DC HEALTH BENEFITS EXCHANGE AUTHORITY



DC HEALTH BENEFITS EXCHANGE AUTHORITY (DCHBX) STATEMENT OF WORK (SOW) Oracle Licenses and Support

SCOPE

Introduction

This Statement of Work (SOW) details the DCAS Operations and Maintenance (O&M) requirement for Oracle Enterprise Manager (OEM) Tuning Packs. The following OEM packs will improve the O&M Database Administrators' ability to manage the DCAS production database servers.

Packs O&M Requirements

1. Oracle Enterprise Manager Database Diagnostics Pack
2. Oracle Enterprise Manager Database Lifecycle Management Pack
3. Real Application Testing Pack for Oracle Enterprise Manager
4. Identity Management Pack Plus

OEM Pack Descriptions

1) Oracle Enterprise Manager Database Diagnostics Pack

The Oracle Diagnostic Pack provides automatic performance diagnostic and advanced system monitoring functionality. The Diagnostic Pack includes the following features:

• Automatic Workload Repository.
• Automatic Database Diagnostic Monitor (ADDM).
• Performance monitoring (database and host).
• Event notifications: notification methods, rules, and schedules.
• Event history and metric history (database and host).

When problems occur with a system, it is important to perform accurate and timely diagnosis of the problem before making any changes to the system. The Database Diagnostics Pack provides an accurate diagnosis of the actual problem in the initial stage, which significantly increases the probability of success in resolving the problem.

Oracle Enterprise Manager Database Tuning Pack

The Oracle Tuning Pack provides database administrators with expert performance management for the Oracle environment, including SQL tuning and storage optimizations.

The Tuning Pack includes the following features:

• SQL Access Advisor
• SQL Tuning Advisor
• SQL Tuning Sets
• Reorganize objects

The output of these advisory tools is in the form of recommendations, along with a rationale for each recommendation and its expected performance benefit. The SQL Tuning Advisor also runs in automatic mode. In this mode, the advisor runs automatically during system maintenance windows as a maintenance task. During each run, the advisor selects high-load SQL queries in the system and generates recommendations on how to tune them.

2) Oracle Enterprise Manager Database Lifecycle Management Pack

The Database Lifecycle Management Pack is a comprehensive solution that automates the processes required to manage the Oracle Database Lifecycle. It eliminates manual and time-consuming tasks related to discovery, initial provisioning, patching, configuration management, ongoing change management and disaster protection automation. In addition, the Database Lifecycle Management Pack provides compliance frameworks for reporting and management of industry and regulatory compliance standards.

3) Real Application Testing Pack for Oracle Enterprise Manager

Oracle Real Application Testing combines a workload capture and replay feature with an SQL performance analyzer to help test changes against real-life workloads, and then helps fine-tune them before putting them into production. Key benefits include:

• Increased business productivity through automation and zero scripting

• Increased business uptime by proactively identifying and remediating potential issues

• Enables business agility through significantly reduced risk and costs

• Highest quality production-scale secure testing solution

4) Identity Management Pack Plus

This tool helps to establish a centralized performance monitoring and diagnostics engine specifically for the full Oracle Identity Management (IdM) stack (OIM, OAM, Directory Services, etc.). It provides a broad set of capabilities around configuration management and service level management to be proactive in ensuring the different components of IdM stay up and running at optimal performance levels. This tool also helps to diagnose issues after the fact so that system admins can be quicker to identify and fix problems that occur. The tool leverages the standard Oracle Enterprise Manager (OEM) platform, including performance dashboards and “point and click” fixes.

Audit & Accountability: With successive revisions of Special Publication 800-53, NIST has acknowledged the importance of “continuous monitoring” in the enterprise. Previously, systems were required to audit sensitive actions & data. It became apparent that collected audit data was seldom utilized to detect intrusions, and sophisticated attackers were often cleansing audit records to reduce the value of audit records for forensic use. With revision 4 of 800-53, NIST now prescribes:

• Audit their data but provide a proactive alerting capability that detects and alerts on anomalous or suspicious audit information.

• Provide logical security & non-repudiation of the audit logs themselves to prevent sophisticated attackers from sanitizing audit logs to prevent detection.

Security of Data at Rest: For Public Sector, the encryption, obfuscation or protection of PII data has become a de facto best practice. In the case of grants & programs, it has become a requirement. For systems, 800-53 allows for a number of different approaches to securing data at rest, but data encryption (especially using FIPS 140 validated algorithms) and an appropriately secure encryption key management scheme are considered best and appropriate practice.

Masking: This is primarily a concern for test & development environments, but occasionally is applied by auditors to end user visibility to sensitive rows/data. The main change in NIST prescriptions addresses the fact that many organizations use copies of production data in lower environments that don’t employ the same security controls to ensure that sensitive information stays confidential as they do in production. The vast majority of 1075 auditees surveyed reported that they received findings for sensitive data being exposed in lower environments. While masking of sensitive data is the most common finding related to lower environments, auditors have noted that all moderate/high impact security prescriptions are enforced in both lower and backup environments that house/transact sensitive information as well.


REQUIREMENTS

The vendor will be required to provide the products and services identified in Table 1 below:

Database Management Pack

Line No  Description                                            Term       Oracle License Type  Number of Licenses
1.       Diagnostic Pack                                        Perpetual  Processor            20
2.       Tuning Pack                                            Perpetual  Processor            20
3.       Database Lifecycle Management                          Perpetual  Processor            20
4.       Real Application Testing for Oracle Enterprise Manager Perpetual  Processor            20

Security Management Packs

Line No  Description                                            Term       Oracle License Type  Number of Licenses
5.       Audit Vault and Database Firewall                      Perpetual  Processor            30
6.       Management Pack Plus for Identity Management           Perpetual  Processor            12
7.       Data Masking and Subsetting Pack                       Perpetual  Processor            24

CONTRACT TERM AND DELIVERY DATE

The term of this contract is one year. Delivery requested by January 15, 2015.

ESTIMATED CONTRACT AMOUNT
