RFP - Contract Management Solution - SCOPE OF WORK

SriLankan Airlines is seeking a Contract Management Solution to enhance the contract review and negotiation process for a three-year period. The solution must cover the entire contract lifecycle, provide integration support, and include features such as automated workflows, secure document storage, and compliance functionalities. Vendors must submit detailed proposals including implementation plans, pricing, and evidence of experience, while adhering to a strict Service Level Agreement for performance and support.

Provision for a Contract Management Solution

1. GENERAL
SriLankan Airlines is the flagship carrier of Sri Lanka, headquartered in Colombo, the capital
city. Founded in 1979 as Air Lanka, the airline operates a fleet of modern aircraft to over 100
destinations worldwide, including Europe, Asia, the Middle East, and the Indian subcontinent.
With a focus on providing exceptional customer service, SriLankan Airlines has won
numerous awards for its in-flight experience, including "Best Airline in South Asia" at the
Skytrax World Airline Awards.
The airline is also committed to sustainability and has implemented various initiatives to
reduce its environmental impact. As a member of the oneworld alliance, SriLankan Airlines
offers passengers access to a vast network of airlines, lounges, and travel benefits.

2. OVERVIEW
SriLankan Airlines seeks to implement a Contract Management Solution to streamline and
automate the entire contract review and negotiation process for both internal and external
stakeholders. The goal is to establish a comprehensive solution capable of managing all
phases of contract handling—from initiation through internal and external review,
negotiation, signing, and the ongoing management and storage of agreements.

3. GENERAL REQUIREMENTS

1. The proposed solution shall provide an end-to-end solution covering the entire contract
management lifecycle for a period of three (03) years.

2. Interested parties shall agree to provide the necessary integration support, should it be
required during the term of the proposed implementation.

3. Interested parties are required to provide a project implementation plan not exceeding 8
weeks.

4. The successful bidder is required to complete the implementation and project management
of their proposed solution within 8 weeks or less.

5. All payments will be made 100% after the successful completion of the Project and the
User Acceptance Test (UAT).

6. Proposed solutions may include Software as a Service (SaaS) or a managed service (including hardware), subject to meeting the requirements outlined in this RFP.

7. Regardless of the solution model proposed, the vendor shall assume end-to-end
responsibility for the software and related hardware for the duration of the service agreement.

8. Interested parties shall provide maintenance and support for a period of three (03) years.

[confidential] 1

4. SCOPE OF WORK

1. Agreement Creation: The proposed solution shall allow the creation of agreements, both
using predefined templates and non-template-based agreements as required.

2. Automated Workflows: The proposed solution shall enable user engagement through
automated workflows for both predefined workflows and custom user lists, as necessary for
each agreement.

3. Collaboration: The proposed solution shall support seamless collaboration between internal
and external parties involved in the contract negotiation process.

4. Version History: The proposed solution shall maintain and collate changes to the document along with its version history. It shall centralize contract negotiations, offer detailed audit trails, and support distinct internal and external versions for effective collaboration and change tracking.

5. Comment History: The solution should provide a detailed history of individual comments
and follow-up comments for each reviewer until the agreement is finalized. Additionally, it
should specify the actions taken to address any open items or queries before the agreement is
signed.

6. Document Storage: The proposed solution shall have the ability to store finalized
agreements.

7. Automated Notifications: The proposed solution shall provide automatic notifications to prompt pending agreements, renewals, and reminders to collaborators.

8. Intuitive Dashboard: The proposed solution shall provide an intuitive dashboard for users to
view active agreements, agreements due for renewal, and the status of draft agreements, etc.,
to facilitate necessary decisions.

9. Training: The proposed solution shall provide hands-on training for nominated personnel.

10. Self-Learning: The proposed solution shall offer an on-demand facility for self-learning the
features of the solution.

11. Support and Maintenance: The proposed solution shall include support and maintenance
during the tenure of the service agreement.

12. Track Changes and Comments: The proposed solution shall track and manage review
comments and document changes.

13. Review Sign-Off: The proposed solution shall facilitate review sign-off by designated
stakeholders.

14. Electronic Signatures: The proposed solution shall enable electronic signatures that are valid
globally and ensure that only authorized signatories can sign agreements.

15. Secure Document Storage: The proposed solution shall securely upload and store
agreements in the system and ensure only authorized personnel can access them.

16. Customizable Notifications: The proposed solution shall have customizable notification
settings for different stakeholders.


17. Reporting: The proposed solution shall generate comprehensive reports on agreement status,
review history, and changes, with customizable reporting templates.

18. Audit Access: The proposed solution shall allow easy access to review history for audit
purposes.

19. Transparency and Security: The proposed solution shall ensure transparency, accountability,
and security in the review process, with robust measures to protect sensitive information.

20. Implementation Team: The proposal should also include details of the implementation
team/resources, along with the proposed timeline and a comprehensive implementation plan.

21. New Requests and Enhancements: The procedure for accommodating new requests or
enhancements should also be outlined, along with details of support and maintenance
services.

22. Signature Integration: The proposed solution shall be able to integrate with the signature
platform currently used by SriLankan Airlines Ltd.

23. Global Signature Recognition: If using in-built signatures, those signatures should be
globally recognized, especially in legal contexts such as courts.

24. AI/ML Capabilities (Optional): As an optional service, it is preferable if the solution has
inbuilt AI/ML capabilities to perform contract classification and search for specific clauses in
contracts to confirm their presence.

25. Document Access Control: The proposed solution shall include strict document access controls as follows:

- During the review process, the documents shall be accessible only to:

o The initiator of the contract.

o The assigned reviewers.

o Designated signatories who are part of the review process.

- Post-sign-off: after the contract has been signed off, the uploaded documents shall be accessible only to:

o The uploader (the user who initially uploaded the contract).

o The nominated person specified by the uploader.

26. User Experience and Accessibility:

- Intuitive Interface: Ensure the solution has a user-friendly and intuitive interface for both technical and non-technical users. The system should be easy to navigate for all user levels.

27. Advanced Search and Filtering Capabilities: (Optional)

o Advanced Search Features: In addition to simple search functions, the system should support advanced filtering options such as metadata, date ranges, keywords, clause types, document statuses, and contract terms.

o Natural Language Processing (NLP) Capabilities: Ability to identify and classify contracts or clauses more effectively by analyzing text in a human-like manner.

28. Performance and Reliability Monitoring:

- Real-Time System Performance Monitoring: The solution should include real-time performance monitoring to track server health, document load times, and system responsiveness, ensuring that users do not experience delays, especially when handling large documents.

- Disaster Recovery and Business Continuity: The vendor's disaster recovery and business continuity plan should be included to ensure the organization can maintain operations even in the event of unforeseen circumstances.

29. Security and Privacy Enhancements:

- Two-Factor Authentication (2FA): Implementing 2FA in addition to role-based access control would add an additional layer of security to prevent unauthorized access, especially for users handling sensitive contracts.

- Data Masking and Redaction: (Optional) For contracts containing sensitive information, the system could allow for automatic redaction or data masking of sensitive fields (e.g., financial details or personally identifiable information).

30. Vendor Support and SLAs:

- Vendor Roadmap and Future Enhancements: In addition to outlining the vendor's support services, the proposal should provide information on the vendor's roadmap for future upgrades or enhancements. This will provide visibility into how the solution will evolve and ensure that the vendor is committed to continuous improvement.

- Dedicated Account Management: A dedicated account manager or technical liaison to work closely with the SriLankan Airlines team for smooth implementation and ongoing optimization would be an added benefit.

31. Customizable Workflows and Approvals:

- Custom Workflow Templates: The solution should include the ability to create highly customizable workflows that can be tailored to different departments or contract types, allowing SriLankan Airlines to automate and streamline its unique processes.

- Approval Hierarchy: The solution should support multi-level approval hierarchies where different levels of stakeholders can be defined for approvals based on contract value, type, or other criteria.

32. Intelligent Alerts and Notifications:

- Proactive Alerts: Introduce intelligent, proactive alerts for contract milestones, such as when contracts are close to expiry, when they need to be renegotiated, or when a clause is missing or needs updating based on predefined compliance standards.

- Escalation Notifications: Include automated escalation alerts to ensure timely attention to stalled reviews, approvals, or signed contracts.

33. Support for Large-Scale Enterprise Use Cases: The system should be capable of handling
large-scale enterprise requirements, including high-volume contract workflows, multi-
department collaboration, and global operations.

34. Enhanced Compliance Features: The system must offer advanced compliance
functionalities tailored to meet the regulatory standards of highly regulated industries,
ensuring robust audit trails, risk assessments, and adherence to legal requirements.

35. Comprehensive Clause Library and Conditional Rules: The system should provide a
robust clause library to manage pre-approved contract terms and allow for conditional rules to
address non-standard terms, ensuring consistency and efficiency in contract drafting and
review.

36. Support for Independent SBUs with Separate Administration

The solution must support SriLankan Airlines' Strategic Business Units (SBUs), which
operate as distinct entities with potentially separate Active Directory tenants. Each SBU
should function independently within the system, with dedicated administrative controls for
each unit.

37. Reassignment of Documents Upon Resignation or Transfer

The system must allow the administrator to reassign documents or workflows from an
initiator or uploader who has resigned or been transferred to another user without
granting the administrator access to view the documents.

38. Privacy and Confidentiality During Reassignment

The reassignment process must ensure that the contents of the documents remain
confidential, accessible only to the authorized users as defined by the original
initiator.
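Items 25, 37 and 38 together define a small access model: who may read a document at each stage, and an administrator who can transfer ownership without ever gaining read access. The following is an added example, not part of this RFP or of any vendor's product, showing that model written as a testable policy in Python. The user names, the Contract record, the "nominee" field and the rule that an administrator may not reassign a document to themselves (implied by item 37, not stated) are assumptions made for the illustration.

```python
# Added example (not from the RFP): items 25, 37 and 38 as an executable,
# testable access policy. Names, fields and sample users are assumptions.
from dataclasses import dataclass, replace
from enum import Enum
from typing import FrozenSet, Optional


class Stage(Enum):
    REVIEW = "review"   # item 25, "during the review process"
    SIGNED = "signed"   # item 25, "post-sign-off"


@dataclass(frozen=True)
class Contract:
    contract_id: str
    stage: Stage
    initiator: str                               # creator/uploader of the contract
    reviewers: FrozenSet[str] = frozenset()      # assigned reviewers
    signatories: FrozenSet[str] = frozenset()    # designated signatories in the review
    nominee: Optional[str] = None                # person nominated by the uploader (post-sign-off)


def can_read(contract: Contract, user: str) -> bool:
    """Item 25. No administrator role appears in either rule on purpose:
    admins reassign documents (item 37) but never read them (item 38)."""
    if contract.stage is Stage.REVIEW:
        return (user == contract.initiator
                or user in contract.reviewers
                or user in contract.signatories)
    if contract.stage is Stage.SIGNED:
        return user == contract.initiator or user == contract.nominee
    return False


def sign_off(contract: Contract) -> Contract:
    """Move a contract from review to the post-sign-off state."""
    return replace(contract, stage=Stage.SIGNED)


def reassign(contract: Contract, admin: str, admins: FrozenSet[str], new_owner: str) -> Contract:
    """Items 37/38: transfer the initiator/uploader role (e.g. after a resignation).

    The reviewer, signatory and nominee sets chosen by the original initiator
    are carried over unchanged, so the audience of the content does not widen.
    Assumption: the administrator is refused as the new owner, since otherwise
    the reassignment itself would hand them read access."""
    if admin not in admins:
        raise PermissionError(f"{admin} is not an administrator")
    if new_owner == admin:
        raise PermissionError("an administrator may not reassign a document to themselves")
    return replace(contract, initiator=new_owner)


def access_matrix(contract: Contract,
                  users=("alice", "bob", "carol", "dave", "admin1")) -> dict:
    """Who can read the contract right now; the kind of table an audit (item 18) wants."""
    return {u: can_read(contract, u) for u in users}


# Constructed sample data for the illustration.
ADMINS = frozenset({"admin1"})
DRAFT = Contract("CM-0001", Stage.REVIEW, initiator="alice",
                 reviewers=frozenset({"bob"}), signatories=frozenset({"carol"}),
                 nominee="dave")

if __name__ == "__main__":
    print("review stage      :", access_matrix(DRAFT))
    signed = sign_off(DRAFT)
    print("after sign-off    :", access_matrix(signed))
    handed_over = reassign(signed, "admin1", ADMINS, "erin")
    print("after alice leaves:", access_matrix(handed_over, users=("alice", "erin", "dave", "admin1")))
```

The point worth checking in a vendor demo is the last case: after reassignment the new owner and the original nominee can read, the departed initiator cannot, and the administrator who performed the transfer still cannot.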

39. Browser-based Redlining

The proposed contract management system must include a browser-based redlining feature, enabling real-time contract negotiations. This functionality should eliminate the need for teams to switch between different tools (such as Word, email, and PDF) to negotiate contracts, thereby streamlining the process and reducing delays.

40. Mobile Compatibility

The system must be compatible with mobile devices, allowing users to access, review, and collaborate on contracts while on the go. This feature should support mobile workflows, ensuring that contract management tasks can be completed efficiently and securely from any location, enhancing flexibility and responsiveness.

5. PROPOSAL REQUIREMENTS

The proposal should include (but is not limited to):


A. Solution Overview: A comprehensive overview of the proposed Contract Management
Solution, including core features, capabilities, and technologies used to support the full
contract lifecycle.
B. Implementation Plan: A detailed project plan outlining the implementation process,
including timelines, key milestones, and any resources required.
C. Pricing and Cost Structure: A clear breakdown of the pricing model, including all
upfront, ongoing, and any additional fees associated with the solution.
D. Vendor Experience and References: Information on the vendor’s experience and track
record in delivering similar solutions, with references or case studies from previous clients.
E. Additional Services and Features: Details of any additional services or optional features
included in the solution, such as customization options, integrations, or advanced analytics.

6. SERVICE LEVEL AGREEMENT (SLA)

The vendor shall adhere to the following Service Level Agreement (SLA) to ensure optimal
performance, availability, and support.

1. System Availability
- Uptime Guarantee: The system shall maintain a minimum uptime of 99.95% on a monthly basis, excluding scheduled maintenance.
- Measurement and Reporting: Uptime is calculated as the percentage of time that the system is fully functional and accessible within the scheduled service hours.
- Penalties for Non-Compliance: Failure to meet the uptime requirement will incur service credits, to be defined based on the severity and frequency of downtime.
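Because the uptime figure excludes scheduled maintenance, the buyer should be able to recompute it from raw incident and maintenance records rather than accept the vendor's monthly number as given. The following Python is an added example, not part of this RFP or any vendor's tooling, that performs that calculation the way section 6.1 defines it; the November 2024 intervals are constructed sample data, and the treatment of overlapping tickets and of outages that straddle a maintenance window is the author's own.

```python
# Added example (not from the RFP): recomputing the monthly availability of
# section 6.1 from raw outage and maintenance intervals so that the vendor's
# monthly report (section 6.6) can be verified. Sample intervals are constructed.
from datetime import datetime, timedelta
from typing import Iterable, List, Optional, Tuple

Interval = Tuple[datetime, datetime]
UPTIME_TARGET = 99.95  # percent per month, section 6.1


def _clip(iv: Interval, lo: datetime, hi: datetime) -> Optional[Interval]:
    """Restrict an interval to the reporting period; None if nothing remains."""
    s, e = max(iv[0], lo), min(iv[1], hi)
    return (s, e) if s < e else None


def _merge(intervals: Iterable[Interval]) -> List[Interval]:
    """Merge overlapping intervals so two tickets for one outage are not counted
    twice (and overlapping maintenance windows are not excluded twice)."""
    merged: List[Interval] = []
    for s, e in sorted(intervals):
        if merged and s <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], e))
        else:
            merged.append((s, e))
    return merged


def _overlap(a: Interval, b: Interval) -> timedelta:
    return max(min(a[1], b[1]) - max(a[0], b[0]), timedelta(0))


def _measured_time(start: datetime, end: datetime, maintenance: Iterable[Interval]):
    maint = _merge(c for c in (_clip(m, start, end) for m in maintenance) if c)
    measured = (end - start) - sum((e - s for s, e in maint), timedelta(0))
    return measured, maint


def monthly_availability(period_start: datetime, period_end: datetime,
                         outages: Iterable[Interval],
                         maintenance: Iterable[Interval]) -> float:
    """Availability in percent for [period_start, period_end).

    Scheduled maintenance is excluded on both sides of the fraction: it is taken
    out of the measured time, and outage minutes that fall inside a maintenance
    window do not count as unplanned downtime."""
    measured, maint = _measured_time(period_start, period_end, maintenance)
    outs = _merge(c for c in (_clip(o, period_start, period_end) for o in outages) if c)
    unplanned = timedelta(0)
    for o in outs:
        unplanned += (o[1] - o[0]) - sum((_overlap(o, m) for m in maint), timedelta(0))
    return 100.0 * (measured - unplanned) / measured


def allowed_downtime(period_start: datetime, period_end: datetime,
                     maintenance: Iterable[Interval] = (),
                     target: float = UPTIME_TARGET) -> timedelta:
    """Unplanned downtime budget the target leaves for this period."""
    measured, _ = _measured_time(period_start, period_end, maintenance)
    return measured * (1 - target / 100.0)


def meets_target(availability: float, target: float = UPTIME_TARGET) -> bool:
    return availability >= target


# Constructed sample month: November 2024, 30 days = 43,200 minutes.
NOV_START, NOV_END = datetime(2024, 11, 1), datetime(2024, 12, 1)
MAINTENANCE = [(datetime(2024, 11, 3, 2, 0), datetime(2024, 11, 3, 4, 0))]        # 120 min, notified in advance
OUTAGES = [
    (datetime(2024, 11, 3, 3, 0), datetime(2024, 11, 3, 3, 30)),      # inside the window: excluded
    (datetime(2024, 11, 15, 10, 0), datetime(2024, 11, 15, 10, 15)),  # two overlapping tickets
    (datetime(2024, 11, 15, 10, 10), datetime(2024, 11, 15, 10, 20)), #   for one 20-minute incident
]
EXTRA_INCIDENT = (datetime(2024, 11, 20, 8, 0), datetime(2024, 11, 20, 8, 5))      # 5 more unplanned minutes
STRADDLING_OUTAGE = (datetime(2024, 11, 3, 3, 30), datetime(2024, 11, 3, 4, 30))   # 30 min inside, 30 min outside


def sample_report(extra_outages: Iterable[Interval] = ()) -> dict:
    """Availability report for the sample month, optionally with more incidents."""
    outages = list(OUTAGES) + list(extra_outages)
    avail = monthly_availability(NOV_START, NOV_END, outages, MAINTENANCE)
    budget = allowed_downtime(NOV_START, NOV_END, MAINTENANCE)
    return {"availability_pct": round(avail, 4),
            "meets_target": meets_target(avail),
            "budget_minutes": budget.total_seconds() / 60}


if __name__ == "__main__":
    print(sample_report())                  # 20 unplanned minutes: target met
    print(sample_report([EXTRA_INCIDENT]))  # 25 unplanned minutes: target missed
```

Note how little headroom the target leaves: 99.95% of a 30-day month is roughly 21.5 minutes of unplanned downtime, so a single P1 incident resolved at the 4-hour limit in the severity table below would by itself breach the availability clause for that month.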

2. Support and Response Times

The vendor shall provide dedicated support with the following response times based on the issue severity level:

Severity level: Critical (P1)
  Definition: Major system failure or outage impacting all users and core functionality
  Initial response time: 15 minutes
  Resolution time: 4 hours

Severity level: High (P2)
  Definition: Significant functionality loss affecting a large number of users or critical operations
  Initial response time: 1 hour
  Resolution time: 8 hours

Severity level: Medium (P3)
  Definition: Minor system issues that affect some users or non-critical functions
  Initial response time: 4 hours
  Resolution time: 24 hours

Severity level: Low (P4)
  Definition: Minor issues or inquiries that do not impact the overall system performance
  Initial response time: 24 hours
  Resolution time: 3 business days

- Support Availability: Support shall be available 24/7 for critical issues and during business hours for non-critical issues.
- Escalation Procedures: Clear escalation processes shall be in place, ensuring critical issues receive priority handling and rapid resolution.

3. Scheduled Maintenance
- Maintenance Windows: Routine maintenance shall be scheduled during off-peak hours, with prior notification to SriLankan Airlines at least 5 business days in advance.
- Emergency Maintenance: In the event of an urgent need for maintenance, the vendor shall notify SriLankan Airlines as early as possible and outline the anticipated impact.

4. Data Backup and Recovery

- Data Backup Frequency: All data shall be backed up at least daily to ensure data integrity and availability.
- Data Retention and Recovery Time Objective (RTO): Backups shall be retained for a minimum of 30 days, and in the event of data loss, recovery shall be completed within 4 hours.
- Disaster Recovery: The vendor shall implement disaster recovery protocols to restore full functionality within 24 hours in case of a major system failure.

5. Security and Compliance

- Data Encryption: All data, both in transit and at rest, shall be encrypted with industry-standard protocols.
- Access Control and Authentication: The system shall support multi-factor authentication (MFA) and role-based access controls (RBAC) to secure access.
- Compliance: The vendor shall ensure compliance with relevant data protection regulations and provide evidence of security audits on request.
- Incident Response: In the event of a data breach or security incident, the vendor shall notify SriLankan Airlines within 1 hour and provide regular updates on incident handling and remediation.

6. Performance Monitoring and Reporting

- Performance Reports: The vendor shall provide monthly performance reports covering uptime, response times, and any incidents.
- SLA Review: The SLA will be reviewed monthly to ensure alignment with SriLankan Airlines' evolving requirements and service quality expectations.

7. Service Credits
- Service Credits for Non-Compliance: If the vendor fails to meet the agreed SLA standards for uptime, support response times, or data recovery, SriLankan Airlines will be entitled to service credits. The specific credit amounts will be agreed upon during contract negotiation and will vary based on the extent of non-compliance.

7. EVALUATION CRITERIA

The vendor will be evaluated based on their response to the requirements outlined above, including the following:

1. Solution Ability to Meet RFP Requirements and Functionality:
o The proposed solution's ability to meet the detailed requirements specified in this RFP.
o Customization options and flexibility to accommodate future needs or changes in
requirements.
o Integration Capability: Ability of the solution to integrate with existing systems,
Active Directory, e-signature solution, or other relevant enterprise applications.
o AI/ML Features (Optional) The presence of artificial intelligence or machine
learning capabilities (if applicable) for automation, classification, and contract clause
identification.
2. Vendor Experience and Track Record:
o The vendor's experience and proven track record in delivering similar solutions,
particularly for large-scale organizations in the airline or other regulated industries.
Preference will be given to vendors who can demonstrate the number of contracts
managed and scenarios handled for such organizations.
o Client references and case studies demonstrating successful implementations of
comparable solutions.
o Market Reputation: The vendor’s reputation within the industry, including any
awards or certifications.
3. Implementation Plan and Timeline:
o The proposed timeline for deployment, including key milestones and deliverables.
o A clear, step-by-step implementation plan, including any anticipated risks and
mitigation strategies.
o Resource Allocation: The vendor's proposed implementation team and their
expertise, including any subcontractors or partners involved.
o Post-Implementation Support: Strategy for ongoing support post-implementation,
including troubleshooting and system optimization.
4. Support, Maintenance, and Training Services:
o Proposed support and maintenance services, including availability, response times,
and escalation procedures.
o Provision for user training, onboarding, and ongoing training resources.
o Service Level Agreements (SLAs): Detailed SLAs for support and maintenance,
specifying response and resolution times.
o User Self-Support Tools: Availability of self-service options, such as knowledge
bases, FAQs, or automated help features.
5. Security and Compliance:
o Adherence to data security, privacy, and compliance standards (e.g., encryption, data retention policies, GDPR).
o Measures for secure access, data protection, and user authentication (e.g., Two-Factor
Authentication, role-based access control).
o Disaster Recovery and Business Continuity: Vendor’s disaster recovery plan and
the solution's ability to support business continuity in case of a crisis.
o Regulatory Compliance: Alignment with relevant local and international
regulations, such as aviation, financial, and data privacy laws.
6. Total Cost of Ownership (TCO) and Pricing:
o Total Cost of Ownership (TCO), including all upfront costs, licensing fees, and
maintenance costs for up to 100 users.
o Clear breakdown of the proposed pricing structure and any additional costs, such as
for optional features, storage, or third-party integrations.
o Cost Flexibility: The vendor’s ability to offer flexible pricing options, such as tiered
pricing based on usage or contract length.
7. Scalability and Future-Readiness:
o Solution’s scalability to accommodate potential growth in users, contract volume, or
features.
o Vendor’s commitment to updates, enhancements, and technological advancements to
keep the solution up-to-date.
o Cloud Infrastructure & Availability: If SaaS, assess the vendor’s cloud
infrastructure, uptime guarantees, and redundancy measures for system availability.
8. Ease of Use and User Experience:
o Solution’s user interface, intuitiveness, and ease of use for various user roles.
o Availability of a demo, trial version, or prototype to assess usability and fit as per the
response to this bid.
o User Feedback: The vendor’s approach to incorporating user feedback and
continuous improvement in user experience.
9. Vendor Support for Innovation and Customization:
o The vendor's ability to support and implement customizations and innovations
requested by the organization during the term of the contract.
o Innovative Features: Evidence of the vendor’s ability to innovate or provide unique
features (e.g., AI-driven contract analysis, automated risk assessments).
10. Customer Success and References:
o Vendor’s customer success program, including ongoing customer engagement and
proactive account management.
o Feedback from previous clients, particularly those in similar industries, to assess the
vendor’s long-term reliability and support quality.
11. Trial Period or Proof of Concept (PoC):
o Availability of a trial period or Proof of Concept (PoC) to evaluate the solution's
practical applicability within the organization's environment.

o PoC Success Criteria: Clearly defined success criteria for the PoC to ensure the solution meets requirements before full deployment.

8. INFORMATION SECURITY AND DATA PROTECTION

Each item in the checklist below is to be answered Compliant: Yes / No, with remarks.

1 Privacy Policies

1.1 The Service Provider shall comply with the obligations under the EU General Data Protection Regulation (GDPR), as more fully set out in [https://gdpr.eu/tag/gdpr/], in relation to any Personal Data of customers, employees, and the Board of Directors of SriLankan Airlines.

1.2 The Service Provider shall process any Personal Data solely for the purposes identified by the relevant Agreement.

1.3 The Service Provider shall have in place appropriate technical and organizational measures to ensure a level of security commensurate with the risks associated with the Processing of Personal Data; such measures shall be appropriate to protect against accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of or access to Personal Data.

1.4 The Service Provider shall notify SriLankan promptly and without undue delay, and in any event within 24 hours of becoming aware of any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data ("Personal Data Breach"), of the existence, nature, and scale of the Personal Data Breach; shall comply with its obligations under the EU GDPR in respect of the Personal Data Breach; and shall co-operate with SriLankan to make any reasonable changes to its processes or procedures to prevent a recurrence of the Personal Data Breach.

1.5 The Service Provider shall not engage any third parties or non-employees to process Personal Data unless SriLankan has expressly consented in writing in advance to the use of such third parties.

1.6 The Service Provider shall ensure that any person acting under its authority in relation to the Personal Data, including a Data Processor, is obligated to Process the Personal Data only on the instructions of SriLankan and has in place appropriate technical and organizational measures to ensure a level of security commensurate with the risks associated with the Processing.

2 Security Governance

2.1 The Solution and the Service Provider should be certified against the ISO/IEC 27001:2013 Information Security Management System (ISMS) standard, and the certification should be up to date.

2.2 The Service Provider shall designate a named individual or a team with overall accountability for Information Security, to review compliance with and enforce the information security requirements in the agreement with SriLankan Airlines, and to liaise with the SriLankan Information Security team as required.

3 Security Risk and Compliance

3.1 The Service Provider shall perform Information Security risk assessments periodically and maintain a register of security risks related to the provision of its services to SriLankan and the processing of SriLankan information and/or information systems.

3.2 The Service Provider shall comply with all applicable SriLankan corporate and Information Security policies, standards, and procedures.

3.3 The Service Provider shall notify SriLankan Airlines where a sub-contractor is engaged to provide services and shall ensure that the sub-contractor also abides by this policy.

3.4 The Service Provider shall abide by the contractual agreements put in place with respect to SriLankan Airlines' requirements, which include but are not limited to data ownership and intellectual property rights.

3.5 The Service Provider agrees that SriLankan Airlines may perform a periodic assessment of the Service Provider's publicly visible security posture where necessary, and the results will be:
3.5.1 shared with the Service Provider, which shall take reasonable action to fix the anomalies/vulnerabilities within a timeline agreed by both parties; and
3.5.2 considered in future engagements with SriLankan Airlines.

4 Personnel and Physical Security

4.1 The Service Provider shall implement all applicable physical and environmental security controls to provide adequate protection to SriLankan information and information systems.

4.2 The Service Provider shall maintain a formal employee separation process which includes, but is not limited to, revocation of access, return of assets, and an exit interview.

5 Security in Applications, Systems, and Networks

5.1 The Service Provider shall ensure that SriLankan information and/or information systems are physically or logically segregated from those of other customers.

5.2 The Service Provider shall design, implement, and operate suitable controls to ensure continuity of services in accordance with the system uptime and performance requirements, Recovery Time Objective, and Recovery Point Objective.

5.3 The Service Provider shall maintain an established process to provision, review the access rights of, and de-provision user and service accounts. Periodic access review reports shall be submitted to SriLankan.

5.4 The Service Provider shall implement and operate robust network, system, and application access controls to authenticate, authorize, and log all access attempts pertaining to SriLankan information and information systems. This applies to access attempts made by users, services, and devices.

5.5 The Service Provider shall not process or store SriLankan information on end-user systems such as laptops, desktops, and mobile devices. Where this is a legitimate requirement, adequate security controls, including but not limited to encryption, access control, and Mobile Device Management, shall be implemented and operated.

5.6 The Service Provider shall conduct annual vulnerability assessments and/or penetration tests on applications, systems, and networks that transmit, process, or store SriLankan information. Reports shall be shared with relevant stakeholders in SriLankan. The Service Provider shall apply security patches within a mutually agreed timeline without any cost escalation.

5.7 SriLankan Airlines may perform vulnerability scans at least annually, and findings will be notified to the Service Provider. If any vulnerability is found, the Service Provider shall apply security patches within a mutually agreed timeline without any cost escalation.

5.8 The Service Provider should provide to SriLankan Airlines, on request, the status of the closure of high-severity vulnerabilities.

6 Security in System Delivery Lifecycle

6.1 The Service Provider shall have an established software/systems delivery lifecycle process embedding adequate security at all stages, including but not limited to secure by design, secure by default, and security in deployment, in accordance with the applicable external standards, regulations, and SriLankan requirements.

6.2 The Service Provider shall conduct security code reviews for all versions of the application prior to release. Reports shall be shared with relevant stakeholders in SriLankan.

6.3 The Service Provider shall ensure that access to program source code is restricted and strictly controlled.

6.4 The Service Provider shall conduct security code reviews for all versions of the application prior to release. Reports shall be shared with relevant stakeholders on a request basis.

7 Data Security
The Service Provider shall design, implement, and
operate adequate security controls to protect the
confidentiality, integrity, and availability of
7.1
SriLankan data and/or information in accordance
with the classification levels (As mentioned at the
end of the document).
7.2 Security controls for adequate protection shall include but not be limited to access control, cryptography, data backups, Data Loss Prevention, Digital Rights Management, and Anti-Malware.
7.3 The Service Provider shall retain SriLankan data and/or information based on the SriLankan data retention policy, which is 12 years as per the Right to Information Act, No. 12 of 2016.
8 Backups
8.1 Scheduled data backups should be available within the solution and the backup retention period should be 12 years for all SriLankan/service-related data.
9 Authentication & Password Compliance
9.1 The Solution should be capable of integrating with Microsoft Active Directory, or The Service Provider shall use Role Based Access and workflow Approvals (Segregation of Duties) within the solution. The Service Provider shall apply at least the following Password Policy rules within the solution: Password age – 90 days, Minimum password length – 8 characters, Password change at initial login, Password complexity (at least one ‘UPPERCASE’ character, at least one ‘lowercase’ character, and a mixture of numbers and/or symbols), lockout after 5 unsuccessful attempts, 30 minutes lockout duration, password history – 8 passwords.
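The clause 9.1 rules as they would be enforced in application code (initial-login change, complexity, 8-password history, 5-attempt lockout for 30 minutes, 90-day age). This is an added Python example, not part of the RFP or any vendor's product; the Account class and its method names are assumptions for illustration.

```python
# Added example (not from the RFP): enforcing the clause 9.1 password rules in
# application code. Constants mirror the clause; names are assumptions.
import hashlib, hmac, os
from datetime import datetime, timedelta
MAX_AGE = timedelta(days=90)              # password age
MIN_LENGTH = 8                            # minimum password length
LOCKOUT_ATTEMPTS = 5                      # lockout after 5 unsuccessful attempts
LOCKOUT_DURATION = timedelta(minutes=30)  # lockout duration
HISTORY_DEPTH = 8                         # password history

def _hash(pw, salt):
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)

def complexity_ok(pw):
    """>= 8 chars, one uppercase, one lowercase, and a digit or symbol."""
    return (len(pw) >= MIN_LENGTH and any(c.isupper() for c in pw)
            and any(c.islower() for c in pw) and any(not c.isalpha() for c in pw))

class Account:
    def __init__(self, password, now):
        self.history = []          # (salt, digest) of recent passwords, newest last
        self.failed, self.locked_until = 0, None
        self.must_change = True    # password change at initial login
        self.changed_at = now
        self._store(password)
    def _store(self, pw):
        salt = os.urandom(16)
        self.history = (self.history + [(salt, _hash(pw, salt))])[-HISTORY_DEPTH:]
    def _matches(self, pw, entry):
        return hmac.compare_digest(_hash(pw, entry[0]), entry[1])
    def change_password(self, new_pw, now):
        if not complexity_ok(new_pw):
            return "weak"
        if any(self._matches(new_pw, e) for e in self.history):
            return "reused"        # still within the last 8 passwords
        self._store(new_pw)
        self.changed_at, self.must_change = now, False
        return "ok"
    def login(self, pw, now):
        if self.locked_until and now < self.locked_until:
            return "locked"
        if not self._matches(pw, self.history[-1]):
            self.failed += 1
            if self.failed >= LOCKOUT_ATTEMPTS:
                self.locked_until, self.failed = now + LOCKOUT_DURATION, 0
            return "denied"
        self.failed = 0
        if self.must_change or now - self.changed_at > MAX_AGE:
            return "change_required"
        return "ok"
```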
9.2 The Service Provider shall transfer Authentication information through secure protocols.
9.3 The solution should be able to display the time and date of the last successful login, and any failed login attempts, to the user.

10 Audit & Event Logs
10.1 Application Audit Logs (including transaction logs), Database Level Audit Logs, and Event Logs (including successful/unsuccessful login attempts) should be available within the solution.
10.2 The solution should be capable of keeping logs for all user activities, including administrative and privileged user activities, and system configuration changes.
10.3 Solution and/or Service Provider(s) shall agree to transmit collected audit, security, and transaction logs to SriLankan Airlines on demand.
11 Encryption
11.1 The Service Provider shall use industry-standard encryption to encrypt data in transit and data at rest.
12 Connectivity and Access Control
12.1 The solution should be enabled with current TLS version certificates.
12.2 The Service Provider shall protect remote diagnostic and configuration ports.
12.3 The Service Provider shall configure inactive session timeout (for Application, Database, OS, Console).
13 Service Continuity (The following values are expected minimums, and this is subject to change based on the criticality of the solution)
13.1 Availability - 99.95% or higher
13.2 Recovery Time Objective - 1 hour or less
13.3 Recovery Point Objective - 1 hour or less
14 Right to Audit & Monitor
14.1 The Service Provider shall agree that the performance of the Services will be subject to audit and monitoring by SriLankan Airlines.
15 Legislative, Standards & Regulatory Compliance
15.1 The Service Provider shall agree to sign a Reciprocal Non-Disclosure Agreement with SriLankan Airlines.
15.2 Information shared or services obtained as part of the SriLankan Airlines engagement with The Service Provider will be governed by requirements set forth in ISO/IEC 27001:2013 Information Security Management System (ISMS) and subject to signing this policy, which will become an integral part of the Service Agreement(s).
15.3 In the event that the Solution and/or Service Provider(s) handle payment card information, the Solution and/or Service Provider(s) should be compliant with the PCI DSS (Payment Card Industry Data Security Standard) and the certification should be up to date.

15.4 Solution and/or Service Provider(s) shall comply with acts, regulations, circulars, and guidelines related to eLaws and policies of the Sri Lanka government (published on https://www.icta.lk/act/), including but not limited to the Sri Lanka Computer Crime Act No 24 of 2007 and the Information and Communication Technology Act No.27 of 2003.
16 Evaluation of The Service Provider/Cloud Service Provider (CSP)
16.1 SriLankan may perform periodic assessments of the Cloud Security Provider’s security posture where necessary.
16.2 The Service Provider/CSP hosting SriLankan data shall maintain a certification in good standing against an approved Information Assurance Framework. The certification by an independent and recognized third party may be required to get reasonable assurance that security controls are planned and properly implemented.
17 Protection of SriLankan Data in Cloud Environment
17.1 The Service Provider must operate a Layered Security model at the perimeter, core network, systems, application, and data layers to adequately protect SriLankan data.
17.2 SriLankan data and application environment must be segregated from other entities’ environments.
18 Compliance and Audit in Cloud Environment
18.1 The Service Provider must demonstrate compliance against the SriLankan Extended Information Security policy, relevant contractual requirements, and applicable external standards and regulations.
18.2 SriLankan shall conduct security reviews where necessary on the cloud environment on an ongoing basis to verify compliance.

Information Classification Matrix

Classification Level: Public
Classification Criteria: Making the information public cannot harm SriLankan Airlines in any way
Access Restriction: Information is available to the public

Classification Level: Internal use
Classification Criteria: Unauthorized access to information may cause minor damage and/or inconvenience to SriLankan Airlines
Access Restriction: Information is available to all employees and selected third parties

Classification Level: Restricted
Classification Criteria: Unauthorized access to information may considerably damage the business and/or SriLankan Airlines' reputation
Access Restriction: Information is available only to a specific group of employees and authorized third parties

Classification Level: Confidential
Classification Criteria: Unauthorized access to information may cause catastrophic (irreparable) damage to business and/or to SriLankan Airlines’ reputation
Access Restriction: Information is available only to individuals in SriLankan Airlines
