Tenders in Gauteng

Returnable Documents: 2 Advert 4 3 Invitation to Bid CAMBD 1 (Compulsory Returnable Document) 5 - 6 4 Specification / Terms of reference 7 – 41 5 Annexure B – Technical Evaluation 42 – 59 6 Pricing schedules 60 – 79 7 Compulsory Conditions 80 Tax Compliance Status Pin Requirements CAMBD 2 8 81 – 82 (Compulsory Returnable Document) Authority of Signatory (Schedule 1 A) 9 83 – 84 (Compulsory Returnable Document) Compulsory Enterprise Questionnaire (Schedule 1B) 10 85 (Compulsory Returnable Document) 11 Documents of Incorporation (Schedule 1C) (Compulsory Returnable Document) 86 Payment of Municipal Accounts (Schedule 1D) 12 87– 88 (Compulsory Returnable Document) Broad-Based Black Economic Empowerment (B-BBEE) Status Level Certificates (Schedule 1D) (Compulsory Returnable Document) 89 – 90 Work satisfactorily carried out by the tenderer (Schedule 1F) 14 91-92 (Compulsory Returnable Document) 15 Special Condition 93– 96 16 Form of Acceptance & Contract Data 97 – 99 17 General Conditions of Contract 100– 105 18 Declaration of Interest CAMBD 4 (Compulsory Returnable Document) 106 – 109 Declaration For Procurement Above R10 Million (All Applicable Taxes Included 19 110-111 CAMBD 4 (Compulsory Returnable Document) Procurement Points Claim Forms in terms of the Preferential Procurement 20 112– 116 Regulations 2001. CAMBD 6.1 (Compulsory Returnable Document) Contract Rendering of Services CAMBD 7.2 21 117 – 118 (Compulsory Returnable Document) Declaration of Bidder’s Past Supply Chain Management Practices CAMBD 8 22 119– 120 (Compulsory Returnable Document) Certificate of Independent Bid Determination CAMBD 9 23 121 – 123 (Compulsory Returnable Document) CHECK LIST FOR COMPLETENESS OF BID DOCUMENT Reference nr: SCM41/2025/26 2 | P a g e The bidder MUST ENSURE that the following checklist is competed, that the necessary documentation is attached to this bid document and that all declarations are signed:, Completed page containing the details of bidder Yes No, Yes No Specifications & Pricing Schedules - Is the form duly completed and signed?, (CAMBD 2) Are a Tax Compliance status pin attached? Yes No, Yes No (Schedule 1 A) Authority of Signatory - Is the form duly completed and signed?, (Schedule 1B) Enterprise Questionnaire -Is the form duly completed and signed? Yes No, (Schedule 1C) Documents of Incorporation - Is the form duly completed and signed? Yes No, (Schedule 1D) Payment of Municipal Accounts - Is the form duly completed and Yes No signed?, (Schedule 1E) B-BBEE certificate - Is the form duly completed and signed? Is a Yes No certified or an original certificate attached, (Schedule 1F) Schedule of work experience of tenderer- Is the form duly completed Yes No and signed?, Yes No (Schedule 1G) Document/S to Prove the Company Is A Registered ICT Based Entity, (Schedule 1H) Local I.T. Sales and Support Office (WESTERN CAPE) Is the proof Yes No attached?, Schedule 1I) Letter from the “Brand House - Is the proof attached? Yes No, Form of Offer - Is the form duly completed and signed? Yes No, Contract data - Is the form duly completed and signed? Yes No, (CAMBD 4) declaration of interest- Is the form duly completed and signed? Yes No, Yes No (CAMBD 6.1) Preference points claimed- Is the form duly completed and signed?, (CAMBD 8) Signed declaration of bidder's past supply chain management Yes No practices, (CAMBD 9) Prohibition of Restrictive Practices be completed and signed. Yes No, All bids must be submitted in writing on the official forms (not re-typed). Yes No, Bidder must initial every page of this bid document. Yes No CERTIFICATION I, THE UNDERSIGNED (FULL NAME) ............................................................... CERTIFY THAT THE INFORMATION FURNISHED ON THIS CHECK LIST IS TRUE AND CORRECT. Signed ........................................................ Date ................................................. Name ....................................................... Position ................................................. Tenderer ........................................................................................................................................ Reference nr: SCM41/2025/26 3 | P a g e CAPE AGULHAS MUNICIPALITY REQUEST FOR TENDERS MUNICIPAL NOTICE BOARD; MUNICIPAL WEBSITE; NATIONAL TREASURY ADVERTISED ON e-TENDER TENDER NO: SCM41/2025/26 Tenders are hereby ICT SUPPORT SERVICES AND LICENSING FOR A PERIOD OF 3 YEARS invited for: PUBLISHED DATE: 12 December 2025 CLOSING DATE: 13 February 2026 No later than 12H00. Tenders will be opened immediately thereafter, in public at the Cape Agulhas Municipality, CLOSING TIME: 1 Dirkie Uys Street, Bredasdorp. AVAILABILITY OF BID DOCUMENTS: Tender documents are available from Me G Koopman at telephone number 028-425-5500 during office hours or email at geraldinek@capeagulhas.gov.za. Date Available: 12 December 2025 Non-refundable Fee: R 0. 00 BID RULES:, Tenders are to be completed in accordance with the conditions and Tender rules contained in the Tender document., The Tender Document & supporting documents must be placed in a sealed envelope and externally endorsed with: THE TENDER NUMBER; DESCRIPTION & CLOSING DATE OF TENDER., Tender Documents must be deposited in the Tender Box, at Municipal Offices, 1 Dirkie Uys Street, Bredasdorp or posted to reach the Municipal Manager, Cape Agulhas Municipality, PO Box 51, Bredasdorp, 7280., Tenders may only be submitted on the Tender documentation issued by the Municipality., A Tax Compliance status pin as issued by the South African Revenue Service, must be submitted together with the tender., The two-stage bidding process will be followed in evaluating this tender. Firstly, it will be evaluated for functionality and thereafter for price and preference., The Cape Agulhas Municipality does not bind itself to accept the lowest or any tender and reserves the right to accept ant tender, as it may deem expedient., Tenderers are required to be registered on the Accredited Supplier Database (CSD) from the website https://secure.csd.gov.za Suppliers may claim preference points in terms of the 80/20. Price: 80Tenders shall be evaluated in terms of the Cape Specific Goals: (20) Agulhas Municipality Supply Chain Management, B-BBEE Status Level contributor: 10 Policy & Preferential Procurement b) Locality of Supplier: 10 Total Points: 100 Site Meeting / Information Session n/a Validity Period 90 days ANY ENQUIRES REGARDING TECHNICAL ANY ENQUIRES REGARDING THE QUOTING PROCEDURE MAY BE INFORMATION MAY BE DIRECTED TO: DIRECTED TO: Division ICT Division Supply Chain Management Contact Person: Mr Kevin Fourie Contact Person: Ms. G Koopman Tel: e-mail Enquires Only Tel: e-mail Enquires Only E-mail: kevinf@capeagulhas.gov.za E-mail: geraldinek@capeagulhas.gov.za WP RABBETS MUNICIPAL MANAGER PO BOX 51 BREDASDORP 7280 Reference nr: SCM41/2025/26 4 | P a g e CAMBD1 PART A INVITATION TO BID YOU ARE HEREBY INVITED TO BID FOR REQUIREMENTS OF THE CAPE AGULHAS MUNICIPALITY BID NUMBER: SCM41/2025/26 CLOSING DATE: 13 February 2026 CLOSING TIME: 12:00 DESCRIPTION ICT SUPPORT SERVICES AND LICENSING FOR A PERIOD OF 3 YEARS THE SUCCESSFUL BIDDER WILL BE REQUIRED TO FILL IN AND SIGN A WRITTEN CONTRACT FORM (MBD7). BID RESPONSE DOCUMENTS MAY BE DEPOSITED IN THE BID BOX SITUATED AT (STREET ADDRESS CAPE AGULHAS MUNICIALITY 1 DIRKIE UYS STREET BREDASDORP 7280 SUPPLIER INFORMATION NAME OF BIDDER POSTAL ADDRESS STREET ADDRESS TELEPHONE NUMBER CODE NUMBER CELLPHONE NUMBER FACSIMILE NUMBER CODE NUMBER E-MAIL ADDRESS VAT REGISTRATION NUMBER TAX COMPLIANCE STATUS TCS PIN: OR CSD No: B-BBEE STATUS LEVEL B-BBEE STATUS Yes Yes VERIFICATION CERTIFICATE LEVEL SWORN [TICK APPLICABLE BOX] AFFIDAVIT No No [A B-BBEE STATUS LEVEL VERIFICATION CERTIFICATE/ SWORN AFFIDAVIT (FOR EMES & QSEs) MUST BE SUBMITTED IN ORDER TO QUALIFY FOR PREFERENCE POINTS FOR B-BBEE] ARE YOU A ARE YOU THE ACCREDITED FOREIGN BASED REPRESENTATIVE IN SOUTH Yes No SUPPLIER FOR THE Yes No AFRICA FOR THE GOODS GOODS /SERVICES /SERVICES /WORKS OFFERED? [IF YES ENCLOSE PROOF] /WORKS OFFERED? [IF YES, ANSWER PART B:3] TOTAL NUMBER OF ITEMS OFFERED TOTAL BID PRICE R SIGNATURE OF BIDDER .................................... DATE CAPAMUNICIPALITY UNDER WHICH THIS BID IS SIGNED BIDDING PROCEDURE ENQUIRIES MAY BE DIRECTED TO: TECHNICAL INFORMATION MAY BE DIRECTED TO: DEPARTMENT FINANCE: SCM DEPARTMENT ICT CONTACT PERSON Geraldine Koopman CONTACT PERSON Mr Kevin Fourie TELEPHONE NUMBER 028 425 5500 TELEPHONE NUMBER 028 425 5500 E-MAIL ADDRESS geraldinek@capeagulhas.gov.za E-MAIL ADDRESS kevinf@capeagulhas.gov.za Reference nr: SCM41/2025/26 5 | P a g e PART B TERMS AND CONDITIONS FOR BIDDING, BID SUBMISSION: 1.1. BIDS MUST BE DELIVERED BY THE STIPULATED TIME TO THE CORRECT ADDRESS. LATE BIDS WILL NOT BE ACCEPTED FOR CONSIDERATION. 1.2. ALL BIDS MUST BE SUBMITTED ON THE OFFICIAL FORMS PROVIDED– (NOT TO BE RE-TYPED) OR ONLINE 1.3. THIS BID IS SUBJECT TO THE PREFERENTIAL PROCUREMENT POLICY FRAMEWORK ACT AND THE PREFERENTIAL PROCUREMENT REGULATIONS, 2022, THE GENERAL CONDITIONS OF CONTRACT (GCC) AND, IF APPLICABLE, ANY OTHER SPECIAL CONDITIONS OF CONTRACT., TAX COMPLIANCE REQUIREMENTS 2.1 BIDDERS MUST ENSURE COMPLIANCE WITH THEIR TAX OBLIGATIONS. 2.2 BIDDERS ARE REQUIRED TO SUBMIT THEIR UNIQUE PERSONAL IDENTIFICATION NUMBER (PIN) ISSUED BY SARS TO ENABLE THE ORGAN OF STATE TO VIEW THE TAXPAYER’S PROFILE AND TAX STATUS. 2.3 APPLICATION FOR THE TAX COMPLIANCE STATUS (TCS) CERTIFICATE OR PIN MAY ALSO BE MADE VIA E- FILING. IN ORDER TO USE THIS PROVISION, TAXPAYERS WILL NEED TO REGISTER WITH SARS AS E-FILERS THROUGH THE WEBSITE WWW.SARS.GOV.ZA. 2.4 FOREIGN SUPPLIERS MUST COMPLETE THE PRE-AWARD QUESTIONNAIRE IN PART B:3. 2.5 BIDDERS MAY ALSO SUBMIT A PRINTED TCS CERTIFICATE TOGETHER WITH THE BID. 2.6 IN BIDS WHERE CONSORTIA / JOINT VENTURES / SUB-CONTRACTORS ARE INVOLVED; EACH PARTY MUST SUBMIT A SEPARATE TCS CERTIFICATE / PIN / CSD NUMBER. 2.7 WHERE NO TCS IS AVAILABLE BUT THE BIDDER IS REGISTERED ON THE CENTRAL SUPPLIER DATABASE (CSD), A CSD NUMBER MUST BE PROVIDED., QUESTIONNAIRE TO BIDDING FOREIGN SUPPLIERS 3.1. IS THE ENTITY A RESIDENT OF THE REPUBLIC OF SOUTH AFRICA (RSA)? YES NO 3.2. DOES THE ENTITY HAVE A BRANCH IN THE RSA? YES NO 3.3. DOES THE ENTITY HAVE A PERMANENT ESTABLISHMENT IN THE RSA? YES NO 3.4. DOES THE ENTITY HAVE ANY SOURCE OF INCOME IN THE RSA? YES NO 3.5. IS THE ENTITY LIABLE IN THE RSA FOR ANY FORM OF TAXATION? YES NO IF THE ANSWER IS “NO” TO ALL OF THE ABOVE, THEN IT IS NOT A REQUIREMENT TO REGISTER FOR A TAX COMPLIANCE STATUS SYSTEM PIN CODE FROM THE SOUTH AFRICAN REVENUE SERVICE (SARS) AND IF NOT REGISTER AS PER 2.3 ABOVE. NB: FAILURE TO PROVIDE ANY OF THE ABOVE PARTICULARS MAY RENDER THE BID INVALID. NO BIDS WILL BE CONSIDERED FROM PERSONS IN THE SERVICE OF THE STATE. SIGNATURE OF BIDDER: ................................................... CAPAMUNICIPALITY UNDER WHICH THIS BID IS SIGNED: ................................................... DATE: ........................... Reference nr: SCM41/2025/26 6 | P a g e Contents 1 SCHEDULE A – SCOPE OF SERVICES................................................................................................. 9 2 ICT PROFESSIONAL SUPPORT AGREEMENT .................................................................................... 9 3 Support Fees ................................................................................................................................. 11 4 Security ......................................................................................................................................... 12 4.1 Network security, management, monitoring, reporting and notifications services. ........... 12 4.1.1 Network access policy system. ..................................................................................... 12 4.1.2 Cloud Assessment and Monitoring Tool ....................................................................... 16 4.1.3 Cloud Application Activity & Security Monitoring ........................................................ 18 4.2 Compliance ........................................................................................................................... 19 4.2.1 Cyber Security Framework management tool .............................................................. 19 4.3 Dark Web monitoring ........................................................................................................... 22 4.4 Security Audit ........................................................................................................................ 22 4.5 Security Awareness Training & Phishing Simulation Requirements ..................................... 23 4.6 Vulnerability Scanning Tool .................................................................................................. 25 4.7 Penetration Testing ............................................................................................................... 26 4.7.1 PROJECT BACKGROUND ................................................................................................ 26 4.7.2 PURPOSE ....................................................................................................................... 27 4.7.3 SCOPE OF WORK ........................................................................................................... 27 4.7.4 PROJECT DESIGN ........................................................................................................... 29 4.7.5 CONTRACT TERM .......................................................................................................... 30 4.7.6 PROJECT MANAGEMENT ARRANGEMENTS .................................................................. 30 4.8 Security Operations Centre (SOC) ......................................................................................... 30 4.8.1 SPECIFICATION OF REQUIREMENTS .............................................................................. 30 4.8.2 Approach to the delivery of the SOC Managed Service ................................................ 31 4.8.3 Technical Requirements of SOC Solution ...................................................................... 31 4.8.4 Implementation/Project Take-on ................................................................................. 34 4.9 SIEM, Log Management & Security Automation Requirements........................................... 34 4.10 IT Documentation & Knowledge Management Platform Requirements ............................. 35 4.11 Security Component Project Requirements ......................................................................... 35 5 Monitoring, management, and Audit system ............................................................................... 35 SCHEDULE B – TECHNICAL EVALUATION .............................................................................................. 42 1 Organisational requirements ........................................................................................................ 42 1.1 Company requirements ........................................................................................................ 42 1.2 Support staff requirements .................................................................................................. 43 Reference nr: SCM41/2025/26 7 | P a g e 2 Network Access & Security Assessment Tool ............................................................................... 45 3 Cloud Application Activity & Security Monitoring ........................................................................ 46 4 Dark Web Monitoring ................................................................................................................... 48 5 Security Awareness Training & Phishing Simulation Requirements ............................................. 48 6 Penetration Testing functional requirements............................................................................... 50 7 Security Operations Centre (SOC) ................................................................................................. 51 8 SIEM, Log Management & Security Automation Requirements................................................... 52 9 IT Documentation & Knowledge Management Platform Requirements ..................................... 53 SCHEDULE C – FUNCTIONAL REQUIREMENTS ...................................................................................... 56 1 Project approach and technical evaluation .................................................................................. 56 2 The scoring of the tenderer’s experience will be as follows. ........................................................ 59 3 Functionality Criteria evaluation ................................................................................................... 59 SCHEDULE D - PRICING .......................................................................................................................... 60 1 Support Fees ................................................................................................................................. 61 2 Network access policy system. ..................................................................................................... 64 3 Cloud assessment and monitoring tool ........................................................................................ 65 4 Cloud Application Activity & Security Monitoring ........................................................................ 66 5 Compliance ................................................................................................................................... 67 5.1 Cyber Security Framework management tool ...................................................................... 67 6 Dark Web monitoring ................................................................................................................... 68 7 Security Audit ................................................................................................................................ 69 8 Security Awareness Training & Phishing Simulation Requirements ............................................. 70 9 Vulnerability Scanning Tool .......................................................................................................... 71 10 Penetration Testing ................................................................................................................... 72 11 SIEM, Log Management & Security Automation Requirements............................................... 73 12 IT Documentation & Knowledge Management Platform Requirements ................................. 74 13 Security Operations Centre (SOC) ............................................................................................. 75 14 Monitoring, management, and Audit system ........................................................................... 76 15 Pricing Summarized .................................................................................................................. 79 Reference nr: SCM41/2025/26 8 | P a g e ICT SUPPORT SERVICES AND LICENSING, SCHEDULE A – SCOPE OF SERVICES, This tender is based on rates for the period of 36-months., Pricing will be used for evaluation purposes and is estimated based on current ICT network environment., ICT PROFESSIONAL SUPPORT AGREEMENT Cape Agulhas Municipality is awaiting bids on the supplying of ICT Systems / Software and services. These services are inclusive of a range of various ICT related services, and the successful bidder will become the ICT service provider as defined in this document for a term of 36 months starting 1 March 2026. 1.1 SCOPE OF SERVICES – Services, Software & Support must include:, On-site support – including Cyber Security support, 24-hour response time, Hardware Infrastructure, Software Infrastructure (operating systems and the operation of core server/desktop productivity applications on quotation basis)., Access and Authorization (user account and password help, application-level access problem determination, desktop/client security configuration support. E mail and Internet access support in liaison/conjunction with the relevant ISP or any other Service Provider, Local area network design, Wide area network design, Campus area network design, Metropolitan area network design, Other types of network design as may be required., Network Infrastructure – Check and verify basic network connectivity. Cabling, router and switch configurations are excluded., Installation, setup and deployment of new equipment, systems and services., The successful Tenderer must take responsibility for carry-in and carryout of equipment that do not have on-site warranty against the SLA should it be required., Scheduled meetings/reports with nominated ICT personnel to review the SLA performance and usage., Governance Services should include but not be limited the review of, and establishment of policies and procedures inclusive of the following existing: o ICT policies and procedures o ICT Audits – Governance and security audits o ICT Disaster recovery plans o Enterprise Architecture o ICT Maintenance plan o ICT Strategy and implementation plans o Cyber security policies, procedures, strategies and plan development o Public Key Certificates o Mail certificates. o Web certificates o Wild card certificates Reference nr: SCM41/2025/26 9 | P a g e In order to adhere to the Municipalities` policy “ICT Service Level Agreement Management Policy - External Service Provider” the Municipality views end user desktop and server support as a critical component to a client’s business. To achieve and maintain service delivery we have set a generic impact level analysis approach to our support. DEFINITIONS OF IMPACT LEVELS: Impact Level 1 Multiple users are directly affected. Loss of function has a serious and immediate negative impact on the business. Furthermore, no temporary and workable alternative is available to carry on the disrupted activity. Impact Level 2 Limited (two or less) users are directly affected. A temporary and workable alternative is available to carry on the disrupted activity. The disruption of activity/function may have some operational impact, but it is not highly critical. Impact Level 3 New computer, server or system setup to replace an older but still operational. It is a known fact that a system, or component, or software upgrade is required, but the computer is still functional. Setup of computer peripherals, which has no critical impact on the daily activities of users. SERVICE RESPONSE TO EACH IMPACT LEVEL: Response to Impact Level 1 Upon receipt of service call to Help Desk, its staff must attempt to resolve the reported problem over the phone. If the problem is not resolved immediately by the Help Desk, its staff must then immediately contact the Desktop Support Service staff via e mail and cell phone. The assignee of this service call will respond telephonically within one hour or less depending on the degree of emergency. Once the service assignee has assessed the situation, he/she will proceed to attempt remote procedure assistance. Should the situation still remain unresolved the tenderer will send a suitable technician to the site. If the problem is not resolved by the assignee within four hours, the Help Desk staff will escalate the call to the next level by alerting the Coordinator of Desktop Support Service to the situation and the possible need for assistance and/or consultation. The targeted time for problem resolution is regarded as extremely urgent but dependent on mitigating circumstances like client approval, spare parts, equipment availability etc. Response to Impact Level 2 The first response by an assignee from the Desktop Support Service staff must occur within the 4-hour window after the initial service call to the Help Desk, if the problem is not resolved over the phone immediately by the Help Desk staff. The maximum time targeted for problem resolution is within 24 hours (or 3 workdays) by the assignee after the initial service call to the Help Desk. If the problem is not resolved by the assignee within the allowed maximum time, the Help Desk staff must escalate the call to the next level by alerting the Coordinator of the Desktop Support Service to the situation and the possible need for assistance and/or consultation. Reference nr: SCM41/2025/26 10 | P a g e Response to Impact Level 3, The first response by an assignee from the Desktop Support Service must occur within 4 hours after the initial service call to the Help Desk., Subject to the client’s approval, equipment and spare part availability, the specific targeted maximum time for problem resolution or service request is 5 working days (40 hours)., An e-mail reminder must be sent to the assignee of the Desktop Support Staff and its Coordinator at the end of day one after the initial service call to the Help Desk, regardless of if the problem or service request has been taken care of. The customer will be kept duly informed by the account manager of the status quo., If the problem or service request has not been addressed in 5 working days after the initial service call to the Help Desk, this open ticket must be escalated to the attention of the Director of the successful company for his/her action. OTHER INFORMATION:, Hours of operation of the Help Desk must be at least: 8:00 A.M. to 5:00 P.M., Monday to Friday., For after hour emergencies including weekends the Municipality must be provided with contact names and cell numbers., Users must be able to contact the Help Desk via telephone, voice mail, e-mail or ticketing system in person at any time including after hours., Such service calls should be automatically queued and handled in the sequence of their occurrence., The Help Desk must be responsible for assigning each unresolved service call ticket to a staff member of the Desktop Support Service and for logging and tracking of each assignment., The assignee of each service call ticket must inform the user through phone or e-mail of the status of the problem resolution. Server crash and software reloads must be done on a quotation basis and in accordance with the Municipalities` procurement policies., IT Support Call Logging procedure –must be clearly identified and communicated to the Municipality. A username (which must be provided) is required when logging a call via email. Login details must be given to Municipal users via email, WhatsApp and/or SMS., Support Fees ICT Support may be required from time to time covering the Scope of work and any other ICT related professional, security, audit or Governance support services, evaluations, or implementation plans. In lieu of these requirements rates are required for these services. Ad hoc projects may be required from time to time to which to following will then apply: (ii) The successful Tenderer must submit a quotation for approval before commencement of any chargeable service linked to the tendered amounts as per section above. Reference nr: SCM41/2025/26 11 | P a g e, Security 4.1 Network security, management, monitoring, reporting and notifications services. 4.1.1 Network access policy system. Cape Agulhas Municipality is awaiting a proposal on ICT security services, including best efforts detection, investigation, monitoring and remediation of misuse and abuse of network resources occurring behind the corporate firewall based upon agreement and implementation of a set of best practices security Policies and Procedures. These monitoring Policies and Procedures should include but may not necessarily be limited to the following: Access Control Policies, Authorization of new Devices to be Added to Restricted Networks Restricted networks should be tightly controlled to conform to strict network change management policies and procedures. Implementing security controls and applying consistent policies can help protect the organization from these security threats. We need to receive an alert with recommended actions to be taken when new devices have been added to any network segment designated as restricted., Investigate Suspicious Logons by Users Computer user login attempts by a particular user that are made outside of normal time frame patterns or from an unusual location indicates behaviour consistent with unauthorized user access or malicious software. When this event is detected, we need to receive an email alert warning of the suspicious activity with recommended actions to be taken. It is possible that an account may have been compromised., Investigate Suspicious Logons to Computers Attempts to access a computer using login credentials not normally associated with that particular computer could point to unauthorized user access or use of malicious software. When this event is detected, we need to receive an email alert warning of the suspicious activity with recommended actions to be taken. In such an instance it is possible that an account may have been compromised., Strictly Control the Addition of Printers Network printers are vulnerable to security risks just like computers. Connecting to and printing from an unauthorized printer can lead to information loss. Anytime a new printer is found on the network, we need to receive an alert notifying us with recommended actions to be taken to ensure that it is authorized to prevent any potential threat., Restrict Access to Computers with specified roles viz, financial to Authorized Users Computers in the network that are used to transmit, process, or store accounting/financial information and other sensitive financial records should only be accessed by authorized users. Trying to prevent users from accessing these resources through group policies, restricted logons and other network "hardening" is best practice. However, we still need to know when unauthorized users attempt to access sensitive systems and login to one of these machines. We need to receive an email alert when unauthorized user attempts to login to one of these accounting/financial computers with recommended actions to be taken., Restrict Access to IT Admin Only Restricted Computers to IT Administrators Domain controllers, web servers, database servers, and mail servers should only be accessed by users who are IT Administrators. These devices are critical to the normal operation of the business. Trying to prevent users from accessing these resources through group policies, restricted logons and other network "hardening" is best practice. We need to receive an alert with recommended actions when a user who is not an IT Administrator attempts a login to a computer designated for only IT Administrator access., Restrict Access to Business Owner Type Computers to Authorized Users Computers in the network that are designated as "Business Owner Type Computers" may only be accessed by authorized users. These devices often contain confidential, privileged, and other private and sensitive records and should only be accessed by authorized users. Trying to prevent users from accessing these resources through group policies, restricted logons and other network "hardening" is best practice. We need receive an email alert with recommended actions when unauthorized users attempt to login to one of these computers that are designated as a "Business Owner Computer." Reference nr: SCM41/2025/26 12 | P a g e, Restrict Access to Systems in the Cardholder Data Environment (CDE) to Authorized Users Cardholder Data Environment (CDE) system components that access, use, or maintain Cardholder Data. Only workforce members or business associates who have been authorized to have access to specified Cardholder Data, in accordance with the requirements set forth may access and work with the associated Cardholder Data. We need to receive email alerts with recommended actions to be taken when suspicious or potentially unauthorized users log into computer designated as containing Cardholder Data., Restrict IT Administrative Access to a Minimum Administrator access rights to computers and other IT resources should be limited to users who have been authorized to this level of system access to perform their role. The Administrator account is the most powerful account on the network, holding the "keys" to the business infrastructure. We need to receive an alert with recommended actions to be taken after a user account has been provided with Administrator rights on the network or a new user has been created with administrator rights. This is to ensure we can verify authenticity of the user access level and minimize Administrator level access to the minimum number of people necessary., Restrict Users that are Not Authorized to Log into Multiple Computer Systems Computer users, in general, are assigned a specific machine for use in performing their business duties. We need to identify users who should only log into a single computer. When a single desktop user logs into multiple computers, their behaviour is viewed as suspicious and should be investigated further. We need to start receiving email alerts with recommended actions to be taken when tagged users log into more than one computer., Strictly Control the Addition of New Local Computer Administrators An important part of securing our network is managing the users and groups that have administrative access. When a user account is added to a computer and this account is assigned administrator rights, we need to receive an email alert with recommended actions., Strictly Control the Addition of New Users to the Domain The addition of new users to the network should be strictly controlled. An important part of securing our network is managing the addition of new users. Any time a new user account has been identified as being added to the network, verify that the new account was authorized. We need to receive an email alert with recommenced actions when a new user account has been added to the network., Strictly Control the Removal of Users from the Domain The removal of users from the network is to be strictly controlled. Any time a user account has been identified as being removed from the network, we need to receive an email alert with recommended action when a user account has been removed from the network., Strictly Control the Creation of New User Profiles User profiles are created when users access systems for the first time. The appearance of new user profiles indicates successful access to systems. Monitoring the creation of new profiles allows detection of access. Any time a new user profile has been identified as being added to the network we need to receive an email alert with recommended action. Computer Policies, Changes on Locked Down Computers should be Strictly Controlled. There are some computers in a network where we want to be alerted of any changes to the system that are significant. These can be important systems like Domain Controllers, Exchange Servers, or servers where we have strict change management. We need to receive email alerts with recommended actions of computers designated as "locked down" meaning they should not be tampered with., Install Critical Patches for DMZ Computers within 30 Days Computers in the DMZ are highly susceptible to malicious attacks and software if left vulnerable due to critical patches not being applied on a timely basis. We need to receive an email alert with recommendations when a threat to a DMZ Computer, results from critical patches not being installed. Reference nr: SCM41/2025/26 13 | P a g e, Install Critical Patches on Network Computers within 30 Days Computers on the network are highly susceptible to malicious attacks and software if left vulnerable due to critical patches not being applied on a timely basis. A patch is a piece of software designed to update a computer program or its supporting data, to fix or improve it. This includes security vulnerabilities and other bugs to improve the usability or performance of the program. We need to receive an email alert arising from vulnerabilities that are a result of critical patches not being timely installed., Restrict Internet Access for Computers that are Not Authorized to Access the Internet Directly Computers on a network should be prevented from having direct access to the Internet. These can be important systems like accounting systems, systems storing PII, or Cardholder Data, or computers used to perform other sensitive business functions. We need to receive an email alert with recommended actions if at any time designated computers can access the Internet directly and not via the authorized network and Firewall., Strictly Control the Clearing of System and Audit Logs The clearing of logs can be used a forensic countermeasure and should be strictly controlled. Only authorized personnel with a justifiable reason should ever clear event logs manually. Any clearing of an event log should be verified to determine if it was authorized. We need to receive an email alert with recommended action when any system or audit log is cleared., Enable automatic screen lock on computers with sensitive information. Automatic screen lock should be enabled on all computers containing sensitive information to prevent unauthorized access. We need to receive an email alert with recommended action if there are devices with sensitive information that does not have the Automatic screen lock enabled., Enable automatic screen lock for users with access to sensitive information. Automatic screen lock should be enabled on all computers accessed by users who have access to sensitive information. We need to receive an email alert with recommended action if there are users that have access to sensitive information that does not have the Automatic screen lock enabled on their device. Data Security Policies, Only store Personally Identifiable Information (PII) on systems marked as sensitive. Personally Identifiable Information (PII) should only be stored on systems specifically marked as containing sensitive information. These systems should have additional safeguards and controls to prevent unauthorized access. We need to receive an email alert with recommended action if there are any devices that are marked sensitive without the additional safeguards and controls in place. We need to receive an email alert with recommended action if there are any devices that are not marked as sensitive but has PII data stored on it., Only store cardholder data on designated systems Cardholder Data should only be stored on systems specifically marked as part of the Cardholder Data Environment (CDE). These systems should have additional safeguards and controls to prevent unauthorized access. We need to receive an email alert with recommended action if there are any devices that are marked sensitive without the additional safeguards and controls in place. We need to receive an email alert with recommended action if there are any devices that are not marked as sensitive but has Card Holder data stored on it., Detect malicious software and potential security breaches (Breach Detection System) We currently have Sophos Central Intercept X Advanced for Endpoint. However, as an additional layer of security we require an independent scan to detect any possible malicious software and potential security breaches. If any detections are detected, we need to receive an email alert with recommended action. Network Security Policies, Detect Network Changes to Internal Networks Monitoring changes to a private network assist in identifying potential security concerns. Anytime a new device is connected to or disconnected from a network, we need to receive an email alert with recommendation notifying us of the potential rogue device connection or possible theft of equipment. Reference nr: SCM41/2025/26 14 | P a g e, Detect Network Changes to Internal Wireless Networks Monitoring changes to a private wireless network assist in identifying potential security concerns. Anytime a new device is connected to or disconnected from a wireless network, we need to receive an email alert with recommendation notifying us of the potential rogue device connection or potential theft of equipment. Identified "guest" wireless networks should not generate alerts., Only Connect to Authorized Wireless Networks Connections to "unauthorized" wireless networks may lead to data loss from unwanted information disclosure. Any time a user connects to a network using an "unauthorized" wireless connection, we need to receive an email alert with recommendation., Remediate High Severity Internal Vulnerabilities Immediately (CVSS > 7.0) Any identified Internal Vulnerabilities assigned a CVSS Score of 7.0, or higher, represent potential high severity threats and should be remediated immediately. The Common Vulnerability Scoring System (CVSS) is an open industry standard for assessing the severity of computer system security vulnerabilities. CVSS assigns severity scores to vulnerabilities, allowing responders to prioritize responses and resources according to threat. Scores range from 0 to 10, with 10 being the most severe. When high severity internal vulnerabilities are found, we need to be notified with an email alert with recommendation to resolve., Remediate Medium Severity Internal Vulnerabilities (CVSS > 4.0) Any identified Internal Vulnerabilities assigned a CVSS Score of 4.0, or higher, represent potential medium severity threats and should be remediated as soon as possible. The Common Vulnerability Scoring System (CVSS) is an open industry standard for assessing the severity of computer system security vulnerabilities. CVSS assigns severity scores to vulnerabilities, allowing responders to prioritize responses and resources according to threat. Scores range from 0 to 10, with 10 being the most severe. When medium severity internal vulnerabilities are found, we need to be notified with an email alert with recommendation to resolve., Strictly control DNS on Locked Down Networks Changes in DNS entries in networks that are locked down should be strictly controlled. Additions may indicate unauthorized devices connecting to the network. Other changes may indicate other issues including theft and should be investigated. We need to be notified with an email alert with recommendation to resolve., Strictly control changes to Group Policy Group Policies are used to configure computer and user settings. Due to their ability to affect the security settings throughout the network, any changes to Group Policy Objects (GPOs) should be strictly controlled. We need to be notified with an email alert with recommendation to resolve., Strictly control changes to the Default Domain Policy The Default Domain Policy is applied to all computers and users in the domain by default. New computers and users will be assigned the Default Domain Policy until they are assigned specific policies. Any changes to the Default Domain Policy should be strictly controlled to prevent introducing security vulnerabilities. We need to be notified with an email alert with recommendation to resolve. Reference nr: SCM41/2025/26 15 | P a g e 4.1.2 Cloud Assessment and Monitoring Tool Cape Agulhas Municipality is awaiting a proposal on Microsoft Cloud assessment and monitoring system as a service. This is required to manage and assess risk across our entire Microsoft Cloud Environment. 1 The system should assess and document at least the following components:, Microsoft 365 Cloud Services o Office 365 o Teams o SharePoint o OneDrive (no need to scan file content) o Outlook/Exchange (no need scan email content), Microsoft Azure Cloud Services o Azure Active Directory 2 Reporting Reporting is required on at least the following areas is required through this system., Assessments on Azure AD The Azure AD Detail Report must go through the entire Azure Active Directory environment and document all organizations, domains and support services that are turned on for the AD environment. Every detail must be presented in line-item fashion in an editable report document including installed special applications, web URLs to those apps, organizational contacts, distribution lists, proxy addresses, Microsoft service plans and SKUs being used, groups, users, permissions, devices and more. The report must be organized by section with a table of contents to help us locate the specific findings of interest and problem areas must be highlighted in red, making it easy to spot individual problems to be rectified., SharePoint assessments The SharePoint Assessment Report must be a detailed assessment that shows the total number of sites started under management, how many active SharePoint sites there are, what storage requirements there are and include daily trends in the number of sites and storage usage. It should then take the site collections and breaks down all the individual sites so that we can understand what is being published in each, how they are organized, and even what groups they contain. Among other things, the report must help us understand growth trends and better predicts backup needs., One Drive Usage reports The OneDrive Assessment Report must provide a high-level summary report of all OneDrive usage. This overview report must give us a solid handle on how the OneDrive platform is growing and look for spikes in that growth that need to be managed. It also need to look for spikes in activity that may need to be investigated. The report must provide trends over of 30-, 60-, and 90-day increments to give us a solid indicator of storage and bandwidth utilization., Outlook Mail Activity reports The Outlook Mail Activity Report must provide deep dive information about Office 365 usage. The Outlook Mail Activity Report must provide a high-level summary of what emails are being sent and received by our top 10 active senders and active receivers for the reporting period. This report is meant to be run month- over-month to identify the power users who may need more capacity and which mailboxes are not being read at all and likely represent recently inactive users that need to be cleaned up. Reference nr: SCM41/2025/26 16 | P a g e, Microsoft Teams assessments The Microsoft Teams Assessment Report must provide detail about each team in the system, including who the owners are, what channels they have and what kind of user identity audits have been conducted on the channels. There must be individual entries that can be used for audits of the member settings, the guest settings, the message settings, the fun settings and the tab settings. This information must include other types of misconfigurations that might cause security problems, such as having guest members that may have the ability to remove and delete channels., Microsoft Cloud Security Assessments The Microsoft Cloud Security Assessment report must bring together all the security aspects of Microsoft Cloud under one umbrella. It should not only include our own Microsoft Control Score and Secure Score from Microsoft but also show our trending against the average score of our peers., Microsoft Cloud Configuration Change reports The Microsoft Cloud Configuration Change Report must be a very detailed technical report that identifies entity and configuration changes. The changes must be grouped by properties, showing the old values vs. the new values, and then the changes must be grouped together into bands. This report must give us the ability to look at a group of changes together, as well as see how all the properties have changed for that time-period., Cloud Risk report The Cloud Risk Report must span over all the Microsoft Cloud components. It must include an overall Risk Score, an overall Issues Score, as well as a summary list of issues discovered. The issues must come from both the Microsoft controls as well as other best practices. It must identify specific risks that are due to misconfigurations as well as risks created from turning on or off specific running components., Cloud Management plan The Cloud Management Plan must take issues identified in the Risk Report, organizes them by severity and includes specific recommendations on how to remediate them. The report’s information must be pulled directly from the Microsoft controls from multiple Cloud components, including SharePoint, OneDrive, Teams, Azure AD itself. It must also identify other types of issues related to misconfigurations and operations., Compensating Control Worksheets The report is required to present the details associated with security exceptions and how Compensating Controls will be or have been implemented to mitigate risks in the cloud environment. This is required to explain and document why various discovered items are possible false positives. The Compensating Controls Worksheet does not alleviate the need for safeguards but must allow for describing of alternative means of mitigating the identified security risk as reference. Reference nr: SCM41/2025/26 17 | P a g e 4.1.3 Cloud Application Activity & Security Monitoring The Municipality requires a comprehensive cloud application activity and security monitoring service to provide continuous visibility, alerts, and reporting across their cloud environment. The service should detect, investigate, and report on unauthorized, anomalous, or risky activity related to user accounts, privileged roles, authentication events, and sensitive data handling. The following features must form part of the solution. User & Identity Monitoring It must have the ability to tracks user account creation, login activity, privileged account changes, and account credentials usage across cloud applications. The platform must collect behavioural telemetry to detect anomalies and unauthorized access. Threat Detection It must provide for pattern-based detection and machine learning to identify threats such as compromised credentials, impossible travel logins, external device access, shadow accounts and risky file activity. Automated Remediation The solution must make provision for automated responses: locking compromised accounts, terminating risky file shares, and enforcing policy driven actions to stop threats swiftly. Event Logging & Application Monitoring It must have the ability to monitor SaaS application usage and logging across integrations with major platforms (e.g., Microsoft 365, Google Workspace, Salesforce, Okta). Enables visibility into events across organisational SaaS estate. Reporting & Visibility It must provide dashboards and reporting aligned to user behaviour, risk posture and threat events. Enables demonstration of security value and oversight of cloud application security posture. Integration & Extensibility It must integrate with major SaaS platforms, identity systems, RMM/PSA tools (including that on offer in section 4; Monitoring, management, and Audit system, of this tender request), and security stacks. It must support workflow integration and centralised investigation and response. Architecture requirements The solution must be provided as a cloud service, accessible anywhere, to make provision for scalability, continuous updates, and centralised management of SaaS application security. Reference nr: SCM41/2025/26 18 | P a g e 4.2 Compliance 4.2.1 Cyber Security Framework management tool Cape Agulhas Municipalities’ Information Security approach serves as a comprehensive framework aimed at safeguarding our digital landscape and preserving the integrity of sensitive information. Aligned with the principles of Enterprise Architecture (EA), our approach ensures a cohesive integration of information security practices within our broader ICT Strategy. In line with this Cyber Security Framework (CSF) approach the Municipality wish to obtain a Cyber Security Framework Management Tool to include from a CSF perspective at least NIST CSF, NIST 800-171, CIS Controls V8, and others. The system must show a clear alignment of best practices, and other standards to the likes of at least ISO 27001, ITIL and COBIT. The system must also show alignment between the CSF and POPIA., Standards The System and Support Services related to this must allow for at least the following standards:, CIS Controls v8, Cyber Insurance Readiness, Essential 8, ISO 27001 & 27002, NIST CSF 2.0, System functional requirements The system must provide for a logical workflow for assessment purposes of compliance against the standard or set of standards chosen by the Municipality, considering the standards above., Standards Assessment Progress, Control Assessment Progress, Task summary of completed and outstanding actions., Show a list of tasks with details as to what it entails, with links to correspondent section in workflow., Controls and Standards selected. Each Control have a set of requirements to comply thereto. The online system and portal provided must cater for a set of requirements that each Control must adhere to. These requirements must clearly be defined to facilitate in the compliance of the relevant Standard., Controls section, Here the standards selected must be shown, information included must at least be:, Identifiable key or ID, Name of each Control Brief Description thereof., Alignment to relevant Standard/requirement ID must be shown. ii. Provide in this section the ability to add own controls., Requirements Section, Each requirement standard as aligned to the control must provide information and guidance to include the following: Reference nr: SCM41/2025/26 19 | P a g e

Returnable Documents:

Returnable Documents:

Returnable Documents:

Returnable Documents:

Returnable Documents:

Returnable Documents:

Returnable Documents:

Returnable Documents:

Returnable Documents:

Returnable Documents:

Returnable Documents:

Returnable Documents:

Returnable Documents:

Returnable Documents:

Returnable Documents: