SCM41/2025/26 - Telecommunications

Ict Support Services and Licensing - Cape Agulhas

Issuing Organization

Unknown

Location

Gauteng

Closing Date

13 Feb 2026

At a Glance

Tender Type

Request for Bid(Open-Tender)

Delivery Location

1 Dirkie Uys Street - Bredasdorp - Bredasdorp - 7280

Published

11 Dec 2025

Tender Description
Ict Support Services and Licensing for a Period of 3 Years
Industry Classification
Procurement Type

Request for Bid(Open-Tender)

Requirements & Eligibility
Analysis: SCM41-2025-26 ICT SUPPORT SERVICE FOR A PERIOD OF 3 YEARS - TENDER DOCUMENT.pdf

Submission Guidelines

Returnable Documents:

2. Advert
3. Invitation to Bid CAMBD 1 (Compulsory Returnable Document)
4. Specification / Terms of reference
5. Annexure B – Technical Evaluation
6. Pricing schedules
7. Compulsory Conditions
8. Tax Compliance Status Pin Requirements CAMBD 2 (Compulsory Returnable Document)
9. Authority of Signatory (Schedule 1 A) (Compulsory Returnable Document)
10. Compulsory Enterprise Questionnaire (Schedule 1B) (Compulsory Returnable Document)
11. Documents of Incorporation (Schedule 1C) (Compulsory Returnable Document)
12. Payment of Municipal Accounts (Schedule 1D) (Compulsory Returnable Document)
13. Broad-Based Black Economic Empowerment (B-BBEE) Status Level Certificates (Schedule 1D) (Compulsory Returnable Document)
14. Work satisfactorily carried out by the tenderer (Schedule 1F) (Compulsory Returnable Document)
15. Special Condition
16. Form of Acceptance & Contract Data
17. General Conditions of Contract
18. Declaration of Interest CAMBD 4 (Compulsory Returnable Document)
19. Declaration For Procurement Above R10 Million (All Applicable Taxes Included) CAMBD 4 (Compulsory Returnable Document)
20. Procurement Points Claim Forms in terms of the Preferential Procurement Regulations 2001. CAMBD 6.1 (Compulsory Returnable Document)
21. Contract Rendering of Services CAMBD 7.2 (Compulsory Returnable Document)
22. Declaration of Bidder’s Past Supply Chain Management Practices CAMBD 8 (Compulsory Returnable Document)
23. Certificate of Independent Bid Determination CAMBD 9 (Compulsory Returnable Document)

CHECK LIST FOR COMPLETENESS OF BID DOCUMENT

Reference nr: SCM41/2025/26

The bidder MUST ENSURE that the following checklist is completed, that the necessary documentation is attached to this bid document and that all declarations are signed:

- Completed page containing the details of bidder (Yes / No)
- Specifications & Pricing Schedules - Is the form duly completed and signed? (Yes / No)
- (CAMBD 2) Is a Tax Compliance status pin attached? (Yes / No)
- (Schedule 1 A) Authority of Signatory - Is the form duly completed and signed? (Yes / No)
- (Schedule 1B) Enterprise Questionnaire - Is the form duly completed and signed? (Yes / No)
- (Schedule 1C) Documents of Incorporation - Is the form duly completed and signed? (Yes / No)
- (Schedule 1D) Payment of Municipal Accounts - Is the form duly completed and signed? (Yes / No)
- (Schedule 1E) B-BBEE certificate - Is the form duly completed and signed? Is a certified or an original certificate attached? (Yes / No)
- (Schedule 1F) Schedule of work experience of tenderer - Is the form duly completed and signed? (Yes / No)
- (Schedule 1G) Document/s to Prove the Company Is a Registered ICT Based Entity (Yes / No)
- (Schedule 1H) Local I.T. Sales and Support Office (WESTERN CAPE) - Is the proof attached? (Yes / No)
- (Schedule 1I) Letter from the “Brand House” - Is the proof attached? (Yes / No)
- Form of Offer - Is the form duly completed and signed? (Yes / No)
- Contract data - Is the form duly completed and signed? (Yes / No)
- (CAMBD 4) Declaration of interest - Is the form duly completed and signed? (Yes / No)
- (CAMBD 6.1) Preference points claimed - Is the form duly completed and signed? (Yes / No)
- (CAMBD 8) Signed declaration of bidder's past supply chain management practices (Yes / No)
- (CAMBD 9) Prohibition of Restrictive Practices be completed and signed. (Yes / No)
- All bids must be submitted in writing on the official forms (not re-typed). (Yes / No)
- Bidder must initial every page of this bid document. (Yes / No)

CERTIFICATION

I, THE UNDERSIGNED (FULL NAME) ........ CERTIFY THAT THE INFORMATION FURNISHED ON THIS CHECK LIST IS TRUE AND CORRECT.

Signed: ........
Date: ........
Name: ........
Position: ........
Tenderer: ........

CAPE AGULHAS MUNICIPALITY
REQUEST FOR TENDERS

ADVERTISED ON: MUNICIPAL NOTICE BOARD; MUNICIPAL WEBSITE; NATIONAL TREASURY e-TENDER
TENDER NO: SCM41/2025/26
Tenders are hereby invited for: ICT SUPPORT SERVICES AND LICENSING FOR A PERIOD OF 3 YEARS
PUBLISHED DATE: 12 December 2025
CLOSING DATE: 13 February 2026
CLOSING TIME: No later than 12H00. Tenders will be opened immediately thereafter, in public at the Cape Agulhas Municipality, 1 Dirkie Uys Street, Bredasdorp.
AVAILABILITY OF BID DOCUMENTS: Tender documents are available from Ms G Koopman at telephone number 028-425-5500 during office hours or email at geraldinek@capeagulhas.gov.za.
Date Available: 12 December 2025
Non-refundable Fee: R 0.00

BID RULES:

- Tenders are to be completed in accordance with the conditions and Tender rules contained in the Tender document.
- The Tender Document & supporting documents must be placed in a sealed envelope and externally endorsed with: THE TENDER NUMBER; DESCRIPTION & CLOSING DATE OF TENDER.
- Tender Documents must be deposited in the Tender Box, at Municipal Offices, 1 Dirkie Uys Street, Bredasdorp or posted to reach the Municipal Manager, Cape Agulhas Municipality, PO Box 51, Bredasdorp, 7280.
- Tenders may only be submitted on the Tender documentation issued by the Municipality.
- A Tax Compliance status pin as issued by the South African Revenue Service, must be submitted together with the tender.
- The two-stage bidding process will be followed in evaluating this tender. Firstly, it will be evaluated for functionality and thereafter for price and preference.
- The Cape Agulhas Municipality does not bind itself to accept the lowest or any tender and reserves the right to accept any tender, as it may deem expedient.
- Tenderers are required to be registered on the Accredited Supplier Database (CSD) from the website https://secure.csd.gov.za

Suppliers may claim preference points in terms of the 80/20. Tenders shall be evaluated in terms of the Cape Agulhas Municipality Supply Chain Management Policy & Preferential Procurement

Price: 80
Specific Goals: (20)
a) B-BBEE Status Level contributor: 10
b) Locality of Supplier: 10
Total Points: 100

Site Meeting / Information Session: n/a
Validity Period: 90 days

ANY ENQUIRIES REGARDING TECHNICAL INFORMATION MAY BE DIRECTED TO:
Division: ICT
Contact Person: Mr Kevin Fourie
Tel: e-mail Enquiries Only
E-mail: kevinf@capeagulhas.gov.za

ANY ENQUIRIES REGARDING THE QUOTING PROCEDURE MAY BE DIRECTED TO:
Division: Supply Chain Management
Contact Person: Ms. G Koopman
Tel: e-mail Enquiries Only
E-mail: geraldinek@capeagulhas.gov.za

WP RABBETS
MUNICIPAL MANAGER
PO BOX 51
BREDASDORP 7280

CAMBD1

PART A
INVITATION TO BID

YOU ARE HEREBY INVITED TO BID FOR REQUIREMENTS OF THE CAPE AGULHAS MUNICIPALITY

BID NUMBER: SCM41/2025/26
CLOSING DATE: 13 February 2026
CLOSING TIME: 12:00
DESCRIPTION: ICT SUPPORT SERVICES AND LICENSING FOR A PERIOD OF 3 YEARS

THE SUCCESSFUL BIDDER WILL BE REQUIRED TO FILL IN AND SIGN A WRITTEN CONTRACT FORM (MBD7).

BID RESPONSE DOCUMENTS MAY BE DEPOSITED IN THE BID BOX SITUATED AT (STREET ADDRESS):
CAPE AGULHAS MUNICIPALITY
1 DIRKIE UYS STREET
BREDASDORP
7280

SUPPLIER INFORMATION

NAME OF BIDDER:
POSTAL ADDRESS:
STREET ADDRESS:
TELEPHONE NUMBER: CODE / NUMBER
CELLPHONE NUMBER:
FACSIMILE NUMBER: CODE / NUMBER
E-MAIL ADDRESS:
VAT REGISTRATION NUMBER:
TAX COMPLIANCE STATUS: TCS PIN: OR CSD No:
B-BBEE STATUS LEVEL VERIFICATION CERTIFICATE [TICK APPLICABLE BOX]: Yes / No
B-BBEE STATUS LEVEL SWORN AFFIDAVIT: Yes / No
[A B-BBEE STATUS LEVEL VERIFICATION CERTIFICATE/ SWORN AFFIDAVIT (FOR EMES & QSEs) MUST BE SUBMITTED IN ORDER TO QUALIFY FOR PREFERENCE POINTS FOR B-BBEE]
ARE YOU THE ACCREDITED REPRESENTATIVE IN SOUTH AFRICA FOR THE GOODS /SERVICES /WORKS OFFERED? Yes / No [IF YES ENCLOSE PROOF]
ARE YOU A FOREIGN BASED SUPPLIER FOR THE GOODS /SERVICES /WORKS OFFERED? Yes / No [IF YES, ANSWER PART B:3]
TOTAL NUMBER OF ITEMS OFFERED:
TOTAL BID PRICE: R
SIGNATURE OF BIDDER: ........
DATE:
CAPACITY UNDER WHICH THIS BID IS SIGNED:

BIDDING PROCEDURE ENQUIRIES MAY BE DIRECTED TO:
DEPARTMENT: FINANCE: SCM
CONTACT PERSON: Geraldine Koopman
TELEPHONE NUMBER: 028 425 5500
E-MAIL ADDRESS: geraldinek@capeagulhas.gov.za

TECHNICAL INFORMATION MAY BE DIRECTED TO:
DEPARTMENT: ICT
CONTACT PERSON: Mr Kevin Fourie
TELEPHONE NUMBER: 028 425 5500
E-MAIL ADDRESS: kevinf@capeagulhas.gov.za

PART B
TERMS AND CONDITIONS FOR BIDDING

BID SUBMISSION:
1.1. BIDS MUST BE DELIVERED BY THE STIPULATED TIME TO THE CORRECT ADDRESS. LATE BIDS WILL NOT BE ACCEPTED FOR CONSIDERATION.
1.2. ALL BIDS MUST BE SUBMITTED ON THE OFFICIAL FORMS PROVIDED – (NOT TO BE RE-TYPED) OR ONLINE
1.3. THIS BID IS SUBJECT TO THE PREFERENTIAL PROCUREMENT POLICY FRAMEWORK ACT AND THE PREFERENTIAL PROCUREMENT REGULATIONS, 2022, THE GENERAL CONDITIONS OF CONTRACT (GCC) AND, IF APPLICABLE, ANY OTHER SPECIAL CONDITIONS OF CONTRACT.

TAX COMPLIANCE REQUIREMENTS
2.1 BIDDERS MUST ENSURE COMPLIANCE WITH THEIR TAX OBLIGATIONS.
2.2 BIDDERS ARE REQUIRED TO SUBMIT THEIR UNIQUE PERSONAL IDENTIFICATION NUMBER (PIN) ISSUED BY SARS TO ENABLE THE ORGAN OF STATE TO VIEW THE TAXPAYER’S PROFILE AND TAX STATUS.
2.3 APPLICATION FOR THE TAX COMPLIANCE STATUS (TCS) CERTIFICATE OR PIN MAY ALSO BE MADE VIA E-FILING. IN ORDER TO USE THIS PROVISION, TAXPAYERS WILL NEED TO REGISTER WITH SARS AS E-FILERS THROUGH THE WEBSITE WWW.SARS.GOV.ZA.
2.4 FOREIGN SUPPLIERS MUST COMPLETE THE PRE-AWARD QUESTIONNAIRE IN PART B:3.
2.5 BIDDERS MAY ALSO SUBMIT A PRINTED TCS CERTIFICATE TOGETHER WITH THE BID.
2.6 IN BIDS WHERE CONSORTIA / JOINT VENTURES / SUB-CONTRACTORS ARE INVOLVED; EACH PARTY MUST SUBMIT A SEPARATE TCS CERTIFICATE / PIN / CSD NUMBER.
2.7 WHERE NO TCS IS AVAILABLE BUT THE BIDDER IS REGISTERED ON THE CENTRAL SUPPLIER DATABASE (CSD), A CSD NUMBER MUST BE PROVIDED.

QUESTIONNAIRE TO BIDDING FOREIGN SUPPLIERS
3.1. IS THE ENTITY A RESIDENT OF THE REPUBLIC OF SOUTH AFRICA (RSA)? YES / NO
3.2. DOES THE ENTITY HAVE A BRANCH IN THE RSA? YES / NO
3.3. DOES THE ENTITY HAVE A PERMANENT ESTABLISHMENT IN THE RSA? YES / NO
3.4. DOES THE ENTITY HAVE ANY SOURCE OF INCOME IN THE RSA? YES / NO
3.5. IS THE ENTITY LIABLE IN THE RSA FOR ANY FORM OF TAXATION? YES / NO

IF THE ANSWER IS “NO” TO ALL OF THE ABOVE, THEN IT IS NOT A REQUIREMENT TO REGISTER FOR A TAX COMPLIANCE STATUS SYSTEM PIN CODE FROM THE SOUTH AFRICAN REVENUE SERVICE (SARS) AND IF NOT REGISTER AS PER 2.3 ABOVE.

NB: FAILURE TO PROVIDE ANY OF THE ABOVE PARTICULARS MAY RENDER THE BID INVALID. NO BIDS WILL BE CONSIDERED FROM PERSONS IN THE SERVICE OF THE STATE.

SIGNATURE OF BIDDER: ........
CAPACITY UNDER WHICH THIS BID IS SIGNED: ........
DATE: ........

Contents

1 SCHEDULE A – SCOPE OF SERVICES
2 ICT PROFESSIONAL SUPPORT AGREEMENT
3 Support Fees
4 Security
4.1 Network security, management, monitoring, reporting and notifications services.
4.1.1 Network access policy system.
4.1.2 Cloud Assessment and Monitoring Tool
4.1.3 Cloud Application Activity & Security Monitoring
4.2 Compliance
4.2.1 Cyber Security Framework management tool
4.3 Dark Web monitoring
4.4 Security Audit
4.5 Security Awareness Training & Phishing Simulation Requirements
4.6 Vulnerability Scanning Tool
4.7 Penetration Testing
4.7.1 PROJECT BACKGROUND
4.7.2 PURPOSE
4.7.3 SCOPE OF WORK
4.7.4 PROJECT DESIGN
4.7.5 CONTRACT TERM
4.7.6 PROJECT MANAGEMENT ARRANGEMENTS
4.8 Security Operations Centre (SOC)
4.8.1 SPECIFICATION OF REQUIREMENTS
4.8.2 Approach to the delivery of the SOC Managed Service
4.8.3 Technical Requirements of SOC Solution
4.8.4 Implementation/Project Take-on
4.9 SIEM, Log Management & Security Automation Requirements
4.10 IT Documentation & Knowledge Management Platform Requirements
4.11 Security Component Project Requirements
5 Monitoring, management, and Audit system

SCHEDULE B – TECHNICAL EVALUATION
1 Organisational requirements
1.1 Company requirements
1.2 Support staff requirements
2 Network Access & Security Assessment Tool
3 Cloud Application Activity & Security Monitoring
4 Dark Web Monitoring
5 Security Awareness Training & Phishing Simulation Requirements
6 Penetration Testing functional requirements
7 Security Operations Centre (SOC)
8 SIEM, Log Management & Security Automation Requirements
9 IT Documentation & Knowledge Management Platform Requirements

SCHEDULE C – FUNCTIONAL REQUIREMENTS
1 Project approach and technical evaluation
2 The scoring of the tenderer’s experience will be as follows.
3 Functionality Criteria evaluation

SCHEDULE D - PRICING
1 Support Fees
2 Network access policy system.
3 Cloud assessment and monitoring tool
4 Cloud Application Activity & Security Monitoring
5 Compliance
5.1 Cyber Security Framework management tool
6 Dark Web monitoring
7 Security Audit
8 Security Awareness Training & Phishing Simulation Requirements
9 Vulnerability Scanning Tool
10 Penetration Testing
11 SIEM, Log Management & Security Automation Requirements
12 IT Documentation & Knowledge Management Platform Requirements
13 Security Operations Centre (SOC)
14 Monitoring, management, and Audit system
15 Pricing Summarized

ICT SUPPORT SERVICES AND LICENSING

SCHEDULE A – SCOPE OF SERVICES

- This tender is based on rates for the period of 36-months.
- Pricing will be used for evaluation purposes and is estimated based on current ICT network environment.

ICT PROFESSIONAL SUPPORT AGREEMENT

Cape Agulhas Municipality is awaiting bids on the supplying of ICT Systems / Software and services. These services are inclusive of a range of various ICT related services, and the successful bidder will become the ICT service provider as defined in this document for a term of 36 months starting 1 March 2026.
1.1 SCOPE OF SERVICES – Services, Software & Support must include:

- On-site support – including Cyber Security support, 24-hour response time
- Hardware Infrastructure
- Software Infrastructure (operating systems and the operation of core server/desktop productivity applications on quotation basis).
- Access and Authorization (user account and password help, application-level access problem determination, desktop/client security configuration support).
- E-mail and Internet access support in liaison/conjunction with the relevant ISP or any other Service Provider
- Local area network design
- Wide area network design
- Campus area network design
- Metropolitan area network design
- Other types of network design as may be required.
- Network Infrastructure – Check and verify basic network connectivity. Cabling, router and switch configurations are excluded.
- Installation, setup and deployment of new equipment, systems and services.
- The successful Tenderer must take responsibility for carry-in and carry-out of equipment that does not have on-site warranty against the SLA should it be required.
- Scheduled meetings/reports with nominated ICT personnel to review the SLA performance and usage.
- Governance Services should include but not be limited to the review of, and establishment of policies and procedures inclusive of the following existing:
  o ICT policies and procedures
  o ICT Audits – Governance and security audits
  o ICT Disaster recovery plans
  o Enterprise Architecture
  o ICT Maintenance plan
  o ICT Strategy and implementation plans
  o Cyber security policies, procedures, strategies and plan development
  o Public Key Certificates
  o Mail certificates
  o Web certificates
  o Wild card certificates

In order to adhere to the Municipality's policy “ICT Service Level Agreement Management Policy - External Service Provider” the Municipality views end user desktop and server support as a critical component to a client’s business. To achieve and maintain service delivery we have set a generic impact level analysis approach to our support.

DEFINITIONS OF IMPACT LEVELS:

Impact Level 1
Multiple users are directly affected. Loss of function has a serious and immediate negative impact on the business. Furthermore, no temporary and workable alternative is available to carry on the disrupted activity.

Impact Level 2
Limited (two or less) users are directly affected. A temporary and workable alternative is available to carry on the disrupted activity. The disruption of activity/function may have some operational impact, but it is not highly critical.

Impact Level 3
New computer, server or system setup to replace an older but still operational one. It is a known fact that a system, or component, or software upgrade is required, but the computer is still functional. Setup of computer peripherals, which has no critical impact on the daily activities of users.

SERVICE RESPONSE TO EACH IMPACT LEVEL:

Response to Impact Level 1
Upon receipt of service call to Help Desk, its staff must attempt to resolve the reported problem over the phone. If the problem is not resolved immediately by the Help Desk, its staff must then immediately contact the Desktop Support Service staff via e-mail and cell phone. The assignee of this service call will respond telephonically within one hour or less depending on the degree of emergency. Once the service assignee has assessed the situation, he/she will proceed to attempt remote procedure assistance. Should the situation still remain unresolved the tenderer will send a suitable technician to the site. If the problem is not resolved by the assignee within four hours, the Help Desk staff will escalate the call to the next level by alerting the Coordinator of Desktop Support Service to the situation and the possible need for assistance and/or consultation. The targeted time for problem resolution is regarded as extremely urgent but dependent on mitigating circumstances like client approval, spare parts, equipment availability etc.

Response to Impact Level 2
The first response by an assignee from the Desktop Support Service staff must occur within the 4-hour window after the initial service call to the Help Desk, if the problem is not resolved over the phone immediately by the Help Desk staff. The maximum time targeted for problem resolution is within 24 hours (or 3 workdays) by the assignee after the initial service call to the Help Desk. If the problem is not resolved by the assignee within the allowed maximum time, the Help Desk staff must escalate the call to the next level by alerting the Coordinator of the Desktop Support Service to the situation and the possible need for assistance and/or consultation.

Response to Impact Level 3
- The first response by an assignee from the Desktop Support Service must occur within 4 hours after the initial service call to the Help Desk.
- Subject to the client’s approval, equipment and spare part availability, the specific targeted maximum time for problem resolution or service request is 5 working days (40 hours).
- An e-mail reminder must be sent to the assignee of the Desktop Support Staff and its Coordinator at the end of day one after the initial service call to the Help Desk, regardless of whether the problem or service request has been taken care of. The customer will be kept duly informed by the account manager of the status quo.
- If the problem or service request has not been addressed in 5 working days after the initial service call to the Help Desk, this open ticket must be escalated to the attention of the Director of the successful company for his/her action.

OTHER INFORMATION:

- Hours of operation of the Help Desk must be at least: 8:00 A.M. to 5:00 P.M., Monday to Friday.
- For after hour emergencies including weekends the Municipality must be provided with contact names and cell numbers.
- Users must be able to contact the Help Desk via telephone, voice mail, e-mail or ticketing system in person at any time including after hours.
- Such service calls should be automatically queued and handled in the sequence of their occurrence.
- The Help Desk must be responsible for assigning each unresolved service call ticket to a staff member of the Desktop Support Service and for logging and tracking of each assignment.
- The assignee of each service call ticket must inform the user through phone or e-mail of the status of the problem resolution. Server crash and software reloads must be done on a quotation basis and in accordance with the Municipality's procurement policies.
- IT Support Call Logging procedure – must be clearly identified and communicated to the Municipality. A username (which must be provided) is required when logging a call via email. Login details must be given to Municipal users via email, WhatsApp and/or SMS.

Support Fees

ICT Support may be required from time to time covering the Scope of work and any other ICT related professional, security, audit or Governance support services, evaluations, or implementation plans. In lieu of these requirements rates are required for these services. Ad hoc projects may be required from time to time to which the following will then apply:

(ii) The successful Tenderer must submit a quotation for approval before commencement of any chargeable service linked to the tendered amounts as per section above.

Security

4.1 Network security, management, monitoring, reporting and notifications services.

4.1.1 Network access policy system.
Cape Agulhas Municipality is awaiting a proposal on ICT security services, including best efforts detection, investigation, monitoring and remediation of misuse and abuse of network resources occurring behind the corporate firewall based upon agreement and implementation of a set of best practices security Policies and Procedures. These monitoring Policies and Procedures should include but may not necessarily be limited to the following: Access Control Policies, Authorization of new Devices to be Added to Restricted Networks Restricted networks should be tightly controlled to conform to strict network change management policies and procedures. Implementing security controls and applying consistent policies can help protect the organization from these security threats. We need to receive an alert with recommended actions to be taken when new devices have been added to any network segment designated as restricted., Investigate Suspicious Logons by Users Computer user login attempts by a particular user that are made outside of normal time frame patterns or from an unusual location indicates behaviour consistent with unauthorized user access or malicious software. When this event is detected, we need to receive an email alert warning of the suspicious activity with recommended actions to be taken. It is possible that an account may have been compromised., Investigate Suspicious Logons to Computers Attempts to access a computer using login credentials not normally associated with that particular computer could point to unauthorized user access or use of malicious software. When this event is detected, we need to receive an email alert warning of the suspicious activity with recommended actions to be taken. In such an instance it is possible that an account may have been compromised., Strictly Control the Addition of Printers Network printers are vulnerable to security risks just like computers. 
Connecting to and printing from an unauthorized printer can lead to information loss. Anytime a new printer is found on the network, we need to receive an alert notifying us with recommended actions to be taken to ensure that it is authorized to prevent any potential threat., Restrict Access to Computers with specified roles viz, financial to Authorized Users Computers in the network that are used to transmit, process, or store accounting/financial information and other sensitive financial records should only be accessed by authorized users. Trying to prevent users from accessing these resources through group policies, restricted logons and other network "hardening" is best practice. However, we still need to know when unauthorized users attempt to access sensitive systems and login to one of these machines. We need to receive an email alert when unauthorized user attempts to login to one of these accounting/financial computers with recommended actions to be taken., Restrict Access to IT Admin Only Restricted Computers to IT Administrators Domain controllers, web servers, database servers, and mail servers should only be accessed by users who are IT Administrators. These devices are critical to the normal operation of the business. Trying to prevent users from accessing these resources through group policies, restricted logons and other network "hardening" is best practice. We need to receive an alert with recommended actions when a user who is not an IT Administrator attempts a login to a computer designated for only IT Administrator access., Restrict Access to Business Owner Type Computers to Authorized Users Computers in the network that are designated as "Business Owner Type Computers" may only be accessed by authorized users. These devices often contain confidential, privileged, and other private and sensitive records and should only be accessed by authorized users. 
Trying to prevent users from accessing these resources through group policies, restricted logons and other network "hardening" is best practice. We need receive an email alert with recommended actions when unauthorized users attempt to login to one of these computers that are designated as a "Business Owner Computer." Reference nr: SCM41/2025/26 12 | P a g e, Restrict Access to Systems in the Cardholder Data Environment (CDE) to Authorized Users Cardholder Data Environment (CDE) system components that access, use, or maintain Cardholder Data. Only workforce members or business associates who have been authorized to have access to specified Cardholder Data, in accordance with the requirements set forth may access and work with the associated Cardholder Data. We need to receive email alerts with recommended actions to be taken when suspicious or potentially unauthorized users log into computer designated as containing Cardholder Data., Restrict IT Administrative Access to a Minimum Administrator access rights to computers and other IT resources should be limited to users who have been authorized to this level of system access to perform their role. The Administrator account is the most powerful account on the network, holding the "keys" to the business infrastructure. We need to receive an alert with recommended actions to be taken after a user account has been provided with Administrator rights on the network or a new user has been created with administrator rights. This is to ensure we can verify authenticity of the user access level and minimize Administrator level access to the minimum number of people necessary., Restrict Users that are Not Authorized to Log into Multiple Computer Systems Computer users, in general, are assigned a specific machine for use in performing their business duties. We need to identify users who should only log into a single computer. 
When a single desktop user logs into multiple computers, their behaviour is viewed as suspicious and should be investigated further. We need to start receiving email alerts with recommended actions to be taken when tagged users log into more than one computer.

Strictly Control the Addition of New Local Computer Administrators
An important part of securing our network is managing the users and groups that have administrative access. When a user account is added to a computer and this account is assigned administrator rights, we need to receive an email alert with recommended actions.

Strictly Control the Addition of New Users to the Domain
The addition of new users to the network should be strictly controlled. An important part of securing our network is managing the addition of new users. Any time a new user account has been identified as being added to the network, verify that the new account was authorized. We need to receive an email alert with recommended actions when a new user account has been added to the network.

Strictly Control the Removal of Users from the Domain
The removal of users from the network is to be strictly controlled. Any time a user account has been identified as being removed from the network, we need to receive an email alert with recommended action.

Strictly Control the Creation of New User Profiles
User profiles are created when users access systems for the first time. The appearance of new user profiles indicates successful access to systems. Monitoring the creation of new profiles allows detection of access. Any time a new user profile has been identified as being added to the network, we need to receive an email alert with recommended action.

Computer Policies

Changes on Locked Down Computers should be Strictly Controlled
There are some computers in a network where we want to be alerted of any changes to the system that are significant.
These can be important systems like Domain Controllers, Exchange Servers, or servers where we have strict change management. We need to receive email alerts with recommended actions for computers designated as "locked down", meaning they should not be tampered with.

Install Critical Patches for DMZ Computers within 30 Days
Computers in the DMZ are highly susceptible to malicious attacks and software if left vulnerable due to critical patches not being applied on a timely basis. We need to receive an email alert with recommendations when a threat to a DMZ Computer results from critical patches not being installed.

Install Critical Patches on Network Computers within 30 Days
Computers on the network are highly susceptible to malicious attacks and software if left vulnerable due to critical patches not being applied on a timely basis. A patch is a piece of software designed to update a computer program or its supporting data, to fix or improve it. This includes fixing security vulnerabilities and other bugs to improve the usability or performance of the program. We need to receive an email alert arising from vulnerabilities that are a result of critical patches not being installed in time.

Restrict Internet Access for Computers that are Not Authorized to Access the Internet Directly
Computers on a network should be prevented from having direct access to the Internet. These can be important systems like accounting systems, systems storing PII or Cardholder Data, or computers used to perform other sensitive business functions. We need to receive an email alert with recommended actions if at any time designated computers can access the Internet directly and not via the authorized network and Firewall.

Strictly Control the Clearing of System and Audit Logs
The clearing of logs can be used as a forensic countermeasure and should be strictly controlled.
Only authorized personnel with a justifiable reason should ever clear event logs manually. Any clearing of an event log should be verified to determine if it was authorized. We need to receive an email alert with recommended action when any system or audit log is cleared.

Enable automatic screen lock on computers with sensitive information
Automatic screen lock should be enabled on all computers containing sensitive information to prevent unauthorized access. We need to receive an email alert with recommended action if there are devices with sensitive information that do not have the automatic screen lock enabled.

Enable automatic screen lock for users with access to sensitive information
Automatic screen lock should be enabled on all computers accessed by users who have access to sensitive information. We need to receive an email alert with recommended action if there are users with access to sensitive information who do not have the automatic screen lock enabled on their device.

Data Security Policies

Only store Personally Identifiable Information (PII) on systems marked as sensitive
Personally Identifiable Information (PII) should only be stored on systems specifically marked as containing sensitive information. These systems should have additional safeguards and controls to prevent unauthorized access. We need to receive an email alert with recommended action if there are any devices that are marked sensitive without the additional safeguards and controls in place. We need to receive an email alert with recommended action if there are any devices that are not marked as sensitive but have PII data stored on them.

Only store cardholder data on designated systems
Cardholder Data should only be stored on systems specifically marked as part of the Cardholder Data Environment (CDE). These systems should have additional safeguards and controls to prevent unauthorized access.
We need to receive an email alert with recommended action if there are any devices that are marked sensitive without the additional safeguards and controls in place. We need to receive an email alert with recommended action if there are any devices that are not marked as sensitive but have Cardholder Data stored on them.

Detect malicious software and potential security breaches (Breach Detection System)
We currently have Sophos Central Intercept X Advanced for Endpoint. However, as an additional layer of security we require an independent scan to detect any possible malicious software and potential security breaches. If any detections are made, we need to receive an email alert with recommended action.

Network Security Policies

Detect Network Changes to Internal Networks
Monitoring changes to a private network assists in identifying potential security concerns. Anytime a new device is connected to or disconnected from a network, we need to receive an email alert with recommendation notifying us of the potential rogue device connection or possible theft of equipment.

Detect Network Changes to Internal Wireless Networks
Monitoring changes to a private wireless network assists in identifying potential security concerns. Anytime a new device is connected to or disconnected from a wireless network, we need to receive an email alert with recommendation notifying us of the potential rogue device connection or potential theft of equipment. Identified "guest" wireless networks should not generate alerts.

Only Connect to Authorized Wireless Networks
Connections to "unauthorized" wireless networks may lead to data loss from unwanted information disclosure.
Any time a user connects to a network using an "unauthorized" wireless connection, we need to receive an email alert with recommendation.

Remediate High Severity Internal Vulnerabilities Immediately (CVSS > 7.0)
Any identified Internal Vulnerabilities assigned a CVSS Score of 7.0, or higher, represent potential high severity threats and should be remediated immediately. The Common Vulnerability Scoring System (CVSS) is an open industry standard for assessing the severity of computer system security vulnerabilities. CVSS assigns severity scores to vulnerabilities, allowing responders to prioritize responses and resources according to threat. Scores range from 0 to 10, with 10 being the most severe. When high severity internal vulnerabilities are found, we need to be notified with an email alert with recommendation to resolve.

Remediate Medium Severity Internal Vulnerabilities (CVSS > 4.0)
Any identified Internal Vulnerabilities assigned a CVSS Score of 4.0, or higher, represent potential medium severity threats and should be remediated as soon as possible. The Common Vulnerability Scoring System (CVSS) is an open industry standard for assessing the severity of computer system security vulnerabilities. CVSS assigns severity scores to vulnerabilities, allowing responders to prioritize responses and resources according to threat. Scores range from 0 to 10, with 10 being the most severe. When medium severity internal vulnerabilities are found, we need to be notified with an email alert with recommendation to resolve.

Strictly control DNS on Locked Down Networks
Changes in DNS entries in networks that are locked down should be strictly controlled. Additions may indicate unauthorized devices connecting to the network. Other changes may indicate other issues including theft and should be investigated.
We need to be notified with an email alert with recommendation to resolve.

Strictly control changes to Group Policy
Group Policies are used to configure computer and user settings. Due to their ability to affect the security settings throughout the network, any changes to Group Policy Objects (GPOs) should be strictly controlled. We need to be notified with an email alert with recommendation to resolve.

Strictly control changes to the Default Domain Policy
The Default Domain Policy is applied to all computers and users in the domain by default. New computers and users will be assigned the Default Domain Policy until they are assigned specific policies. Any changes to the Default Domain Policy should be strictly controlled to prevent introducing security vulnerabilities. We need to be notified with an email alert with recommendation to resolve.

4.1.2 Cloud Assessment and Monitoring Tool
Cape Agulhas Municipality is awaiting a proposal on a Microsoft Cloud assessment and monitoring system as a service. This is required to manage and assess risk across our entire Microsoft Cloud Environment.

1 The system should assess and document at least the following components:
Microsoft 365 Cloud Services
o Office 365
o Teams
o SharePoint
o OneDrive (no need to scan file content)
o Outlook/Exchange (no need to scan email content)
Microsoft Azure Cloud Services
o Azure Active Directory

2 Reporting
Reporting on at least the following areas is required through this system.

Assessments on Azure AD
The Azure AD Detail Report must go through the entire Azure Active Directory environment and document all organizations, domains and support services that are turned on for the AD environment.
Every detail must be presented in line-item fashion in an editable report document including installed special applications, web URLs to those apps, organizational contacts, distribution lists, proxy addresses, Microsoft service plans and SKUs being used, groups, users, permissions, devices and more. The report must be organized by section with a table of contents to help us locate the specific findings of interest, and problem areas must be highlighted in red, making it easy to spot individual problems to be rectified.

SharePoint assessments
The SharePoint Assessment Report must be a detailed assessment that shows the total number of sites started under management, how many active SharePoint sites there are, what storage requirements there are, and include daily trends in the number of sites and storage usage. It should then take the site collections and break down all the individual sites so that we can understand what is being published in each, how they are organized, and even what groups they contain. Among other things, the report must help us understand growth trends and better predict backup needs.

OneDrive Usage reports
The OneDrive Assessment Report must provide a high-level summary report of all OneDrive usage. This overview report must give us a solid handle on how the OneDrive platform is growing and look for spikes in that growth that need to be managed. It also needs to look for spikes in activity that may need to be investigated. The report must provide trends over 30-, 60-, and 90-day increments to give us a solid indicator of storage and bandwidth utilization.

Outlook Mail Activity reports
The Outlook Mail Activity Report must provide deep dive information about Office 365 usage. The Outlook Mail Activity Report must provide a high-level summary of what emails are being sent and received by our top 10 active senders and active receivers for the reporting period.
This report is meant to be run month-over-month to identify the power users who may need more capacity and which mailboxes are not being read at all and likely represent recently inactive users that need to be cleaned up.

Microsoft Teams assessments
The Microsoft Teams Assessment Report must provide detail about each team in the system, including who the owners are, what channels they have and what kind of user identity audits have been conducted on the channels. There must be individual entries that can be used for audits of the member settings, the guest settings, the message settings, the fun settings and the tab settings. This information must include other types of misconfigurations that might cause security problems, such as having guest members that may have the ability to remove and delete channels.

Microsoft Cloud Security Assessments
The Microsoft Cloud Security Assessment report must bring together all the security aspects of Microsoft Cloud under one umbrella. It should not only include our own Microsoft Control Score and Secure Score from Microsoft but also show our trending against the average score of our peers.

Microsoft Cloud Configuration Change reports
The Microsoft Cloud Configuration Change Report must be a very detailed technical report that identifies entity and configuration changes. The changes must be grouped by properties, showing the old values vs. the new values, and then the changes must be grouped together into bands. This report must give us the ability to look at a group of changes together, as well as see how all the properties have changed for that time-period.

Cloud Risk report
The Cloud Risk Report must span over all the Microsoft Cloud components. It must include an overall Risk Score, an overall Issues Score, as well as a summary list of issues discovered. The issues must come from both the Microsoft controls as well as other best practices.
It must identify specific risks that are due to misconfigurations as well as risks created from turning on or off specific running components.

Cloud Management plan
The Cloud Management Plan must take issues identified in the Risk Report, organize them by severity and include specific recommendations on how to remediate them. The report’s information must be pulled directly from the Microsoft controls from multiple Cloud components, including SharePoint, OneDrive, Teams, and Azure AD itself. It must also identify other types of issues related to misconfigurations and operations.

Compensating Control Worksheets
The report is required to present the details associated with security exceptions and how Compensating Controls will be or have been implemented to mitigate risks in the cloud environment. This is required to explain and document why various discovered items are possible false positives. The Compensating Controls Worksheet does not alleviate the need for safeguards but must allow for describing alternative means of mitigating the identified security risk as reference.

4.1.3 Cloud Application Activity & Security Monitoring
The Municipality requires a comprehensive cloud application activity and security monitoring service to provide continuous visibility, alerts, and reporting across their cloud environment. The service should detect, investigate, and report on unauthorized, anomalous, or risky activity related to user accounts, privileged roles, authentication events, and sensitive data handling. The following features must form part of the solution.

User & Identity Monitoring
It must have the ability to track user account creation, login activity, privileged account changes, and account credentials usage across cloud applications. The platform must collect behavioural telemetry to detect anomalies and unauthorized access.

Threat Detection
It must provide for pattern-based detection and machine learning to identify threats such as compromised credentials, impossible travel logins, external device access, shadow accounts and risky file activity.

Automated Remediation
The solution must make provision for automated responses: locking compromised accounts, terminating risky file shares, and enforcing policy driven actions to stop threats swiftly.

Event Logging & Application Monitoring
It must have the ability to monitor SaaS application usage and logging across integrations with major platforms (e.g., Microsoft 365, Google Workspace, Salesforce, Okta). This enables visibility into events across the organisational SaaS estate.

Reporting & Visibility
It must provide dashboards and reporting aligned to user behaviour, risk posture and threat events. This enables demonstration of security value and oversight of cloud application security posture.

Integration & Extensibility
It must integrate with major SaaS platforms, identity systems, RMM/PSA tools (including that on offer in section 4; Monitoring, management, and Audit system, of this tender request), and security stacks. It must support workflow integration and centralised investigation and response.

Architecture requirements
The solution must be provided as a cloud service, accessible anywhere, to make provision for scalability, continuous updates, and centralised management of SaaS application security.

4.2 Compliance

4.2.1 Cyber Security Framework management tool
Cape Agulhas Municipality’s Information Security approach serves as a comprehensive framework aimed at safeguarding our digital landscape and preserving the integrity of sensitive information. Aligned with the principles of Enterprise Architecture (EA), our approach ensures a cohesive integration of information security practices within our broader ICT Strategy.
In line with this Cyber Security Framework (CSF) approach the Municipality wishes to obtain a Cyber Security Framework Management Tool to include from a CSF perspective at least NIST CSF, NIST 800-171, CIS Controls V8, and others. The system must show a clear alignment of best practices and other standards to the likes of at least ISO 27001, ITIL and COBIT. The system must also show alignment between the CSF and POPIA.

Standards
The System and Support Services related to this must allow for at least the following standards:
• CIS Controls v8
• Cyber Insurance Readiness
• Essential 8
• ISO 27001 & 27002
• NIST CSF 2.0

System functional requirements
The system must provide for a logical workflow for assessment purposes of compliance against the standard or set of standards chosen by the Municipality, considering the standards above.
• Standards Assessment Progress
• Control Assessment Progress
• Task summary of completed and outstanding actions.
• Show a list of tasks with details as to what each entails, with links to the corresponding section in the workflow.
• Controls and Standards selected. Each Control has a set of requirements to comply with. The online system and portal provided must cater for a set of requirements that each Control must adhere to. These requirements must be clearly defined to facilitate compliance with the relevant Standard.

Controls section
Here the standards selected must be shown; information included must at least be:
• Identifiable key or ID
• Name of each Control
• Brief Description thereof.
• Alignment to relevant Standard/requirement ID must be shown.
ii. Provide in this section the ability to add own controls.

Requirements Section
Each requirement standard as aligned to the control must provide information and guidance to include the following:

Technical Specifications

2. Policy aligned to the control.
3. Guidance on how to address the control.
4. Controls related to others must be shown here as well.

4. Baseline Assessment / GAP Analysis
   a. This section must allow for a baseline assessment of current environment against the Controls of the selected standard(s).
   b. This is to provide enough information to the individual doing the assessment to establish a baseline of the Municipality’s current state as measured against the selected standard(s).
   c. This section must allow for a selection of response, i.e. Fully, partially, No (None) or uncertain.
   d. It should also allow for comments to be made per Control or for evidence to be uploaded.
   e. Allow for assessment owners to assign task(s) to other users of the system.

5. Data Collection
   a. LAN Discovery tool
      i. This tool must consist of both a network scan and a push scan that can collect data from individual endpoints.
      ii. It must allow for configuration of both Active Directory and workgroup environments.
   b. Agents
      i. The system must allow for discovery agents to be deployed locally on a network if required.
   c. Cloud scans
      i. These scans must allow for scanning of Microsoft Cloud assets.
   d. Device scans and data collector
      i. This collector must allow for scanning of devices which cannot be accessed remotely. Therefore, the data collector must have the ability to scan devices locally and import the information into the system afterwards.
   e. External Vulnerability scan
      i. The Municipality has externally hosted systems and services which may be required to be scanned for vulnerabilities from time to time. The system must allow externally scanned systems data to be imported from the Network Access policy system into the compliance system.
   f. Internal Vulnerability scan
      i. The vulnerability scan results from the Network Access policy system must be imported into the compliance system.
   g. Scan results / outcome data.
      i. Scan results from all the data collected in this section must be summarised here.

6. Technical revision
The Technical revision must combine collected data with manual input to identify technical issues and provide evidence of compliance. Focus areas must include at least the following:
   a. User Access Review
   b. Inventory of Assets
   c. Inventory of Applications
   d. Azure Enterprise Inventory of Applications
   e. External Information System inventory
   f. External Port use
   g. Identification of Shared files
   h. Assessment of sensitive data as classified by system in terms of the relevant Standard(s).

7. Assessment of Controls
   a. This Assessment must help the Municipality to establish evidence of compliance for each control applied to the assessment environment.
   b. It should have the ability to import the data from the Baseline Assessment.
   c. It must show the status of related requirements with the ability to drill down into these related requirements.
   d. This section must allow for a selection of response, i.e. Fully, partially, No (None) or uncertain.
   e. It should also allow for comments to be made per Control or for evidence to be uploaded.
   f. Allow for assessment owners to assign task(s) to other users of the system.

8. Assessment of Requirements
   a. This Assessment must audit the compliance status of individual requirements for the selected Standard(s).

9. Action / Project plan section
   a. This section must list all discovered issues. Issues must be categorized by Technical, Control and Requirements. This section should be initially created after completion of the entire assessment process. It is used to track progress toward issue remediation pending the next assessment.

10. Outcome Section
   a. This section of the compliance system must provide reports that give a snapshot of the Evidence of Compliance at a point in time.
   b. The system must cater for Reports that can be repeatedly generated for the current assessment until they are archived, at which point a snapshot of the report set must be saved.
   c. The following report types must be available:
      i. Policies and Procedures on Standards, Controls and requirements
      ii. Standards Assessor Checklist, based on selected Standard(s).
      iii. Status of each control and standard selected.
      iv. Technical review reports
         1. Technical assessment(s)
         2. Technical Risk Analysis
         3. Technical Risk Treatment Plan
      v. Other supporting documents
         1. Application Inventory Review
         2. Asset Inventory Review
         3. Asset Inventory
         4. Drive Encryption Report
         5. External Information Systems Review
         6. External Vulnerability Scan Results
         7. Internal Vulnerability Scan Results
         8. Security Policy Assessment
         9. Sensitive Data File Scan Report
         10. Share Permission Report
         11. User Access Review
         12. Windows Patch Assurance Report

11. Employee portal
   a. User creation
   b. User permission must be set according to the Municipality’s policies.

12. Audit Logs

13. General functionality
   a. Allow for multiple users to work on the same investigation / assessment.
   b. Allow for assessment owner to assign workload to system users.
   c. Track who is responsible for relevant control and who assigned the task(s).
   d. Keep a database of all data inputs and file uploads.
   e. Provide online portal or website for referencing of system functionality and or implementation guidelines.

4.3 Dark Web monitoring
Cape Agulhas Municipality is awaiting a bid for this service, which should include a proposal document or brochure detailing the solution, including the following:

1. Corporate Domain Monitoring
Monitor the Dark Web for stolen user credentials (emails/passwords) indicating that the Municipality or a 3rd party application/website that our employees use may have been compromised.

2. Email Monitoring
To monitor the personal mail addresses of our executive Management and administrative users, in addition to their Municipal email accounts. The preferred system will need to monitor up to at least 10 personal emails, in addition to those within the Municipal network.

4.4 Security Audit
The Municipality awaits a proposal for the performing of an ICT Security Audit focusing on the elements as seen below. The intent of this section is to evaluate if the bidder can successfully assist the Municipality with Risk based ICT Audits in order to contribute to a safe and conducive ICT environment.

1. Security Assessment Methodology
• Provide a high-level security risk assessment looking at technology, processes, and people that support the business.
• Build a Business Risk Profile (BRP), measuring the risk of doing business the Municipality faces due to the industry and business model chosen.
• Evaluate and list the current security measures the Municipality has deployed, focusing on the Defence-in-Depth Index (DiDI).
• Measure risk distribution across the areas of analysis (AoAs): infrastructure, applications, operations, and people.
• Measure the security maturity of the Municipality.
• Provide Risk Management recommendations taking into account existing technology deployments, current security posture and defence-in-depth strategies in order to ensure the Municipality moves toward recognized best practice.
• The assessment must cover broad areas of potential risk across our environment rather than an in-depth analysis of a particular technology or process. The information we require here is to guide us to help focus on specific areas that require more rigorous attention.

2. Vulnerability Assessments
Focus areas.
   a. External Internet facing Infrastructure. This section should consider at least:
      • Vulnerabilities
      • Data breaches
      • Compliance
   b. At the Gateway of the organisation, viz. all traffic passing in and out of the organisation.
      • Cape Agulhas Municipality has external facing network utilities and hardware to act as a gateway.
   c. Internal Server Infrastructure
      • Cape Agulhas Municipality has a range of Information Systems hosted internally.
   d. Wireless Network Infrastructure
      • Integrity of Wi-Fi networks must be tested and reported on.

3. Network Assessment
   a. Network reconnaissance using a scanning tool to identify potentially unauthorized devices connected to the network.
   b. Network vulnerability and penetration testing of a sample of hosts (i.e. Servers, web application servers, network infrastructure and end user PCs/laptops).

4. Reporting
A Security Analysis Report and Scorecard that measures risk distribution across the areas of analysis (AoAs), namely infrastructure, applications, operations, and people, must be made available. The Scorecard must list items that have met best practice, items that need improvement and items that are severely lacking. This report must also allow for a security plan to be devised that can be constantly measured to ensure successful implementation, revisited, and maintained.

5. Additional information
• Approximately 210 users
• SQL Databases, Linux servers and Microsoft based applications
• Scanning of Official websites must be included.
• The maximum hours of the audit should not exceed 200 hours.
• This service may be required on request after the initial appointment period.

4.5 Security Awareness Training & Phishing Simulation Requirements

1. Scope
Cape Agulhas Municipality has a requirement for a Cybersecurity Awareness Training program as part of a strategy to improve the organisation’s security posture and security culture. The two main objectives of the program are to promote behaviour change and to educate the user by creating awareness regarding the ever‐changing world of Cybersecurity.
The successful bidder is required to provide a training methodology by aligning to standards as set out by the SANS (SysAdmin, Audit, Network, Security) Institute, https://www.sans.org/. The Cybersecurity Awareness Training Program must be a combination of various tool sets and incorporate Instructor led Live Classrooms, at least 2 sessions per employee per annum, as well as Computer Based Training combined with Awareness material and constant communication mechanisms. The program must contain measurable metrics that can be reported on.

Key focus areas must include:
• Impact Metrics on behaviour
• Strategic Impact Metrics
• Compliance Metrics
• Ambassador Program Metrics

Physical training facilities with ICT equipment, computers, internet access, projectors etc. to be supplied by Cape Agulhas Municipality in Bredasdorp, Western Cape. A draft training project plan must be submitted to the Chief Information Officer within 3 months of tender award.

The Cybersecurity Awareness Program at a high level must address the following objectives:
• Securing the Human Factor – Creating awareness and keeping the user informed.
• Reduce risk to the organization – What we do not know we can’t manage.
• Maintain compliance – In terms of Condition 7 of the POPI Act Section 19 D) which is to:
  o Ensure that the safeguards are continually updated in response to new risks or deficiencies in previously implemented safeguards. [This is a continual obligation to identify security risks on an ongoing basis and implement measures to reduce risks so identified.]
• Reduce costs - freeing up IT security resources to focus on more advanced threats.
• Promote and Protect - the Municipality's brand and reputation, thereby giving ratepayers confidence in dealing with the Municipality.
• Educate the user – Continuous training provided in an easy, non-obtrusive and seamless fashion.
• Training to target 200 users / Officials.

2. Project requirements
Meet with the Municipality's stakeholders to:
• Determine Organisational Structure.
• Identify Departments and Department Heads.
• Appoint Ambassadors to the program from the Municipality.
• Share the program with the relevant stakeholders.
• Introduce the methodology, approach, and tools to be utilized.
• Set Training dates for the Ambassadors on the CBT (Computer Based Training Program).
• Set Campaign milestone dates.
• Set the Computer Based Training curriculum per user role for the 12 months.
• Determine Monthly, Quarterly and Annual Review dates.
• Produce a high-level project plan document.
• Conduct Cybersecurity introductory Workshops.
• Distribute Awareness Literature via different mechanisms.
• Ambassadors to demonstrate the Computer Based Training functionality.

3. Required outputs
CREATE MORE RESPONSIBLE BEHAVIOUR BY EMPLOYEES BY:
• Creating Phishing Campaigns – Before and after training to measure the effectiveness of the training.
• Conduct Surveys – Before and after training to measure the effectiveness of the program.
• Behaviour Change metrics by measuring against the 15 Baseline objectives as set out in the SANS.ORG SAM (Security Awareness Module).
• Video Training – Using a system to measure the modules by checking on the progress per candidate, number of views, answers provided and the number of attempts to answer.
• Scheduled Live interaction sessions with employees - Are the employees’ questions becoming more sophisticated over time? Are there some security areas that they are resistant to understanding, even after repeated training?
• Instructor led Classroom training. At least twice per annum.
• Quarterly Security Awareness emails to all users.
• Provision of Security Awareness collateral in electronic or print format.
• Monthly/Quarterly meetings, as required by the municipality, with Security Awareness Ambassadors.
• Provide quarterly updates on security awareness topics.

4. Reporting
• Quarterly feedback reports required with recommendations on outcomes as per training results.
• Identify risk areas or risk profiles per user type or category, i.e., Executive, low end-user etc.
• Present quarterly program status report to ICT Steering Committee.
• Post security training review with ICT Steering Committee.

Licensing per user must include all requirements as set out in this section.

4.6 Vulnerability Scanning Tool

The Vulnerability Scanning Solution/Tool should include on-prem internal network scanners, computer-based discovery agents, remote internal scanning by proxy, and hosted external scanners to scan public facing IPs/resources for comprehensive vulnerability management. The vulnerability scanning tool should be able to manage multiple network environments at scale with no limits on the number of scanners you can use on each environment, to manage multiple networks of any size.

Vulnerability Assessment Scans: The Vulnerability Assessment services and solution are expected to assist in proactively closing any gaps and maintaining a strong security environment for our systems, data, employees, creditors and clients. Data breaches are often the result of unpatched vulnerabilities or misconfigurations, so identifying and eliminating these security gaps removes that attack vector.

SCHEDULED NETWORK VULNERABILITY SCANNING
The Solution should allow for each scanner to be configured to run on its own schedule, based on the frequency and time that you want it to run. Ability to use custom scan tasks to set up variable schedules.

BUILT-IN SCAN PROFILES
Pre-set scans for “Low Impact,” “Standard,” and “Comprehensive” scanning options. There should also be a separate option for creating custom scan profiles to meet specific use-case needs, such as the ability to create scan profiles to target specific TCP and/or UDP ports.
AUTHENTICATED SCANS / CREDENTIALED SCANS
The solution should be able to use credentialed/authenticated scans to access an account on a network endpoint.

COMMON VULNERABILITIES AND EXPOSURES SUPPORT
The Solution should have the ability to search Scan Results for discovered vulnerabilities by Common Vulnerabilities and Exposures (CVE) ID.

REPORTING
Vulnerability Assessment Solution needs to provide both summary and high-level reports to enable remediation. These reports assist the ICT department in identifying and tracking security issues in all phases of the cyber exposure lifecycle, translating raw security data into a common language for communicating risk back to the organization. The Vulnerability Assessment solution must provide capabilities to produce detailed reports that must include date of vulnerability discovery, score of the based on common vulnerability and exposures, detailed description of vulnerabilities.

4.7 Penetration Testing

The Municipality requires an automated Penetration Testing (Pen Test) service as a SaaS model, that replicates manual internal and external network penetration testing, to evaluate real-time cybersecurity risks monthly. For internal scans, a local device may be installed and configured to facilitate this service. External scans must be provided for in the SaaS model.

General Requirements
• Provide a snapshot of a moment in time.
• Alert to issues on network.
• Provide remediation plans.
• Remediation support in the form of professional services.
• Egress filtering testing.
• Authentication attack testing.
• Privilege escalation and lateral movement testing.
• Data exfiltration analysis.
• Simulated malware testing.
• MITRE ATT&CK Framework mappings and analysis.
• Identify reputational threat exposure.

Reporting
• Rank threat severity from Critical to informative.
• Summarize discovered threats.
4.7.1 PROJECT BACKGROUND

The Municipality wishes to source Vulnerability Assessments and Penetration Test services to enable the Municipality to proactively identify threats. This will enable the Municipality to put measures in place that mitigate against the identified vulnerabilities and risks.

The Municipality requires an automated Penetration Testing (Pen Test) service as a SaaS model, that replicates manual internal and external network penetration testing, to evaluate real-time cybersecurity risks monthly. For internal scans, a local device may be installed and configured to facilitate this service. External scans must be provided for in the SaaS model.

The benefits that will contribute to the Municipality with regard to the Vulnerability Assessment and Penetration Test services include:
• Detection of security weaknesses before attackers do.
• Testing of the Municipality's cyber security posture.
• Producing a list of vulnerabilities on devices.
• Producing a defined risk assessment for the Municipality's respective networks.
• Establishing security record with recommendations on how to mitigate against the identified risks.
• Producing a plan for the risks vs. benefits of optimizing the Municipality's security investments.

Due to the rise of cyber security attacks that Municipalities face, it is becoming increasingly necessary to put controls in place that will allow for the prevention of attacks. One of the measures in the prevention of attacks is identifying control weaknesses in systems such as the networks, applications and databases. Once weaknesses are identified, the organisation can put in place measures to close or mitigate against them. The approach that the Municipality will use in this regard is implementing Vulnerability Assessments and Penetration Tests in its ICT environment.
4.7.2 PURPOSE

The purpose of this is to solicit proposals from potential bidders for the Provision of Vulnerability Assessments and Penetration Test Services to the Municipality. This bid document details and incorporates, as far as possible, the tasks and responsibilities of the potential bidder required for the Provision of Vulnerability Assessments and Penetration Test Services.

4.7.3 SCOPE OF WORK

The Vulnerability Assessment and Penetration Test Services program must include the following in scope items:
• Municipal Asset Discovery: The ability to have a current, updated enterprise asset inventory is critical to the success of the Vulnerability Assessment program. The service provider is expected to assist the Municipality in the completion of an inventory and blueprint of the Municipality's networked technology assets. This will be completed through a network discovery process, which is expected to produce a comprehensive inventory detailing the organization’s services, workstations and network devices.
• Vulnerability Assessment Scans: The Vulnerability Assessment services and solution are expected to assist in proactively closing any gaps and maintaining a strong security environment for our systems, data, employees, creditors and clients. Data breaches are often the result of unpatched vulnerabilities or misconfigurations, so identifying and eliminating these security gaps removes that attack vector.
• Reporting: Vulnerability Assessment Solution needs to provide both summary and high-level reports to enable remediation. These reports assist the ICT department in identifying and tracking security issues in all phases of the cyber exposure lifecycle, translating raw security data into a common language for communicating risk back to the organization.
• The Vulnerability Assessment solution must provide capabilities to produce detailed reports that must include date of vulnerability discovery, score of the based on common vulnerability and exposures, detailed description of vulnerabilities.
• Support: The bidder is expected to provide support of the vulnerability services software over a period of 36 months.
• Penetration Tests: The service provider is expected to include the performance of Penetration testing of all public facing systems. This will be handled on a case-by-case basis during scoping sessions for penetration testing. Four (4) Penetration tests will be performed every year, for a period of 36 months.

The project will include the following:
• Delivery, configuration, deployment and operation of the Vulnerability Assessment and Penetration Testing Services.
• Provide an implementation plan covering service, deliverables and skills.
• Provide comprehensive reporting on the discovery and result inclusive of mitigating recommendations.
• Comply with internal policies and audit controls.
• Provide Change Management service to the Municipality; and
• Training of personnel.

The project is expected to deliver the following:

NO  DESCRIPTION

BUSINESS REQUIREMENTS

1. The proposed solution should have automated asset discovery capabilities for the following assets:
   • Servers
   • PCs and Laptops
   • Network devices
2. The solution should provide an ability to scan the network for vulnerabilities using:
   - Authenticated Scan: an authenticated scan is a vulnerability scan that is performed by an authenticated user, a user with login credentials with capabilities to run deep scanning; and
   - Non-authenticated Scan: a non-authenticated scan performs a vulnerability scan by not using usernames or passwords during the scanning, which has capabilities to detect expired certificates, unpatched software, weak passwords, and poor encryption protocols.
3. Vulnerability scanning on all Network Devices including Cloud implementations (External and Internal Vulnerability scanning).
4. Uncover all application vulnerabilities including, but not limited to, cross-site scripting, command injections, code injections, misconfigurations, insecure cookies and flaws.
5. The solution must have the functionality to search for vulnerabilities and assign a risk score continuously.
6. Deliver alerting capabilities for when a scan reveals new security risks and vulnerabilities on the Municipality's ICT infrastructure.
7. Provide capabilities to identify false positives vs real vulnerabilities.
8. Provide a solution that has capabilities to monitor vulnerabilities introduced by applications installed on the Municipality's infrastructure components such as desktop or laptop computers.
9. Provide allowance for flexible vulnerability assessment schedules.
10. The solution must be able to provide a holistic view of the environment where the Municipality's ICT team is able to drill down at any stage to explore:
   • Assets.
   • Vulnerabilities.
   • Exploits.
   • Policies.
11. The vulnerability management solution should also be set up to allow ad-hoc vulnerability scans to be run on the environment, to scan new devices, web applications and systems.
12. Provide penetration testing services for Municipal infrastructure that include:
   • Internal Network (LAN).
   • Externally facing Public IP addresses and systems; and
   • Municipal Websites, both Cloud hosted and internally hosted.
   • Other hosted or cloud services or systems.
13. The services must support standard and customized reporting functionality for penetration testing related reports.
14. Provision of reporting capabilities with a dashboard that highlights the risk scores (i.e. Business Critical, high, medium, low, and informative) for all vulnerabilities but also provides the Municipality with an overall risk score based on the volume and severity of vulnerabilities found within the network, applications, and ICT assets and devices.
15. Reporting function of the solution must include, but not be limited to, the following reports:
   • Automated and comprehensive devices discovery report.
   • Scheduled comprehensive vulnerability scanning reports; and
   • Dashboard reports.
16. The Bidder must be proficient in information security with an excellent knowledge and practice of ICT Vulnerability Assessment and Penetration testing.
17. The Bidder must provide advisory services on vulnerability remediation strategies.
18. The bidder must supply, install, customize, integrate, test and troubleshoot the tools in scope for vulnerability and penetration testing services.
19. The Bidder should supply, install, customize, integrate, test and troubleshoot the tools in scope for vulnerability assessment and penetration testing services.

Compliance Requirements

20. Penetration Testing (Pen Test) service as a SaaS model

AUDIT REQUIREMENTS
Keep an audit trail of all vulnerabilities and applied remediation steps.

4.7.4 PROJECT DESIGN

4.7.4.1 Methodology and approach

The service provider must provide Project Management Services for the full implementation of the solution. The Bidder must also provide detailed description of their Project Management process/methodology in sufficient detail to convey to the Municipality that it is capable of implementing its proposed service on time and on budget. The methodology must indicate clear stage gates which require approval and signoff, triggering payment on completion of key milestones.

The Municipality expects the service provider to provide project documentation, from Project initiation document, project plan, requirements analysis, system architecture, solution documentation and design documents, test plans, training and technical documentation.

The Bidder shall clearly specify the proposed approach, methodology and plan for the implementation of the Vulnerability Assessment and Penetration Testing Services. These include but are not limited to the following:
• Delivery, configuration, deployment and operation of the Vulnerability Assessment and Penetration Testing Services.
• Provide an implementation plan covering service, deliverables and skills.
• Provide comprehensive reporting on the discovery and result inclusive of mitigating recommendations.
• Comply with internal policies and audit controls.
• Provide Change Management service to the Municipality; and
• Training of Municipal personnel.

4.7.5 CONTRACT TERM

The successful bidder will be appointed for a period of thirty-six (36) months or three (3) years. Duration of contract/Service Level Agreement will be based on performance which will be reviewed monthly.

4.7.6 PROJECT MANAGEMENT ARRANGEMENTS

4.7.6.1 Management

The Municipality will appoint the service provider in line with its SCM Policy.
The Municipality will manage and oversee the project and establish a Project Steering Committee for this purpose. The Service Provider will be expected to present the inception report, project plan, draft project report to the Project Steering committee and other relevant stakeholders. Thereafter, the service provider will incorporate comments and inputs before presenting the final project report. Supplier performance will be conducted in line with SCM policy and Provincial and National Treasury Regulations.

4.8 Security Operations Centre (SOC)

The Municipality wishes to engage a suitable vendor to provide a 24 x 7 x 365 Managed Security Service encompassing a Security Operations Centre (SOC).

4.8.1 SPECIFICATION OF REQUIREMENTS

Tenderers must address each of the requirements in this part of the tender and submit a detailed description in each case which demonstrates how these requirements will be met and their approach to the proposed delivery of the Services. A mere affirmative statement by the Tenderer that it can/will do so, or a reiteration of the tender requirements is NOT sufficient in this regard.

The Municipality wishes to engage a suitable vendor to provide a 24 x 7 x 365 Managed Security Service encompassing a Security Operations Centre (SOC) solution which it is proposed to implement on a phased basis as described in 4.10.4 below. The purpose of the SOC will be to monitor and analyse the Municipality's data environment and to alert and advise on remediation. The proposed solution must be capable of operating across firewall zones and provide support for Cloud services incl. Azure.

The objectives from a Municipal perspective include the following:
• To implement a solution to detect and respond to threats, while maintaining all systems and network data in a secure manner.
• To increase resilience by learning about the changing threat landscape (both malicious and non-malicious, internal and external).
• To identify and address negligent or criminal behaviour.
• To derive business intelligence about user behaviour to shape and prioritise the development of technologies.

B-BBEE Minimum Level: 10
Tender Documents (1)

SCM41-2025-26 ICT SUPPORT SERVICE FOR A PERIOD OF 3 YEARS - TENDER DOCUMENT.pdf
