Welcome to the NEW Information Technology Website | UCSF IT



Infrastructure

INF 1.1  Provide infrastructure requirements (or options) and specifications, including storage requirements and ports for app/web servers
INF 1.2  Provide list of supported operating systems/versions and upgrade/certification process
INF 1.3  Provide list of supported web browsers/versions and upgrade/certification process
INF 1.4  Provide full inventory of all software needed for your system
INF 1.5  Provide recommended OS/hardware upgrade policy - for internally hosted
INF 1.6  Describe mobile device (smartphones, tablets) support
INF 1.7  Describe deployment process of application fixes/enhancements - for internally hosted
INF 1.8  Describe application upgrade process - for internally hosted
INF 1.9  Explain ability to refresh data and configuration on demand for non-production environment - for internally hosted

Security

SEC 1.1  Ability to provide application for UCSF operating system vulnerability scan
SEC 1.2  What are your authentication protocols?
SEC 1.3  Describe SSO solutions and ability to integrate with Shibboleth
SEC 1.4  Describe application access audit and monitoring capability
SEC 1.5  Describe any server/application configuration options for security (e.g. timeout, lockout)
SEC 1.6  Describe how security configuration is managed for hardware and/or software (including OS)
SEC 1.7  Provide security risk/vulnerability assessment results
SEC 1.8  Describe continuous security vulnerability assessment and remediation process
SEC 1.9  Describe methodology for staying current with latest security standards
SEC 1.10 Describe security patch process
SEC 1.11 Describe authenticated (privileged) scan process
SEC 1.12 Describe user account provision/de-provision/change process (include infrastructure, configuration management and software)
SEC 1.13 Describe user account review process
SEC 1.14 Describe intrusion detection process
SEC 1.15 Describe password mandates
SEC 1.16 Describe data encryption for all sensitive data
SEC 1.17 Describe password/passphrase complexity
SEC 1.18 Describe encryption in transit between all devices and servers
SEC 1.19 Describe encryption on mobile devices and removable storage media
SEC 1.20 Describe secure deletion process upon decommission
SEC 1.21 Describe access control to the application via its incorporated interface
SEC 1.22 Describe access control to the underlying data via direct and third-party tools
SEC 1.23 Describe access control across different user roles
SEC 1.24 Describe security at the field level, screen level and user role level
SEC 1.25 Describe privacy and security training in your organization
SEC 1.26 Describe reports available for all audits within the system

SEC 1.1  Ability to provide application for UCSF operating system vulnerability scan (authenticated at all privilege levels and unauthenticated)
SEC 1.2  Ability to provide application for UCSF application vulnerability scan (authenticated at all privilege levels and unauthenticated)
SEC 1.3  What are your authentication protocols?
SEC 1.4  Describe SSO solutions and ability to integrate with Shibboleth
SEC 1.5  Describe application access audit and monitoring capability
SEC 1.6  Describe any server/application configuration options for security (e.g. timeout, lockout)
SEC 1.7  Describe how security configuration is managed for hardware and/or software (including OS)
SEC 1.8  Provide security risk/vulnerability assessment results
SEC 1.9  Describe continuous security vulnerability assessment and remediation process
SEC 1.10 Describe methodology for staying current with latest security standards
SEC 1.11 Describe security patch process
SEC 1.12 Describe authenticated (privileged) scan process
SEC 1.13 Describe user account provision/de-provision/change process (include infrastructure, configuration management and software)
SEC 1.14 Describe user account review process
SEC 1.15 Describe intrusion detection process
SEC 1.16 Describe password mandates
SEC 1.17 Describe data encryption for all restricted data in transmission
SEC 1.18 Describe password/passphrase complexity
SEC 1.19 Describe encryption in transit between all devices and servers
SEC 1.20 Describe encryption on mobile devices and removable storage media
SEC 1.21 Describe secure deletion process upon decommission
SEC 1.22 Describe access control to the application via its incorporated interface
SEC 1.23 Describe access control to the underlying data via direct and third-party tools
SEC 1.24 Describe access control across different user roles
SEC 1.25 Describe security at the field level, screen level and user role level
SEC 1.26 Describe privacy and security training in your organization
SEC 1.27 Describe reports available for all audits within the system
SEC 1.28 Describe data encryption for all restricted data at rest
SEC 1.29 Describe data encryption for all restricted data during processing
SEC 1.30 Describe key management capabilities and lifecycle (key storage, use, distribution, destruction, archiving, offline availability, generation, etc.)
SEC 1.31 Describe encryption algorithms
SEC 1.32 Describe key exchange capabilities
SEC 1.33 Please describe Active Directory integration and support capabilities (leverage LDAP, Active Directory services, forest aware, federated services, non-contiguous DNS domain Active Directory forest of trees, etc.)
SEC 1.34 Describe user account provisioning APIs and automation capabilities
SEC 1.35 Describe HIPAA compliance with the Security Rule administrative safeguards (required and addressable elements)
SEC 1.36 Describe HIPAA compliance with the Security Rule technical safeguards (required and addressable elements)
SEC 1.37 Describe HIPAA compliance with the Security Rule physical safeguards (required and addressable elements)
SEC 1.38 Describe your company's risk analysis and risk management processes
SEC 1.39 Describe any audit or certification (e.g. SOC 2 Type 2, ISO, etc.)
SEC 1.40 Describe PCI compliance capabilities
SEC 1.41 Describe FERPA compliance capabilities
SEC 1.42 Describe adherence to SB1386 regulatory compliance
SEC 1.43 Describe user ID/password expiration options (date based, lack-of-activity based, brute force lockout) and whether the solution can meet UCSF policies and standards
SEC 1.44 Does the solution require password changes? Please describe
SEC 1.45 Does the service offer user-based password self-service and/or security questions? Please describe
SEC 1.46 Can your solution provide automatic logoff based on time and/or activity? Please describe
SEC 1.47 Can your solution provide login activity (frequency and anomaly) detection? Please describe
SEC 1.48 Can your solution provide login geographic anomaly detection? Please describe
SEC 1.49 Does your solution provide two-factor authentication, partner-based integration with another two-factor authentication solution, or a best practice integration reference?
SEC 1.50 Are passwords masked when entered in the password field? Please describe
SEC 1.51 Are passwords removed on page reload or when selecting the "back" button? Please describe
SEC 1.52 Does the solution provide user activity reporting? Please describe
SEC 1.53 Does the solution provide administrative role-based access control with pre-built templates? Please describe
SEC 1.54 Does the solution provide user-based role-based access control with pre-built templates? Please describe
SEC 1.55 Describe login auditing detail available in the solution.
SEC 1.56 Does the solution provide external/federated authentication or public user ID capabilities? Please describe
SEC 1.57 Is data encrypted between application tiers and/or different elements of a distributed system (e.g. encrypted when transmitting information between the web server, the application server, and the web server)? Please describe
SEC 1.58 Does the solution offer offline media encryption? Please describe
SEC 1.59 Describe the log retention capabilities.
SEC 1.60 Please describe the system recovery options for the solution and any customer-provided prerequisites.
SEC 1.61 Does the vendor provide documentation describing best practice architecture and guidance for various recovery time objectives and recovery point objectives?
SEC 1.62 Please describe the software development lifecycle model and/or any standards followed in creating, maintaining, and versioning software.
SEC 1.63 Please describe adherence to development best practices to mitigate common vulnerabilities such as XSS, XSRF, SQL injection, etc.
SEC 1.64 Please describe programming practices to protect against buffer overflows, format string attacks, in-memory data exfiltration attacks, etc.
SEC 1.65 Please describe reference deployment/architecture/configuration penetration and vulnerability testing

Note from UCSF IT Security: This checklist is not meant to replace meaningful analysis based on the product and/or service being acquired in the RFP. It serves as a baseline of common security controls and capabilities for software and hardware solutions. It does not address "X as a service" RFPs in their totality; special attention should be paid to these solutions, and something similar to NIST's draft Cloud Computing Security publication or CSA's CCM should be leveraged to identify and characterize the cloud service being reviewed so that appropriate levels of diligence can be applied. For further detail, please reference NIST guidelines for the specific technological area being reviewed. For all solutions, UC and UCSF policies, guidelines, standards, and procedures should be reviewed to ensure appropriate RFP questions are added. Lastly, all local, state, and federal regulatory requirements should be addressed based on the data type, business function, and/or solution target of the solution being purchased.

Development

DEV 1.1  Describe how application is certified on a new release of OS or RDBMS
DEV 1.2  Describe development platform (programming languages, frameworks, etc.)
DEV 1.3  Describe customer's ability to customize/extend applications
DEV 1.4  Describe application enhancement/upgrade process
DEV 1.5  Describe development/testing process
DEV 1.6  Describe application patch/fix process
DEV 1.7  Describe archive methodology and retrieval of archived data procedure
DEV 1.8  Explain performance testing process and benchmark
DEV 1.9  Describe ability to export data and configurations
DEV 1.10 Describe ability to refresh Dev/Test database on demand from production DB
DEV 1.11 Describe data conversion/migration utilities/tools
DEV 1.12 Describe source code availability
DEV 1.13 Provide published and documented API
DEV 1.14 Provide development roadmap
DEV 1.15 Describe reporting solutions
DEV 1.16 Describe how system is accessibility compliant
DEV 1.17 Describe experience with integrating with ERP systems (give specific examples)
DEV 1.18 Describe application support process (hours, methods) - for internally hosted
DEV 1.19 Describe technical training availability

SaaS

SaaS 1.1  Describe data center physical security
SaaS 1.2  Describe disaster recovery/testing process and provide documentation
SaaS 1.3  Describe how security configuration is managed for hardware, software (including OS)
SaaS 1.4  Describe your environment's systems firewall configurations
SaaS 1.5  Describe how the infrastructure of the system is separated from other unrelated systems
SaaS 1.6  What control is in place to prevent non-essential staff from accessing customer data?
SaaS 1.7  Describe solution to ensure use of authentication on all devices and protect from unauthorized access
SaaS 1.8  Describe available environments (Dev, QA, STG, TRN, PROD, etc.)
SaaS 1.9  Explain BAA procedure with customer
SaaS 1.10 Describe backup/recovery procedures (failover process/procedure)
SaaS 1.11 Describe technical support process (hours, methods)
SaaS 1.12 Explain how SaaS can be converted to an in-house hosted solution and vice versa
SaaS 1.13 Explain OS/HW upgrade process/procedures
SaaS 1.14 Describe system availability (24x7) and explain any required downtime
SaaS 1.15 Describe server maintenance process/procedure
SaaS 1.16 Describe server and application monitoring process/procedures
SaaS 1.17 Explain a method for data transfer and destruction in case of conversion to another system
SaaS 1.18 Describe how UCSF personnel can access data
SaaS 1.19 Describe experience with integrating with Shibboleth (UCSF SSO) solution
SaaS 1.20 Describe deployment process of application fixes/enhancements
SaaS 1.21 Describe application upgrade process
SaaS 1.22 Explain how system environment documents are kept current
SaaS 1.23 Explain ability to refresh data and configuration on demand for non-production environment