State of Connecticut



Board of Regents for Higher Education

Request for Proposal (RFP) BOR-1511

FEDERATED IDENTITY SERVICES

Due date: Friday, February 27, 2015, by 2:00 PM EST

Table of Contents:

I. Statement of Objectives

II. Background

III. Scope of Project

IV. Proposal Submission Requirements

V. Format of Proposals

VI. Evaluation of Proposals

VII. Time Frames

VIII. Conditions

IX. Insurance

X. Freedom of Information

Attachments

Attachment A - Contract Proposal

Attachment B - Gift and Campaign Contribution Certification

Attachment C - Consulting Agreement Affidavit

Attachment D - Affirmation of Receipt of State Ethics Laws Summary

Attachment E - Iran Certification Form

Attachment F - Nondiscrimination Certification Affidavit Form C

Attachment G - Commission on Human Rights and Opportunities Form

Attachment H - SEEC Notice to Executive Branch State Contractors and Prospective State Contractors of Campaign Contribution and Solicitation Limitations

Attachment I - Contract Provisions

Attachment J - Connecticut General Statute Sec. 36a-701b

I. STATEMENT OF OBJECTIVES

Connecticut’s Board of Regents for Higher Education (“BOR” or “Board”), on behalf of the Connecticut State Colleges and Universities (“CSCU” or “ConnSCU”), is seeking proposals from vendors to provide and implement an out-of-the-box, cloud-based software-as-a-service (SaaS) solution that provides federated single sign-on (SSO), entitlement fulfillment (identity governance and administration, or IGA) and business intelligence related to internal and external application services (taken together, “federated identity services”). The implementation of such a solution is a high-priority initiative of CSCU.

II. BACKGROUND

In 2011, Public Acts 11-48 and 11-61 instituted consolidated governance of Connecticut higher education, creating the Connecticut State College and University (CSCU) system. The Board of Regents for Higher Education serves as the governing body for CSCU, which comprises the regional community-technical college system, the Connecticut State University System and Charter Oak State College pursuant to Subsection (a) of Section 211 of PA 11-48. Since January 1, 2012, the Board of Regents has also been authorized to act, as necessary, as the Board of Trustees for the Community-Technical Colleges, the Board of Trustees for the Connecticut State University System and the Board for State Academic Awards (which is the Board for Charter Oak State College) pursuant to sections 10a-71, 10a-88 and 10a-143 of the Connecticut General Statutes, as amended. The specific powers and duties of the Board are prescribed in Title 10a of the Connecticut General Statutes and are further delineated in policies adopted by the Board from time to time.

Collectively known as ConnSCU or CSCU, the Connecticut State Colleges and Universities maintain distinct mission statements to serve their constituents while collectively working to achieve a system-wide vision and mission. Together, the current colleges and universities employ approximately 11,400 full- and part-time staff, and provide instruction to approximately 90,000 students (55,000 full-time enrolled). In addition, the colleges and universities maintain the identity of alumni and inactive students to provide transcript request and other less-frequently used services to a large community of former affiliates. The CSCU institutions are located throughout the State of Connecticut:

• BOR System Office Hartford

• Asnuntuck Community College Enfield

• Capital Community College Hartford

• Central Connecticut State University New Britain

• Charter Oak State College New Britain

• Eastern Connecticut State University Willimantic

• Gateway Community College New Haven

• Housatonic Community College Bridgeport

• Manchester Community College Manchester

• Middlesex Community College Middletown

• Naugatuck Valley Community College Waterbury

• Northwestern CT Community College Winsted

• Norwalk Community College Norwalk

• Quinebaug Valley Community College Danielson

• Southern Connecticut State University New Haven

• Three Rivers Community College Norwich

• Tunxis Community College Farmington

• Western Connecticut State University Danbury

For additional information, please visit our website: ct.edu

III. SCOPE OF PROJECT

A. The Federated Identity Services initiative has eight goals:

1. Create a system-wide identity for students, faculty, and staff

2. Reduce solution complexity (taken as a whole across the system)

3. Improve the availability of services

4. Enable system-wide single sign-on (SSO)

5. Support inter-institutional activities and resource sharing

6. Reduce IAM-associated workloads on IT staff

7. Improve security

8. Improve efficiency through optimized processes and support

B. Installed Technical Base

The colleges and universities operate multiple installations of ERP systems, each currently considered an authoritative source of identity information for its respective institution, and have separate authentication and entitlement fulfillment workflows.

1. Each of the four state universities has an installation of Ellucian Banner ERP and its own MS Active Directory service used to authenticate users.

2. The twelve community colleges share a common instance of Banner ERP and MS AD to serve their users.

3. Charter Oak State College maintains an instance of Jenzabar Higher Education Management Software and MS AD for its student base.

4. Several of the institutions run independent portals that provide limited single sign-on and entitlement fulfillment workflows.

The six identity management regimes have developed in independent silos, according to the needs and capabilities of their respective institutions. As a result, a single person may have identities duplicated at multiple institutions.

C. Technical Requirements

To be considered, please affirm that your proposed solution offering meets the following minimum requirements:

1. The solution provides single sign-on to application services hosted internal and external to our on-site technical environment.

2. The solution is cloud-based software-as-a-service, requiring minimal or no on-site footprint and maintenance requirements.

3. The solution provides the CSCU institutions with the ability to login through individually branded portals hosted on-premise.

4. The solution provides the CSCU institutions with the ability to login through individually branded portals hosted by the company as part of the offering.

5. The solution can provide a self-service password reset function.

6. The solution is capable of using the most recent versions of Security Assertion Markup Language (SAML) to create a sign-on to internal or external services.

8. The solution can provide out-of-the-box SSO to Ellucian Banner Self-Service, Ellucian Internet Native Banner, Blackboard Learning Management System, Office 365, Microsoft Exchange (hosted on-premise).

9. The solution can connect to and interoperate with on-premise instances of Microsoft Active Directory deployed in a multi-forest, multi-domain configuration across separate and distinct data centers.

10. The solution can provide role-based, rule-based and attribute-based authorization (access control) for dependent applications.

11. The solution may be used to implement multi-factor authentication to specific applications designated as requiring more restricted access.

12. The solution can automate synchronization (adds, changes and deletions) of identities to target applications and other repositories.

13. The solution can automate provisioning and de-provisioning of accounts across systems.

14. The solution provides an administrative interface for CSCU staff to administer identities directly.

15. The solution provides out-of-the-box reports on access events, per system and per date.

16. The solution provides out-of-the-box reports on IGA events, per system and per date.

17. The solution provides out-of-the-box reports on role membership.

18. The solution provides ad hoc reporting on some or all of these items.

19. The solution is supported through a technical support service level agreement that defines support hours, availability targets and provides reported metrics on service availability, responsiveness and resource utilization.

20. The solution is browser neutral and platform agnostic.

21. The solution is compliant with Section 508 of the Rehabilitation Act of 1973 and with the Americans with Disabilities Act (ADA).
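Requirements 6, 10 and 11 above are where most SSO deployments go wrong in practice: a service provider that accepts a SAML assertion without checking audience, validity window, recipient and replay will trust attributes it should not, and an application that keys its decision on the wrong attribute will grant access it should not. The following is an added example, not part of the RFP and not any vendor's code, showing the minimum checks a relying application should apply to a SAML 2.0 bearer assertion before using its attributes, followed by an attribute-based authorization decision of the kind requirements 10 and 11 describe (affiliation gating, plus a stronger authentication context for a restricted application). The issuer, audience, endpoint URLs, attribute names, policy table and the assertion itself are all constructed. Signature verification is deliberately not shown: run an XML-DSig library (for example xmlsec) over the assertion before any of these checks, and parse untrusted XML with defusedxml rather than the standard library parser.

```python
"""Added example (not from the RFP): SP-side SAML 2.0 assertion checks and an
attribute-based authorization decision. Signature verification is assumed to
have already passed; the SP configuration, policy and assertion are constructed."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET  # use defusedxml for untrusted input in production

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML}

# Constructed sample assertion: issuer, audience, recipient and attributes are made up.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1b2c3" Version="2.0" IssueInstant="2015-02-01T12:00:00Z">
<saml:Issuer>https://idp.example.edu/idp</saml:Issuer>
<saml:Subject><saml:NameID>cscu-00012345</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData Recipient="https://lms.example.edu/saml/acs" InResponseTo="_req42" NotOnOrAfter="2015-02-01T12:05:00Z"/>
</saml:SubjectConfirmation></saml:Subject>
<saml:Conditions NotBefore="2015-02-01T11:59:00Z" NotOnOrAfter="2015-02-01T12:05:00Z">
<saml:AudienceRestriction><saml:Audience>https://lms.example.edu/sp</saml:Audience></saml:AudienceRestriction>
</saml:Conditions>
<saml:AuthnStatement AuthnInstant="2015-02-01T11:59:30Z"><saml:AuthnContext>
<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
</saml:AuthnContext></saml:AuthnStatement>
<saml:AttributeStatement>
<saml:Attribute Name="eduPersonAffiliation"><saml:AttributeValue>student</saml:AttributeValue></saml:Attribute>
<saml:Attribute Name="institution"><saml:AttributeValue>univ-a</saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement>
</saml:Assertion>"""

SP = {  # constructed service-provider configuration
    "issuer": "https://idp.example.edu/idp",
    "audience": "https://lms.example.edu/sp",
    "acs": "https://lms.example.edu/saml/acs",
}
SAMPLE_NOW = datetime(2015, 2, 1, 12, 0, 30, tzinfo=timezone.utc)
SAMPLE_LATER = SAMPLE_NOW + timedelta(minutes=10)
SKEW = timedelta(seconds=60)  # tolerated clock skew between IdP and SP

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate_assertion(xml_text, sp, request_id, now, seen_ids):
    """Return (attrs, None) on success or (None, reason) at the first failed check.
    seen_ids is the SP's replay cache of accepted assertion IDs."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML}}}Assertion":
        return None, "not an Assertion"
    if root.findtext("saml:Issuer", namespaces=NS) != sp["issuer"]:
        return None, "unexpected issuer"
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        return None, "missing Conditions"
    if now + SKEW < _ts(cond.get("NotBefore", "1970-01-01T00:00:00Z")):
        return None, "not yet valid"
    if now - SKEW >= _ts(cond.get("NotOnOrAfter", "9999-12-31T23:59:59Z")):
        return None, "expired"
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if sp["audience"] not in audiences:
        return None, "audience mismatch"
    scd = root.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != sp["acs"] or scd.get("InResponseTo") != request_id:
        return None, "bearer confirmation mismatch"
    if now - SKEW >= _ts(scd.get("NotOnOrAfter", "9999-12-31T23:59:59Z")):
        return None, "bearer expired"
    if root.get("ID") in seen_ids:
        return None, "replayed assertion"
    seen_ids.add(root.get("ID"))
    attrs = {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
             for a in root.findall("saml:AttributeStatement/saml:Attribute", NS)}
    attrs["authn_context"] = root.findtext(
        "saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", namespaces=NS)
    return attrs, None

STRONG_AUTHN = {  # constructed: authentication contexts this SP treats as multi-factor
    "https://refeds.org/profile/mfa",
    "urn:oasis:names:tc:SAML:2.0:ac:classes:SmartcardPKI",
}
POLICY = {  # constructed per-application rules in the spirit of requirements 10 and 11
    "lms": {"affiliations": {"student", "faculty", "staff"}, "mfa": False},
    "hr-payroll": {"affiliations": {"staff"}, "mfa": True},
}

def authorize(app, attrs):
    """Attribute-based decision: anything not explicitly allowed is denied."""
    rule = POLICY.get(app)
    if rule is None:
        return False
    if not set(attrs.get("eduPersonAffiliation", [])) & rule["affiliations"]:
        return False
    if rule["mfa"] and attrs.get("authn_context") not in STRONG_AUTHN:
        return False
    return True
```

The order of checks matters less than their completeness; the replay cache is the one most often omitted, and it must be shared across all nodes that accept assertions for the same audience, with entries kept at least until the assertion's NotOnOrAfter has passed.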

D. Security Requirements

1. Security Program

a. Please provide an overview of your information security program architecture and, if applicable, describe how it is designed to meet a recognized standard (e.g. NIST, ISO 27000, etc).

i. If the program is not designed to a commonly recognized standard, please provide a program mapping to NIST controls.

b. Please describe your information security program and the implemented security controls of the program.

c. Please describe how your service is updated to meet changing standards, requirements, and best practices.

2. Applications and Data

a. Please describe the information necessary to your service.

i. Of that information, identify those elements that would be subject to security protections and restrictions.

b. Please describe how information necessary to the service will be exchanged securely and whether the cryptography used meets FIPS encryption standards (e.g. FIPS 140-2 validated cryptographic modules).

c. Please describe how information necessary to the service will be stored securely. Specifically,

i. Is data in storage encrypted?

ii. Is data in memory encrypted?

iii. How is data in transport protected?

iv. How are encryption keys secured and escrowed?

v. What encryption algorithm is used to encrypt data?

d. Please describe how our information is kept separate from the information of other customers.

e. Briefly describe the application architecture. Include a description of architecture components and design aimed toward high-availability, survivability against denial-of-service, and application performance.

f. Does your company use content monitoring and filtering and/or data loss prevention (DLP) processes and controls to detect inappropriate data flows?

g. Describe how the security of applications you develop or use (including supporting code, such as Ajax, ActiveX controls, and Java applets) is evaluated.

h. Does your company have documented procedures for system hardening and configuration management, including installing security patches, for all applications?

i. Can your company show a documented process for evaluating and remediating security alerts from operating system and application vendors? If possible, please provide a narrative of how you handled a recent alert.

j. Please describe how our information will be transferred to CSCU and purged from your systems after contractual services end. Include reference to encrypted data and keys.

3. Operations

a. Please provide information on policies regarding

i. the conduct of administrators who will have access to our information.

ii. the process for CSCU approval/authorization.

b. Does your company perform background checks on personnel with administrative access to servers, applications, and customer data? If yes, please provide relevant details on the background checking process.

c. Does your company require the use of two-factor authentication for the administrative control of your infrastructure (e.g. servers, routers, etc.)?

d. Please provide information as to the experience and certification of individuals at your company that develop and implement security policies and controls.

e. Please provide and/or demonstrate your company’s procedures for vulnerability management, intrusion prevention, incident response, and incident escalation and investigation.

f. Describe your process for determining the specific likelihood and business impact of vulnerabilities you discover.

g. Do you perform the following security verifications? How often is each performed? How do you limit reporting of false positives? Address each individually.

i. Dynamic vulnerability scanning.

ii. Static analysis.

iii. Manual penetration testing.

iv. Manual code review.

v. Threat modeling.

vi. Security architecture review.

vii. Malicious code analysis.

h. Please provide and/or demonstrate your company’s procedures for business continuity and disaster recovery that include your applications and data, as well as evidence of when those procedures were most recently tested.

i. Please provide and/or demonstrate documented identity management and help-desk procedures for authenticating callers and resetting access controls, as well as establishing and deleting accounts.

j. Describe any other relevant background information about your company with respect to security.

4. Audit

a. Describe your assurance and audit process to ensure your service is meeting your security program requirements.

b. Are you required to perform independent audits to meet any legal/regulatory requirements? If yes, what is the legal/regulatory requirement?

c. How and by whom is compliance audited?

d. How often are formal audits conducted?

e. What audit and security information is reported as part of your standard Service Level Agreements?

5. Incident Handling

a. Describe your company’s incident handling process.

b. Describe how your company protects and stores incident data (e.g. audit trails, logs, etc).

c. If Personally Identifiable Information (PII) or other confidential data is breached, describe the breach notification and any identity theft protection your company provides as part of the service.

d. What are the notification standards by which security breaches are communicated to clients?

i. Triggers

ii. Time frames

iii. Others?

6. Legal and Regulatory

a. Please provide a list of regulatory requirements your service is required to comply with and how your security program is designed to meet the requirements.

b. What control does CSCU have over the retention of data records used within your service?

c. If relevant to your service, describe how your organization can support requests for data retention under e-Discovery and/or FOIA regulations.

i. How can data be protected from manual or automatic deletion/modification after a litigation hold has been issued?

ii. How is data provided or access granted to process an e-discovery requirement?

iii. If this is not relevant to your service, explain why it is not.

d. Our organizational information is subject to regulation under FERPA. Do you represent that your services meet FERPA regulations with regard to the protection of educational records?

e. Our organizational information is subject to regulation under Red Flag Rule based on sections 114 and 315 of the Fair and Accurate Credit Transactions Act of 2003 (FACTA). Do you represent that your services meet Red Flag Rule regulations with regard to a written identity theft protection program?

f. Services using PII and confidential data must comply with Connecticut General Statute Sec. 36a-701b, “Breach of security re: computerized data containing personal information.” Do you represent that your services meet Connecticut General Statute Sec. 36a-701b (see Attachment J)?

IV. PROPOSAL SUBMISSION REQUIREMENTS

A. Business Information

1. Please provide

a. Company Name

b. Primary Contact at the Company

c. Location

d. Year business started

e. Year that company began providing identity services

f. Year that company began providing cloud-based identity services

2. Is the provision of cloud-based identity services your primary business?

3. What percentage of your business revenue is earned from providing cloud-based identity services?

4. What is your company’s annual revenue from developing, licensing and maintaining deployments of cloud-based identity services?

5. Please provide the names of any companies or subcontractors that your company employs to provide:

a. Development of identity services software

b. Maintenance of identity services

c. Hosting of servers providing identity services

d. Services or tools for identity de-duplication/matching

e. Development or installation services for on-boarding clients

6. Where are your physical data centers providing your service offering located?

7. Please describe your company’s experience with clients in higher education. Include at least three years’ worth of examples.

8. Please list between three and five references of clients using the solution being offered in your response to this RFP. Preference will be given to higher education clients that have contracted for your solution for at least three years. Additional consideration will be given to examples demonstrating a solution to our specific need for merging multiple identity practices.

9. Please quantify how many of your current clients are using your service as their primary source of identity services for web-based applications in a production setting.

10. Please describe the current financial status of your company, listing total liabilities, total assets and total revenues for the last two years.

11. Please provide a project staffing plan that defines all proposed full- and part-time employees who will work to provide and maintain the solution offering to CSCU, if awarded. For each employee/resource, include a description of the type of professional services (i.e., design, development, implementation, project management, et al.) in which that person will be engaged on the project.

12. Please provide a list of specific individuals expected to work on the account being proposed. Include each such employee’s name, title, duration of employment with the company, and a brief list of degrees and certifications earned.

B. Scope of Services

1. Please describe in detail how the solution offering meets each of the eight goals listed in section III.A above.

2. Please describe in detail the limitations to which your solution would be subject in interacting with the installed technical base, as described in section III.B above.

3. How, in detail, would your company propose to transition CSCU into a contract for services with your company, if awarded? Provide a list of major tasks and milestones with dates relative to the execution of a contract (Day 0).

4. Please describe in detail the minimum requirements for our installed technical base to be eligible for full deployment of your solution offering. Include the installation or upgrade of any on-site components specific to your service, and any minimum versions of critical applications that need to be met. Examples include:

a. Operating systems

b. Databases

c. Applications

d. Agent software

e. Network and firewall requirements (including any protocols, ports or other resources that must be opened for you to provide your service).

5. Please describe in detail how your solution will integrate with authoritative data sources and application systems hosted and managed by the CSCU institutions. Include the following considerations:

a. Security

b. Installed agents

c. Data transfer protocols

d. Scheduling/frequency of transfer

6. Please describe how your service can de-duplicate identity data provided by different sources within our installed technical base.
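The two preceding questions (IV.B.5 on integration with the authoritative sources and IV.B.6 on de-duplication), together with section III.B and technical requirements 12 and 13, describe one pipeline: records from six independent sources are matched into a single system-wide identity, and that merged identity is then reconciled against each target system as adds, changes and de-provisioning. The following is an added example, not part of the RFP and not any vendor's product, of a minimal version of that pass. The source records, the target-directory snapshot and the matching rule (normalized name plus date of birth, hashed so the resulting identifier carries no PII into target systems) are all constructed; a production matcher would score on more attributes. Two behaviours are the point: a key that appears twice within one source is sent to a human review queue instead of being auto-merged, and de-provisioning only ever disables an account, so a bad or empty feed cannot destroy accounts in a single run.

```python
"""Added example (not from the RFP): identity de-duplication across sources and
reconciliation against a target directory. All data and the match rule are constructed."""
from dataclasses import dataclass
import hashlib
import unicodedata

@dataclass(frozen=True)
class SourceRecord:
    source: str        # constructed source names, e.g. "banner-univ-a"
    local_id: str      # the record's ID within that source
    given: str
    family: str
    dob: str           # YYYY-MM-DD
    email: str
    affiliation: str   # student / faculty / staff
    active: bool

def _norm(s):
    """Case-fold and strip diacritics so 'López' and 'Lopez' compare equal."""
    s = unicodedata.normalize("NFKD", s).encode("ascii", "ignore").decode()
    return " ".join(s.lower().split())

def match_key(r):
    """Constructed deterministic match rule: normalized name + DOB, hashed so the
    system-wide identifier does not itself expose the date of birth."""
    raw = f"{_norm(r.given)}|{_norm(r.family)}|{r.dob}".encode()
    return hashlib.sha256(raw).hexdigest()[:16]

def merge_identities(records):
    """Group source records into system-wide identities.
    Returns (identities, review): review holds groups where one source contributed
    two records for the same key, which must be resolved by a person, not merged."""
    groups = {}
    for r in records:
        groups.setdefault(match_key(r), []).append(r)
    identities, review = {}, []
    for key, recs in groups.items():
        per_source = {}
        for r in recs:
            per_source.setdefault(r.source, []).append(r)
        if any(len(v) > 1 for v in per_source.values()):
            review.append(recs)
            continue
        identities[key] = {
            "sources": sorted(f"{r.source}:{r.local_id}" for r in recs),
            "email": sorted(r.email for r in recs)[0],   # deterministic choice
            "affiliations": sorted({r.affiliation for r in recs if r.active}),
            "active": any(r.active for r in recs),
        }
    return identities, review

FIELDS = ("email", "affiliations", "active")  # what the target directory holds

def plan_sync(identities, target):
    """Diff merged identities against a target snapshot {key: {email, affiliations, active}}.
    Returns (action, key, payload) tuples; 'disable' is the only de-provisioning action."""
    actions = []
    for key, ident in identities.items():
        want = {f: ident[f] for f in FIELDS}
        cur = target.get(key)
        if cur is None:
            if ident["active"]:
                actions.append(("add", key, want))
        elif not ident["active"] and cur["active"]:
            actions.append(("disable", key, None))
        elif want != cur:
            actions.append(("change", key, want))
    for key, cur in target.items():
        if key not in identities and cur["active"]:
            actions.append(("disable", key, None))   # vanished from every source
    return sorted(actions, key=lambda a: (a[0], a[1]))

# Constructed sample feed: the same person at a university and a community college,
# a departed staff member, an ambiguous pair inside one source, and a new student.
SAMPLE_RECORDS = [
    SourceRecord("banner-univ-a", "U1001", "Maria", "Lopez", "1990-04-12", "mlopez@univ-a.example", "student", True),
    SourceRecord("banner-cc", "C2001", "María", "López", "1990-04-12", "maria.lopez@cc.example", "student", True),
    SourceRecord("banner-univ-a", "U1002", "John", "Smith", "1985-01-01", "jsmith@univ-a.example", "staff", False),
    SourceRecord("banner-cc", "C2002", "Ana", "Silva", "1992-07-07", "asilva@cc.example", "student", True),
    SourceRecord("banner-cc", "C2003", "Ana", "Silva", "1992-07-07", "ana.silva2@cc.example", "student", True),
    SourceRecord("jenzabar-cosc", "J3001", "Wei", "Chen", "1988-11-30", "wchen@cosc.example", "student", True),
]
# Constructed target snapshot: Maria with her old email, John still enabled, and a
# stale account present in the directory but in no authoritative source.
SAMPLE_TARGET = {
    match_key(SAMPLE_RECORDS[0]): {"email": "mlopez@univ-a.example", "affiliations": ["student"], "active": True},
    match_key(SAMPLE_RECORDS[2]): {"email": "jsmith@univ-a.example", "affiliations": ["staff"], "active": True},
    "deadbeefdeadbeef": {"email": "ghost@univ-a.example", "affiliations": ["staff"], "active": True},
}

def demo():
    identities, review = merge_identities(SAMPLE_RECORDS)
    return identities, review, plan_sync(identities, SAMPLE_TARGET)

if __name__ == "__main__":
    ids, rev, acts = demo()
    print(len(ids), "identities;", len(rev), "groups for review")
    for a in acts:
        print(a)
```

Run on the sample data this yields three identities, one review group (the two Ana Silva records from the same source), and four actions: an add for the new student, a change for Maria's merged record, and disables for the departed staff member and the stale account. Deleting disabled accounts belongs in a separate, later step with its own retention rule.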

7. Please provide a copy of the standard technical support service level agreement that you provide your clients. It should, at minimum, include:

a. Support hours

b. Response times

c. Description of incidents and outages

d. Other metrics

C. Cost/Value

1. Please describe your pricing model for the solution offering. Please provide an estimate of costs based on the following estimates of usage:

a. Active individuals: student, faculty and staff: 100,000

b. Full-time enrollment equivalent: 55,000

c. Inactive individuals (infrequent access, low turnover): 300,000

2. Please describe any costs for installation, account establishment, initial deployment, project support, or any other one-time costs required for us to adopt the solution offering.

3. Can you affirm that there are no other costs (capital, licensing, maintenance, labor) required to make on-going use of the solution offering as described in this RFP and in your response?
