Add to collection(s) Add to saved
  1. Engineering & Technology
  2. Computer Science
  3. Operating Systems

its-check-list-template-v1

advertisement 
ITS RFP Check List Template
INF 1.1
INF 1.2
INF 1.3
INF 1.4
INF 1.5
INF 1.6
INF 1.7
INF 1.8
INF 1.9
[Type text]
Infrastructure
Provide infrastructure requirements (or options) and specification including storage
requirements and ports for app/web servers
Provide list of supported Operating systems/Versions and upgrade/certification process
Provide list of supported Web Browsers/Versions and upgrade/certification process
Provide full inventory of all software needed for your system
Provide recommended OS/Hardware Upgrade Policy - For internally hosted
Describe Mobile devices (smartphones, tablets) support
Describe deployment process of Application fixes/enhancements - For internally hosted
Describe Application Upgrade Process - For internally hosted
Explain ability to refresh data and configuration on demand for non-production
environment – For internally hosted
Page 1
ITS RFP Check List Template
SEC 1.1
SEC 1.2
SEC 1.3
SEC 1.4
SEC 1.5
SEC 1.6
SEC 1.7
SEC 1.8
SEC 1.9
SEC 1.10
SEC 1.11
SEC 1.12
SEC 1.13
SEC 1.14
SEC 1.15
SEC 1.16
SEC 1.17
SEC 1.18
SEC 1.19
SEC 1.20
SEC 1.21
SEC 1.22
SEC 1.23
SEC 1.24
SEC 1.25
SEC 1.26
SEC 1.1
SEC 1.2
SEC 1.3
SEC 1.4
SEC 1.5
SEC 1.6
SEC 1.7
SEC 1.8
SEC 1.9
SEC 1.10
[Type text]
Security
Ability to provide Application for UCSF operating system vulnerability scan
What are your authentication protocols?
Describe SSO solutions and ability to integrate with Shibboleth
Describe Application Access Audit and monitoring capability
Describe any server/application configuration options for security (i.e. timeout, lockout)
Describe how security configuration is managed for hardware and/or software (including
OS)
Provide Security risk/vulnerability assessment Results
Describe continuous security vulnerability assessment & Remediation process
Describe methodology on staying current with latest security standards
Describe Security Patch process
Describe authenticated (Privileged) scan process
Describe User Account provision/de-provision/change Process (include infrastructure,
configuration management and software)
Describe User Account review process
Describe intrusion detection process
Describe password mandates
Describe data encryptions for all sensitive data
Describe password/passphrase complexity
Describe encryption in Transit between all devices and servers
Describe encryption on Mobile devices and removable storage media
Describe secure deletion process upon decommission
Describe control access to the application via its incorporated interface
Describe control access to the underlying data via direct and third-party tools
Describe control access across different user roles
Describe security at the field level, screen level and user role level
Describe privacy and security training in your organization
Describe reports available for all audits within the system
Ability to provide Application for UCSF operating system vulnerability scan (authenticated
at all privilege levels and unauthenticated)
Ability to provide Application for UCSF application vulnerability scan (authenticated at all
privilege levels and unauthenticated)
What are your authentication protocols?
Describe SSO solutions and ability to integrate with Shibboleth
Describe Application Access Audit and monitoring capability
Describe any server/application configuration options for security (i.e. timeout, lockout)
Describe how security configuration is managed for hardware and/or software (including
OS)
Provide Security risk/vulnerability assessment Results
Describe continuous security vulnerability assessment & Remediation process
Describe methodology on staying current with latest security standards
Page 2
ITS RFP Check List Template
SEC 1.11
SEC 1.12
SEC 1.13
SEC 1.14
SEC 1.15
SEC 1.16
SEC 1.17
SEC 1.18
SEC 1.19
SEC 1.20
SEC 1.21
SEC 1.22
SEC 1.23
SEC 1.24
SEC 1.25
SEC 1.26
SEC 1.27
SEC 1.28
SEC 1.29
SEC 1.30
SEC 1.31
SEC 1.32
SEC 1.33
SEC 1.34
SEC 1.35
SEC 1.36
SEC 1.37
SEC 1.38
SEC 1.39
SEC 1.40
SEC 1.41
SEC 1.42
SEC 1.43
SEC 1.44
SEC 1.45
[Type text]
Describe Security Patch process
Describe authenticated (Privileged) scan process
Describe User Account provision/de-provision/change Process (include infrastructure,
configuration management and software)
Describe User Account review process
Describe intrusion detection process
Describe password mandates
Describe data encryption for all restricted data in transmission
Describe password/passphrase complexity
Describe encryption in Transit between all devices and servers
Describe encryption on Mobile devices and removable storage media
Describe secure deletion process upon decommission
Describe control access to the application via its incorporated interface
Describe control access to the underlying data via direct and third-party tools
Describe control access across different user roles
Describe security at the field level, screen level and user role level
Describe privacy and security training in your organization
Describe reports available for all audits within the system
Describe data encryption for all restricted data at rest
Describe data encryption for all restricted data during process
Describe key management capabilities and lifecycle (key storage, use, distribution,
destruction, archiving, offline availability, generation, etc.)
Describe encryption algorithms
Describe key exchange capabilities
Please describe Active Directory integration and support capabilities (leverage LDAP, Active
Directory services, forest aware, federated services, non-contiguous DNS domain Active
Directory forest of trees, etc.)
Describe user account provisioning API's and automation capabilities
Describe HIPAA compliance with the security rule administrative safeguards (required and
addressable elements)
Describe HIPAA compliance with the security rule technical safeguards (required and
addressable elements)
Describe HIPAA compliance with the security rule physical safeguards (required and
addressable elements)
Describe your companies risk analysis and risk management processes
Describe any audit or certification (e.g. SOC 2 type 2, ISO, etc.)
Describe PCI compliance capabilities
Describe FERPA compliance capabilities
Describe adherence to SB1386 regulatory compliance
Describe user ID/password expiration options (date based, lack of activity based, brute
force lock out) and if the solution can meet UCSF policies and standards
Does the solution require password changes? Please describe
Does the service offer self-service for user based password self-service and/or security
Page 3
ITS RFP Check List Template
SEC 1.46
SEC 1.47
SEC 1.48
SEC 1.49
SEC 1.50
SEC 1.51
SEC 1.52
SEC 1.53
SEC 1.54
SEC 1.55
SEC 1.56
SEC 1.57
SEC 1.58
SEC 1.59
SEC 1.60
SEC 1.61
SEC 1.62
SEC 1.63
SEC 1.64
SEC 1.65
questions? Please describe
Can your solution provide automatic logoff based on time and/or activity? Please describe
Can you solution provide login activity (frequency and anomaly detection? Please describe
Can you solution provide login geographic anomaly detection? Please describe
Does your solution provide two-factor authentication, partner-based integration with
another two-factor authentication solution or a best practice integration reference
Are passwords masked when entered in the password field? Please describe
Are passwords removed on page reload or when selecting the "back button"? Please
describe
Does the solution provide user activity reporting? Please describe
Does the solution provide administrative roles based access control with pre-built
templates? Please describe
Does the solution provide user-based roles based access control with pre-built templates?
Please describe
Describe login auditing detail available in solution.
Does the solution provide external/federated authentication or public userID capabilities?
Please describe
Is data encrypted between application tiers and/or different elements of a distributed
system (e.g. encrypted when transmitting information between the web server, the
application server, and the web server)? Please describe
Does the solution offer offline media encryption? Please describe
Describe the log retention capabilities.
Please describe the system recovery options for the solution and any customer provided
pre-requisites.
Does the vendor provide documentation describing best practice architecture and
guidance for various recovery time objectives and recovery point objectives?
Please describe the software development lifecycle model and or any standards followed
in creating, maintaining, and versioning software.
Please describe adherence to development for best practices and to mitigate common
vulnerabilities such as XSS, XSRF, SQL injection , etc.
Please describe programming practices to protect against buffer overflows, format string
attacks, in-memory data exfiltration attacks, etc.
Please describe reference deployment/architecture/configuration penetration and
vulnerability testing
Note from UCSF IT Security:
This check list is not meant to replace meaningful analysis based on the product and/or service being
acquired in the RFP. It is to serve as a base method for common security controls and capabilities for
software and hardware solutions. This does not address “X as a service” RFP’s in totality and special
attention should be paid to these solutions and something similar to NIST’s NIST Publishes Draft Cloud
Computing Security or CSA’s CCM should be leveraged to identify and characterize the cloud service
being reviewed so that appropriate levels of diligence can be addressed. For further detail please
reference NIST guidelines for the specific technological area being reviewed. For all solutions a review of
[Type text]
Page 4
ITS RFP Check List Template
UC and UCSF policies, guidelines, standards, and procedures should be reviewed to ensure appropriate
RFP questions are added in. Lastly, all local, state, and federal regulatory requirements should be
addressed based on the data type, business function, and/or solution target for the solution being
purchased.
DEV 1.1
DEV 1.2
DEV 1.3
DEV 1.4
DEV 1.5
DEV 1.6
DEV 1.7
DEV 1.8
DEV 1.9
DEV 1.10
DEV 1.11
DEV 1.12
DEV 1.13
DEV 1.14
DEV 1.15
DEV 1.16
DEV 1.17
DEV 1.18
DEV 1.19
[Type text]
Development
Describe how application is certified in new release of OS or RDBMS
Describe Development platform (Programming languages, Frameworks etc.)
Describe customer’s ability to customize/extend applications
Describe Application Enhancement/Upgrade Process
Describe Development/Testing Process
Describe Application patch/fix
Describe archive methodology and retrieval of archived data procedure
Explain Performance Testing process and Benchmark
Describe ability to export data and configurations
Describe ability to refresh Dev/Test database on-demand from production DB
Describe Data Conversion/migration utility/tools
Describe Source Code availability
Provide published and documented API
Provide Development road map
Describe Reporting Solutions
Describe how system is Accessibility Compliant
Describe experience with integrating with ERP Systems (give specific examples)
Describe Application Support process (hours, methods) - For internally hosted
Describe Technical Training availability
Page 5
ITS RFP Check List Template
SaaS 1.1
SaaS 1.2
SaaS 1.3
SaaS 1.4
SaaS 1.5
SaaS 1.6
SaaS 1.7
SaaS 1.8
SaaS 1.9
SaaS 1.10
SaaS 1.11
SaaS 1.12
SaaS 1.13
SaaS 1.14
SaaS 1.15
SaaS 1.16
SaaS 1.17
SaaS 1.18
SaaS 1.19
SaaS 1.20
SaaS 1.21
SaaS 1.22
SaaS 1.23
[Type text]
SaaS
Describe data center physical security
Describe Disaster Recovery/Testing process and provide documentation
Describe how security configuration is managed for hardware, software (including OS)
Describe your environment’s systems firewall configurations
Describe how the infrastructure of the system is separated from other unrelated systems
What control is in place to prevent non-essential staff from accessing customer data
Describe solution to ensure use of authentication on all devices and protects from
unauthorized access
Describe available environments (Dev, QA, STG, TRN, PROD etc.)
Explain BAA procedure with Customer
Describe backup/recovery procedures (failover process/procedure)
Describe Technical Support process (hours, methods)
Explain how SaaS can be converted to in-house hosted solution and vice-versa
Explain OS/HW Upgrade Process/Procedures
Describe system availability (24x7) and explain any required downtime
Describe Server maintenance process/procedure
Describe Server and Application Monitoring Process/Procedures
Explain a method for data transfer and destruction in case of conversion to other system
Describe how UCSF personnel can access data
Describe experience with integrating with Shibboleth (UCSF SSO) solution
Describe deployment process of Application fixes/enhancements
Describe Application Upgrade Process
Explain how System environment documents are kept current
Explain ability to refresh data and configuration on demand for non-production
environment
Page 6
ITS RFP Check List Template
[Type text]
Page 7
Related documents
Lessinger v. Commissioner
Lessinger v. Commissioner
Notes Power Point
Notes Power Point
Honors PreCalculus Mrs. Dobbert
Honors PreCalculus Mrs. Dobbert
Today in Pre
Today in Pre
example
example
Lecture 32
Lecture 32
Physics Challenge Question 2: Displacement and velocity
Physics Challenge Question 2: Displacement and velocity
AdvancedAlgebra2T1W1
AdvancedAlgebra2T1W1
Pre-CalculusTT2W11
Pre-CalculusTT2W11
Worksheet 2-6
Worksheet 2-6
Download
advertisement