an Indian bank – this involves ASA International using its branch
network to recruit customers and offer loans on behalf of the bank.
ASA International’s operating model is highly standardized across countries. This level of
standardization also applies to ASA International’s in‐country organization which consists of branches,
regions, districts, and a country headquarters.
1.2 Purpose of the document
The purpose of this document is to define the scope, requirements, and instructions that comprise a
Request for Quotation for providing a managed SOC service for ASA‐International N.V. (ASAI) for
managing ASAI’s Software, Application and Infrastructure including:
Cloud infrastructure,
OnPrem infrastructure,
Core Banking Solution, Middleware
Digital Financial System (DFS)
DevSecOps
Network Devices (Router, Switch, Storage, Load Balancer etc.)
Security Solutions (Firewall, IPS, VPN, EDR, Vulnerability Management)
Endpoint devices and software
This RFQ is issued solely for information and planning purposes. This document does not commit ASAI
to contract for any service, supply, or subscription whatsoever. ASAI will not reimburse any
information or administrative costs incurred as a result of participation in response to the RFQ. All
costs associated with response will solely reside at the responding party’s expense.
1.3 Confidentiality Statement
All information included in this RFQ is considered confidential and intended only for use by
responders. No information included in this document, or in discussions related to ASAI’s Managed
Service Provider selection effort, may be disclosed to another party or used for any other purpose
without the express written or verbal consent.
2 RFQ Scope and deliverables
ASA‐International N.V. wishes to onboard a Vendor for implementing an ASAI SOC and providing
Managed SOC Services for a period of 3 years.
The generic scope of the RFQ for a managed SOC implementation is as per below.
2.1 Countries
The solution as part of the scope of the RFQ must be rolled out to the following countries where ASA is
active:
Bangladesh
Ghana
The other countries can be onboarded as part of new subsequent projects.
2.2 Solution
The proposed solution should be based on Microsoft Sentinel. ASAI has a preference for using cloud
solutions. Procurement of subscription/licenses is a responsibility of ASAI. The SOC design,
implementation and managed services on that infra will be provided by the RFQ vendor.
2.3 Design and provisioning of the SOC implementation
For the design and deployment of the ASAI managed SOC the following items are in scope:
1. Assessment of the current security posture and identification of potential vulnerabilities and threats.
2. Design and Architecture of the SOC including hardware and software requirements.
3. A detailed project plan with phased approach to implement the SOC
4. Deployment of the SOC with all necessary tools, systems, integrations and processes.
5. Customization to integrate with custom made systems and legacy systems.
6. Business continuity plan (“BCP”) in the event its SOC is unavailable.
7. Documentation on policies and procedures.
2.4 Operational Acceptance of the SOC implementation
For operational acceptance of the SOC implementation the following approach is defined:
1. Operational Acceptance shall commence per country once the system is commissioned for
that country for a period of maximum 30 days.
2. Operational Acceptance will only be provided after the SOC implementation.
3. The Vendor will have to facilitate the Operational Acceptance Tests. Operational Acceptance
Tests will be performed by ASAI. However, the Vendor will have to facilitate Operational
Acceptance during commissioning of the SOC implementation, to ascertain whether the SOC
conforms to the scope of work. The Vendor will have to facilitate the testing of application
from ASAI users during the Operational Acceptance. Necessary support shall be provided by
the Infra and application teams of ASAI.
4. After the Operational Acceptance has completed, the Vendor may give a notice to ASAI
requesting the signoff of the delivery. ASAI will:
a. Signoff the SOC implementation delivery; or
b. Notify the Vendor of any deficiencies or other reason for the failure of the Operational
Acceptance Tests.
5. Once deficiencies have been addressed, the Vendor shall again notify ASAI, and ASAI, with the
full cooperation of the Vendor, shall use all reasonable endeavours to promptly carry out
retesting of the SOC implementation. Upon the successful conclusion of the Operational
Acceptance Tests, the Vendor shall notify ASAI of its request for Operational Acceptance, ASAI
will then sign off the Operational Acceptance, or shall notify Vendor of further deficiencies, or
other reasons for the failure of the Operational Acceptance Test.
2.5 SOC Managed services
After implementation and operational acceptance of the SOC the Vendor is requested to provide a
managed service to operate the SOC for a period of three years.
The managed service consists of the following items as described in the subsections below.
2.5.1 Monitoring and Analysis:
For the monitoring and analysis activities the following items are in scope:
1. 24/7/365 monitoring of our organization's network and systems.
2. Real‐time analysis of security events, alerts, and logs to identify potential security threats.
3. Correlation and analysis of security events from multiple sources to identify potential security
incidents.
4. Predicting incidents before they happen, preventive alerts of growing global threats, lessons
learned from incidents from other customers.
5. Provide certification training with exam to max 6 ASAI employees on Microsoft SC‐200 and
MS‐500 certification to build up internal knowledge on SOC operation within ASA
2.5.2 Incident Response:
For the incident response the following items are in scope of the RFQ:
1. Rapid response to identified security incidents.
2. Escalation of critical incidents to our organization's designated personnel in accordance with
the Service Level Agreements (“SLAs”).
3. Mitigation and resolution of security incidents
4. Conducting root cause analysis and corresponding documentations.
5. New use cases and playbooks design and deployment in case it is required.
6. Provide Report for Incident Response:
a. the total number of incidents detected and resolved, as well as more specific data,
such as:
1. Breakdown of incidents by type, target, and severity
2. Mean time to detect (MTTD)
3. Mean time to resolve (MTTR)
b. Specific actions taken for each incident, such as log collection, quarantine, Policy
changes, Configuration changes, security patch installation, and password reset or
other authentication system changes.
7. Provide training to ASAI staff on how to integrate ASAI's incident response activities with the
delivered managed service
2.5.3 Reporting
For reporting the following items are in scope of the RFQ:
1. Regular reports on the SOC's performance, security incidents, and trends.
2. Monthly and yearly reports on the SOC's effectiveness, including metrics on incident response
times and incident resolution.
3. Any customized reports needed by management for SOC
2.5.4 Maintenance and updates
During the managed service lifecycle new end points, applications and infrastructure might need to be
connected to keep the SOC span of control complete
2.6 Documentation
The vendor is expected to provide the following deliverables as part of the SOC solution:
1. Design and Architecture documents.
2. SOC Deployment documents.
3. SOC Operating Procedures documents.
4. Incident Response Plan documents.
5. Monthly and yearly performance reports.
3 Project Planning and Management
3.1 Project planning requirements
The success of the project depends on the proper project planning and management. At the onset, the
Vendor shall plan the project implementation in great detail and should provide a micro level view of
the tasks and activities required to be undertaken in consultation with ASAI. An indicative list of
planning related documentation that the Vendor should make at the onset is as follows:
1. Project Schedule: A detailed week‐wise timeline indicating various activities to be performed
along with completion dates and resources required for the same
2. List of skilled resources: A list needs to be provided with resources who will be deployed on
the project along with the roles and responsibilities of each resource.
3. SOC Infrastructure Deployment List: List and number of all on premise and/or cloud‐based
resources (including but not limited to servers (VMs), storage, network components and
software components) other than manpower that may be required.
4. Communication Plan: Detailed communication plan indicating which form of communication
will be utilized for what kinds of meeting along with recipients and frequency.
5. Governance Plan: Overview of the proposed project governance and managed service
governance
6. Implementation Plan: The Vendor will be required to submit an implementation plan to ASAI
for deploying the SOC and connecting the ASAI devices, end points and infrastructure.
Necessary support will be provided by the infrastructure and application teams of ASAI.
7. Progress Monitoring Plan and Reporting Plan: Detailed Weekly, Monthly Progress Report
formats along with issue escalation format. The format will be approved by ASAI to the successful
Vendor before start of the project.
8. Standard Operating Procedures: Detailed procedures for operating and monitoring the Cloud
site.
9. Risk Mitigation Plan: List of all possible risks and methods to mitigate them.
10. Escalation Matrix & Incident Management: A detailed list of key contact persons with contact
details with escalation hierarchy for resolution of issues and problems. This has to be via an
Incident Management system.
3.2 Schedule of Events
The Vendor will have to roll out the project in six phases. The SOC deliverables that need to be
commissioned during each phase are as given below along with the timelines.
| No | Phase | Component | Timeframe |
|---|---|---|---|
| 1 | Phase I | Final design and sizing of the SOC | Within 4 weeks from the signing of the contract |
| 2 | Phase II | Base setup of infra components and configuration of the SOC and operational acceptance | Within 6 weeks after Phase I |
| 3 | Phase III | Configuration of the country 1: Bangladesh and operational acceptance | Within 4 weeks after Phase II |
| 4 | Phase VI | Configuration of the country 2: Philippines and operational acceptance | Within 4 weeks after Phase III |
| 5 | Phase V | Configuration of the country 2: Ghana and operational acceptance | Within 8 weeks after Phase III |
| 5 | Phase VI | SOC Managed services | Will start from the day and date on the signoff of the operational acceptance of the first country (Bangladesh) by ASAI. This will be for a period of three years |
3.3 Responsibility Matrix
SOC RACI with ASAI and Vendor
|  | Activities | ASAI / Vendor |
|---|---|---|
| Detection service | Alerts triage (SIEM) | √ |
| Detection service | Incident creation for follow‐up | √ |
| Detection service | Incident validation | √ |
| Detection service | Confirmation of need to escalate the incident to ASAI team | √ |
| Detection engineering | Detection use case opportunities identification | √ |
| Detection engineering | Risk‐based attack scenarios confirmation, with red teaming | √ |
| Detection engineering | SIEM rules creation (SIEM search creation and optimization) | √ |
| Detection engineering | Service Testing & Tuning | √ |
| Detection engineering | SIEM rules maintenance & fix | √ |
| Detection engineering | Data model management | √ |
| Detection engineering | Data acquisition and ingestion to the SIEM | √ |
| Automation engineering | Custom use case development |  |
| Automation engineering | Custom Playbook development | √ |
| Automation engineering | Tools integration with orchestrator (ITSM, security solutions...) | √ |
| Security Intelligence Services | Threat intelligence collection and integration | √ |
| Security Intelligence Services | Threat intelligence sources validation | √ |
| Security Intelligence Services | Threat intelligence use cases build | √ |
| Administrative Services | SOC tools (SIEM, SOAR etc.) administration | √ |
| Administrative Services | Log Source Heartbeat Monitoring | √ |
| Administrative Services | Log Source Management | √ |
| Administrative Services | SOC tools monitoring | √ |
| Reporting Services | Building and updating KPI | √ |
| Reporting Services | Generating reporting | √ |
| Reporting Services | Acting upon missed SLA | √ |
| Incident response service | Incident Handling | √ |
| Incident response service | Forensics Investigation | √ |
| Incident response service | Improve detection with incident response feedback | √ |
| Continuous improvement | Detection capabilities assessment (purple teaming) | √ |
| Continuous improvement | Incident response capabilities assessment (purple teaming) | √ |
| Continuous improvement | Scheduling regular Policy, Process check | √ |
| Support, Maintenance & Monitoring | 24x7x365 Support & Monitoring | √ |
| Support, Maintenance & Monitoring | Solution Maintains | √ |
| License/Subscriptions Purchase | Procurements of licenses for SOC tools and Storage | √ |
| Configuration changes of critical IT system for Incident Handling | Firewall, Server, Application, EDR, Database etc. configuration changes for Incident Handling | √ |
4 Vendor, technical and commercial qualifications in the proposal
Vendors are requested to address the following items in their proposal based on the scope as
described above
4.1 Vendor qualifications
1. Vendor Company Information
a. Provide a brief outline of the vendor company and services offered, including:
i) Full legal name of the company
ii) Year business was established
iii) Describe your ability to grow and scale with your customers
iv) Describe your insurance coverage (provide certificates as appropriate)
2. An outline of the offered managed SOC services including:
a. Description of vendor’s experience working within a regulated industry, preferably finance
or micro finance or other industry with compliance requirements
b. Provide any security certification/ audit reports that you have such as ISO 27001, ISO2000,
SOC2, PCI etc
c. Describe which security frameworks are adhered to if any
3. Corporate strategy
a. Describe the company’s corporate values
b. Outline current and future strategies in the market.
c. Describe the company's current experience in working in emerging countries
d. Describe the target client and your value‐add services to them
4. Information on the current managed services clients including:
a. Total number of clients
b. Number of clients with similar Sentinel, Security‐ and SOC Solution needs and a
description of those clients similar to ASA‐International N.V.
c. Distribution of client sizes and engagement level
5. Employee Policies Information
a. Describe the standard process by which you hire and screen your employees (i.e.,
background checks, IQ, EQ testing, or similar)
b. If you provide training opportunities to your employees, please describe your program(s)
c. Describe certifications and any certification processes that your staff maintains.
d. What is your staffing level, and how has it been changing over last two years?
e. Provide the average tenure of your service personnel.
6. Describe your experience working for Clients like us
a. Where would ASA‐International fit in the distribution of companies that you service?
b. How many years have you been servicing companies in our size range?
c. Describe your experience working with clients in the Micro finance or non‐profit space.
d. Describe whether you have clients that operate in the countries where ASA‐International
is active: India, Pakistan, Sri Lanka, Philippines, Myanmar, Nigeria, Ghana, Sierra Leone,
Kenya, Tanzania, Uganda, Rwanda, Zambia
4.2 SOC setup and implementation
1. Describe the proposed SOC architecture, Security‐ and Solution design based on Microsoft
Sentinel
2. Describe the approach and timelines to come to a SOC setup
3. Describe the typical team setup in terms of number of resources and available skills for the
proposed SOC Setup
4.3 Service features
1. Monitoring and analysis
a. Describe the monitoring and analysis services provided as part of the managed SOC
service
b. Describe the typical team setup in terms of number of resources, geographic
locations and available skills
2. Incident response
a. Describe the incident response services provided as part of the managed SOC service
b. Describe the proposed standard incident management process
c. Describe the required governance and RACI matrices for the incident management
process
d. Describe the level of training and experience that is typical for the first responders
e. Provide an overview of the available playbooks as part of the incident response
proposal
3. Reporting
a. Describe the proposed standard daily/weekly/monthly reports as part of the SOC
services
b. Describe the process by which service reports are being generated and submitted.
c. Describe how metrics are used in your organization as tools to improve overall
service?
4. SLA Management
a. If you have an established SLA schedule, provide a copy of your SLA
b. Describe the process by which the formal SLA for managed services is being
established.
c. Describe the process by which SLA is being monitored and evaluated.
d. Describe the process by which SLA is being reviewed and improved
5. Ticket and helpdesk
a. Describe the ServiceDesk/HelpDesk that is offered by your organisation
i. Please include the staffing numbers and opening hours
ii. Describe the level of training and experience that is typical for the first
responders
b. Describe the ticket management process
i. Describe how and via which channels the tickets are created/raised
ii. Describe how tickets are triaged
iii. Describe the levels of support provided
iv. Describe how tickets outside of office hours are handled
6. References
a. Please provide two reference customers where you provide similar SOC managed
services preferably in the financial domain
4.4 Quotation from the vendor
1. The vendor is requested to estimate and provide a commercial competitive quote on:
a. The design and implementation of the Managed SOC
b. The implementation of the first two countries Bangladesh, Ghana
c. The 3‐year contract for managed services after GoLive based on the SLA and proposed
team setup for ASAI as described in your response to sections 4.2 & 4.3
5 How to Respond & Method of award
5.1 Vendors response
1. Vendors are requested to respond to the response outline in section 5 and as summarized in
Annex A – Vendor response checklist
2. Please indicate your intention to respond to this RFQ by email to the Primary RFQ Contact listed
below by the Intent to Respond and Questions Due date outlined below. In addition, please
provide the contact details of the individual responsible for coordinating your RFQ response. You
will receive a request to sign an NDA and after NDA signing the further annexes and details are
sent out to you. At the same time, we ask that you submit any clarification questions regarding
the RFQ.
3. Primary RFQ Contact
Please direct all inquiries regarding this RFQ to:
Md. Ashikur Rahman
Lead System Engineer
ASAI Management Services Ltd.
rahman.bd@asa‐international.com
Mobile: +8801814784954
Skype: Md. Ashikur Rahman
WhatsApp: +88001759678765
4. Responses need to be received before or on 30‐04‐2023 to qualify for selection
5. ASAI requires responses to this request for proposal to be delivered in writing. You may attach
documentation to support your answers, if necessary.
Please submit all responses no later than April 30, 2023 to:
HR Department,
AMSL,
10th floor, ASA Tower, 23/3 Bir Uttam A.N.M. Nuruzzaman Sarak, Shyamoli,
Dhaka‐1207.
Email: dhaka@asa‐international.com
rahman.bd@asa‐international.com
Any response received after the delivery date specified, will not be considered without prior
written or electronic approval.
Please complete the attached forms (Attachment A and Attachment B), a proposal document,
pricing breakdown, and a version of any master services agreement or other contract that would
be utilized if chosen.
5.2 Method of award
1. The vendor's proposal will be evaluated as per the requirements documented in chapter 0 and
accompanied Annexes in this RFQ
2. ASAI will use the following evaluation criteria for scoring each proposal:
2 Vendor's experience, fit with ASAI and client references 10
Vendor's stability, strategy, focus areas, growth strategy
Vendor's overall expertise and client cases
Vendor's cultural fit with the microfinance industry and operating countries
3 Quality of the proposal 20
Understanding level of the scope of work as written down in the proposal
Project approach for setup and configuration of the SOC
4 Presentation of the proposal 10
Vendors will be invited to present the proposal to the Senior Business and IT Management team
5 Cost estimation of the proposal 30
Vendors are requested to quote on three items
o Design and sizing of the SOC
o Implementation of 2 countries
o 3‐year managed services for the environments
6 Supplementary
The following annexes are provided to support the RFQ after signing the NDA:
| Annex | Name | Description |
|---|---|---|
| A | Attachment A – RFQ Checklist | Checklist to validate if the response is complete based on the RFQ. Please fill this in to have correct references to the proposal sections |
| B | Attachment B – RFQ Response form | Response form to be accompanied by the proposal |
| C | Attachment C ‐ Service requirements | Service requirement list |
| D | Attachment D – Country technical overview | Technical Overview of the country setup |