Appendices for RFP Template - University of Pennsylvania

Table of Contents
Appendix A: Sample Language - Overview of Penn
Appendix B: Sample Language - Purpose of the RFP
Appendix C: Functional Requirements Questionnaire Sample
Appendix D: Technical Requirements Questionnaire Sample
Appendix E: Data Requirements Questionnaire Sample
Appendix F: Confidentiality Statement
Appendix G: Vendor Questionnaire
Appendix A: Sample Language - Overview of Penn
[Feel free to use any or all of this language in your RFP.]
The University of Pennsylvania (Penn) is among the nation's most selective and competitive universities. Students
who apply for admission typically have outstanding records of academic and extracurricular achievement. About
95 percent of the students in each new class have ranked in the top 10 percent of their secondary school classes.
There are approximately 10,000 undergraduate students from around the world enrolled in Penn's four
undergraduate schools and approximately 10,000 students enrolled in twelve graduate and professional schools.
In addition, Penn offers innovative opportunities for lifelong learning through the College of Liberal and
Professional Studies.
The University of Pennsylvania is an Ivy League research university located in Philadelphia. It was founded by
Benjamin Franklin in the mid-18th century. Penn has approximately 3,800 faculty, 1,000 postdoctoral fellows and
16,000 administrative staff.
Today, Penn offers over 90 undergraduate majors and is regarded as a national leader in programs that cross
traditional disciplinary boundaries and combine liberal learning with practical application. Penn offers flexible
options to students by providing a broad array of courses and program options including double majors,
accelerated programs, dual-degree programs, and joint-degree programs that enable students to learn from and
work with some of the finest leaders and researchers in the nation. Submatriculation, another option, makes it
possible for undergraduates to begin graduate programs at Penn while completing their baccalaureate degrees.
At the graduate level, Penn also offers interdisciplinary options including joint degrees such as a JD/MBA, MD/MBA
and MBA/MS in International Studies. Several of its professional Schools, including the Perelman School of
Medicine and the Wharton School, are consistently ranked among the top three in the nation in their fields. Penn
is also a major recipient of research funding from the National Institutes of Health (NIH) and the National Science
Foundation (NSF).
Penn offers numerous opportunities for executive-level and post-degree education, including executive education
through the Wharton School and the Graduate School of Education. In addition, both the Law School and the
Perelman School of Medicine provide continuing education sessions to fulfill ongoing professional requirements.
The University of Pennsylvania is unique among its Ivy League peers in having all of its undergraduate and graduate
schools located on its 262-acre West Philadelphia campus, facilitating interdisciplinary discourse and research.
The University’s twelve Schools are:
Annenberg School for Communication
School of Arts and Sciences
School of Dental Medicine
School of Design
Graduate School of Education
School of Engineering and Applied Science
School of Law
School of Nursing
Perelman School of Medicine
School of Social Policy and Practice
School of Veterinary Medicine
Wharton School
Additional information on the University may be obtained through Penn’s web site: www.upenn.edu.
Appendix B: Sample Language - Purpose of the RFP
This Request for Proposal (RFP) provides vendors with the information necessary to respond
with a proposal and bid for XXX that will fulfill the XXX requirements at the University of
Pennsylvania.
This RFP is intended to allow vendors to respond with accurate proposals and bids which address both
software and related service alternatives with estimated time lines and price ranges, to deliver the XXX
system consistent with the requirements described in this RFP. Vendors should provide information, if
possible, about various deployment options, including on-premise, mixed or vendor-hosted Software-as-a-Service (SaaS) solutions.
If a vendor bids on part of this RFP, the proposal should include a detailed description of software
offerings and related service alternatives, with price ranges, to deliver the proposed components of the
XXX system consistent with the requirements described in this RFP.
For each of the project components, the vendor should propose a range of service alternatives, with
corresponding price points, addressing different levels of support for project management, additional
clarification of requirements where necessary, installation, implementation, training, and/or other related
project activities.
Appendix C: Functional Requirements Questionnaire Sample
[This form, or something like it, may be used to request the vendor’s responses concerning the requested functional requirements.]
Response Column Definitions:
Yes: The vendor solution fully supports this requirement.
Partially: The vendor solution partially supports this requirement. Provide comments to clarify what is supported (see Comments).
Future: The functionality is planned as a future enhancement. Provide the scheduled date for availability in the comments column.
No: The vendor solution does not support this requirement.
Comments: The vendor may provide clarification using this column.
In the Yes, Partially, Future columns the vendor must respond with one of the following codes:
‘O’ Indicates that the function is currently available “out of the box”
‘C’ Indicates that some configuration is necessary
‘P’ Indicates that the function is available through a partnership with another vendor. Provide partner name and details in comments.
Columns: ID #, Header, The application must . . ., Yes, Partially, Future, No, Comments

1.1 Biographical: Names
    The application must: enable wildcard searches on any name type
    Yes: O
1.2 Biographical: Address
    The application must: support international address and telephone formatting rules
    Future: C
    Comments: This is planned for release in the 3rd quarter of 2002, and will require minimal configuration.
2.1 Contact Center/Outgoing
    The application must: enable telephone solicitation tracking and management
    Code: P
    Comments: This function is provided by a software partner, Corporation X.
Appendix D: Technical Requirements Questionnaire Sample
[These are some sample questions that may be included as part of a Technical Requirements questionnaire the vendor is asked to complete.]
Desktop
1) Does the desktop environment described in Section VI. B. 1. meet your application requirements? If not, please explain.
Architecture
2) Please list all hardware and operating system platforms currently supported by your product, as well as those planned for support within the
next year.
3) Describe the overall architecture of the proposed system and on what tier the major processing functions occur. Please include diagrams or
charts to depict the architecture and processing functions as well as a list of all modules that the product requires in order to operate the
various components of your system.
4) Are any other third party products required to run the proposed software? If so, please indicate which products are required and describe
the requirements associated with these products including version numbers.
5) What RDBMS is used in your product? If your product supports multiple RDBMS’s, which one is recommended and why?
Appendix E: Data Requirements Questionnaire Sample
[This form, or something like it, may be used to request the vendor’s responses concerning the requested data model and/or data
requirements.]
Instructions for Response Columns:
Response Column Definitions:
Yes: The vendor solution fully supports this requirement.
Partially: The vendor solution partially supports this requirement. Provide comments to clarify what is supported (see Comments).
Future: The functionality is planned as a future enhancement. Provide the scheduled date for availability in the comments column.
No: The vendor solution does not support this requirement.
Comments: The vendor may provide clarification using this column.
In the Yes, Partially, Future columns the vendor must respond with one of the following codes:
‘O’ Indicates that the function is currently available “out of the box”
‘C’ Indicates that some configuration is necessary
‘P’ Indicates that the function is available through a partnership with another vendor. Provide partner name and details in comments.
Columns: ID #, The application must . . ., Yes, Partially, Future, No, Comments

D.1.1 Support international names with special characters.
      Yes: O
D.1.2 Support the identification of required data elements.
D.1.3 Support case sensitivity.
D.1.4 Support definition of valid values for data elements.
Partially / Future: C, P, O
Appendix F: Confidentiality Statement
As an authorized representative or corporate officer of the company named below, I warrant my
company and its successors, assigns, trustees, directors, officers, employees and agents will not disclose
any documents, diagrams, information, and information storage media made available to us by the
University of Pennsylvania for the purposes of responding to this RFP or in conjunction with any contract
arising therefrom. I warrant that only those successors, assigns, trustees, directors, officers, employees
and agents who are authorized and required to use such materials will have access to them.
I further warrant that all materials provided to us by the University of Pennsylvania will be returned to
the university promptly after use, and that all copies or derivations of the materials will be physically
and/or electronically destroyed. I will include with the returned materials a letter attesting to the
complete return of the materials, and document the destruction of any copies or derivations. Failure to
comply will subject this company to liability, both criminal and civil, including all damages to the
university and third parties. I authorize the University of Pennsylvania to inspect and verify the above. I
warrant that if my company is awarded this contract, it will not enter into any agreements or discussions
with a third party concerning such materials prior to receiving written confirmation from the University
of Pennsylvania that such third party has an agreement with the university similar in nature to this one.
_____________________________________________________________________________
(Signature of Representative)
_____________________________________________________________________________
(Typed name of Representative)
_____________________________________________________________________________
(Typed name of Company)
_____________________________________________________________________________
(Date)
_________________________________________________________________
Appendix G: Vendor Questionnaire
[This is a sample questionnaire that allows the vendor to provide information about their company, its
current relationships and its products.]
Corporate Profile
1. What is the full legal name of your company?
2. If you are a subsidiary, what is the full legal name
of your parent company?
3. What is the ownership structure of your
company?
4. Who are any major investors and stakeholders in
your company?
5. What is the location of your corporate
headquarters?
6. What are your major locations in the U.S.?
Internationally?
7. How many full-time employees do you have
currently?
8. In what year was your company founded in its
current form?
9. If your company has history pre-dating its current
form, please describe that history along with
relevant dates.
10. What were your company’s annual revenues in
2008, 2009, 2010 and 2011?
11. What was your company’s net profit (loss) in
2008, 2009, 2010 and 2011?
Company Management Team
12. What are the names of your company’s major
officers?
13. If there are any special biographical details you
would like to provide on officers and management
team members (industry accomplishments,
relationships, etc.), please do so.
Existing Penn Relationships
14. Are you doing business with Penn currently, or
have you ever done business with Penn in the
past?
15. If yes to either of the questions above, please
identify the Penn parties who bought your
products and/or services, the nature of the
products and/or services provided, the dates of
the agreements, and any other supplemental
information you believe may be important.
16. Are you currently pursuing any other business
opportunities with Penn?
17. If yes, please identify the Penn parties who are
considering your services, the nature of the
services that would be provided, and any other
supplemental information you believe may be
important.
Clients
Note: If the clients identified in your answers to questions 17, 18, and 19 overlap
(because these clients have purchased more than one type of product or service from
you) that is acceptable.
18. Please identify your top 2-3 U.S. clients who use
your Student Systems software. Please identify
the clients directly by name or indirectly through
description (specific industry, revenue size,
number of employees).
Partnerships
19. Do you have any partnerships with other
technology companies that you believe might be
of particular interest to Penn?
20. If so, please identify and explain these technology
partnerships.
21. Do you have any partnerships with non-technology companies (service providers, content
providers, BPO services firms, etc.) that you
believe might be of interest to Penn?
22. If so, please identify and explain these non-technology partnerships.
Competitors
23. Please identify who you would consider to be
your main competitor(s) in this product area.
Products
24. Please identify and describe your company’s
major components within its Student Systems
product line. If your products are sold as suites or
on a modular basis, please identify the major
suites and modules.
25. Please identify and describe your company’s other
related products, and describe how they integrate
(in a business sense) with your Student Systems
modules.
26. Please identify and describe the institutions
(customer councils, user groups, etc.) and
processes (customer suggestions, feature
evaluation) you have for evaluating and
incorporating user feedback into the development
of your products.
References
27. Please provide the names, phone numbers, e-mail
addresses and street addresses of three (3)
references who can speak to their experience
with your company’s Student Systems product(s).
Security and Privacy Impact Assessment
28. Do you have a SAS 70 Type II certification or other
third party certification of your information
security controls? How recently was the review
performed? How regularly are reviews
performed? Can we get a copy?
29. Do you have an established Information Security
Program, including an Incident Response process?
Your response should refer where applicable to
the title of the employee in charge of the
program, the number of employees in the
program, any credentials or special skills, the
organization's incident response program, any
security policies or procedures.
30. Do you have any certifications for any compliance
frameworks such as FISMA, HIPAA, PCI, etc.? If
custom application developed, describe any
security frameworks (e.g., OWASP) used or formal
processes (e.g., SDLC) in place:
31. Please describe controls to address the threat of
information being compromised by an external
hacker or malicious software. Your response
should refer where applicable to safeguards such
as intrusion detection, antivirus, firewalls,
vulnerability scanning, penetration testing,
encryption, authentication and authorization
protections and policies, including those involving
system hardening, such as passwords, removal of
unnecessary network services, limiting of
administrative access, code review, logging,
employee training and other relevant safeguards.
32. Please describe controls to address the threat of
information being intercepted in transit by
unauthorized persons. Your response should refer
where applicable to safeguards such as encryption
during transmission, availability and/or encryption
of wireless traffic, physically securing devices in
transit, network traffic segregation, and other
relevant safeguards, and include descriptions of
encryption protocols and algorithms used.
33. Please describe controls to address the threat of
information being mistakenly disclosed to
unauthorized persons. Your response should refer
where applicable to issues of awareness and
training, removal of unnecessary data (electronic
and paper), use of screen savers and lockouts,
limiting storage of confidential data on remote
devices, verification of identity of individuals
requesting access, and other relevant safeguards
that enforce “need to know”.
34. Please describe controls to address the threat of
information knowingly being misused by your
workforce and contractors. Your responses should
refer where applicable to issues of strong
sanctions policy and practice, background checks,
role-based access to information, oversight of
data authorization by supervisor, terminating
access to data for terminated employees and
employees changing job functions, prohibition on
sharing passwords, and other relevant safeguards.
35. Please describe controls to address the threat of
physical theft or loss of data. Your responses
should refer where applicable to policies on the
storage of confidential data on laptops, PDAs, USB
drives and other portable devices, encryption of
data on portable devices, two-factor
authentication, removal of unnecessary
information, physical protection of desktops and
servers, and other relevant safeguards.
36. Please describe controls to address community
concerns regarding privacy practices. Your
responses should refer where applicable to
privacy statements, opt-in or opt-out consents,
compliance with applicable privacy rules, and
other relevant safeguards.
37. Please describe controls to address the use,
handling, protection and sharing of confidential
data shared with subcontractors. Your responses
should state any relevant relationships that may
induce additional risk to the safe storage of
sensitive data (such as outsourcing of key
services, use of sub-contractors or cloud services
for hosting, etc.) and refer where applicable to
contractual safeguards and reviews of security
programs/practices.
38. Please describe controls to address threats to the
availability of data based on inadequate business
continuity procedures. Your responses should
refer to business continuity and disaster recovery
plans and procedures, regular testing, routine
data backups and offsite storage.