1 Data Center Requirements

---

MASSDOT AET CSC RFR 201401AETCSC Appendix V

1

Data Center Requirements

The following are MassDOT’s standard Data Center requirements. 1.1

Data Center General Requirements

1.1.1

The CSC Operator shall furnish, or contract with a third-party provider for, a Data Center and associated operating system software to satisfy the requirements detailed herein. The CSC Operator, in its Proposal, shall detail how it will comply with these requirements.

1.1.2

If Data Center services are provided by a third-party, MassDOT strongly prefers the Data Center should be in operation for at least the last five (5) years. The CSC Operator shall provide documentation to substantiate this.

1.1.3

The CSC Operator, or third-party, shall directly own and manage or have a long-term lease of a data center facility for ten (10) years or more.

1.1.4

If Data Center services are provided by a third-party, the Data Center shall manage at least two Tier-III data center facilities and provide documentation to substantiate this.

1.1.5

The Data Center shall have multiple independent distribution paths serving the IT equipment.

1.1.6

All IT equipment shall be dual-powered and fully compatible with the topology of a site's architecture.

1.1.7

Concurrently maintainable site infrastructure guaranteeing 99.99% availability

1.1.8

The Data Center must provide Disaster Recovery capabilities to fail over to a second Data Center.

1.1.9

The Data Center must be ISO 9000 (process) & ISO 27000 (security) Certified.

1.1.10

The Data Center must have industry certified on-site staff for Administration, Management and Monitoring available 7/24/365.

1.1.11

Data Center shall provide all necessary hardware to support the CSC System requirements.

1.1.12

Data Center must be capable of providing Statement on Auditing Standards (SSAE 16) towards current PCI-DSS merchant compliance and certify such compliance per SLA requirements.

Appendix V - Page 1 of 6

MASSDOT AET CSC RFR 201401AETCSC Appendix V

1.2

Firewall, Load Balancer and Intrusion Prevention Services

1.2.1

The Data Center must be capable of providing dedicated/shared firewall services on a managed basis.

1.2.2

The firewall shall be configurable with up to unlimited custom policies.

1.2.3

The Data Center shall provide and set default policies for the protection of the servers, wherever custom policies are not set by MassDOT.

1.2.4

The firewall services must be capable of providing: • • • •

A sustained data throughput at a rate of 2 gigabits per second (Gb/s) Rule based logging and alerting Log reports to MassDOT on demand High Availability (HA)

1.2.5

Auditable change management procedures shall be followed for all firewall changes.

1.2.6

The Data Center shall utilize load-balancing technologies to ensure that requests for services may be balanced across several servers.

1.2.7

The Data Center shall use the application layer firewall capabilities of load balancers to further protect MassDOT’s information assets.

1.2.8

The Data Center must be capable of providing dedicated load balancing services to the hosted servers and applications. Load balancing service must include: • • • • •

SSL off loading including re-encryption to back-end servers Session and/or cookie based persistence Server, application and service health checking and load monitoring Layer 7 Firewall Scriptable reactions to health check and load monitoring results

1.2.9

Modification of load balancing services shall follow change control procedures.

1.2.10

Auditable change management procedures shall be followed for all load balancer configuration changes.

1.2.11

The Data Center must provide anti-virus services (host based).

1.2.12

The CSC Operator shall provide maintenance and scheduling procedures to MassDOT upon request.

1.2.13

The Data Center shall provide Intrusion Detection and Prevention (IDP) services (preferably utilizing a Unified Threat Management System (UTM)) to alert system administrators of possible active threats.

Appendix V - Page 2 of 6

MASSDOT AET CSC RFR 201401AETCSC Appendix V

1.2.14

The IDP system shall be configured to take preventative measures such as redirecting questionable source requests.

1.2.15

The IDP system shall log all events and be able to produce a report for auditing purposes.

1.2.16

The IDP service shall include TCP/IP and application signature awareness configurable for alert and/or suppression modes based on services and applications.

1.2.17

IDP services shall be wire speed and located in-line with the application server hosting segments.

1.2.18

IDP hardware must fail open in the event of failure.

1.2.19

Auditable change management procedures must be followed for all IDP configuration changes.

1.2.20

The proposed service levels for firewall, load balancing and intrusion detection/prevention services shall be submitted to MASSDOT for evaluation and approval.

1.3

Network Connectivity

1.3.1

The CSC Operator supplied High Availability (HA) network connections to MassDOT shall be included in calculations and evaluations of compliance with 99.99% SLAs, including but not limited to response to end user response time (equal to or less than 1 -1.5 seconds)

1.3.2

The CSC Operator shall provide network connections with Redundant Capability.

1.3.3

The Data Center shall be capable of providing routing and switching infrastructure that meets the following requirements: • • • • • • •

802.1Q VLAN tagging and trunking 10/100/1000 full and half duplex interfaces Copper and fiber handoffs Fiber channel handoff for SAN services Traffic prioritization and shaping capabilities Port monitoring/mirroring capabilities Routers must be capable of BGP routing and BGP failover

1.3.4

The Data Center must employ network monitoring on a 7/24/365 basis.

1.3.5

The Data Center shall provide operating systems for all servers. The Data Center shall be responsible for:

Appendix V - Page 3 of 6

MASSDOT AET CSC RFR 201401AETCSC Appendix V

• • • • • • 1.3.6

The Data Center shall be responsible for administration of updates and patches to production systems including, but not limited to: • • • •

1.3.7

Loading agreed base and operational images onto servers Tracking available updates and patches Providing image version control and image storage Notifying MassDOT about critical patches Reviewing updates with MassDOT to determine if applicable service levels will be impacted Testing updates in a quality assurance environment before administering to production systems

Monitoring server health via automated tools and reacting to alert notifications Providing per server OS version reports on a monthly basis and ondemand Conversion of respondent managed physical images for use in respondent managed virtual environments Documentation of the Base Environment on commencement of the contract followed by monthly updates.

The Data Center shall be responsible for administration and monitoring of systems and services including, but not limited to: • •

Monitor server health via automated tools. Vendor staff must react within 15 minutes to alert notifications and must notify MassDOT of issues within 15 minutes. Document the base environment upon commencement of the contract, followed by monthly updates, e.g., OS version, patch levels, change management, physical configuration (memory, CPU, disk space), etc.

1.3.8

The Data Center shall have a customer interface to manage virtual machines and storage.

1.3.9

The Data Center shall use high availability capability for VMs (or approved equal).

1.3.10

The Data Center shall have procedures and software/hardware available to back up all systems on a regular basis.

1.3.11

The Utility Software shall include, the packages such as service management agents and antivirus software.

1.3.12

The management and maintenance for utility software shall include: • •

Tracking available updates and patches Notifying MassDOT about critical patches

Appendix V - Page 4 of 6

MASSDOT AET CSC RFR 201401AETCSC Appendix V

• • • • •

Reviewing updates with MassDOT to determine if application service levels will be impacted Testing updates in a quality assurance environment before administering to production systems (excluding virus definition signature updates) Administration of updates and patches to production systems Monitoring and reacting to antivirus alerts Providing per server utility software version reports on a monthly basis and on demand

1.3.13

Critical security patches must be applied on a monthly basis and or emergency basis upon request from MassDOT.

1.3.14

Operating System and Database patches shall be applied on a monthly basis and or emergency basis upon request from MassDOT.

1.3.15

All patches shall follow the MassDOT approved change management process.

1.4

Server Hardware Management and Maintenance

The goal of server hardware management and maintenance is to keep hardware functioning at optimal levels and add capacity as needed. 1.4.1

The Data Center shall be responsible for assembling, racking and cabling servers.

1.4.2

The Data Center shall provide remote hands services including, but not limited to: • • • • • •

1.5

Break/fix Integration support Software updates Off-hours support Failure response Migration support

Systems Backup, Recovery and Offsite Storage Management

1.5.1

Backup and recovery services must be provided to recover failed systems or to retrieve data for other purposes. The frequency and type of backup performed will be defined by MassDOT during design stage.

1.5.2

The Data Center must be capable of providing physical and virtual tape backup and recovery services.

1.5.3

All backup and recovery activities shall be logged.

1.5.4

The Data Center shall be capable of providing exports of the log data to MassDOT on demand. All backup, recovery and media logs shall be available upon request to MassDOT and identified auditors.

Appendix V - Page 5 of 6

MASSDOT AET CSC RFR 201401AETCSC Appendix V

1.5.5

The Data Center shall have in place provisions for off premise media storage and shall provide retrieval times.

1.5.6

The Data Center shall provide service level agreement offerings for backup, restore and recovery services (including RTO and RPO values) to be approved by MassDOT.

1.5.7

The Data Center shall employ a MassDOT approved media rotation cycle.

1.6

Services

1.6.1

Data Center shall have qualified technical support staff and Administrator site support available on a 7/24/365 basis.

1.6.2

Maintenance windows must be prescheduled so as not to interfere with normal operations.

1.6.3

The Data Center shall employ an electronic change and incident management system.

1.6.4

The Data Center shall utilize a MassDOT approved incident escalation process.

1.6.5

The Data Center shall have in place Level 2 Senior and Level 3 Vendor Technical Support (Example: HP, EMC, etc.) as needed in escalation 7/24/365 with 2 hour response time.

Appendix V - Page 6 of 6