
Forcepoint Web Security System for Internet Web Access
IAEA Specification Dated 2017-01-30

STATEMENT OF WORK

1. Scope
This Statement of Work describes the requirements for the Forcepoint web
security system for Internet web access (the System) at the International Atomic
Energy Agency (IAEA).
The System shall address the following areas:
• Content filtering based on the nature of the content viewed on the Internet;
• Reputation-based filtering which will enable filtering websites based on their
reputation;
• URL filtering which will filter the websites based on their ratings and nature
and categorization (e.g. phishing and hacking websites);
• Virus protection, protection against malicious content, malware and Bot
Networks; and
• Reporting capability which will enable IAEA staff to create reports based on
content, source and destination which can be used for analysis and forensic
purposes.
The IAEA is currently using the on-premises version of the Forcepoint web
security system; however, a cloud-based option could also be envisaged.

2. Applicable Documents
N/A

3. Definitions, Acronyms, and Abbreviations

The following definitions, acronyms, and abbreviations shall apply throughout
this:

SoW    Statement of Work
SLA    Service Level Agreement
QoS    Quality of Service
MTIT   Division of Information Technology
SSO    Single Sign On


4. Requirements
4.1. Functional and Performance Requirements

The proposed System shall:


4.1.1 Support at least 5000 users and 3000 concurrent active sessions and
8000 passive/inactive connections;
4.1.2 Maintain high availability (99.99%);
4.1.3 Provide real time reports and statistics for access log, filtering logs and
scanning logs and alerts;
4.1.4 Provide reports and statistics to be presented in a customizable
dashboard and exportable for investigations;
4.1.5 Provide role-based access for administration;
4.1.6 Provide cache control mechanisms based on categories and type of
websites, content and files;
4.1.7 Provide a minimum of 400 Mbps throughput;
4.1.8 Provide major browsers at the client side (i.e. Internet Explorer,
Chrome);
4.1.9 Provide different proxy deployment modes such as web proxy auto
discovery protocols (WPAD, PAC), static proxy, transparent proxy mode
and WCCP;
4.1.10 Provide ICAP Protocol;
4.1.11 Provide web blocking/filtering and access control based on categories;
4.1.12 Provide content blocking/filtering (category-based, content-based,
reputation-based), SSL inspection, protocol filtering. Real-time update
and built URL database;
4.1.13 Provide different authentication methods for clients such as local and
Active Directory (LDAP, LDAPS, Kerberos and SSO);
4.1.14 Provide client access control and authorization based on source
network address, local and AD user and AD group authentication;
4.1.15 Provide different levels of access control for desktops, servers and
appliances;
4.1.16 Scan and block malicious web content (e.g. Malicious JavaScript / VB
Script, Malicious (or unauthorized) ActiveX applications, Block
Potentially Unwanted Programs (PUPs), Malicious Windows
executable) malware and virus protection which must include the
following:
• intelligent scanning for streaming media, file downloads and content
• malware, viruses, trojans, worms and spyware scanning for normal
web-traffic as well as encrypted web traffic
• protection against zero day attacks

• configurable virus signature update frequency check;


4.1.17 Identify http/https tunnelling by non-http applications;
4.1.18 Support SOCKS4, SOCKS5, http, https, ftp and other web protocols;
4.1.19 Provide different types of compression algorithms and scan of nested
compressed files;
4.1.20 Provide file filtering for upload/download;
4.1.21 Provide flexibility to monitor and block instant messaging (IM) based file
transfer and other granular controls in applications;
4.1.22 Ensure stringent security to safeguard itself against any attacks from
Internet or Intranet;
4.1.23 Provide 2FA (two factor authentication), based on Microsoft AD and
RSA tokens for the admin users;
4.1.24 Block and alert the user if the content being
downloaded/uploaded/accessed is found to contain virus/other malware
over HTTP and HTTPS connections;
4.1.25 Ensure dynamic block of a legitimate website which has become
infected and dynamic unblock of the site when the threat has been
removed;
4.1.26 Provide dynamic content inspection of web-based content being
accessed from otherwise unblocked websites;
4.1.27 Provide logging features and detailed information on the originating
system to enable identification of infected units for mitigation;
4.1.28 Provide real-time classification of uncategorized websites;
4.1.29 Provide ability to create custom web categories and add URLs to
categories;
4.1.30 Provide re-categorization of wrongly categorised website within 4
hours;
4.1.31 Be able to detect and block proxy anonymizer services;
4.1.32 Support delegable system administration (ability to create an admin that
can control settings for a specific group of users);
4.1.33 Support the creation of custom policies to be applied for specific user/s,
IPs and group/s;
4.1.34 Provide access schedule control to URL categories for specific
user/users/ group/groups/client/clients to access internet on specific
Time/Day/Date/Weekly /Monthly;
4.1.35 Provide incident access based on role and policy violated;
4.1.36 Support separated roles for technical administration of servers, user
administration, policy creation and editing;
4.1.37 Provide system health alerts to ensure availability;


4.1.38 Poll the Domain controllers to identify users logon information to
transparently identify users;
4.1.39 Provide a real time graphical and chart based dashboard for the
summary of activities over Web;
4.1.40 Provide detailed investigation reports like Risk classes - Security risk,
Legal Liability risk, Bandwidth loss, productivity loss & business loss;
4.1.41 Permit the customization of reports on a granular and/or enterprise
level;
4.1.42 Provide reports via email directly from the UI and should allow
automatic schedule of reports to identified recipients;
4.1.43 Export reports to, at least, CSV, PDF, HTML formats;
4.1.44 Detect custom encrypted payloads, password files and other identified
sensitive information getting stolen through modern malware;
4.1.45 Provide geo destination awareness;
4.1.46 Detect encrypted and password protected files;
4.1.47 Identify malicious traffic pattern generated by Malware infected PC in
order to prevent future data leakage by the malware (act on
behaviours);
4.1.48 Enforce policies by URLs, domains or URL categories;
4.1.49 Integrate with the HP ArcSight SIEM solution;
4.1.50 Have the possibility to be installed (physical appliance or virtual server)
in the Microsoft Azure cloud and provide the same functionalities and
protection features as the on-premises installation to protect cloud
resources (proxy for virtual servers, virtual network appliances, Citrix
farm resources);
4.1.51 Have the possibility to be installed (physical appliance or virtual server)
in the Microsoft Azure cloud to provide protection to laptops when
connected to untrusted networks; and
4.1.52 Have the possibility to be integrated with the Air-Watch MDM to provide
protection to mobile devices.

4.2. Implementation Requirements

The Contractor shall carry out the activities listed below and provide the
deliverables specified:
4.2.1 Ensure that the personnel performing the implementation and advanced
customization include at least one individual with proven experience
and applicable vendor specific technical certification;
4.2.2 Coordinate with IAEA MTIT staff during the course of the installation and
configuration to implement the System in IAEA Vienna headquarters;


4.2.3 Conduct a pre-installation workshop of at least one day with selected
IAEA MTIT technical staff;
4.2.4 Clearly inform the IAEA if the System requires additional software or
hardware (e.g. management server) and provide the corresponding
prerequisites and requirements;

4.2.5 Perform the appropriate installation and configuration of the System in
the IAEA IT environment following the IAEA change management
procedure by conducting changes in IAEA maintenance windows outside
working hours (Thursdays between 19:30 and 22:30 hours and
Saturdays between 08:00 and 20:00 hours).

The changes must be provided as a phased activity including:

• Initial installation/implementation;
• Testing and acceptance (as described in Section 8 below);
• A health check which shall be performed by the Contractor one month
after the acceptance and handover of the System to verify proper
functioning, usage and resource utilization of the System;
4.2.6 Prepare a final report to document all the changes and the installed
status and present and review the final report with MTIT staff;
4.2.7 Warrant that the IAEA will be supported by the version of the
hardware/software that effectively and efficiently fulfils the functional
and performance requirements listed in section 4.1; and
4.2.8 Should the IAEA require a hybrid or cloud solution, ensure that data is
stored in countries which respect the IAEA’s Privileges and Immunities. A list of
these countries can be found in Annex I. Only those countries where a
date is listed under “Entry into Force” shall be considered as locations
to store IAEA data.

5. Language
All documentation and correspondence must be in English.

6. Packing
The System shall be packed in accordance with international standards.

7. Quality Requirements

7.1. The System shall be manufactured, shipped and installed in
accordance with the Contractor’s ISO quality assurance system or an equivalent
quality assurance system.
7.2. The Contractor shall document the compliance with this quality
assurance system.


8. Testing and Acceptance

8.1. After installation, the System shall be tested by the Contractor together
with MTIT staff to demonstrate that it meets the requirements specified herein.
8.2. The results of the testing of the System must be documented by the
Contractor in an acceptance protocol that must be approved and signed by MTIT.
8.3. Prior to shipment, the System shall be tested for conformance with
manufacturer’s performance specifications and the minimum requirements
specified herein.

9. Installation and Training

9.1. The Contractor shall install, as required, the hybrid or cloud version of
the System at IAEA headquarters in Vienna.

9.2. Should the IAEA require the hybrid or cloud version of the System, the
Contractor shall provide 2 days of training in the operation and maintenance. The
training shall take place at IAEA Headquarters in Vienna.

10. Deliverable Data Items

10.1. The Contractor shall provide a clear description of the service, support
and maintenance levels supplied with the System. It shall include the following:
• Type of support and service
• Guaranteed response time
• Guaranteed resolution time in case of software or equipment failure
• Equipment and software covered.

10.2. The Contractor shall provide two complete sets of operation and
servicing manuals and technical drawings.
______________________________________________________

International Atomic Energy Agency

Agreement on the Privileges and Immunities of the IAEA

Registration No: 44
Parties: 84
Last change of status: 05 September 2013

Country/Organization   Signature   Instrument   Date of deposit   Declaration etc. / Withdrawal   Entry into force

Afghanistan

Albania acceptance 10 Apr 2003 10 Apr 2003

Algeria

Angola

Argentina acceptance 15 Oct 1963 15 Oct 1963

Armenia

Australia acceptance 09 May 1986 09 May 1986

Austria

Azerbaijan

Bahrain

Bangladesh

Belarus acceptance 02 Dec 1966 02 Dec 1966

Belgium acceptance 26 Oct 1965 26 Oct 1965

Belize

Benin acceptance 30 Jan 2003 30 Jan 2003

Bolivia acceptance 10 Apr 1968 10 Apr 1968

Bosnia and Herzegovina acceptance 11 Jun 2009 11 Jun 2009

Botswana

Brazil acceptance 13 Jun 1966 13 Jun 1966

Bulgaria acceptance 17 Jun 1968 17 Jun 1968

Burkina Faso

Burundi

Cambodia

Cameroon acceptance 22 Sep 1988 22 Sep 1988

Canada acceptance 15 Jun 1966 15 Jun 1966

Central African Republic

Chad

Chile acceptance 08 Dec 1987 08 Dec 1987

China acceptance 16 Jul 1984 16 Jul 1984

Colombia acceptance 01 Jul 1983 01 Jul 1983


Congo

Costa Rica

Côte d'Ivoire

Croatia succession 12 Feb 1993 12 Feb 1993

Cuba acceptance 24 Aug 1982 24 Aug 1982

Cyprus acceptance 27 Jul 1983 27 Jul 1983

Czech Republic succession 27 Sep 1993 27 Sep 1993

Democratic Rep. of the Congo acceptance 09 Apr 2003 09 Apr 2003

Denmark acceptance 14 Mar 1962 14 Mar 1962

Dominica

Dominican Republic

Ecuador acceptance 16 Apr 1969 16 Apr 1969

Egypt acceptance 12 Feb 1963 12 Feb 1963

El Salvador

Eritrea

Estonia acceptance 12 Feb 1992 12 Feb 1992

Ethiopia

Fiji

Finland acceptance 29 Jul 1960 29 Jul 1960

France

Gabon

Georgia

Germany acceptance 04 Aug 1960 04 Aug 1960

Ghana acceptance 16 Dec 1963 16 Dec 1963

Greece acceptance 02 Nov 1970 02 Nov 1970

Guatemala

Haiti

Holy See acceptance 21 Jan 1986 21 Jan 1986

Honduras

Hungary acceptance 14 Jul 1967 14 Jul 1967

Iceland acceptance 19 Mar 2007 19 Mar 2007

India acceptance 10 Mar 1961 10 Mar 1961

Indonesia acceptance 04 Jun 1971 04 Jun 1971

Iran, Islamic Republic of acceptance 21 May 1974 21 May 1974

Iraq acceptance 23 Nov 1960 23 Nov 1960


Ireland acceptance 29 Feb 1972 29 Feb 1972

Israel

Italy acceptance 20 Jun 1985 20 Jun 1985

Jamaica acceptance 05 Sep 1967 05 Sep 1967

Japan acceptance 18 Apr 1963 18 Apr 1963

Jordan acceptance 27 Oct 1982 27 Oct 1982

Kazakhstan acceptance 09 Apr 1998 09 Apr 1998

Kenya

Korea, Republic of acceptance 17 Jan 1962 17 Jan 1962

Kuwait acceptance 15 Sep 1998 15 Sep 1998

Kyrgyzstan

Lao P.D.R.

Latvia acceptance 05 Jan 2000 05 Jan 2000

Lebanon

Lesotho

Liberia

Libya

Liechtenstein

Lithuania acceptance 28 Feb 2001 28 Feb 2001

Luxembourg acceptance 24 Mar 1972 24 Mar 1972

Madagascar

Malawi

Malaysia

Mali

Malta

Marshall Islands

Mauritania

Mauritius acceptance 07 Apr 1975 07 Apr 1975

Mexico acceptance 19 Oct 1983 19 Oct 1983

Monaco

Mongolia acceptance 12 Jan 1976 12 Jan 1976

Montenegro succession 21 Mar 2007 30 Oct 2006

Morocco acceptance 30 Mar 1977 30 Mar 1977

Mozambique acceptance 15 Mar 2011 15 Mar 2011

Myanmar


Namibia

Nepal

Netherlands acceptance 29 Aug 1963 29 Aug 1963

New Zealand acceptance 22 Jun 1961 22 Jun 1961

Nicaragua acceptance 17 Oct 1977 17 Oct 1977

Niger acceptance 17 Jun 1969 17 Jun 1969

Nigeria acceptance 04 Apr 2007 04 Apr 2007

Norway acceptance 10 Oct 1961 10 Oct 1961

Oman acceptance 03 Aug 2010 03 Aug 2010

Pakistan acceptance 16 Apr 1963 16 Apr 1963

Palau acceptance 05 Sep 2013 05 Sep 2013

Panama

Papua New Guinea

Paraguay

Peru

Philippines acceptance 17 Dec 1962 17 Dec 1962

Poland acceptance 24 Jul 1970 24 Jul 1970

Portugal acceptance 27 Nov 2006 27 Nov 2006

Qatar

Republic of Moldova acceptance 22 Dec 2008 22 Dec 2008

Romania acceptance 07 Oct 1970 07 Oct 1970

Russian Federation acceptance 01 Jul 1966 01 Jul 1966

Saudi Arabia

Senegal acceptance 15 Dec 2006 15 Dec 2006

Serbia succession 05 Feb 2002 27 Apr 1992

Seychelles

Sierra Leone

Singapore acceptance 19 Jul 1973 19 Jul 1973

Slovakia succession 27 Sep 1993 27 Sep 1993

Slovenia succession 21 Sep 1992 21 Sep 1992

South Africa acceptance 13 Sep 2002 13 Sep 2002

Spain acceptance 21 May 1984 21 May 1984

Sri Lanka

Sudan

Swaziland


Sweden acceptance 08 Sep 1961 08 Sep 1961

Switzerland acceptance 16 Sep 1969 16 Sep 1969

Syrian Arab Republic acceptance 18 Dec 1989 18 Dec 1989

Tajikistan acceptance 11 May 2009 11 May 2009

Thailand acceptance 15 May 1962 15 May 1962

The frmr.Yug.Rep. of Macedonia

Togo

Trinidad and Tobago

Tunisia acceptance 28 Dec 1967 28 Dec 1967

Turkey acceptance 26 Jun 1978 26 Jun 1978

Uganda

Ukraine acceptance 05 Oct 1966 05 Oct 1966

United Arab Emirates

United Kingdom acceptance 19 Sep 1961 19 Sep 1961

United Republic of Tanzania

United States of America

Uruguay

Uzbekistan

Venezuela

Vietnam acceptance 31 Jul 1969 31 Jul 1969

Yemen

Zambia

Zimbabwe

13 Sep 2013 10:49
