At the earliest stage of the project, EIF will lead discussions to setup a clear and documented governance for all services. Across the Terms of Reference, EIF specifies the expected security controls.
Here is the high-level list of direct services that EIF expects to receive from the successful service provider:
• a common cloud-based Identity and Access Management (IAM) solution, simple to administer, that offers Single Sign-On (SSO) in order to ensure the necessary interoperability for all its solutions hosted on Amazon Web Services (AWS), Microsoft Azure or any other cloud provider, including multi-factor authentication mechanisms;
• a solution to collect application and system logs centrally, store them with appropriate retention, monitor events and escalate relevant incidents to EIF and its involved services providers;
• a vulnerability management tool/service to scan all EIF Cloud platforms to provide monthly and quarterly aggregated reports on vulnerability;
• an advanced system and file encryption/exchange services to protect EIF data;
• a ticketing system to handle support cases, change, release management of specific EIF core Cloud applications (EIF does not necessarily expect this solution to be used for the management of the relationship between EIF and the Cloud Services Broker);
• an SFTP service for secure integration/files transfers between EIF solutions or with counterparts;
• advisory services on different technology aspects (cost monitoring and optimisation, cloud related, security and architecture review, etc.);
• penetration testing services to assess the security of EIF Cloud solutions.
Through this Call for Tender, the EIF expects to find a central service provider for the scope of services defined in the Terms of Reference.
The duration of the framework agreement is as follows:an initial period of 3 years with the possibility to be extended thereafter for 4 consecutive 1-year periods, upon the EIF’s discretion (3 + 1 + 1 + 1 + 1).