Specifications include, but are not limited to:

The privileged access management solution shall:
Support multiple Active Directory forests and domains.
Support multiple access protocols: Remote Desktop Protocol (RDP), Secure Shell (SSH), Hypertext Transfer Protocol Secure (HTTPS).
Offer console-based access protection.
Support Microsoft Server clients 2008 R2 and above.
Support Linux servers.
Support integration with Enterprise Storage platforms.
Support integration with cloud infrastructure.
Support integration with Azure Active Directory.
Support Security Information and Event Management (SIEM) integration.
Offer role-based access control.
The solution's role-based access control can be defined at both the Active Directory forest and Organizational Unit (OU) levels.
Offer break glass capabilities (offline access).
Be both backed up and recovered.
Contain an encrypted password vault (if a vault is used).
Be IRS 1075 compliant.
Be HIPAA compliant.

Technical Capabilities
Elevation request workflow across Active Directory, Azure AD, and LDAP.
Ability to configure workflows to support both manual and automatic approvals.
Elevation of access, after approval, to be entirely automated.
Detection and rollback of unauthorized access changes.
Leverage vendor-agnostic MFA (preferably Azure).
Local administrator password management.
Service account management.
Solutions featuring a proxy/jump box/bastion host must have a method to prevent users from bypassing the solution.
Integration for Ivanti Help Desk system desired.

Alerting
Alerting of non-standard access patterns.
Alerting of brute force attempts.
Alerting for resource access escalation.
Alerting for endpoint rights escalation.
Alerting regarding system version updates and patches.
Alerting regarding system security updates and patches.

Analytics
Provide ability to audit user sessions and all interactions.
Provide delegated access to analytics and reporting.
Delegated analytics and reporting can be restricted to individual forests and/or OUs in that forest.
Provide ability to export reports to a variety of formats.
Provide ability to schedule and email reports.
Provide ability to create customized reports.
Provide ability to report on Windows server access escalations.

Availability/Resiliency
Support 99.99% uptime.
Support remote access.

Implementation
Contractor shall be responsible for implementation of the chosen solution.
Self-sufficiency training to be included from Contractor.
Contractor shall provide primary support for the life of the contract.
Twenty-four (24) hour, seven (7) days a week support shall be provided by the Contractor to the County.
There shall be a maximum four (4)-hour response time on severity A incidents.
Severity A incidents can be defined as the County having experienced a significant loss or degradation of services, requiring immediate attention.

Project Management
Contractor shall provide a dedicated project manager to manage implementation for the duration of the engagement.
Contractor shall provide standard project management documentation, such as Communication Plan, Change Control & Management, Risk Management, Training Plan, Roles & Responsibilities Matrix, and Project Status Reports.