Case 4:18-cv-07229-YGR Document 108-5 Filed 09/24/20 Page 1 of 23

EXHIBIT 8

REDACTED VERSION OF DOCUMENT SOUGHT TO BE SEALED
`
`
`
`
`
`
`
`Qualys
`
`Continuous Security
`
`Qualys Response to:
`
`Request for Proposal
`
`By: Tobias Harsch
`Date: 20 September 2017
`
`Qualys Confidential — Not for redistribution beyond intended recipient
`
`HIGHLY CONFIDENTIAL - ATTORNEYS' EYES ONLY
`
`QUALYS02033323
`
`
`
`
`
`Dear
`Qualys, Inc. is pleased to submit this document for your review. This document outlines the
`services provided by Qualys and how they can assist
` to
`enhance its Information Security, Vulnerability Management, Policy/Configuration Compliance,
`and Web Application Scanning programs.
`
`
`
`
`
`
`
`
`
`
`
The Qualys Cloud Platform is unlike any other solution in the IT security risk and compliance
`management market. The most important differentiator of the Qualys solution, versus a
`software and appliance approach, is
`, has emerged as the new model for the software industry, with
`customers benefiting from lower deployment and maintenance costs, unmatched global
`scalability, instant implementation, improved usability, and better interoperability. This is
`particularly important to enterprise customers faced with resource and budget constraints and
`who cannot afford the costly deployment and ongoing human resource costs of managing and
`maintaining traditional enterprise software solutions.
`
`
`
`
`
`
`
`
`
`
`•
`
` will uniquely provide:
`The Qualys'
`• Accuracy- The highest accuracy, measuring software quality leveraging Six Sigma quality
`metrics.
`• Lowest TCO- The ability to deploy and administer the solution globally, without the technology
`challenges and cost of traditional enterprise software.
`Instantly Deployable- Qualys Cloud Platform solutions can be deployed globally in minutes
`versus days or weeks with software or appliance based solutions.
`• Scalability/Ease of Use- An enterprise-capable solution that is easy to use for both internal and
`external scanning, and has proven to scale to the largest enterprise customers.
`Interoperability- A solution that is interoperable with the existing security infrastructure through
`a fully documented set of XML APIs.
`• Security- The most secure solution in the marketplace with data encrypted end-to-end in transit
`and storage and a secure platform that is proactively managed and monitored 24x7x365.
`We look forward to working with you as we proceed through the procurement process.
`
`•
`
`Sincerely,
`
Tobias Harsch
Technical Account Manager
Qualys SA | Continuous Security
Email: THarsch@Qualys.com
Phone: +49 15 1157 98952

Joerg Vollmer
Country Manager, DACH
Qualys SA | Continuous Security
Email: JVollmer@Qualys.com
Phone: +49 745 591 008
`
`
`
`
`
Contents
Executive Summary — Value Proposition for ... 3
Asset Management ... 3
IT Security ... 3
Web App Security ... 4
Compliance Monitoring ... 4
Leverage Components ... 5
Operational & Technical Advantages of Qualys Cloud Platform ... 5
Qualys Cloud Platform a SaaS Delivery Model ... 5
Ease of Deployment ... 5
Qualys Scanner Appliance ... 5
Qualys Cloud Agent ... 5
Amazon Web Services Support ... 6
Lower Total Cost of Ownership (TCO) ... 6
Parallel/Load balanced scanning ... 7
True Distributed Scanning ... 7
Qualys Cloud Platform End-to-End Security ... 7
Naturally Self Improving Application ... 8
Integrated Self-Certification for Payment Card Industry (PCI) Scanning ... 8
Scanning Technology ... 9
Accuracy/Service Discovery ... 9
Efficiency ... 9
Reporting and Data Model ... 10
Results by Scan and by Host ... 10
Automated Data Consolidation ... 10
Custom Reporting and Collaboration ... 10
Vulnerability State Tracking ... 10
Patch Supersedence ... 11
Policy Compliance and Regulatory Reporting ... 11
Administration ... 11
Modular Configuration ... 11
Hierarchical User Management ... 12
Asset Groups ... 12
Flexibility to assign a risk-based vulnerability severity ... 12
The Qualys API — Integration ... 12
Customer Driven, Singularly Focused Company ... 14
Platforms Supported ... 15
Additional Information — As Detailed by ... 16
4.1 Available Resources ... 16
4.2 Customer / Client References ... 16
`
`
`
`
`
4.3 Software License ... 16
4.4 Project Risk ... 16
4.5 Freedom to Operate ... 16
4.5.1 Freedom to Operate Requirement ... 16
4.5.2 Freedom to Operate Requirement — Licenses ... 17
4.6 Services Overview ... 17
4.6.1 Locations and Resources ... 17
4.6.2 Transition & Implementation Planning ... 17
4.7 Services Performance ... 17
4.7.1 Service Level Commitments and Measurement ... 17
4.7.2 Customer Satisfaction Commitments and Measurement ... 17
4.7.3 Continuous Improvement Processes and Commitment ... 17
4.7.4 Penalties Structure and Measurement ... 18
4.8 Management and Governance ... 18
4.8.1 Supplier Management Plan and Procedures ... 18
4.8.2 Supplier Management Organization ... 18
4.8.3 Key Personnel, Roles and Responsibilities, Training, Resources ... 18
4.8.4 Delivery Support Processes ... 19
4.8.5 Contract Change Control and Management ... 19
4.8.6 Management of Security Requirements and Industry Compliance ... 19
4.8.7 Assets ... 19
General Qualys Pricing information — Charging model ... 19
Costing and efficiency ... 20

Figures
Figure 1. Enterprise Suite of Integrated Solutions ... 3
Figure 2. Global 24x7 Technical Support Organization ... 7
Figure 3. Global Cloud Infrastructure ... 8
Figure 4. Integrations with 3rd Party Solutions ... 13
`
`
`
`
`
`Executive Summary — Value Proposition for
`
`
`
`Qualys enables your organization to use the solutions you need, when you need them and pay
`for only what you use. Your organization can subscribe to one or more of our security and
`compliance solutions, and over time expand your use. The Qualys Cloud Platform provides the
`following solutions to our customers:
`
`Qualys Enterprise Suite of Integrated Solutions
`
`1=2
`
`0
`
`IIIEi
`o
`
`CM
`Continuous
`Monitoring
`
`VM
`Vulnerability
`Management
`
`PC
`Policy
`Complia •,
`
`,QS
`Questionnaire
`nr ice
`
`PCI
`PCI
`Compliance
`
`MD
`WAS
`Web Application Maiware
`Scanning
`Detection
`
`WAF
`Web Application
`Firewall
`
`SEAL
`Qua lys
`SECURE Seal
`
`Figure 1. Enterprise Suite of Integrated Solutions
`
`Asset Management
`
`IT Security
`
`Vulnerability Management (VM) - Qualys VM is an industry leading and award-winning solution
`that automates network auditing and vulnerability management across an organization,
`including network discovery and mapping, asset management, vulnerability reporting and
`remediation tracking. Driven by our comprehensive
` of known vulnerabilities,
`Qualys VM enables cost-effective protection against vulnerabilities without substantial resource
`deployment.
`
` Qualys recognizes not all vulnerabilities are created equal.
`
`
`
`
`
`against your vulnerabilities.
`
` How? By correlating active threats
`
`
`
`
`
`
`
`
` You never know
`when and where an attack is coming, but you can always know you'll be ready.
`
`
`
`
`
`
`
`
`
`
`
`.
`
`Web App Security
`
`
`
`
`
`Compliance Monitoring
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`4
`
`HIGHLY CONFIDENTIAL - ATTORNEYS' EYES ONLY
`
`QUALYS02033328
`
`
`
`
`
`
`
`
`
`
`Leverage Components
`
While each of these solutions can be purchased individually, many clients leverage several
components together to develop a complete understanding of the systems or applications in their
environment.
`
`Operational & Technical Advantages of Qualys Cloud Platform
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
Qualys Cloud Platform a SaaS Delivery Model
`
`
`
`Pioneered by Qualys, Inc. more than ten years ago,
`
`Ease of Deployment
`
`Qualys Scanner Appliance
`
`
`
`Qualys Cloud Agent
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`5
`
`
`
`
`
`
`
`HIGHLY CONFIDENTIAL - ATTORNEYS' EYES ONLY
`
`QUALYS02033329
`
`
`
Amazon Web Services Support
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`Lower Total Cost of Ownership (TCO)
`
`
`
 Although open source scanners are free, their deployment, management,
maintenance, and use are not. There are many soft costs involved in managing enterprise
vulnerability management solutions that should be considered, including: hardware, software
licenses (OS/DB), database management, HW/SW/VM application maintenance, upgrading
the application, training, re-training, and customization.
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
` When factoring in all the hard and soft costs,
`Qualys provides an application of the highest quality, combined with a lower TCO and
`predictable cost structure. This is backed up by industry analyst research from Gartner and
`others.
`
`
`
`
`
`
`
`
`
`
[Figure 2 shows the Qualys technical support locations: Reading, UK; Redwood City, CA; Raleigh, NC; Pune, India; Japan; Philippines (2015)]
`
`Figure 2. Global 24x7 Technical Support Organization
`
`Parallel/Load balanced scanning
`
`
` Most other
`solutions are limited to running one scan from one scanner at a time. In addition to running a
`load balanced scan;
`
`
`
`
`
`
`
`
`
`
`
`
`True Distributed Scanning
`
`
`
`
`
`
`
`
`
`
`
`
`
`
Other solutions have a separate Internet scanning offering that isn't integrated, or that requires
periodic manual integration with the inside-the-enterprise scanning results. Still others have no
Internet offering, or require a customer to host one of the vendor's scanning devices on their
Internet presence, which is not a true Internet-perspective scan. Often these scanning devices,
or so-called appliances, are Windows-based, raising the concern over possible compromise of
the Internet-deployed scanning device.
`
`Qualys Cloud Platform End-to-End Security
`
`
`
`
`
`Naturally Self Improving Application
`
`
`
`Integrated Self-Certification for Payment Card Industry (PCI) Scanning
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`Case 4:18-cv-07229-YGR Document 108-5 Filed 09/24/20 Page 12 of 23
`Qualys®
`Scanning Technology
`
`Continuous Security
`
`Example:
`
`Accuracy/Service Discovery
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`Efficiency
`Scanning quality should not be solely measured in terms of scan speed or number of
`vulnerability checks in the database, as many vendors will claim. Quality should be measured in
`terms of how a scan engine balances scan performance, network/host impact, accuracy, and
`comprehensiveness—the overall efficiency of the scan.
`
`
`
`
`
`
The other important component of scanning efficiency is a comprehensive vulnerability
database. By comprehensive, we mean the database should be both deep (e.g. cover all Microsoft
checks) and broad (e.g. able to scan any device for vulnerabilities). Some vulnerability
management vendors argue that their database of vulnerabilities is the largest in terms of
number of checks.
`
`Reporting and Data Model
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`Many of the vulnerability scanning solutions require that the scan report options be configured
`prior to running the scan. If the report requires any modification or was incorrectly configured, a
`new scan must be run.
`
`
`
`
`
`
Results by Scan and by Host
`
`
` Even when other vendor solutions can modify the report format, they only store data by
`scan, which also greatly limits reporting capability.
`
`
`
`
`
`
`
`
`
`Automated Data Consolidation
`
`
`
`
`
`
`
`
`Other vendors' solutions force single scanner, centralized scanning so that reporting can be
`consolidated or they tie a database to each scanning device making the consolidation of scan
`data a significant challenge. To overcome such a limitation and as an afterthought, many
`vendors have hastily developed a centralized reporting product that requires customer
`deployment, administration, backup, and security of a large database of vulnerability scan data.
`The soft costs incurred in overcoming this architecture design challenge are substantial and
`should not be ignored.
`
`Custom Reporting and Collaboration
`
`
`
`Vulnerability State Tracking
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
Patch Supersedence
`
` This ensures clients do not waste time
`trying to figure out which patch is the most current or how it may affect your environment.
`
`
`
`
`
`
`
`Policy Compliance and Regulatory Reporting
`
`
`
`
`
`
`
`
`• Reported in understandable format, easily accessible by business stakeholders
`• Workflow and exception management allows organizations to easily produce compliance reports
`for internal configuration and regulatory requirements
`
`•
`
`
`
`
Using Qualys PC, an organization can reduce the risk of internal and external threats while at
the same time providing the proof of compliance demanded by auditors across multiple compliance
initiatives.
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`Administration
`
`
`
Qualys Cloud Platform includes key features that significantly reduce administration and
`configuration time.
`
`
`
`
`
`
`
`Modular Configuration
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
` Other solutions
`in this situation would require time-consuming manual adjustments to every scan job.
`
`Hierarchical User Management
Organizations can give their data and security stakeholders access through hierarchical role-
based user access:
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`Asset Groups
`While other solutions might have similar looking functionality (sites, regions or other),
`
`
`
`.
`
`Flexibility to assign a risk-based vulnerability severity
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
` This is part of the core functionality and
`does not require any customization or professional services.
`
`The Qualys API - Integration
`
`
`
`
`
`
`
`
`
`
`Most other solutions are built on a proprietary language, which locks clients into specific solution
`sets rather than working with existing technology within the client environment.
`
`
`
`
`
`
`
`
`
`
`
`
`
`
As you can see, leading technology partners have integrated their products with Qualys' cloud
platform to deliver a wide variety of high-value, differentiated security solutions. For more
information regarding Qualys technology partners, please see our website:
http://www.qualys.com/partners/solution-technology/
Qualys Cloud Platform is currently integrated with leading security solutions and technologies in
the spaces below and continues to add additional technologies. Refer to the following table for a
sample of existing integration capabilities.
`
`
`
`
`
`Customer Driven, Singularly Focused Company
`
Qualys only provides Qualys Cloud Platform—an integrated enterprise vulnerability
management and policy compliance solution. With many of the other vendors, the vulnerability
management solution came through acquisition and it is just one of many products and services
that compete for internal product management, development, and support resources.
Approximately half of Qualys' 500 total employees are engineers who work on the Qualys Cloud
Platform application in one of the following teams—Product Engineering, Vulnerability Research,
Quality Assurance, Platform Operations, and Customer Support. No other vendor can claim
anywhere close to such a human investment in their solution.
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`Platforms Supported
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
Additional Information — As Detailed by
`
`
`
`4.1 Available Resources
`
`Please provide an overview of the resources (staff, facilities, ramp up plan etc.) available for the
`realization of this RFP's content. How many and what type of resources are available for
`Software Development & Maintenance at your company and at
` locations to
`support the specific efforts and functions required by this RFP?
`Answer:
`
4.2 Customer / Client References
`
Please provide three customer references wherein you have delivered projects similar to the
requirements mentioned under this RFP. In the RFP response please indicate whether Roche
can reach out to these clients to obtain feedback.
`Answer:
`Client 1:
`Client 2:
`Client 3:
`
`4.3 Software License
`
`Please share details in the RFP response around the licensing model, key conditions for use,
`license terms and conditions.
`Answer:
`
`
`
`
`4.4 Project Risk
`
`Please share details in the RFP response on what risks you foresee in delivering the project and
`the likely impact.
`Answer:
`
`
`
`
`
`
`
`
`
`
`
`
`
`4.5 Freedom to Operate
`
`
`
`4.5.1 Freedom to Operate Requirement
`The Vendors are expected to ensure that the Services as well as the use of the Work Results for
`requirements listed under this RFP do not infringe the copyright, trademark, trade secrets,
`patents or other registered or unregistered intellectual property rights of any third parties.
`Answer:
`
`
`
`
`
`4.5.2 Freedom to Operate Requirement —Licenses
`The Vendors are expected to share details of any patent license(s) — existing or planned — which
`the Vendor deems necessary for providing the Services as well as the use of the Work Results
`for requirements listed under this RFP.
`
`
`
`
Answer:
`
`
`4.6 Services Overview
`
`4.6.1 Locations and Resources
`Only approved
` locations will be used for this RFP. Discuss your approach to obtaining
`additional resources, and the availability/recommendation within your company of other
`locations, which may be proposed over the course of this contract term.
`Answer:
`
`
`
`
`
`4.6.2 Transition & Implementation Planning
`Provide a detailed transition and implementation plan. This plan must clearly spell out the
`envisioned roles and responsibilities of the Respondents and
` Provide an
`estimated timeline for completion of transition activities. Explain your view regarding the risks
`associated with transition, and describe your approach to minimizing or mitigating those risks.
`Answer:
`
`4.7 Services Performance
`
`4.7.1 Service Level Commitments and Measurement
`As part of delivery of the service, the
`
`
`
`
`
` is interested in minimizing
`the number of reports, preferring instead to focus on those critical reports relevant to ensuring
`service and relationship management. List and describe management reports to be provided,
`including all service level agreement (SLA) reporting. Describe how each report will be used to
`effectively manage the contract, monitor service quality, and achieve customer satisfaction.
`Answer: Qualys has a documented Service Level Agreement (SLA) policy published on our
`web for all customers to review (https://www.Qualys.com/SLA).
`
`4.7.2 Customer Satisfaction Commitments and Measurement
 requires that the Respondents conduct a formal process for measuring the
satisfaction of
 internal stakeholders. Please describe your process for measuring and
reporting customer satisfaction including how you will set measurement thresholds and goals.
`Describe the process for measurement, as well as the corrective actions and escalation process
`should customer satisfaction not meet stated goals.
`Answer:
`
`
`
`
`
`
`
`4.7.3 Continuous Improvement Processes and Commitment
`Explain your corporate approach and commitment to continuous process improvement.
`Specifically describe how this corporate approach translates to the
` contract,
`environment and reduction in costs over time. In addition, please describe how you plan to
`measure productivity and quality as it relates to the work delivered under this agreement.
`Answer:
`
`
`
`
`
`
`
`4.7.4 Penalties Structure and Measurement
`All critical service levels and customer satisfaction metrics will have penalties that apply for not
`meeting the required goals or thresholds. Please describe, based upon your experiences with
`
`
`
`
companies and contracts of the scope and scale of
 what you propose as a
meaningful contract penalties structure. Include specific penalty amounts for relevant service
level targets.
Answer:
`
`
`
`4.8 Management and Governance
`
`4.8.1 Supplier Management Plan and Procedures
`Describe in detail your plan, policies, and procedures for managing this contract. Specifically
`describe processes for communications with
` management, and escalation
`procedures for disputes and problem resolution. Please explain all planned recurring meetings,
`management reports, and other contract oversight processes.
`
`
`
`4.8.2 Supplier Management Organization
`Provide an organization chart depicting your envisioned program management team. Include all
`key account and functional management positions and roles, including the names and titles of
`proposed staff. Display lines of communications and accountability between the Respondents
`and
` State clearly your expectations and requirements for
`
` personnel participating in the governance process. In the event of an offshore
`solution, please indicate the staff and titles of personnel who will be located in Country.
`
`4.8.3 Key Personnel, Roles and Responsibilities, Training, Resources
`Please identify, within your program management organization, those individuals you consider
`to be "key personnel." At a minimum,
` requires that the account manager
`and the senior operational managers for the various functional areas be designated as key
`personnel.
`
`For each position and individual identified as key, please provide a position description including
`the minimum education and experience requirements for an individual assigned to that role, and
`a single page resume for the individuals specifically proposed.
`Please explain specifically how the staff assigned to this contract will be trained and kept
`abreast of marketplace innovations and technologies.
`Answer:
`
`
`
`
`
`
`Describe in detail the resources you will use to fulfill this contract. Discuss your approach to
`obtaining additional resources, and the availability within your company of other locations, which
`may be used over the course of this contract term.
`Answer:
`
`
`
`4.8.4 Delivery Support Processes
`Please describe your support processes utilized for delivery of described services and the
`support you require from
` to ensure delivery of the services.
`Answer: Qualys provides Free Global support 24x7x365 days a year. We provide both
`Telephone Support as well as Online Support. Refer to: https://www.qualys.com/support/ for
`additional information.
`
`
`
`
`
`4.8.5 Contract Change Control and Management
` recognizes that, over the term of this contract, changes will be required, both
`to the technology environment under management, as well as to the contractual agreement
`between R
` and the Respondents. Please describe your processes for
`controlling and managing these changes.
`Answer: Qualys has a dedicated legal staff always willing to engage with customers to resolve
`any issue or concern. The Technical Account Manager (TAM) will support you in this interface.
`Changes may occur either at the request of
`, or through proposals submitted
`by the Respondents. The Respondent is encouraged to identify and propose change
`
`opportunities that may be of benefit to
`. However,
`reserves the exclusive right to accept or refuse any such proposal from the Respondents.
`
`4.8.6 Management of Security Requirements and Industry Compliance
` business requires a high level of security and needs compliance. Please
`describe how you fulfill these requirements like compliance, data protection and risk mitigation of
`security breaches.
`Answer:
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`4.8.7 Assets
`Assets (hardware, software, facilities) currently employed for delivery of the described services
`are property of
`. In general,
` believes that it should own
`assets that reside on its floor space, and that the Respondents should own assets that reside on
`any Respondent's floor space. Respondents desiring to propose an alternate approach must, in
`this section of the proposal, clearly state the terms and process associated with the alternative.
`Answer:
`
`
`General Qualys Pricing information — Charging model
`
`Qualys Cloud Platform is priced as a prepaid annual subscription based on the number of active
`modules (e.g. Vulnerability Management), the number of appliances, the number of LIVE IPs
`scanned (or the number of web applications scanned for WAS customers).
`Our pricing includes:
`• Unlimited scans per live IP address purchased in subscription.
`• Blended pricing for Internal IPs using Cloud Agent and over the network scans
`• Distributed scanning capabilities.
`• Unlimited user accounts with multiple roles.
`• Qualys PCI is bundled at no additional cost with Qualys Enterprise Suite.
`• All Qualys platform software and content updates are managed and delivered by Qualys
`transparent to customer at no additional charge.
• 24x7x365 technical support at no additional charge by email and over the phone
• Instructor-led, Lab-based, Certification Training for any customers at no additional charge.
`• Free TAM and SME support
`• Unlimited use of Cloud Agent for Assets Inventory purposes
`• Free Community to Collaborate with other Customers and Qualys Employees
`
`
`
`
`
With a single platform, Qualys provides services that have traditionally required three or more
`separate software purchases, running on separate infrastructures, requiring different skill sets
`and all the costs associated with managing and supporting all these separate systems.
`Qualys has included the following solutions in the pricing calculations:
`1. QualysGuard Enterprise Vulnerability Management, including the following free of
`charge:
`
`
`
`
`
`
`
`Notes:
`1. An External IP is a publicly facing device that is scanned using Qualys' Internet Remote
`Scanners.
`2. An Internal IP is any network device, laptop, server, printer, etc.
`3. A web application is defined as a starting URL with a port.
`4. Scanner Appliances required for scanning internal devices are available under prepaid
`annual subscriptions as a hardware appliance or a virtual appliance.
`QualysGuard Private Cloud Platform is sold as an annual subscription.
`
`Costing and efficiency
`
`The solution can be designed to scale up/down to deliver efficiency in a true
`
` sense.
`
`
`
`
`
`
`
`
`
`