IRCON_FINAL_05082020


PROJECT DOCUMENT

CHAPTER 5: SCOPE OF WORK


5.1. Project Objectives
While the IA is supplying the licenses and will implement, integrate and support the required SAP S/4 HANA
solution, this specific project is for the selection of a MeitY empaneled Cloud Service Provider, having an owned
or leased datacenter with a lease valid for the 4-year contract duration, to supply, implement and integrate
Infrastructure as a Service (IaaS) on/ as per the Government Community Cloud model, for implementation of the
planned SAP environment. The cloud environment shall thus enable objectives such as:

• Ease of management, low total cost of ownership
• Elasticity and speedy roll out
• Robust security similar to a privately created Datacenter setup

5.2. Brief Scope of Work


The Brief Scope of Work of this project shall include, but not be limited to:

a) Provide Cloud Infrastructure Service for DC and DR for implementation of envisaged SAP system.

b) Provide MPLS connectivity from DC and DR cloud sites to the ENTITY Corporate Office - Delhi.

c) Provide internet bandwidth for accessing SAP S4HANA ERP by Project Offices in India and abroad.

d) Support IA in implementation of SAP system

e) Provide required Project Management, Training for Cloud Infra management, Go-Live and Hand Holding
support.

f) Operation & Maintenance (O&M) Support of the environment for total 4 years (1+3 years)

Please refer to the detailed scope of work section for more details on the scope.

Definitions
Customer: ENTITY, with its offices and project locations in India and abroad

Implementation Agency (“IA”): the company which has been selected for supply, implementation, upgrade and
integration and post implementation support of SAP S/4 HANA solution

Cloud Service Provider (“CSP”): A MeitY empaneled cloud service provider, participating in this bid directly.

5.3. Detailed Scope of Work

Bidders are advised to go through this section thoroughly to ensure they understand the requirements
clearly. The requirements laid out here are the minimum, to the best understanding of the customer. Bidders
may offer any additional products, services or offerings over and above this, if required, to meet the overall
intended functionalities.

The terms “bidder” and “CSP” are used interchangeably here for the party meeting the eligibility
criteria mentioned in this tender and bidding for this project. A Cloud Service Provider (“CSP”) meeting the
Essential Qualifying Criteria (EQC) and Technical Qualifying Criteria (TQC) laid down in this tender may bid for
this project.

The bidder shall provide all required equipment, tools and resources which may not be specifically stated
herein, but are required to meet the intent of ensuring completeness, maintainability and reliability of the total
system covered under this specification.

The SAP S4/HANA ERP solution shall be accessible from all locations of ENTITY, with the envisaged response time
and other quality parameters as mentioned in the "SLA" section.

The Cloud, where the planned ERP solution will be hosted should comply with basic design principles, like:

Scalability: The configuration of the Cloud is expected to have adequate upgrade capability in terms of
processors, RAM, disk storage etc., which should be achievable with minimum disruption to running systems/
processes at no additional cost to ENTITY. Also, for any software upgrades, updates, patches etc. released
by the ERP OEM, the Cloud should be capable of implementing the same seamlessly as and when they are
released by the ERP OEM, with no additional cost to ENTITY.

Reliability: The Cloud should be reliable enough to comply with the SLA requirements provided in the RFP and
there should not be any outages. The Cloud platform should always run in redundancy/High Availability so that
in case of any outage the system automatically switches to the available servers.

Security: The Cloud should have the highest level of security features against both physical as well as cyber
threats. It is critical to have a set of IT security management processes and tools to ensure complete cyber
security of the ERP solution. An IT security policy, framework and operational guidelines as per ISO 27001 shall
be maintained by the Cloud service provider (CSP) as an overall guideline to all forms of IT security – physical,
application, data, network and cloud. The Production environment shall be hosted in a different network/ VLAN
than other environments.

Manageability: The Cloud should be easily manageable from a management console/ over the Web.

Backup: An appropriate archiving system (i.e. SAN, optical backup equipment or a better alternative etc.) is to
be available on the Cloud. The bidder has to archive a yearly backup for the complete contract duration. In the
event of serious failure, backed up data must be restored in the quickest possible time to ensure continuity of
the services. Backup is required for all servers, Development and Production.

Desired Features of Work for the bidder/ CSP for hosting the application on Cloud are as follows:

• The selected CSP shall be responsible for hosting the entire ERP application and all ancillary in-scope applications
on/ as per Government Community Cloud (GCC) from MeitY empaneled Cloud Service Providers (CSPs) only,
which are empaneled as on the last date of bid submission.
• The selected bidder shall ensure that support and maintenance, performance and up-time levels are compliant
with SLAs as laid down in the SLA section. The bidder is responsible for sizing the Infrastructure to support
the scalability, redundancy, high availability, security and performance requirements of the ERP solution.
• The Cloud Service Provider (CSP) shall provide cloud service at a Data Centre having Tier 3 and above
certification and must be ISO 27001 Certified.
• The Cloud service provider should meet any security requirements published (or to be published) by MeitY or
any standards body set up / recognized by Government of India from time to time and notified to the CSP by
MeitY as a mandatory standard.
• The proposed cloud solution shall have the required monitoring tools to assess performance of the application, e.g.
round trip time, latency, VM lifecycle, bandwidth monitoring, security and billing etc.
• The bidder shall make provision for servers, storage, backup, network, security and tools etc. infrastructure in the
cloud to meet the project requirements and as per the bill of material. The infrastructure shall be provisioned
with adequate redundancy / clustering for the production environment and standalone for test and
development. Scope includes cost of all infrastructure, OS licenses, Virtualization or any other S/W licenses
required.
• The bidder shall create logical domains on servers to provision application, web-layer, database layer etc. The bidder
shall also use virtual machines wherever required to run the software.
• The bidder shall configure the clustering required between production servers for application, web and database
layers as per the instructions of ENTITY/ IA.
• The overall cloud environment thus created must meet the uptime availability as per the Service Level Agreement,
i.e. 99.5% uptime of the environment.
• Communication facilities like MPLS connectivity to the ENTITY Corporate Office and Internet based access
connectivity over VPN shall be provisioned as per the requirements mentioned in the Bill of Material.
• The bidder shall provision adequate backup media as per the requirements of the Backup and recovery policy for daily,
weekly, monthly, quarterly and yearly backup, and the data shall be retained as per the data retention policy.
• The bidder shall submit various MIS reports on a daily, weekly and monthly basis as per the agreed schedule, for
example a daily infrastructure utilization report. Schedule and formats of the reports will be finalized during
the planning phase.
• The successful Bidder shall have monitoring tools capable of providing the exact utilization of servers. The
Management tool shall provide a personalized view into the performance and availability of the Cloud services.
• The proposed cloud solution shall be truly elastic in nature and shall support scale up and down through the provided
orchestration/ management portal. Additionally, the solution shall also support auto-scaling.
• The bidder shall deploy sufficient manpower, suitably qualified and experienced, in shifts to meet the SLA
mentioned in this RFP.
• The bidder’s proposal shall cover 24x7x365 support for all the items supplied through this RFP, including all
Infrastructure (cloud instances, software, tools etc.) via ticketing and on-call support through various
media like telephone, e-mail and chat. The CSP shall rectify any issues within the timelines specified in the SLA
and ensure uptime availability of the solution as asked.
• Any updates or upgrades to the proposed Infrastructure and software which are required during the tenure of
the contract are in the scope of the bidder.
• The bidder shall provide a management, orchestration and monitoring console to ENTITY for managing the
environment and for monitoring health, quality and security parameters of the setup.
• The platform should provide a dashboard/portal that allows users to request VM services, as
well as enables administrators to manage objects such as instances, images, quotas, storage volumes,
networks, security etc.
• The proposed cloud solution shall support multiple Hypervisors.
• The portal should also provide administrators a dashboard to manage resources, access control for users, quotas
for users, etc. and shall support integration with LDAP/ directory services for user authentication.
• The CSP shall formulate an effective Back-up Strategy and Disaster Recovery Plan and take sign-off from ENTITY.
• All servers will have a standard 3 * RAM (GB) as internal mirrored disks for OS, Kernel applications, SWAPs etc.
• Disk space for Quality and Development systems can be disks mounted on servers or DAS or anything else
with a minimum RAID 5 level configuration.
• Suitable Backup software and Infrastructure should be proposed. Backup is required at DC only (e.g. Backup
server, SAN Backup Agents; disk to disk backup is required).
• DR Sizing: 50% of PRD DC sizing.
• Total 10 public IPs required.
• DR to be hosted in another/different Cloud DC in a different seismic zone.
• At the Disaster Recovery site, 50% of the Production environment is required to be allocated. This application
environment at the DR site shall be installed and ready for use without any additional software and Database
license cost implication on ENTITY.
• During any outage, including deletion of data, the DR site will become the primary site and 100% data recovery
shall be ensured as per the RPO and RTO defined in the RFP. The VMs at DR shall be initially created with minimal
configurations, and shall be spun up with the required images/ data mapping within the defined RPO and RTO.
• The monitoring solution shall also provide a dashboard view of RPO/ RTO.
• The bidder shall carry out a BCP/ DR drill twice in a year and submit a drill report to ENTITY.
• The Cloud should provide sufficient capacity in terms of data processing, data storage and network bandwidth to
handle the overall load and traffic coming to the ERP application without compromising the overall
performance of the system.
• The CSP shall also ensure that the hosting services are portable to another CSP (lift and shift) without
any changes to the hosting environment. ENTITY retains the right to retrieve full copies of ENTITY Data residing
in, and all other information from, the selected cloud environment at any time during the project period, and/or
shift the services to another cloud services provider.
• The successful bidder should have the capability to migrate S4 HANA ERP applications hosted on another Cloud
Service Provider’s environment to the cloud selected through this tender.
• On expiry or termination of the contract, the Bidder shall hand over all the data in a standard and agreed format.
The data and images handed over shall be standards-compliant and portable to another standard cloud service
provider or a physical infrastructure.
• The Cloud service provider shall provision the required DNS services, public IPs, VPN Gateway, Web Gateway etc. to
ensure smooth end user experience and SLA driven delivery.
• The Cloud Service Provider shall be responsible for ensuring security of SAP applications and infrastructure from
any threats and vulnerabilities. The bidder shall ensure all provisions are in place for a layered security approach,
such as HIPS, server AV, NIPS, 2 layers of firewalls, WAF, SSL encryption, IPSec / SSL VPN, user authentication,
security logging and monitoring etc., to name a few.
• To certify the security posture of the implemented solution, the bidder shall get VAPT of the cloud environment
assigned for ENTITY conducted by a 3rd party CERT-In empaneled auditor. The frequency of the VAPT audit
will be once before go-live, and thereafter once in a year. The bidder needs to take necessary corrective actions
based on the auditor’s report and findings, without any additional cost to ENTITY.
• Additionally, ENTITY shall have rights to conduct VA-PT tests on designated infrastructure, directly or
through a 3rd party security auditor.
• The solution shall provide logs of all user activity within the CSP account, including actions taken through the
management console, command line tools, and any other services.
• The system shall prevent IP Spoofing. The cloud service should not permit an instance to send traffic with a source IP
or MAC address other than its own.
• The solution shall have the required mechanism in place for encryption of data in motion and data at rest. The
solution shall include the required TLS/ SSL certificates.
• The SAP system should be deployed on SAP certified hardware on cloud infrastructure.
• ENTITY is looking for an IaaS solution. The CSP may provide hosting services with a suitable type of infrastructure as
required for the solution.
• The bidder shall address all the errors/bugs/gaps in the functionality offered by the proposed solution at no
additional cost during the operations & maintenance period (i.e. 4 years from date of LOI and LOA). The bidder
shall identify and resolve application problems like system malfunctions, performance problems, data
corruption etc. due to which the ERP solution is not able to give the desired performance. Performance
here means infrastructure-related issues because of which the performance of ERP applications is affected.
• The CSP shall offer DC-DR cloud services with their Data Centre locations within India only. All the physical servers,
storage and other IT hardware from which cloud resources are provisioned for ENTITY must be within Indian
Data Centres only. The CSP shall ensure that ENTITY data resides within India only. All monitoring and provisioning
should be within India and 100% isolated from other regions outside India, in case the CSP has a global presence.

5.4. Cloud Service Security Certifications


• ISO 27001 - Data Center and the cloud services should be certified for the latest version of the standard.
• ISO/IEC 27017 - Code of practice for information security controls based on ISO/IEC 27002 for cloud services
and Information technology.
• ISO 27018 - Code of practice for protection of personally identifiable information (PII) in public clouds.
• ISO 20000 - Guidance on the application of ISO/IEC 20000:1 to cloud services.
• ISO 22301:2012 – Business Continuity Management System certificate is desirable.
• PCI DSS - compliant technology infrastructure for storing, processing, and transmitting credit card
information in the cloud – This standard is required if the transactions involve credit card payments.
• SOC 1, SOC 2 & SOC 3 – Any 2 compliance reports.
• Additionally, the CSP shall comply with/ follow all applicable standards, policies and guidelines of MeitY, CERT-In, IT
Act 2000, and any other statutory body of the Govt. of India as applicable.
• The bidder must have certifications/ compliances as per MeitY guidelines for GCC empanelment.
However, other certifications are not mandatory.

5.5. Indicative Application Landscape


Following diagram depicts high level end to end view of overall IT solution with application landscape,
including integration of existing/ legacy applications. The diagram shows tentative flow from one end i.e. end
user to the other, which is the data stores. Bidder is required to provide access control / directory services
(e.g. AD, LDAP etc.) as required for the solution.

Items shown in red font are to be procured through this RFP. This RFP document covers tentative sizing
recommendations for these items. Bidder shall ensure to include all products & services to meet the solution
requirements.

A. Number of Users-

1. Professional Users: Nos. 250
2. Employee Self Service: Nos. 1250
3. Payroll for No. of Employees: Nos. 1500

B. Locations-
a. Corp office at DELHI, Delhi,
b. 6 regional Offices,
c. 34 Indian project locations, and
d. 8 IN. project locations

C. Environments-
a. Development,
b. Quality, and
c. Production

D. Operating System- SAP supported SLES version

E. Database- HANA DB and MaxDB as suggested by SAP and IA for different modules

High level landscape of the application is as follows:

S/4 HANA
Total User | 250
Concurrent User (30%) | 75
Concurrent Low user (46% of Total concurrent user) | 35
Concurrent Medium User (33% of Total concurrent user) | 25
Concurrent High User (20% of Total concurrent user) | 15
ESS-SMALL | 200
ESS-MEDIUM | 50
MSS-SMALL | 10
Payroll User | 1500

BW4/HANA
Concurrent User | 20
Info user (70%) | 14
Business User (26%) | 5
Expert User (5%) | 1

SAP Landscape

[Figure: SAP landscape diagram listing the system for each component across the Development, Quality and
Production environments. Components shown: SAP S/4 HANA, SAP BW4 HANA, SAP Business Objects, SAP Web
Dispatcher, SAP Fiori FES / SAP Gateway, SAP Enterprise Portal, SAP Process Orchestration, SAP Content Server,
SAP GRC, SAP IDM, SAP LSO, SAP Enable Now, Solution Manager.]

CHAPTER 6: Recommended Backup Policy
• The CSP shall size the backup (disk to disk) as per the policy defined in the table below and as per their
solution’s requirements.
• The following backup requirement table has been created to help the bidder fill in the information on backup
storage requirement on disk. The backup policy and retention mechanism are defined for the bidder. Based on
the bidder’s backup solution, the bidder can come up with the backup storage on disk.

Parameter | Retention | Requirement | Unit
Desired Backup Window | 8 hours | | Hours
Envisaged RTO and RPO | RTO- 2 hours, RPO- 30 Minutes | Bidder may propose better (please fill) |
Total Front end capacity | - | Bidder to fill (based on above storage inputs) | TB
Rate of Change of data @ 1% | 1 week | Bidder to fill | TB
Weekly Full | 4 weeks | Bidder to fill | TB
Monthly Full | 6 months | Bidder to fill | TB
Yearly Full | 4/ 5 years | Bidder to fill | TB
Total On Disk Capacity | - | Bidder to fill | TB

Note: The 30-minute RPO, implying permissible loss of data for the said duration, will be ensured by
replication services from DC to DR scheduled at 30-minute intervals.

An indicative backup and retention policy is as follows. The CSP will come up with an appropriate strategy
during design and implementation.

Backup Policy | Daily backup (Incremental) 8 Hours | Weekly Backup (Incremental) | Monthly Full Backup
Storage to backup on disk | SAP VM, DB, SAP Application and HANA Application File Server | Windows Configuration File & OS Patch File for Windows and SUSE Linux | Complete Server Backup
Retention Policy | Daily Backup Retention Policy | Weekly Backup Retention Policy | Monthly Full Backup Retention policy
Backup on disk | One Week | 8 week | 3 Months

Note: The first installation and configuration of the SAN requires a complete data backup from the
servers, and the mandatory backup time will be as per data capacity.

CHAPTER 7: Cloud DC/DR Security Recommendations
The infrastructure security architecture conceived by ENTITY has been detailed keeping in mind the
application layout, domain requirements, quick deployment means, business availability and an integrated
management and monitoring platform. The application layout and its tight integration with the infrastructure
security layout form the baseline, whereas the imminent threats to the business being hosted and the type
of application hosted form the advanced design fundamentals.

The diagram below depicts the expected overall high level security architecture to be deployed by the CSP at
its DC and DR Data centers; however, the CSP can recommend / optimize the same as per their standards,
provided it still meets the requirements.

Some of the recommendations for security are as follows (the CSP may have different approaches to address the
security requirements; however, in essence the solution shall meet end to end security objectives):

No. / Security Domain / Security Requirements

1. IT Security Standards Policy and Framework
• The CSP needs to propose a customized approach on the IT Security Standards Policy and Framework
addressing the unique requirements of ENTITY for the proposed solution and application environments.
• Key deliverables of ISMS implementation would be defining security policies and procedures
documentation, controls implementation as per ISMS, applicable ISO standards, MeitY guidelines and other
applicable standards/ guidelines for cloud.
• The CSP is required to provide the risk assessment methodology in performing the above phased
activities and brief on the report that will be submitted for ENTITY review.

2. Server Security
• Server Security should provide comprehensive protection, deployed on physical servers and security for
virtual machines, and should include:
o Anti-Malware
o Stateful Firewall
o Deep Packet Inspection / Intrusion detection and prevention (IDS/IPS)
o Application Control
o Log inspection

3. Next Generation Network Firewalls
• All web tier, app tier and backend tier traffic to flow through these Firewalls.
• All branch traffic should flow through Intranet Firewall.
• All mobile and laptop based internet traffic should flow through Internet Firewall.
• SAP Web Dispatcher and Reverse Proxy to be hosted behind internet Firewall
• SAP Fiori and EP to be hosted behind intranet Firewall
• Appropriate throughput firewall to be considered for internet facing and intranet facing segments
• Anti-ransomware shall be part of the solution.

4. Other Suggestions
• CSP should provide VPN client for remote users who access the applications through VPN client (50 users
will require the VPN connection).
• Web Application Firewall is desirable before the Web Servers to protect them from application attacks
like cross site scripting, SQL injection etc.
• CSP shall have anti-DDOS solutions in place to protect from any DDOS attacks
• For data at rest, i.e. backup, the backup solution should support encryption, so that data is encrypted
while the backup is taken.
• Data residing at the database level should also be encrypted. The DB encryption should be end to end
(Application to the DB).
• SSL certificate to be proposed for application level encryption of data and web communication
• CSP shall have security incident response and management process in place.
• CSP shall support Vulnerability assessment and penetration testing services.
• CSP shall allow audit, review, and testing by ENTITY or its authorized partner for its hosted
environment space.

5. Security Monitoring
• The bidder's solution approach should provide security monitoring services to ENTITY for the in-scope
components.
• Remote monitoring of security events to detect known as well as unknown attacks and raise alerts for
any suspicious events that may lead to a security breach in the ENTITY environment.
• Ensure compliance of services with ENTITY’s policies, procedures and processes
• Escalate open incidents as per escalation matrix till resolution of the same
• Prepare the daily/weekly/monthly customized reports with a consolidated dashboard view of SOC to
summarize the list of incidents, security advisories, change management, and other security recommendations.
• The Bidder SOC team to work closely with ENTITY security team and on-site SME and ensure seamless
delivery.

6. Security Incident Response and Management
• The bidder needs to develop and implement an incident management process to ensure that security
incidents occurring due to misuse of Information assets/IT support services are detected, escalated and
resolved in a timely fashion.
• Incidents should include, but are not limited to:
o any event that is not part of the standard operation of a service and which causes or may cause an
interruption to, or
o a reduction in the quality of that service, the discovery of malicious codes, and detection of
unauthorized use of computer accounts/computer systems.
• As part of regular operations, the bidder needs to maintain a handover/takeover log (HOTO) on a shift
basis. This log will contain all information about the incident, analysis work that is carried out by the
shift team, and most importantly the categorization of incidents based on the criticality to do business.
• For all CRITICAL incidents, an L3 level incident handler is assigned to work on the same till it is
satisfactorily mitigated. In that context, the L3 incident handler is to be available in the SOC Monitoring
Team and be contactable.
• The bidder should publish the list and contact details of all L3 incident handlers during the
transition phase.

7. DDOS Protection
• The Anti-DDOS solution should proactively detect and identify all types of online attacks.
• It should constantly monitor traffic destined to a protected device (host) and generate an alert
message after comparing it to a set of trusted behavior.
• It should maintain a mirrored copy of traffic flowing through switches and scan the entire traffic for
anomalies.
• The solution should ensure that whenever it finds any anomaly in traffic, it injects a route in the
system and diverts zone traffic to the anomaly guard for mitigation.
• The Anti-DDOS solution should provide the following protection profile services:
o Signature protection
o SYN Profiles
o DDoS Protection Profiles
• Network-flood protection solution to include the following:
o TCP floods, which include SYN Flood, TCP Fin + ACK Flood, TCP Reset Flood, TCP SYN + ACK Flood, and TCP
Fragmentation Flood
o UDP floods, which include UDP Fragmentation Flood
o ICMP flood
o IGMP flood
• Network DDOS attack (volumetric attack) layer 4 to be addressed at the cloud based scrubbing center of
the DDOS protection service provider.
• Application DDOS attack mitigation or Layer 7 to be addressed by configuring the virtual DDOS appliance
in between the perimeter firewall and the internet router.
• The bidder needs to recommend a hybrid DDOS model solution consisting of a virtual DDOS appliance and a
cloud based scrubbing center.

8. Web Application Firewalls (WAF)
• WAF to be placed before the Web Servers to protect them from application attacks like cross site
scripting, SQL injection etc.
• WAF services required in HA at DC & DR to protect application from the Internet.
• The advanced multi-layered and correlated approach to be used to provide complete security for the
web-based applications from the OWASP Top 10 and many other threats.
• Solution should ensure botnets and other malicious sources are automatically screened out before they
can do any damage.
• Any files, attachments or code are scrubbed with WAF built-in antivirus and antimalware services.
Solution should review all requests that have passed the tests for known attacks. If the request is outside
of user or automatic parameters, the request should be blocked.
• WAF to provide a correlation engine where multiple events from different security layers are correlated
to make a more accurate decision and shall help protect against the most sophisticated attacks. This
combination should provide near-100% protection from any web application attack, including zero day threats
that signature file-based systems can’t detect.
• WAF appliance to be placed on the traffic stream between the client and the web application acting as
a reverse proxy.
• Connections to the web application are intercepted and inspected against the configured policies and
profiles before being forwarded to the DMZ servers (Web dispatcher and Reverse Proxy)
• Incoming traffic to be modified, blocked or logged.

7.1. DC Network Recommendations as per the MeitY guidelines


This section covers our recommendations for LAN and WAN network setup, including perimeter security
appliances. The diagram below shows the logical connectivity of network and security devices, along with
server farm connectivity, and provides a consolidated view doing away with the need for a separate logical
and physical diagrams.

The bidder may propose multiple diagrams as required.


Network Domain: Network Architecture Highlights

Network Requirements:
• Cloud DC connected with Cloud DR site via P2P connectivity for replication.
• Production server replication is required between DC & DR site.
• User traffic should flow via MPLS/SDWAN for Intranet sites, and via Internet for remote users. VPN
recommended for remote users.
• Core switches should be connected to internal / perimeter FW.
• Traffic destined to/from the internal server farm should go via the internal firewall.
• Both internal and external firewalls are essential components for detecting and protecting the network
from unwanted traffic.
• Server farm should be connected to access switches in high availability mode.
• Network switching shall have a collapsed 2-tier / leaf & spine architecture, facilitating low latency
east west traffic traversal.
• OOB (Out Of Band) network infrastructure can be considered to retain persistent remote connectivity even
if a device fails.
• Out-of-band management should involve the use of a dedicated channel for managing network devices.
• DMZ dedicated switches should be isolated to have remote access on DMZ servers / applications.
• Ports from DMZ switches shall connect to each of the perimeter firewalls.
• DMZ will have dedicated switches to facilitate an isolated network from the core internal zone.
• DMZ is to be used for assets that are externally shared (either publicly or to 3rd parties). This
includes traffic originating from untrusted parties such as the Internet.

Remote Location to DC/DR Connectivity

Remote locations (ENTITY branches, other subsidiary locations etc.) will connect to the DC and DR over the
MPLS/internet network.

Branch locations will have proper local IT infrastructure, including desktops/laptops, peripherals (printer,
scanner etc.), a robust, highly available network, and security solutions.

A significant number of users will connect to the DC/ DR over the Internet through mobile devices/ onsite workstations.

7.2. Tentative Recommended IT Schematic


Following diagram depicts overall schematic of the recommended IT infrastructure solution:

2.1. Response Time of SAP Applications

The response time is usually split into wait time plus execution time. The SAP response time consists of the
following components:

Response time = wait time + execution time

where execution time is the sum of:
• Generation time during the run
• Load time for programs, screens, and graphical user interfaces
• Roll times for rolling in the work data
• ABAP processing time
• Database time
• Enqueue time for logical SAP lock processes
• CPIC/RFC time
• Roll wait time (excluding task types RFC/CPIC/ALE).

Performance Data | Time
Average response time | Around 1 second (dialog), < 1 second (update)
Average CPU time | Around 40% of the average response time
Average wait time | < 1% of the average response time
Average load time | < 10% of the average response time
Average database time per dialog step | Around 40% of the average response time

In addition to the cloud solution for the details mentioned above, the bidder shall also quote for:

- MPLS Bandwidth from DC to ENTITY MPLS network on dual links – 50 Mbps
- MPLS Bandwidth from DR to ENTITY MPLS network on dual links – 20 Mbps
- Required Internet bandwidth from DC and DR to ENTITY users for access to the web application over
Internet (through SSL / IPSec VPN) – 30 Mbps. Bidder to ensure a good quality Internet link with a low
contention ratio of better than 5:1.
- P2P replication link between DC and DR site – as required to achieve RTO & RPO. Bidder may propose
bandwidth to meet the replication and RTO/RPO requirements.
- M/s Sify is the existing MPLS provider to ENTITY.
- Rate card for additional VMs on monthly basis:
o VM with 4 Cores (vCPU), 16 GB RAM, 146 GB OS Disk and 200 GB Data Disk
o VM with 8 Cores (vCPU), 16 GB RAM, 146 GB OS Disk and 300 GB Data Disk
o VM with 8 Cores (vCPU), 32 GB RAM, 146 GB OS Disk and 300 GB Data Disk
o VM with 16 Cores (vCPU), 32 GB RAM, 146 GB OS Disk and 500 GB Data Disk
o 100 GB additional SSD disk storage
- Professional services for implementation
- O&M services including 24x7 helpdesk for the proposed solution – 4 years from go-live.

Project Timelines
All the servers as per sizing details and BOM should be configured and handed over to ENTITY within 2 months
of placing the Purchase order/Agreement, whichever is earlier.

CHAPTER 8: Landscape
Overall Design Considerations
• No single point of failure at production environment DC & DR
• Active & Passive setup between DC & DR
• 3 tier architecture – Web, App & DB
• Physical segregation of servers between the tiers
• Production in Hardware high availability state
• DR prod at 50% of DC prod
• HA not required at DR
• DC with Prod & Non-Prod.
8.1. Landscape for SAP S4 HANA ERP
An indicative Landscape for SAP S4 HANA ERP has been mentioned as below:
On HANA DB
Sr.No. SAP Solutions
1 SAP S/4HANA (BPC, CM, CPM, AM)
2 SAP BW4HANA
3 SAP Enable Now
4 SAP Business Objects
5 SAP Enterprise Portal (ESS)
6 SAP Solution Manager
7 SAP Fiori Frontend Server
8 SAP Process Orchestration
9 SAP GRC
10 SAP LSO

On Max DB
Sr.No. SAP Solutions
1 SAP Content Server

SIZING CSP BOM

Important Instructions:-

Please provide cost, line item-wise, for 4 years. Cost shall include implementation and comprehensive
support.

This sheet covers sizing of envisaged SAP DB and associated application servers. CSP to include any
additional item/ services to meet overall solution requirements

Security- Please include necessary security solutions (e.g.- Firewalls, anti-DDoS, AV/ HIPS, IPS/IDS etc.).
VAPT of yearly interval shall be included.

Operating System- Windows Server 2012/16 for DMS, Router and Enable Now servers; SUSE Linux 12 for
all other instances. (Versions of OS software mentioned are the bare minimum; latest version shall be quoted.)

For S/4HANA Database (QA and Prod.) - Consider incremental growth as- 50% of mentioned Sizing in 1st
year, 75% in 2nd and 3rd year, and 100% afterwards (4th year). (Pay as you go Model based on SAP Sizing)

For all other component- propose best fit HANA DB instances/ virtual machines as the case may be,
for mentioned sizing from day-1

HA/ clustering- shall be considered as mentioned in the list below, consider minimum 2 instances wherever
HA/clustering is required.

DR- DR shall be considered for production environment. CSP may offer thin provisioning/ minimal
configuration VMs as appropriate at DR for cost optimization

RTO/RPO- Solution shall meet RTO/RPO of 4 hours and 30 minutes respectively. Solution shall provide uptime
availability of minimum 99.5%

Helpdesk and Managed Services- Solution shall be comprehensive in nature with all required managed
services and helpdesk covered in CSP scope for the complete solution offered by CSP.

Please refer to RFP / draft / other relevant discussions for more inputs


Columns (left to right): Landscape / System Details; DB; %Distribution over multiple servers; Base SAPS at 65% CPU; Addl Loading on Base SAPS; Recommended SAPS at 65% CPU; Min RAM (GB); Min Internal Disk (GB) - OS & SWAP; Min Disk (GB) - Database; HA / Cluster Required?; DR Reqd?; Proposed SAPS; Proposed CPU Core; Proposed RAM; Proposed Boot Disk; Proposed Data Disk
Development Landscape
SAP S/4HANA HANA DB HANA 256 1024
SAP BW4HANA DB HANA 128 512
SAP LSO HANA DB HANA 256 1024
SAP Enable Now HANA DB HANA 64 256
SAP Fiori FES HANA DB HANA 128 512
SAP Enterprise Portal HANA DB HANA 128 512
SAP Business Objects HANA DB HANA 64 256
SAP PO HANA DB HANA 128 512
SAP GRC HANA DB HANA 128 512
SAP S/4HANA Application System 4000 20 60 100
SAP BW4HANA Application System 3000 16 48 100
SAP LSO Application System 4000 20 60 100
SAP Enable Now Application System 3000 16 48 100
SAP Fiori FES System 3000 16 48 400
SAP Enterprise Portal System 3000 16 48 400
SAP Business Objects System 6000 32 96 150
SAP Process Orchestration Server 3000 16 48 400
SAP DMS Server 3000 16 48 100
SAP GRC System 3000 16 48 400

Columns (left to right): Landscape / System Details; DB; %Distribution over multiple servers; Base SAPS at 65% CPU; Addl Loading on Base SAPS; Recommended SAPS at 65% CPU; Min RAM (GB); Min Internal Disk (GB) - OS & SWAP; Min Disk (GB) - Database; HA / Cluster Required?; DR Reqd?; Proposed SAPS; Proposed CPU Core; Proposed RAM; Proposed Boot Disk; Proposed Data Disk
Quality Landscape
SAP S/4HANA HANA DB HANA 400 1600
SAP BW4HANA DB HANA 256 1024
SAP LSO HANA DB HANA 284 1136
SAP Enable Now HANA DB HANA 64 256
SAP Fiori FES HANA DB HANA 256 1024
SAP Enterprise Portal HANA DB HANA 128 512
SAP Business Objects HANA DB HANA 128 512
SAP PO HANA DB HANA 128 512
SAP GRC HANA DB HANA 256 1024
SAP S/4HANA Application System 7540 40 120 100
SAP BW4HANA Application System 4000 20 60 100
SAP LSO Application System 4000 20 60 100
SAP Enable Now Application System 3000 16 48 100
SAP Fiori FES System 3000 16 48 400
SAP Enterprise Portal System (ESS) 4000 20 60 400
SAP Business Objects System 6000 32 96 150
SAP Process Orchestration Server 3000 16 48 400
SAP DMS Server 3000 16 48 100
SAP GRC System 3000 16 48 400
Columns (left to right): Landscape / System Details; DB; %Distribution over multiple servers; Base SAPS at 65% CPU; Addl Loading on Base SAPS; Recommended SAPS at 65% CPU; Min RAM (GB); Min Internal Disk (GB) - OS & SWAP; Min Disk (GB) - Database; HA / Cluster Required?; DR Reqd?; Proposed SAPS; Proposed CPU Core; Proposed RAM; Proposed Boot Disk; Proposed Data Disk
Production Landscape
DR Reqd? (Production Landscape): Yes, DR required for Production systems. Thin provisioning / minimal configuration may be considered for cost optimized solution
SAP S/4HANA System (CPM, BPC, AM) 11600 30% 15080
HANA Database HANA 400 1600 Yes
Application Central Instance 30% 3480 4524 24 72 100 Yes
Application Servers 70% 8120 10556 56 168 150 Yes
SAP BW/4HANA System 4800 30% 6240
HANA Database HANA 256 1024 Yes
Application Central Instance 30% 1440 1872 16 48 100 Yes
Application Servers 70% 3360 4368 36 108 150 Yes
SAP LSO System (HR) 4300 30% 5590
HANA Database HANA 284 1136
Application Central Instance 30% 1290 1677 12 36 100 Yes
Application Servers 70% 3010 3913 32 96 150 Yes
SAP Enable Now System 4000 30% 5200
HANA Database HANA 64 256
Application Servers 100% 4000 5200 28 84 200
SAP Fiori FES System 5100 30% 6630
HANA Database HANA 256 1024 Yes
Application Central Instance 20% 1020 1326 12 36 100 Yes
Application Servers 80% 4080 5304 44 132 150 Yes

SAP Enterprise Portal System (ESS) 5400 30% 7020
HANA Database HANA 128 512 Yes
Application Central Instance 20% 1080 1404 12 36 100 Yes
Application Servers 80% 4320 5616 44 132 150 Yes
SAP Business Objects 10000 20% 12000
HANA Database HANA 64 256 Yes
Intelligence Tier 4000 4800 24 96 150
Processing Tier 4000 4800 24 96 150
Web Tier 2000 2400 12 48 100
HA / Cluster (Business Objects tiers): Multinode Cluster
SAP Process Orchestration 4 Cores
HANA Database HANA 128 512
Application Central Instance Yes
Application Servers Yes
SAP Content Server (DMS) 3000 30% 3900
Database Server (Active) 100% 3000 3900 20 60 300
Database Server (Passive) 100% 3000 3900 20 60 300
HA / Cluster (Content Server database servers): Multi-node cluster/ DB in Active Passive cluster
SAP GRC System 5300 30% 6890
HANA Database HANA 256 1024
Application Central Instance 20% 1060 1378 12 36 100 Yes
Application Servers 80% 4240 5512 44 132 150 Yes
SAP Solution Manager 4000 4000
HANA Database HANA 256 1024
Solman App. Server. (ABAP) 100% 2000 2000 16 48 500 Yes
Solman App. Server. (JAVA) 100% 2000 2000 16 48 400 Yes
Additional Components
Web Dispatcher 4000 16 50 Yes Yes
Reverse proxy 2000 16 50 Yes Yes
SAP Router 2000 16 50 Yes Yes

NOTE:- Scope of CSP is not limited to this BoM only; ENTITY can add or remove resources as per actual requirement/performance
basis. Bidder may add additional lines in CSP sizing BOM to show any item.
The bill of material shown above is minimum. Bidder must assess the requirements diligently and propose
the cloud resources accordingly.
It shall be noted that the bill of material and commercials will be evaluated based on quoted price for 4 years.
However, payments will be done on quarterly basis, on actual usage.

CHAPTER 9: Cloud IaaS Compliance


Bidder must fill up the following compliance table for cloud and website/portal requirements. Compliance
against these heads would imply compliance against all parameters / activities mentioned under respective
heads below. These requirements are mandatory and in case of non-compliance, the Bidder may not be
qualified for commercial evaluation at the discretion of ENTITY

The CSP shall ensure below mentioned requirements while provisioning the Cloud solution for the User Department are met.
1. Provisioning of virtual machines, storage and bandwidth dynamically (or on-demand) on a self-service
mode or as requested.
2. Enable Service Provisioning via Application Programming Interface (API).
3. Secure provisioning, de-provisioning and administering [such as Secure Sockets Layer
(SSL)/Transport Layer Security (TLS) or Secure Shell (SSH)]
4. Support the terms of service requirement of terminating the service at any
time (on-demand).
5. Portal provisioned for the User Departments by the CSP shall also contain the following information:
a. Service Level Agreements (SLAs)
b. Help Desk and Technical Support
c. Resources (Technical Documentation, Articles/Tutorials, etc.).
6. The CSP shall carry out the capacity planning and do the Infrastructure sizing for the User Department
to identify & provision, where necessary, the additional capacity to meet the user growth and / or the peak
load requirements to support the scalability and performance requirements of the solution. There should not
be any constraints on the services.
7. The CSP shall ensure that the effective Remote Management features exist so that issues are addressed
by the CSP in a timely and effective manner.
8. Service Provisioning shall be available with two-factor / multi factor authentication via the
SSL through a web browser.

b) Operational Management
1. The CSP shall ensure that technology refresh cycles are conducted from time to time to meet the
performance requirements and SLAs. The management of network, storage, server, and virtualization layers,
platforms as included by CSP as part of their service offerings etc. shall be complete responsibility of CSP
during the technology refresh cycle.
2. The CSP shall provide a secure, dual factor / multi-factor method of remote access which allows the
Government Department designated personnel (privileged users) the ability to perform duties on the hosted
infrastructure.
3. The CSP shall ensure that Infrastructure is upgraded periodically without any financial impact to the
Government Department(s).
4. The CSP shall immediately delete/destroy the applications / data hosted within the CSP environment,
certify the VM and data destruction to the Government Department as per stipulations, and ensure that
the data cannot be forensically recovered.
5. CSP shall ensure that patch management is performed from time to time or as & when required. CSP
shall alert the User Department in advance of any installation of patches via e-mail and cloud portal.
6. Patch management for OS security patches shall be responsibility of the CSP.
7. CSP shall ensure that all OS images created within the Cloud platform are regularly patched with the
latest security updates.
8. CSP shall monitor availability of the servers, system software and its network.
9. CSP shall investigate outages, perform appropriate corrective action to restore the
Infrastructure, software, operating system, and related tools.
10. CSP shall ensure that technology and hardware upgrades of their IT Infrastructure are done before end of
product life cycle and warranty.
11. CSP shall ensure that the software required by the User Department is provided in its
latest version. However, if required by the User Department, the operating system and
database may be provisioned at not more than two versions old.

c) Data Management
1. CSP shall enforce security controls and policies to secure data from unauthorized access in a multi-tenant
environment
2. CSP shall provide tools and mechanisms to the Government Department or its appointed agency for
defining its backup requirements & policy. The backup policy which is defined and implemented shall be an
automated process and backups should be taken on different mediums.
3. The CSP shall provide tools and mechanisms to the Government Department or
its appointed agency for configuring, scheduling, performing and managing back-ups and
restore activities (when required) of all the data including but not limited to files, folders, images, system
state, databases and enterprise applications in an encrypted manner as per the defined policy.
4. CSP shall be liable to transfer data back in-house or any other Cloud /
physical environment as required by the User Department, either on demand or in case of contract or order
termination for any reason.
5. CSP shall not delete any data at the end of the agreement (for a maximum of 45 days beyond the
expiry of the Agreement) without the express approval of the Government Department.
6. CSP shall ensure minimum 128-bit encryption is used for handling data at rest and in transit.
7. The CSP shall be responsible for deleting or otherwise securing Government Department’s
Content/Data prior to VM deletion and in case deleted, shall ensure that the data cannot be forensically
recovered when the Government Department or CSP (with prior approval of the Government Department)
scales down the services.

d) User/Admin Portal Requirements


The CSP shall be responsible to meet the below requirements:
1. Utilization Monitoring
a. Provide automatic monitoring of resource utilization and other events such as failure of service,
degraded service, etc. via service dashboard or other electronic means.
b. Real time performance thresholds
c. Real time performance health checks
d. Real time performance monitoring & Alerts
e. Historical Performance Monitoring
f. Capacity Utilization statistics
g. Cloud Resource Usage including increase / decrease in resources used during auto-scale
h. Training regarding this portal to manage cloud infrastructure has to be provided to ENTITY team for 7
days.

2. Incident Management
a. Provide Incident Management and Ticketing via web-based portal (tools) for any
incident occurrence during the operations.
b. CSP shall follow and adhere to latest ITIL V3 guidelines and process for the Incident management and
Problem management.
c. CSP shall provide a mechanism to carry out regular health check on Department provisioned cloud
infrastructure and facilitate download of the health check report as per the frequency identified/set by the
User Department.
d. For all Incidents / Issues with Severity ‘Critical and High’, the CSP Incident
Management Team shall be activated to provide resolution as per SLAs defined by the User Department and
closure of the Incident. The teams shall be responsible to send an Incident Report on daily basis or as
desired by User Department for all such Incidents to all the stakeholders including officials designated by
the department.
e. For any re-occurring issue, the Problem Management Process shall be initiated, and problem ticket
shall be created for the same. After permanent resolution of the re-occurring issue / Problem, the Problem
Ticket report should be sent across to all the stakeholders.

3. User Profile Management
a. Support maintenance of user profiles
b. CRUD Operations (CREATE, READ, UPDATE, DELETE)

e) Integration Requirements
Provide support to all Application Programming Interfaces (APIs) including REST API that CSP
develops/provides.

f) LAN / WAN Requirements

1. The CSP shall ensure that Local Area Network (LAN) does not impede data transmission.
2. Provide a redundant local area network (LAN) infrastructure and static IP addresses from
customer IP pool or “private” non-internet routable addresses from CSP pool.
3. Ability to deploy VMs in multiple security zones as required for the project, defined by network
isolation layers in the Customer’s local network topology.
4. Provide access to Wide Area Network (WAN).
5. Provide private connectivity between a Government Department’s network and Data Center
Facilities.
6. IP Addressing:
• Provide IP address assignment, including Dynamic Host Configuration Protocol (DHCP).
• Provide IP address and IP port assignment on external network interfaces.
• Provide dedicated virtual private network (VPN) connectivity.
7. Provide infrastructure that is IPv6 compliant.
8. CSP shall support providing secure connection to the Data Center and
Disaster Recovery Center (where applicable) from the Government Department Offices.
9. The data center and disaster recovery center facilities (where applicable) should support connection
to the wide area network through high bandwidth links of appropriate capacity to take care of the needs of
various types of user entities. Provision has to be made for segregation of access path among various user
categories.
10. Support dedicated link to the offices of Government Departments to access the data center and a
separate internet link for other external stakeholders to get access to Government Department services.
11. CSP shall have the capability to provide adequate bandwidth between Primary Data Center and
Disaster Recovery Center for data replication.
12. Support network level redundancy through MPLS lines from two different service providers, alternate
routing paths facilitated at ISP backbone (MPLS), redundant network devices etc. These two network service
providers should not share same back end infrastructure. Redundancy in security and load balancers, in high
availability mode will be provided to facilitate alternate paths in the network.

g) Backup Services

1. The CSP shall configure, schedule and manage backups of all the data including but not limited to files,
folders, images, system state, databases and enterprise applications as per the policy defined by MeitY or
the Government Department.
2. The CSP shall be responsible for file system and database backup and restore services.
3. The CSP shall be responsible for backup of virtual machines, storage volumes, file systems, and
databases within the CSP’s own Cloud environment.
4. The CSP shall be responsible for monitoring, reporting, notifications/alerts &
incident management, backup storage, scheduling & retention, restoration, backup data protection, etc.
5. The backup solution shall support retention period of minimum 30 days or as desired by the
User Department as per their needs.
6. The backup solution offered by CSP shall support granular recovery of virtual machines, database
servers, Active Directory including AD objects, etc. Government Organization should be able to recover
individual files, complete folders, entire drive, or complete system to source machine or any other machine
available in network.
7. The backup service must provide following capabilities:
• Compression: Support compression of data at source before backup
• Encryption: Support at least 128-bit encryption at source
• Alert: Support email notification on backup job’s success / failure
• File exclusion: Ability to exclude specific files, folders or file extensions from backup
• Deduplication: Provide deduplication capabilities

h) Data Center Facilities Requirements


1. The data center facilities shall cater for the space, power, physical infrastructure (hardware).
2. The data center facilities and the physical and virtual Infra should be located within
India.
3. The space allocated for hosting the infrastructure in the Data Center should be secure.
4. The Data Center should be certified with the latest version of ISO 27001 (year 2013) and provide
service assurance and effectiveness of Management.
5. The NOC and SOC facility must be within India for the Cloud Environments,
and certification of the managed services quality for ISO 20000-1:2018 is desirable.
6. For any Government body / organization which shall avail Cloud services under this empanelment
process, the CSP shall be required to provide complete access of the IT Infrastructure to CERT-In.
MeitY or any designated body selected by MeitY / User Department shall be able to carry out SOC and NOC
operations for the MeitY empaneled services.
7. The Data Center should conform to at least Tier III standard (preferably certified under TIA
942 or Uptime Institute certifications by a 3rd party) and implement tool-based processes based on ITIL
standards.
8. All the physical, environmental and security features, compliances and controls of the Data Center
facilities (as required under this application document) shall be enabled for the environment
used for offering Cloud services.
9. Provide staff (technical and supervisory) in sufficient numbers to operate and manage the functioning
of the DC & DR with desired service levels.
10. The data center should comply with the Physical Security Standards as per ISO 27001:2013 standards.
11. CSP shall be required to provide complete access of the Cloud Services to User Department or any
designated body authorized by the User Department to carry out SOC and NOC operations.
12. The Applicant has to provide an undertaking on data center service arrangements as per RFP

i) Cloud Storage Service Requirements

1. The CSP shall ensure that the cloud storage services are made available online, on-demand, and
dynamically scalable up or down as per request from the end users (Government Department or
Government Department’s nominated agencies) with two-factor authentication via the SSL through a web
browser.
2. The CSP shall provide scalable, redundant and dynamic storage facility.
3. The CSP shall provide users with the ability to add / remove storage with two-factor authentication via
the SSL through Cloud management portal and manage storage capabilities remotely via the SSL VPN clients
as against the public internet.

j) Disaster Recovery & Business Continuity Requirements


1. CSP is responsible for Disaster Recovery Services so as to ensure continuity of operations in the event of
failure of primary data center of the Government Department and meet the RPO and RTO requirements.
a. RPO should be equal to 30 min
b. RTO shall be equal to 2 hours
However, the User Department may seek more stringent RTO, RPO, or any other disaster recovery
requirements as per their needs.
2. During the change from Primary DC to DR or vice-versa (regular planned changes), there should be
minimal/no data loss depending on application requirements of the User Department.
3. There shall be asynchronous replication of data between Primary DC and DR.
4. The CSP will be responsible for sizing and providing the DC-DR replication link so as to meet RTO and
RPO requirements
5. Replication Link sizing and provisioning shall be in scope of the CSP.
6. During normal operations, the Primary Cloud Data Center shall serve the requests. The Disaster
Recovery Site will not be performing any work but will remain on standby. During this period, the compute
environment for the application in DR shall be available on demand basis for a functional DR and minimum
compute if required, as per the solution offered by the CSP or as desired by the User
Department. The application environment shall be installed and ready for use.
7. In the event of a site failover or switchover, DR site shall take over the active role, and all the requests
shall be routed through that site. Application data and application states shall be replicated between data
centers so that when an outage occurs, failover to the surviving data center can be accomplished within the
specified RTO. The compute environment for the application shall be equivalent to DC during this period.
8. The installed application instance and the database shall be usable, and the same SLAs as DC shall
be provided. The use of this Full Compute DR environment can be for specific periods during a year for the
purposes of DC failure or DR Drills or DC maintenance.
9. The security provisioned by CSP shall be for full infrastructure i.e. Cloud-DC and Cloud-DR.
10. The CSP shall conduct DR drill once in every six months of operation, wherein the Primary DC shall be
deactivated, and complete operations shall be carried out from the DR Site. However, during the change
from DC to DR-Cloud or vice-versa (or regular planned changes), there should be no/minimal
data loss depending on the application requirements of the user department.
11. The CSP shall clearly define the procedure for announcing DR based on the proposed DR solution. The
CSP shall also clearly specify the situations in which disaster shall be announced along with the implications
of disaster and the period required for migrating to DR. The CSP shall plan all the activities to be carried out
during the Disaster Drill and issue a notice to the User Department at least 15 working days before such drill.
12. RPO monitoring, Reporting and Events Analytics for the Disaster recovery solutions should be offered as
part of the offering.
13. Any lag in data replication should be clearly visible in dashboard and its alerts should be sent to
respective authorities.
14. The CSP shall provide the solution document of DR to the User Department availing DR
services.
15. The CSP shall have proper escalation procedure and emergency response in case of
failure/disaster at DC.
16. The CSP shall demonstrate the DR site to run on hundred percent capacity for proving successful
implementation of the DR site.
17. Hybrid (Auto+Manual) switchover/failover facilities (during DC failure & DR Drills) to be provided and
ensured by the CSP. The switchback mechanism shall also be an automated process, with no/minimal data
loss depending upon application requirement of the User Department. It should not limit the RPO/RTO
requirements.

k) Security Requirements

1. The CSP shall be responsible for provisioning, securing, monitoring and maintaining the Infrastructure,
network(s), and software that supports the infrastructure and presents Virtual Machines (VMs) and IT
resources to the Government Department.
2. The Data Center Facility of the CSP shall at minimum implement the security
toolset: Security & Data Privacy (Data & Network Security including Anti-Virus, Virtual Firewall, Multi Factor
Authentication, VPN, IPS, Log Analyzer / Syslog, SSL, DDoS Protection, HIDS/ NIDS, Rights Management,
SIEM, Integrated Vulnerability Assessment, SOC, Private Virtual Zones, Data Privacy, Data Encryption,
Certifications & Compliance, Authentication & Authorization, and Auditing & Accounting)
3. The CSP shall ensure that they comply with Cloud Security ISO Standard ISO 27017:2015.
4. The CSP shall ensure that they comply with Cloud Security ISO Standard Privacy Standard ISO 27018:2019.
5. Meet any security requirements published (or to be published) by MeitY or any standards body setup
/ recognized by Government of India from time to time and notified to the CSP by MeitY as a mandatory
standard.
6. MeitY and Government Department reserve the right to verify the security test results. In case of the
Government Community Cloud, MeitY and Government Department reserve the right to verify the
infrastructure.
7. Implement industry standard storage strategies and controls for securing data in the Storage
Area Network so that clients are restricted to their allocated storage.
8. Ability to create non-production environments and segregate (in a different VLAN) non-production
environments from the production environment such that the users of the environments are in separate
networks.
9. Cloud Offerings should have built-in user-level controls and administrator logs
for transparency and audit control.
10. Cloud Platform should be protected by fully-managed Intrusion detection system
using signature, protocol, and anomaly-based inspection, thus providing network intrusion detection
monitoring.

11. Cloud Platform should provide Edge-to-Edge security, visibility and carrier-class threat management
and remediation against security hazards like Denial of Service (DoS) and Distributed Denial of Service
(DDoS) attacks, botnets, etc. Also, shall provide protection against network issues such as traffic and routing
instability.
12. Cloud Platform should provide Web Application Filter for OWASP Top 10 protection as a service that
can be enabled for Government Departments that require such a service.
13. Access to Government Department provisioned servers on the Cloud should be through SSL VPN
clients only as against the public internet.
14. CSP shall allow audits of all administrator activities performed by Government Department and allow
Government Department to download copies of these logs in CSV or any other desired format.
15. Maintain the security features described below, investigate incidents detected, undertake corrective
action, and report to Government Department, as appropriate.
16. CSP shall deploy and update commercial anti-malware tools (for systems using Microsoft operating
systems), investigate incidents, and undertake remedial action necessary to restore servers
and operating systems to operation.
17. CSP shall provide consolidated view of the availability, integrity and consistency of the
Web/App/DB tiers.
18. CSP shall ensure that password policies adhere to security requirements as defined by
CERT-IN.
19. CSP shall ensure that all GoI IT Security standards, policies, and reporting requirements are met.
20. CSP shall meet and comply with all GoI IT Security Policies and all applicable
GoI standards and guidelines, other Government-wide laws and regulations for protection and security of
Information Technology.

21. CSP shall generally and substantially and in good faith follow GoI guidelines and CERT-In and MeitY
Security guidance. Where there are no procedural guides, generally accepted industry best practices for IT
security shall be used by the CSP.

22. Information systems must be assessed whenever there is a significant change to the system’s
security posture.

23. MeitY or MeitY appointed 3rd party shall conduct regular independent third-party assessments of the
CSP’s security controls to determine the extent to which security controls are implemented correctly,
operating as intended and producing the desired outcome with respect to meeting security requirements
and submit the results to MeitY and User Department.

24. In case CSP has industry standard certifications (assessed by a Third Party Auditor) that verify
compliance against the security requirements of the application document, SLA & MSA, results, relevant
reports, certifications may be provided with evidence along with the mapping of the industry standard
certification controls against the application document requirements. However, if there are any
requirements that do not fall under the industry standard certifications, the CSP shall get the Third Party
Auditor to assess the conformance to the requirements.

25. MeitY reserves the right to perform Penetration Test. If MeitY exercises this right, the CSP shall allow
MeitY’s designated third party auditors to conduct activities to include control reviews that include but are
not limited to operating system vulnerability scanning, web application scanning and database scanning of
applicable systems that support the processing, transportation, storage, or security of Department’s
information. This includes the general support system infrastructure.

26. CSP shall ensure that identified gaps are tracked for mitigation in a Plan of
Action document.

27. CSP shall be responsible for mitigating all security risks found and continuous monitoring activities. All
high-risk vulnerabilities must be mitigated within 30 days and all moderate risk vulnerabilities must
be mitigated within 90 days from the date vulnerabilities are formally identified. The
Government will determine the risk rating of vulnerabilities.
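
The mitigation windows in items 26 and 27 can be checked mechanically against the Plan of Action entries. The following is an added example, not part of the RFP or of any CSP tooling; the entry ids, field names and sample findings are constructed, and it assumes that a fix landing exactly on day 30 or day 90 counts as on time.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Windows from item 27, counted from the date the vulnerability is
# formally identified. The clause sets no window for other ratings.
MITIGATION_DAYS = {"high": 30, "moderate": 90}

# Report order: what needs attention first.
STATUS_ORDER = ["overdue", "mitigated-late", "open", "awaiting-rating",
                "no-deadline", "mitigated-on-time"]


@dataclass
class Finding:
    ref: str                          # hypothetical Plan of Action entry id
    identified: date                  # date formally identified
    rating: Optional[str]             # set by the Government; None = not yet rated
    mitigated: Optional[date] = None  # date the fix was confirmed, if any


def due_date(f: Finding) -> Optional[date]:
    """Mitigation deadline, or None when the clause sets no window."""
    days = MITIGATION_DAYS.get((f.rating or "").strip().lower())
    return f.identified + timedelta(days=days) if days else None


def status(f: Finding, today: date) -> str:
    if f.rating is None:
        return "awaiting-rating"      # the clock cannot be judged without a rating
    due = due_date(f)
    if due is None:
        return "no-deadline"
    if f.mitigated is not None:
        # Assumption: mitigation on the deadline day itself is on time.
        return "mitigated-on-time" if f.mitigated <= due else "mitigated-late"
    return "overdue" if today > due else "open"


def plan_of_action(findings, today):
    """One row per finding, most urgent first."""
    rows = []
    for f in findings:
        due = due_date(f)
        still_open = f.mitigated is None and due is not None
        rows.append({
            "ref": f.ref,
            "rating": f.rating or "unrated",
            "due": due,
            "status": status(f, today),
            "days_left": (due - today).days if still_open else None,
        })
    rows.sort(key=lambda r: (STATUS_ORDER.index(r["status"]),
                             r["due"] or date.max))
    return rows


# Constructed sample findings, for illustration only.
SAMPLE_FINDINGS = [
    Finding("POA-001", date(2020, 6, 1), "High"),
    Finding("POA-002", date(2020, 7, 1), "High", mitigated=date(2020, 7, 20)),
    Finding("POA-003", date(2020, 5, 1), "Moderate"),
    Finding("POA-004", date(2020, 7, 10), None),
    Finding("POA-005", date(2020, 3, 1), "Moderate", mitigated=date(2020, 6, 5)),
]

if __name__ == "__main__":
    for row in plan_of_action(SAMPLE_FINDINGS, today=date(2020, 7, 15)):
        print(row)
```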

Service Level Agreement Management

Cloud Service Provider shall provide the monitoring System including any additional tools required for
measuring and monitoring each of the Service Levels to ENTITY. The uptime availability for solution shall be
at least 99.5% on quarterly basis.
Service outage shall not include down time due to any scheduled maintenance activity or any maintenance
activity requested by or attributable to ENTITY.
The SLA parameters shall be monitored on quarterly basis as per the individual SLA parameter requirements.
However, if the performance of the system/services is degraded significantly at any given point in time during
the contract and if the immediate measures are not implemented and issues are not rectified to the
complete satisfaction of ENTITY, then ENTITY will impose penalties as defined in the SLA table and have the
right to take services from another CSP at the cost of existing CSP and/ or take any other punitive action.
The CSP shall make available the Monitoring tools for measuring and monitoring the SLAs. The bidder may
deploy additional tools and develop additional scripts (if required) for capturing the required data for SLA
report generation in automated way. The tools should generate the SLA Monitoring report at the end of
every month which is to be shared with ENTITY on a monthly basis. ENTITY shall have full access to the
Monitoring Tools/portal to extract data in desired formats/ reports as required during the project.
Penalties will be calculated on quarterly basis and shall not exceed more than 100% of the quarterly O&M
charges.

| Parameters | SLA / Delivery Schedule |
|---|---|
| Availability/Uptime of each Cloud Service Resources (e.g. VM, OS, Storage, Network and Security Components etc.) | >= 99.5% Availability |
| Availability/Uptime of each SAP Application | >= 99.5% Availability |
| Availability of Network links provisioned by the bidder – MPLS / Internet | >= 99.5% Availability |
| Response Time Service level – Critical | 10 Minutes |
| Response Time Service level – Medium | 1 Hour |
| Response Time Service level – Low | 12 Hours |
| Resolution time Service level – Critical | Within 1 hour of request |
| Resolution time Service level – Medium | Within 4 hours of request |
| Resolution time Service level – Low | Within 24 hours of request |
| Attend any security incident | 2 hours from the time of reporting |
| Snap shot restore | Initiate restore within 2 hours of request |
| Submission of report for VAPT | Within 7 days from date of request |
| Recovery Time Objective (RTO) | RTO <= 2 hours |
| Recovery Point Objective (RPO) | RPO <= 30 Minutes |
| Security breach including Application Security / Cyber Crime / Hacking / Data Theft / Fraud / Data Loss / Corruption - Any incident wherein the system is compromised or any case wherein data theft occurs (including internal incidents) | No breach allowed. For each breach/data theft, penalty will be levied as per following criteria. • Any security incident detected: INR Rs. 5 lac. This penalty is applicable per incident. • These penalties are in addition to the overall SLA penalties. In case of serious breach of security wherein the data is stolen or corrupted, ENTITY reserves the right to terminate the contract and/or any other punitive action. |

| Support Category/ Severity | Criteria |
|---|---|
| Priority 1 (Critical) | The system cannot be used for normal business activities. There is certainty of financial loss to the company. |
| Priority 2 (Medium) | The efficiency of users is being impacted, but has a viable workaround. |
| Priority 3 (Low) | A low impact problem that affects the efficiency of users but has a simple workaround. |

1. Provide a robust, fault tolerant infrastructure with enterprise grade SLAs with an assured uptime of
99.5%, SLA measured at the VM Level & SLA measured at the Storage Levels.
2. Service Availability (Measured as Total Uptime Hours / Total Hours within the Month)
displayed as a percentage of availability up to one-tenth of a percent (e.g. 99.5%).
3. Within a month of a major outage occurrence resulting in greater than 1 hour
of unscheduled downtime, describe the outage including description of root-cause and fix.
4. Service provisioning and de-provisioning times (scale up and down) in near real-time
should be as per the SLA requirement of the Government Department. The provisioning /
de-provisioning SLAs may differ for the different Cloud Deployment Models.
5. Helpdesk and Technical support services to include system maintenance windows.
6. CSP shall implement the monitoring system including any additional tools required for measuring and
monitoring each of the Service Levels as per the SLA between the Government
Department and the CSP.

SLA Response Time and SLA Performance Metrics and related penalty

SLA Response Time

| Support Category/ Severity | Criteria | Response Time | Resolution Time |
|---|---|---|---|
| Priority 1 (Critical) | The system cannot be used for normal business activities. There is certainty of financial loss to the company. | 30 Minutes | Resolved within 90 Minutes |
| Priority 2 (High) | There is a problem with part of the system, which impacts on the company’s decision making. No viable workaround is available. There is a likelihood of financial loss. | 1 Hour | Resolved within 4 Hours |
| Priority 3 (Medium) | The efficiency of users is being impacted, but has a viable workaround. | 4 Hours | Resolved within 2 days |
| Priority 4 (Low) | A low impact problem that affects the efficiency of users but has a simple workaround. | 5 Hours | Resolved within 5 days |

SLA Performance Matrix

Penalties for non-adherence to Helpdesk SLA parameters

Severity of Violation and Measurement

Priority 1 (Critical): The Critical defects should be resolved within 90 Minutes from the time of
reporting full details. For the calculation of penalty, the company will
calculate the number of violations by the successful bidder every month.
The calculation will be done as per the following table:

| % defects resolved within 90 Minutes | No of Violations considered |
|---|---|
| <=100% & >=95% | 0 |
| <95% & >=90% | 1 |
| <90% & >=85% | 2 |
| <85% | 3 |

Priority 2 (High): The High defects shall be resolved within 4 Hours from the time of
reporting full details. This service level will be monitored on a monthly
basis. For calculation of penalty, the company will calculate the
number of violations by the successful bidder over the Quarter. The
calculation will be done as per the following table:

| % defects resolved within 4 Hours | No of Violations considered |
|---|---|
| <=100% & >=95% | 0 |
| <95% & >=90% | 1 |
| <90% & >=85% | 2 |
| <85% | 3 |

Priority 3 (Medium): The Medium defects shall be resolved within 2 days from the time of
reporting full details. This service level will be monitored on a monthly
basis. For calculation of penalty, the company will calculate the
number of violations by the successful bidder over the Quarter. The
calculation will be done as per the following table:

| % defects resolved within 2 Days | No of Violations considered |
|---|---|
| <=100% & >=95% | 0 |
| <95% & >=90% | 1 |
| <90% & >=85% | 2 |
| <85% | 3 |

Note: 1. Monthly performance evaluation will be conducted by the Company.

2. Penalty Calculations - The framework for Penalties, as a result of not meeting the Service Level Targets is as
follows:

a) The performance will be measured monthly for each of the defined service level metric against the
minimum/target service level requirements and the violations will be calculated accordingly.
b) The number of violations in the reporting period for each level of severity will be added and used for the
calculation of Penalties.
c) Penalty applicable for each of the Critical, High, & Medium severity violations is INR 10,000 (INR Ten
thousand) per violation.
d) For violation calculation every month, the defects closing date in that particular month will be considered
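
The penalty framework in items a) to d), worked through on one month of tickets. This is an added example, not part of the RFP or of any bidder's SLA tooling: the ticket tuples and the P1 to P4 labels are constructed, "within" is taken as inclusive, a priority with no defects closed in the month is assumed to score 0 violations, and the tiers are applied monthly as items a) and d) describe.

```python
from datetime import datetime, timedelta

# Resolution targets from the SLA Performance Matrix. Priority 4 (Low) has
# no penalty tier in item c), so it is deliberately absent here.
TARGETS = {
    "P1": timedelta(minutes=90),   # Critical
    "P2": timedelta(hours=4),      # High
    "P3": timedelta(days=2),       # Medium
}
PENALTY_PER_VIOLATION_INR = 10_000  # item c)


def violations_for(within, closed):
    """Map '% defects resolved within target' to the violation count."""
    if closed == 0:
        return 0                   # assumption: nothing closed, nothing violated
    # Integer comparisons avoid float rounding at the 95/90/85 boundaries.
    if within * 100 >= 95 * closed:
        return 0
    if within * 100 >= 90 * closed:
        return 1
    if within * 100 >= 85 * closed:
        return 2
    return 3


def monthly_penalty(tickets, year, month):
    """tickets: iterable of (ticket_id, priority, reported, closed)."""
    per_priority = {p: {"closed": 0, "within": 0} for p in TARGETS}
    for _ticket_id, priority, reported, closed in tickets:
        if priority not in TARGETS or closed is None:
            continue               # no penalty tier, or still open
        # Item d): a defect is counted in the month of its closing date.
        if (closed.year, closed.month) != (year, month):
            continue
        stats = per_priority[priority]
        stats["closed"] += 1
        if closed - reported <= TARGETS[priority]:
            stats["within"] += 1
    total = 0
    for stats in per_priority.values():
        stats["violations"] = violations_for(stats["within"], stats["closed"])
        total += stats["violations"]   # item b): add across severities
    return {"per_priority": per_priority, "violations": total,
            "penalty_inr": total * PENALTY_PER_VIOLATION_INR}


def sample_tickets():
    """Constructed tickets for July 2020, for illustration only."""
    base = datetime(2020, 7, 6, 9, 0)
    rows = []

    def add(priority, count, took):
        for _ in range(count):
            n = len(rows)
            reported = base + timedelta(hours=n)
            rows.append((f"T{n:03d}", priority, reported, reported + took))

    add("P1", 18, timedelta(minutes=60))   # inside the 90 minute target
    add("P1", 2, timedelta(minutes=120))   # missed: 18/20 = 90%
    add("P2", 8, timedelta(hours=3))
    add("P2", 2, timedelta(hours=6))       # missed: 8/10 = 80%
    add("P3", 4, timedelta(days=1))        # 4/4 = 100%
    add("P4", 3, timedelta(days=9))        # slow, but carries no penalty tier
    # Reported in July, closed in August: counted in August per item d).
    rows.append(("T900", "P1", datetime(2020, 7, 31, 23, 30),
                 datetime(2020, 8, 1, 2, 0)))
    return rows


if __name__ == "__main__":
    print(monthly_penalty(sample_tickets(), 2020, 7))
```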

Commencement of SLA: The SLA shall commence from implementation period itself for
adherence to the implementation plan. The penalty will be deducted from the next
payment milestone during the implementation period. During the O & M period, the
penalty will be deducted from the next payments due.

C) Application Performance post Go Live

| Sr. No | Parameter | Target | Basis | Penalty |
|---|---|---|---|---|
| 1. | Average Response Time during peak usage hours as measured by EMS Tools. | Less than or equal to 2 seconds | Per occurrence. This will be calculated monthly after the Go-live of the application. | Per occurrence penalty shall be Rs. 1,000. Maximum penalty of 10% of contract bill is permissible, post which ENTITY may invoke Annulment of the contract. Penalty will be deducted from the payments due. (Penalty applicable only in case of issues due to bidder's scope.) |
| 2. | Infra Uptime (Application Uptime): Database Server Uptime; Application Server Uptime; Web Server Uptime; All SAN Storage Uptime; MPLS link uptime; Internet link uptime; Any other IT component in the Infrastructure Architecture | >= 99.5% | Per occurrence. This will be calculated monthly after the Go-live of the application. | @1,00,000/- per 0.5% fall in uptime on monthly basis |

C) Disaster Recovery

| Sr. No | Parameter | Target | Penalty |
|---|---|---|---|
| 1. | RTO | <= 2 hours | Rs. 10,000 per additional hour of delay subject to a maximum delay of 10 hours, post which ENTITY may invoke annulment of the contract. |
| 2. | RPO | <= 30 min. The key transaction data shall have RPO of 15 minutes | Rs. 10,000 per additional block of 30 minutes subject to a maximum delay of 5 hours, post which ENTITY may invoke annulment of the contract. |
| 3. | Mock Drill | To be conducted every 6 months; Successful switch over and operation of application | Rs. 5000 for delay of each week subject to a maximum of 10% of contract value. |
| 4. | Recovery of data lost during disaster | T weeks, where T is the time period mutually agreed between ENTITY and CSP for the 100% recovery of lost data | Rs. 5,000 for delay of each week subject to a maximum of 10% of contract value. |

I) Reporting during pre-implementation, implementation and post implementation phases (including Operations and Maintenance Phase)

| Type | Measurement | Penalty |
|---|---|---|
| Weekly Status Report | Delivered on Weekly Basis | No Penalty |
| Monthly Status Report | Delivered at monthly intervals by the 5th of every month with the details of the previous month. The format of the report shall be mutually agreed between ENTITY and the SI | Rs. 1000 per additional week’s delay. |

K) Miscellaneous Factors

| Type | Measurement | Penalty |
|---|---|---|
| Help desk functioning | Weekly per project SLA 100% as per requirement timelines | Cloud Service provider should prepare and implement the help desk plan as per ENTITY’s modules within one month from the date of starting of contract failing to which penalty of 0.1% of the yearly contract value per week/part thereof for first two weeks, 0.20% of yearly contract value per week/part thereof for every subsequent week. |
| Scheduled downtime for System Maintenance per Week <= 2 times per month | Per Occurrence | Rs. 1,00,000 per occurrence for unscheduled downtime or scheduled downtimes exceeding the specified metric. |
| Application Security Cyber Crime / Hacking / Data Theft / Fraud attributable to the Cloud Service provider | Per occurrence | Depending on the type of Incident and its impact, a penalty of 10% on the entire contract value or in case of severe issues (as defined by ENTITY) such breach may lead to termination of contract |

Maximum penalty can be up to 10 % of the contract cost, post which ENTITY may invoke
annulment of the contract.

□ The down time will be calculated on monthly basis. Non-adherence to any of the services
as mentioned below will lead to penalty as per the SLA clause and will be used to calculate
downtime. The downtime calculated shall not include the following:
□ Down time due to hardware/software and application which is owned by ENTITY at their
premises
□ Negligence or other conduct of ENTITY or its agents, including a failure or malfunction
resulting from applications or services provided by ENTITY or its vendors.
□ Failure or malfunction of any equipment or services not provided by the Bidder.
However, it is the responsibility/ onus of the selected Bidder to prove that the
outage is attributable to ENTITY. The selected Bidder shall obtain the proof
authenticated by ENTITY’s official that the outage is attributable to ENTITY.

□ The Agency shall deploy sufficient manpower suitably qualified and experienced in shifts to
meet the SLA. Agency shall appoint as many team members as deemed fit by them, to
meet the time Schedule and SLA requirements.

SLA Exclusions: The time lost due to any of the following causes shall not be included in calculating “Resolution
Time”:

a. Time taken for scheduled maintenance/troubleshooting (including backup and restore times) either for
preventive purposes or improvement in function or other purposes.

b. Time taken for reconfiguration or other planned downtime situations.

c. Scheduled shutdowns as required by the company. The successful bidder may also request the company for a
shutdown for maintenance purpose, which request will not be denied unreasonably by the company.

d. Time taken for booting the systems.

e. Time taken to get approval from all stakeholders for the exclusive availability of system for support activities
where the prospective solutions can be tested prior to promotion into production.

f. Time taken for the company to approve the workaround or fix.

g. Time taken by the third-party vendors and service providers for fixing a product related fault/defect,
replacement of part(s), or responding to clarifications.

In the event the company’s users do not define the support category/severity, the successful bidder’s team
will analyse the problem and set an appropriate support category/severity for it. If the
successful bidder’s support team does not agree with the support category/severity defined by the company’s user,
all such disagreements will be discussed with the Project Manager from the company.

CHAPTER 10: Commercial Bid Format

| Product Description | One Time Charges | Recurring Charges Year 1 | Recurring Charges Year 2 | Recurring Charges Year 3 | Recurring Charges Year 4 | Total |
|---|---|---|---|---|---|---|
| SAP Cloud DC infrastructure | | | | | | |
| SAP Cloud infrastructure (Compute, Hypervisor, OS, Storage, Software’s, Tools, Networking and security etc. as per the scope mentioned in RFP) | | | | | | |
| SAP Cloud DR infrastructure | | | | | | |
| SAP Cloud infrastructure (Compute, Hypervisor, OS, Storage, Software’s, Tools, Networking and security etc. as per the scope mentioned in RFP) | | | | | | |
| Internet Bandwidth for DC | | | | | | |
| Internet Bandwidth for DR | | | | | | |
| MPLS Bandwidth for DC | | | | | | |
| MPLS Bandwidth for DR | | | | | | |
| Grand Total | | | | | | |

Bidder is required to quote for all items required for complete solution, under the applicable line items in price BOM.

The bill of material shown above is minimum. Bidder must assess the requirements diligently and propose
the cloud resources accordingly. It shall be noted that the bill of material and commercials will be evaluated
based on quoted price for 4 years. However, payments will be done on quarterly basis, on actual usage.

Note:

• In technical proposal, the attached format in technical BOM has to be used without prices.
• Inclusive of GST will be at actual.

Commercial Proposal Guidelines


Commercial proposal to include the covering letter as given at Form P1: Commercial Proposal Cover Letter.
Unless explicitly indicated, the bidder must not include any technical information regarding the services in the
Commercial proposal. As part of the commercial proposal, the bidders shall mandatorily quote for all the
components as mentioned in the RFP. The Commercial proposal must be detailed and must cover each year of
the project term.
1. Commercials for all components should be valid and firm for the entire duration of the project.
2. For preparation of the "Price Proposal”, Bidders are expected to take into account the requirements and
terms & conditions of this RFP. The Price Proposal shall be made in "Bid Proposal Sheet (BPS)", of this
RFP. All prices to be quoted by the Bidders shall be in Indian Rupees only and on firm price basis for the
entire duration of this project.
3. The Bidders are required to quote their rates as per BOQ. These rates, in case of award, shall remain firm
during execution and shall be valid till 4 years.
4. The Bidder shall quote lump sum price against respective areas of work Commercial Bid Proposal Sheets.
The lump sum prices will be inclusive of all expenditures to be incurred by the Bidders towards travelling
to the sites or any office/location of ENTITY, boarding, lodging, local conveyance, incidentals etc. and no
expenditure other than those quoted in the Bid Proposal Sheets will be entertained by the Owner on any
account for the defined ‘Scope of Work’. Boarding/lodging on project sites shall be provided by ENTITY on
chargeable basis subject to availability.
5. The Bidders are also required to quote rate card separately for providing vCore, software licenses,
internet bandwidth, storage supplied. The above rates shall be inclusive of all updates, point & version
upgrades, maintenance and support during this period. For evaluation purpose, and to calculate L1 price
for four (4) years shall be taken in to account.
6. The bidder shall be solely responsible for any financial implications on items not quoted in the proposal
and which are required for implementation and operationalization of the Project.
7. ENTITY reserves the right to procure the components/services listed in this RFP in whole or in part. The
payment by ENTITY to the CSP shall be made only against the actual services availed by ENTITY.
8. The price mentioned in the letter of Acceptance (LoA) issued to CSP shall be the only payment, payable
by ENTITY to the CSP for completion of the obligations by the CSP as per the letter of Acceptance,
subject to the terms of payment specified in the letter of Acceptance issued to the CSP.
9. Cost quoted for the Cloud services must include all cost including the cost of installation, commissioning,
and implementation etc. according to ENTITY requirements and its maintenance for the entire project
duration.
10. Bidders are advised not to indicate any separate discount. Discount, if any, must be merged with the
quoted prices. Discount of any type, indicated separately, shall not be taken into account for evaluation
purpose of this RFP.
11. The bidder must quote the prices strictly in the manner as indicated in the RFP, failing which bid is liable
for rejection. The rate/cost shall be entered in words as well as in figures.
12. The bidders are required to distinctly mention nature, percentage and amount of applicable
tax/duties/levies in appropriate columns.
13. Prices quoted in the bid must be firm and final and shall not be subject to any upward modifications. No
upward adjustment of the commercial price (to be mentioned in the letter of intent) shall be made on
account of any variations except for service tax component. A proposal submitted with an adjustable
price quotation or conditional proposal may be rejected as non-responsive.
14. The rates quoted are exclusive of GST or any other tax levied by the central government in lieu of GST
and the same will be payable by ENTITY over and above the payment schedule.
15. If any of the service component is priced as bundled within any of the other priced component
submitted by the bidder, the bidder cannot un-bundle it and price it separately after the Commercial
bids are opened or during the period of the agreement for implementation of the Upgraded & Enhanced
Solution.
16. Prices must be quoted entirely in Indian Rupees and must be inclusive of applicable rates, taxes & out of
pocket expenses (including travel cost, boarding & lodging, DA, local conveyance etc.) except for GST.

Correction of Error

Bidders are advised to exercise adequate care in quoting the prices. No excuse for corrections in the
quoted figures will be entertained after the proposals are submitted to ENTITY. All corrections, if any,
should be initialed by the person signing the proposal form before submission, failing which the figures
for such items may not be considered.

Arithmetic errors in proposals will be corrected as follows:

1. In case of discrepancy between the amounts mentioned in figures and in words, the amount in words
shall govern.
2. In case of discrepancy between the cost quoted in the pricing summary sheet for a component and the
total cost provided for the component in the detailed cost break up sheet, the detailed cost break up
sheet for the component will be considered.
3. In case of discrepancy between the total price given for a line item / component and the calculated total
price (number of units multiplied by the cost per unit for that line item), the total price given for a line
item / component will be considered.
4. The amount stated in the commercial proposal, adjusted in accordance with the above procedure, shall
be considered as binding, unless it causes the overall proposal price to rise, in which case the proposal
price shall govern.
5. The amount stated in the Commercial proposal will be adjusted by ENTITY in accordance with the above
procedure for the correction of errors and shall be considered as binding upon the Bidder. If the Bidder
does not accept the corrected amount of Financial Proposal, its Proposal will be rejected and EMD of the
bidder will be forfeited.
6. No adjustment of the price quoted in the Commercial proposal shall be made on account of any
variations in costs of labour and materials, currency exchange fluctuations with IN. currency or any other
cost component affecting the total cost in fulfilling the obligations under the agreement. No clauses for
price fluctuations due to fluctuation of the Indian currency against any of foreign currency will be
accepted during the period of the agreement.
7. All costs incurred due to delay of any sort, shall be borne by the Bidder.
8. ENTITY reserves the right to ask the Bidder to submit proof of payment against any of the taxes, duties,
levies indicated within specified time frames.
9. ENTITY reserves the right to ask the Bidder to submit analysis of rate and data sheet for the rates quoted
in the Commercial bid by the bidder.
10. If the price for any of the services is not explicitly quoted in the commercial bid or mentioned as zero, it
is assumed that the price for that particular element is absorbed in some other service element for
which a price has been quoted, and ENTITY has the right to source services for which no price was
quoted or quoted as zero, at no additional price.
11. If taxes or any other applicable charges are not indicated explicitly, they are assumed to be bundled
within the prices quoted and unbundling of these charges will not be entertained either during
evaluation or while signing the agreement.

The commercial bid should be provided per the formats below this RFP.

Commercial bid of a bidder will be declared non-responsive if the bidder has proposed components in
the price bid which are different from the solution as mentioned in the technical bid.

1.0 Opening of Commercial Bids

Only those bidders whose technical bids have been found substantially responsive would be intimated
by ENTITY about their responsiveness. The Commercial bids would then be opened in the presence of
the bidders' representatives on a specified date and time to be intimated to the respective bidders. The
bidder names, the bid prices, the total amount of each bid and such other details as ENTITY may
consider appropriate, will be announced and recorded at the opening.

2.0 Evaluation of Commercial Bids

All the technically qualified bidders will be notified to participate in Commercial Bid opening process.
The commercial bids for the technically qualified bidders will then be opened on the notified date and
time and reviewed to determine whether the commercial bids are substantially responsive. Bids that are
not substantially responsive are liable to be disqualified at ENTITY’s discretion. The L1 vendor with total
cost of SAP S/4 HANA ERP as per landscape for 4 years will be calculated.

The bid price will include all taxes and levies and shall be in Indian Rupees and mentioned separately.
Any conditional bid would be rejected.

2.1 Price Proposal

The Bidder has to quote the rate in the BoQ Spreadsheet available online with this bid. Details to be
filled up for price bid are as below.

The fees shall be inclusive of GST, Income Tax, duties, fees, levies, charges, and commissions as
applicable under the relevant Laws of India. Should there be a change in applicable taxes, the actual
taxes on the date of billing would prevail.
Note:

1. The bidders may visit the site and obtain additional information at their own cost and responsibility.
2. In case Go-Live/Roll-out is advanced or delayed, payment will be on actuals and the corresponding operations
and maintenance phase will start after the Roll-out is completed.
3. All the prices are to be entered in Indian Rupees ONLY.
4. Prices indicated in the schedules shall be inclusive of all taxes, Levies, duties etc. It is mandatory to provide
breakup of all Taxes, Duties and Levies.
5. During the payment stage, ENTITY reserves the right to ask the Bidder to submit proof of payment against any
of the taxes, duties, levies indicated.
6. The Bidder needs to account for all Out of Pocket expenses due to Boarding, Lodging and other related
items. No additional/separate payment shall be made regarding the same.
7. For the purpose of evaluation of Commercial Bids, ENTITY shall make appropriate assumptions to arrive at a
common bid price for all the Bidders. This however shall have no co-relation with the Contract value or actual
payment to be made to the Bidder.
8. The Contract Price shall be firm and not subject to any alteration.
9. The CSP shall be deemed to have satisfied itself as to the correctness and sufficiency of the contract price,
which shall, except as otherwise provided for in the contract, cover all its obligations under the contract.
10. All payments shall be made for the corresponding goods or services actually delivered, installed, or
operationally accepted, per the Contract Implementation Schedule, at unit prices and in the currencies
specified in the Commercial Bids.
CHAPTER 11: Reporting Services
11.1 Testing Requirements for CSP

Following cloud resource deployment/provisioning, the testing of the same at Cloud site
becomes very important. Therefore, the Cloud Service provider must perform following
testing:

□ Infrastructure testing - The bidder should perform various testing procedures listed
below on infrastructure (server, storage and network infrastructure) provided at Cloud
site.
o VM testing
o Storage/Disk IO testing
o Network throughput testing
o CPU and RAM benchmarking testing
o Read/Write latency testing
□ Data Integrity Testing, Reverse Replication Testing and Switch over testing: The Cloud
Service provider will facilitate ENTITY to carry out these testing, whenever required.

11.2 MIS/SLA Reports Required to be submitted by CSP

Deliverables listed below should be accessible via online interface not later than 10 days
after the end of the calendar month and available for up to one year after creation. The
information shall be available in format approved by Meity. The CSP shall monitor and
maintain the stated service levels as agreed in the Service Level Agreement. The CSP should
configure their tool to track and monitor the SLA and the same system generated SLA
reports should be submitted along with the invoice for payment.

Cloud Service provider shall submit the reports on a regular basis in a mutually decided
format. The Cloud Service provider shall workout the formats for the MIS reports and get
these approved by ENTITY within a month of being awarded the contract. The following is
only an indicative list of MIS reports that may be submitted to ENTITY:

1. Service Level Management
Service Level Management reports to be submitted as mentioned below
a. Service Availability (Measured as Total Uptime Hours / Total Hours within the
Month) displayed as a percentage of availability up to one-tenth of a percent (e.g. 99.5%)
b. Text description of major outages (including description of root-cause and fix) resulting in
greater than 30 minutes of unscheduled downtime within a month
2. Network and Security Administration (including security breaches with classification,
action taken by the CSP and current status) related reports
3. Help Desk / Trouble Tickets raised by ENTITY
a. Number of Help Desk/customer service requests received.
b. Number of Trouble Tickets Opened
c. Number of trouble tickets closed
d. Average mean time to respond to Trouble Tickets (time between trouble ticket opened and
the first contact with customer)
e. Average mean time to resolve trouble ticket
4. Monthly utilization (including peak and non-peak volumetric details) of the Service
Offerings
5. Centralized Monitoring & Management and Reporting with:
a. Internet & Intranet Data Transfer
b. MPLS connectivity
c. Virtual Instances (vCPU, vMemory, Storage and Network Port) configuration and utilization
d. Storage Volume (Read/Write and IOPS)
e. Load balancer
f. Application Services
g. Database Monitoring
h. Reports on non-conformance and escalation for privileged access by unauthorized roles/
identities
6. Third Party Audit Certification (at the cost of CSP) every six months indicating the
conformance to the requirements detailed in this RFP of the empaneled cloud service
offerings which are being used by ENTITY.
7. Any other reports as deemed required by ENTITY from time-to-time.
a. Daily reports
□ Summary of issues / complaints logged at the Help Desk
□ Summary of resolved, unresolved and escalated issues / complaints
□ Summary of resolved, unresolved and escalated issues / complaints to vendors.
□ Log of backup and restoration undertaken.
b. Weekly Reports
□ Summary of systems rebooted.
□ Summary of issues / complaints logged with the OEMs.
□ Summary of changes undertaken in the Data Centre including major changes like
configuration changes, patch upgrades, etc. and minor changes like log truncation, volume
expansion, user creation, user password reset, etc.
□ Report for Security Breaches if any and action taken by CSP.
□ Hypervisor patch update status of all servers including the Virtual Machines running on in
c. Monthly Reports
□ Component wise server as well as Virtual machines availability and resource utilization
□ Consolidated SLA / (non)- conformance report.
□ Log of preventive / scheduled maintenance undertaken
□ Log of break-fix maintenance undertaken
□ All relevant reports required for calculation of SLAs
d. Quarterly Reports
□ Consolidated component-wise availability and resource utilization.
□ All relevant reports required for calculation of SLAs
□ The MIS reports shall be in line with the SLAs and the same shall be scrutinized by ENTITY.
The Cloud Service provider will also provide any other report requested by ENTITY
or any other agency approved and authorized by ENTITY.

11.3 Security Audits

The Cloud Service provider’s service offerings should be audited and certified by
STQC/MeitY.

The Cloud Service provider’s service offerings shall comply with the audit requirements
defined under the terms and conditions of the Provisional Empanelment of the Cloud
Service providers (or STQC/MeitY guidelines as and when published).

The Audit, Access and Reporting Requirements should be as per the terms and conditions of
the Provisional Empanelment of the Cloud Service provider.

The Cloud Service provider shall conduct a vulnerability and penetration test (from a third
party testing agency which may be empaneled) on the proposed Cloud solution once
before go-live and once every year, and the reports should be shared. The Cloud Service provider
needs to update the system in response to any adverse findings in the report, without any
additional cost to ENTITY. ENTITY may also depute auditors to conduct security check/
vulnerability test/penetration test.
Additionally, the Cloud Service provider shall ensure all newly deployed Infrastructure is
compliant with all applicable regulatory requirements and is SAP HANA Certified, and with
ENTITY quality standards including ENTITY IT policies.

6.3.3 Co-ordination, co-operation and support to/from present Cloud Service provider of
ENTITY
During all phases of the project, the CSP shall coordinate and fully cooperate with the
present Cloud Service provider of ENTITY for Data Migration of existing ENTITY SAP systems to new
SAP HANA Systems.

The Cloud Service provider shall support the team of ENTITY for the following activities:
• Co-ordinating issues for timely resolution.
• Knowledge Transfer of all activities performed by the Cloud Service provider as part of
installation, configuration, setup, operate and maintain.
• Development environment is hosted at a GCC Cloud currently. Bidder to consider any
coordination required for migration of Development environment from current CSP to its
own environment.

11.4 Exit Management and Transition Requirements

Listed below are mandatory requirements applicable to CSPs:

1. Continuity and performance of the Services at all times including the duration of the
Agreement and post expiry of the Agreement is a critical requirement of ENTITY. It is the
prime responsibility of CSP to ensure continuity of service at all times of the Agreement
including exit management period and in no way any facility/service shall be
affected/degraded. Further, CSP is also responsible for all activities required to train and
transfer the knowledge to the Replacement Agency (or ENTITY) to ensure similar continuity
and performance of the Services post expiry of the Agreement.
2. At the end of the contract period or upon termination of contract, CSP is required to
provide necessary handholding and transition support to ensure the continuity and
performance of the Services to the complete satisfaction of ENTITY.
3. CSP shall support ENTITY in migration of the VMs, data, content and any other assets
to the new environment created by ENTITY or any Agency on alternate Cloud
Service provider’s offerings to enable successful deployment and running of ENTITY’s
solution on the new infrastructure. CSP shall certify the VM, Content and data
destruction to ENTITY as per stipulations and shall ensure that the data cannot be
forensically recovered. CSP shall have the responsibility to support and assist ENTITY till
the Department is able to successfully deploy and access the services from the new
environment.
4. CSP shall not delete any data at the end of the agreement (for a maximum of 45 days
beyond the expiry of the Agreement) without the express approval of ENTITY.
5. During the exit/transition management process, it is the responsibility of the CSP to
address and rectify the problems with respect to migration of the Department
application and related IT infrastructure including installation/reinstallation of the
system software etc.
6. The ownership of the data generated upon usage of the system, at any point of time
during the contract or expiry or termination of the contract, shall rest absolutely with
ENTITY.
7. During the contract period, the CSP shall ensure that all the documentation required
by ENTITY for smooth transition including configuration documents are kept up to date
and all such documentation is handed over to ENTITY during the exit management
process.

11.5 Professional Project Management


11.5.1 CSP shall execute the project with complete professionalism and full commitment to the
scope of work and the prescribed service levels. CSP shall attend regular Project Review
Meetings scheduled by ENTITY and shall adhere to the directions given during the meeting.
The following responsibilities are to be executed by the CSP in a regular manner to ensure the
proper management of the project:
11.5.1.1 Finalization of the Project plan in consultation with ENTITY and its consultant.
Project Plan should consist of work plan, communication matrix, timelines, Quality Plan,
Configuration Management Plan, etc.
11.5.1.2 Appointment of a manager who will act as SPOC for ENTITY.
11.5.1.3 Plan and deploy the resources in conjunction with the Project Plan and to execute
roles and responsibilities against each activity of the project plan
11.5.1.4 Preparation and regular update of the Risk Register and the Mitigation Plan.
Timely communication of the same to all the identified project stakeholders
11.5.1.5 Submission of Weekly Project Progress Reports
11.5.1.6 Monthly Compliance report, which will cover compliances to Project Timelines,
Project Team, Infrastructure and Software delivered, SLAs, etc.
11.5.1.7 Provision of dashboard to check status of progress of maintenance, support,
implementation and customization work.
11.5.1.8 The selected vendor should ensure that the behavior of its staff and other
manpower is decent. The agency will be held responsible for indecent behavior of
manpower, and such employees should be immediately replaced when such matter is
reported. In case of non-availability of personnel, the agency will be penalized as per the SLA.
11.5.1.9 Employees of the Cloud Service provider shall always wear an identity card.

11.6 Security and safety


11.6.1.1 The CSP will comply with the directions issued from time to time by ENTITY and the
standards related to the security and safety in so far as it applies to the provision of the
Services.
11.6.1.2 Basic e-Governance Guidelines and Standards for data structure (if any)
shall be adhered to.
11.6.1.3 CSP shall also comply with ENTITY / Government of India’s information technology
security and standard policies in force from time to time as applicable. ENTITY shall share
the relevant guidelines and standards to the CSP upon signing of the Contract Agreement.
11.6.1.4 CSP shall use reasonable endeavors to report forthwith in writing to all the partners
/ contractors about the civil and criminal liabilities accruing due to any unauthorized
access (including unauthorized persons who are employees of any Party) or interference
with ENTITY’s data, facilities or Confidential Information.
11.6.1.6 The CSP shall upon reasonable request by ENTITY or his/her nominee(s) participate in
regular meetings when safety and information technology security matters are reviewed.
11.6.1.7 Contractor shall promptly report in writing to ENTITY any act or omission of which they
are aware that could have an adverse effect on the proper conduct of safety and
information technology security at ENTITY.
Chapter 12 - Deliverables and Timelines

| Sl. No | Activity/Task | Deliverables/Milestone | Timelines (In weeks) | Support from ERP IA of ENTITY |
|---|---|---|---|---|
| 1. | Project Award & Contract signing between ENTITY and successful CSP | | Project Start Date = T0 | |
| 2. | Project Kick-off | a) Project Preparation Report; b) Project Management Plan | T0 + 2 | |
| 3. | DC Implementation for hosting Development Services (Development & Quality / Testing services) | DC Implementation report | T0 + 5 | |
| 4. | Complete DC Implementation (Production Server) | DC Implementation (Production) report | T0 + 7 | ENTITY along with its IA to review and validate the system after migration. |
| 5. | Complete DR Implementation | DR Implementation report | T0 + 8 | ENTITY along with its IA to verify the deployed technical architecture. |
| 6. | Acceptance of Final Go-live | Acceptance test report for Final Go-Live | T0 + 8 | |
| 7. | Post Implementation Support | SLA adherence report on a Quarterly basis from 3rd Month | 48 months after migration to production server | |

All deliverables will be deemed to have been completed only after approval of authorized personnel of ENTITY. The
tasks that are provided in this document and under “Deliverables” are to be performed by the CSP in such a manner
that it will not affect the Project Schedule. The CSP shall adhere to the above time schedule for timely and successful
completion of the Project and submit the acceptance to this time schedule.
ABBREVIATIONS

BCP Business Continuity Plan


COTS Commercial Off-The-Shelf
CSP Cloud Service Provider
DC Data Centre
DR Disaster Recovery
EMD Earnest Money Deposit
ERP Enterprise Resource Planning
GST Goods & Service Tax
GCC Government Community Cloud
HA High Availability
IPS/IDS Intrusion Prevention/Detection System
ISO International Organization for Standardization
LOI/LOA Letter of Intent / Letter of Acceptance
MIS Management Information System
MPLS Multiprotocol Label Switching
NMS Network Monitoring/ Management System
P2P Point to Point
PBG Performance Bank Guarantee
RFP Request for Proposal
RPO Recovery Point Objective
RTO Recovery Time Objective
SAN Storage Area Network
SLA Service Level Agreement
TCO Total Cost of Ownership
TCV Total Contract Value
TDS Tax Deducted at Source
UAT User Acceptance Testing
