Appendices for RFP Template

Table of Contents

Appendix A: Sample Language - Overview of Penn
Appendix B: Sample Language - Purpose of the RFP
Appendix C: Functional Requirements Questionnaire Sample
Appendix D: Technical Requirements Questionnaire Sample
Appendix E: Data Requirements Questionnaire Sample
Appendix F: Confidentiality Statement
Appendix G: Vendor Questionnaire


APPENDIX A: SAMPLE LANGUAGE - OVERVIEW OF PENN

[Feel free to use any or all of this language in your RFP.]

The University of Pennsylvania (Penn) is among the nation's most selective and competitive universities. Students who apply for admission typically have outstanding records of academic and extracurricular achievement. About 95 percent of the students in each new class have ranked in the top 10 percent of their secondary school classes. There are approximately 10,000 undergraduate students from around the world enrolled in Penn's four undergraduate schools and approximately 10,000 students enrolled in twelve graduate and professional schools. In addition, Penn offers innovative opportunities for lifelong learning through the College of Liberal and Professional Studies.

The University of Pennsylvania is an Ivy League research university located in Philadelphia. It was founded by Benjamin Franklin in the mid-18th century. Penn has approximately 3,800 faculty, 1,000 postdoctoral fellows and 16,000 administrative staff.

Today, Penn offers over 90 undergraduate majors and is regarded as a national leader in programs that cross traditional disciplinary boundaries and combine liberal learning with practical application. Penn offers flexible options to students by providing a broad array of courses and program options including double majors, accelerated programs, dual-degree programs, and joint-degree programs that enable students to learn from and work with some of the finest leaders and researchers in the nation. Submatriculation, another option, makes it possible for undergraduates to begin graduate programs at Penn while completing their baccalaureate degrees. At the graduate level, Penn also offers interdisciplinary options including joint degrees such as a JD/MBA, MD/MBA and MBA/MS in International Studies.

Several of its professional Schools, including the Perelman School of Medicine and the Wharton School, are consistently ranked among the top three in the nation in their fields. Penn is also a major recipient of research funding from the National Institutes of Health (NIH) and the National Science Foundation (NSF).

Penn offers numerous opportunities for executive-level and post-degree education, including executive education through the Wharton School and the Graduate School of Education. In addition, both the Law School and the Perelman School of Medicine provide continuing education sessions to fulfill ongoing professional requirements.

The University of Pennsylvania is unique among its Ivy League peers in having all of its undergraduate and graduate schools located on its 262-acre West Philadelphia campus, facilitating interdisciplinary discourse and research.

The University's twelve Schools are:

    Annenberg School for Communication
    School of Arts and Sciences
    School of Dental Medicine
    School of Design
    Graduate School of Education
    School of Engineering and Applied Science
    School of Law
    School of Nursing
    Perelman School of Medicine
    School of Social Policy and Practice
    School of Veterinary Medicine
    Wharton School

Additional information on the University may be obtained through Penn's web site: www.upenn.edu.


APPENDIX B: SAMPLE LANGUAGE - PURPOSE OF THE RFP

This Request for Proposal (RFP) provides vendors with the information necessary to respond with a proposal and bid for XXX that will fulfill the XXX requirements at the University of Pennsylvania. This RFP is intended to allow vendors to respond with accurate proposals and bids which address both software and related service alternatives with estimated time lines and price ranges, to deliver the XXX system consistent with the requirements described in this RFP.

Vendors should provide information, if possible, about various deployment options, including on-premise, mixed or vendor-hosted Software-as-a-Service (SaaS) solutions.

If a vendor bids on part of this RFP, the proposal should include a detailed description of software offerings and related service alternatives, with price ranges, to deliver the proposed components of the XXX system consistent with the requirements described in this RFP.

For each of the project components, the vendor should propose a range of service alternatives, with corresponding price points, addressing different levels of support for project management, additional clarification of requirements where necessary, installation, implementation, training, and/or other related project activities.


APPENDIX C: FUNCTIONAL REQUIREMENTS QUESTIONNAIRE SAMPLE

[This form, or something like it, may be used to request the vendor's responses concerning the requested functional requirements.]

Response Column Definitions:

Yes - The vendor solution fully supports this requirement.
Partially - The vendor solution partially supports this requirement. Provide comments to clarify what is supported (see Comments).
Future - The functionality is planned as a future enhancement. Provide the scheduled date for availability in the comments column.
No - The vendor solution does not support this requirement.
Comments - The vendor may provide clarification using this column.

In the Yes, Partially and Future columns the vendor must respond with one of the following codes:

'O' - Indicates that the function is currently available "out of the box".
'C' - Indicates that some configuration is necessary.
'P' - Indicates that the function is available through a partnership with another vendor. Provide partner name and details in comments.

Sample rows:

ID #  | Header                  | The application must . . .                                    | Yes | Partially | Future | No | Comments
------|-------------------------|---------------------------------------------------------------|-----|-----------|--------|----|---------------------------------------------------------------------------------------------
1.1   | Biographical: Names     | enable wildcard searches on any name type                     | O   |           |        |    |
1.2   | Biographical: Address   | support international address and telephone formatting rules  |     |           | C      |    | This is planned for release in the 3rd quarter of 2002, and will require minimal configuration.
2.1   | Contact Center/Outgoing | enable telephone solicitation tracking and management         |     | P         |        |    | This function is provided by a software partner, Corporation X.


APPENDIX D: TECHNICAL REQUIREMENTS QUESTIONNAIRE SAMPLE

[These are some sample questions that may be included as part of a Technical Requirements questionnaire the vendor is asked to complete.]

Desktop

1) Does the desktop environment described in Section VI. B. 1. meet your application requirements? If not, please explain.

Architecture

2) Please list all hardware and operating system platforms currently supported by your product, as well as those planned for support within the next year.

3) Describe the overall architecture of the proposed system and on what tier the major processing functions occur. Please include diagrams or charts to depict the architecture and processing functions as well as a list of all modules that the product requires in order to operate the various components of your system.

4) Are any other third party products required to run the proposed software? If so, please indicate which products are required and describe the requirements associated with these products, including version numbers.

5) What RDBMS is used in your product? If your product supports multiple RDBMSs, which one is recommended and why?


APPENDIX E: DATA REQUIREMENTS QUESTIONNAIRE SAMPLE

[This form, or something like it, may be used to request the vendor's responses concerning the requested data model and/or data requirements.]

Instructions for Response Columns:

Response Column Definitions:

Yes - The vendor solution fully supports this requirement.
Partially - The vendor solution partially supports this requirement. Provide comments to clarify what is supported (see Comments).
Future - The functionality is planned as a future enhancement. Provide the scheduled date for availability in the comments column.
No - The vendor solution does not support this requirement.
Comments - The vendor may provide clarification using this column.

In the Yes, Partially and Future columns the vendor must respond with one of the following codes:

'O' - Indicates that the function is currently available "out of the box".
'C' - Indicates that some configuration is necessary.
'P' - Indicates that the function is available through a partnership with another vendor. Provide partner name and details in comments.

Sample rows (the sample codes for D.1.2 to D.1.4 fall in the Partially and Future columns; they are shown in one combined column here):

ID #  | The application must . . .                              | Yes | Partially / Future | No | Comments
------|---------------------------------------------------------|-----|--------------------|----|---------
D.1.1 | Support international names with special characters.    | O   |                    |    |
D.1.2 | Support the identification of required data elements.   |     | C                  |    |
D.1.3 | Support case sensitivity.                               |     | P                  |    |
D.1.4 | Support definition of valid values for data elements.   |     | O                  |    |


APPENDIX F: CONFIDENTIALITY STATEMENT

As an authorized representative or corporate officer of the company named below, I warrant my company and its successors, assigns, trustees, directors, officers, employees and agents will not disclose any documents, diagrams, information, and information storage media made available to us by the University of Pennsylvania for the purposes of responding to this RFP or in conjunction with any contract arising therefrom. I warrant that only those successors, assigns, trustees, directors, officers, employees and agents who are authorized and required to use such materials will have access to them.

I further warrant that all materials provided to us by the University of Pennsylvania will be returned to the university promptly after use, and that all copies or derivations of the materials will be physically and/or electronically destroyed. I will include with the returned materials a letter attesting to the complete return of the materials, and document the destruction of any copies or derivations.

Failure to comply will subject this company to liability, both criminal and civil, including all damages to the university and third parties. I authorize the University of Pennsylvania to inspect and verify the above.

I warrant that if my company is awarded this contract, it will not enter into any agreements or discussions with a third party concerning such materials prior to receiving written confirmation from the University of Pennsylvania that such third party has an agreement with the university similar in nature to this one.

_____________________________________________________________________________
(Signature of Representative)

_____________________________________________________________________________
(Typed name of Representative)

_____________________________________________________________________________
(Typed name of Company)

_____________________________________________________________________________
(Date)


APPENDIX G: VENDOR QUESTIONNAIRE

[This is a sample questionnaire that allows the vendor to provide information about their company, its current relationships and its products.]

Corporate Profile

1. What is the full legal name of your company?
2. If you are a subsidiary, what is the full legal name of your parent company?
3. What is the ownership structure of your company?
4. Who are any major investors and stakeholders in your company?
5. What is the location of your corporate headquarters?
6. What are your major locations in the U.S.? Internationally?
7. How many full-time employees do you have currently?
8. In what year was your company founded in its current form?
9. If your company has history pre-dating its current form, please describe that history along with relevant dates.
10. What were your company's annual revenues in 2008, 2009, 2010 and 2011?
11. What was your company's net profit (loss) in 2008, 2009, 2010 and 2011?

Company Management Team

12. What are the names of your company's major officers?
13. If there are any special biographical details you would like to provide on officers and management team members (industry accomplishments, relationships, etc.), please do so.

Existing Penn Relationships

14. Are you doing business with Penn currently, or have you ever done business with Penn in the past?
15. If yes to either of the questions above, please identify the Penn parties who bought your products and/or services, the nature of the products and/or services provided, the dates of the agreements, and any other supplemental information you believe may be important.
16. Are you currently pursuing any other business opportunities with Penn?
17. If yes, please identify the Penn parties who are considering your services, the nature of the services that would be provided, and any other supplemental information you believe may be important.

Clients

Note: If the clients identified in your answers to questions 17, 18, and 19 overlap (because these clients have purchased more than one type of product or service from you), that is acceptable.

18. Please identify your top 2-3 U.S. clients who use your Student Systems software. Please identify the clients directly by name or indirectly through description (specific industry, revenue size, number of employees).

Partnerships

19. Do you have any partnerships with other technology companies that you believe might be of particular interest to Penn?
20. If so, please identify and explain these technology partnerships.
21. Do you have any partnerships with nontechnology companies (service providers, content providers, BPO services firms, etc.) that you believe might be of interest to Penn?
22. If so, please identify and explain these nontechnology partnerships.

Competitors

23. Please identify who you would consider to be your main competitor(s) in this product area.

Products

24. Please identify and describe your company's major components within its Student Systems product line. If your products are sold as suites or on a modular basis, please identify the major suites and modules.
25. Please identify and describe your company's other related products, and describe how they integrate (in a business sense) with your Student Systems modules.
26. Please identify and describe the institutions (customer councils, user groups, etc.) and processes (customer suggestions, feature evaluation) you have for evaluating and incorporating user feedback into the development of your products.

References

27. Please provide the names, phone numbers, e-mail addresses and street addresses of three (3) references who can speak to their experience with your company's Student Systems product(s).

Security and Privacy Impact Assessment

28. Do you have a SAS 70 Type II certification or other third party certification of your information security controls? How recently was the review performed? How regularly are reviews performed? Can we get a copy?
29. Do you have an established Information Security Program, including an Incident Response process? Your response should refer where applicable to the title of the employee in charge of the program, the number of employees in the program, any credentials or special skills, the organization's incident response program, and any security policies or procedures.
30. Do you have any certifications for any compliance frameworks such as FISMA, HIPAA, PCI, etc.? If a custom application is developed, describe any security frameworks (e.g., OWASP) used or formal processes (e.g., SDLC) in place.
31. Please describe controls to address the threat of information being compromised by an external hacker or malicious software. Your response should refer where applicable to safeguards such as intrusion detection, antivirus, firewalls, vulnerability scanning, penetration testing, encryption, authentication and authorization protections and policies, including those involving system hardening, such as passwords, removal of unnecessary network services, limiting of administrative access, code review, logging, employee training and other relevant safeguards.
32. Please describe controls to address the threat of information being intercepted in transit by unauthorized persons. Your response should refer where applicable to safeguards such as encryption during transmission, availability and/or encryption of wireless traffic, physically securing devices in transit, network traffic segregation, and other relevant safeguards, and include descriptions of encryption protocols and algorithms used.
33. Please describe controls to address the threat of information being mistakenly disclosed to unauthorized persons. Your response should refer where applicable to issues of awareness and training, removal of unnecessary data (electronic and paper), use of screen savers and lockouts, limiting storage of confidential data on remote devices, verification of identity of individuals requesting access, and other relevant safeguards that enforce "need to know".
34. Please describe controls to address the threat of information knowingly being misused by your workforce and contractors. Your responses should refer where applicable to issues of strong sanctions policy and practice, background checks, role-based access to information, oversight of data authorization by supervisor, terminating access to data for terminated employees and employees changing job functions, prohibition on sharing passwords, and other relevant safeguards.
35. Please describe controls to address the threat of physical theft or loss of data. Your responses should refer where applicable to policies on the storage of confidential data on laptops, PDAs, USB drives and other portable devices, encryption of data on portable devices, two factor authentication, removal of unnecessary information, physical protection of desktops and servers, and other relevant safeguards.
36. Please describe controls to address community concerns regarding privacy practices. Your responses should refer where applicable to privacy statements, opt-in or opt-out consents, compliance with applicable privacy rules, and other relevant safeguards.
37. Please describe controls to address the use, handling, protection and sharing of confidential data shared with subcontractors. Your responses should state any relevant relationships that may induce additional risk to the safe storage of sensitive data (such as outsourcing of key services, use of sub-contractors or cloud services for hosting, etc.) and refer where applicable to contractual safeguards and reviews of security programs/practices.
38. Please describe controls to address threats to the availability of data based on inadequate business continuity procedures. Your responses should refer to business continuity and disaster recovery plans and procedures, regular testing, routine data backups and offsite storage.