Business Expense Automation Software Tool: Technical Requirements
Issue Date: July 10, 2015
IESO Confidential
Table of Contents
1. Technical Requirements
  1.1 Introduction
  1.2 Technical, Security and Access Control Requirements for SaaS Vendor
  1.3 IT Architecture for On-premises Software Vendor
  1.4 Integration Capabilities
  1.5 System Administration
  1.6 Training and Knowledge Transfer
Appendix A – IESO IT Supported Platforms
References
Related Documents
1. Technical Requirements

1.1 Introduction

The purpose of this document is to specify the IESO's requirements for a Business Expense Tool (Tool). The document specifies high-level technical requirements for the solution which the IESO is seeking. The proposed solution can be a cloud-based Software as a Service (SaaS) or an on-premises deployment.

Instructions:
• Respondents that are proposing a SaaS solution should complete Section 1.2.
• Respondents that are proposing an on-premises solution should complete Section 1.3.
• All Respondents should complete Sections 1.4, 1.5 and 1.6.
1.2 Technical, Security and Access Control Requirements for SaaS Vendor

This section is to be completed by cloud vendors that are proposing SaaS.

Response columns for each item: Functional Existence (Yes/No, True/False, Applicable/Non-applicable), Priority, Vendor Response, Vendor Detailed Description.

1. Which browsers do you support?

2. Describe how your solution would support testing of configuration changes. Do you provide a test environment for the solution? (Priority: Critical)

3. IESO Data Protection (Priority: Critical)
• How do you separate IESO data from other customers' data?
• Describe how third parties (your service providers) access IESO data.
• Can you ensure that all IESO data is erased at the end of the service contract?
• Where do you store IESO data (including backups)?
• How do you get data from the IESO into your environment?
• How do you transfer data from one place to another?
• What are your data leak prevention capabilities?
4. Vulnerability Management (Priority: Critical)
• Document your vulnerability management program, with examples of previous findings and their remediation.
• How often do you scan for vulnerabilities on your network and applications?
• What is your vulnerability remediation process?

5. Identity Management (Priority: Critical)
• Does authentication need to occur before accessing your offering? Describe the available options.
• Can you support federation, and if so which standard?
• Explain how you can integrate directly with IESO directories. (If you keep your own user accounts: how do you secure user IDs and access credentials?)
• How do you handle user churn (e.g., provisioning and de-provisioning of accounts)?
• Do you support SSO, and which standards?
• Do you support Active Directory Lightweight Directory Services (AD LDS) for SSO?
• Do you support role-based access control?

6. Physical and Personnel Security (Priority: Critical)
• Is there restricted and monitored access to customer assets 24x7?
• If dedicated infrastructure is desired, how would it be isolated?
• Do you perform background checks on all relevant personnel? How extensive are they?
• Do you document employee access to customer data?
7. Application Security (Priority: Critical)
• Do you follow Open Web Application Security Project (OWASP) guidelines for application development?
• Do you subscribe to any of the following software development life cycle models: SEI CMM, DOD-STD-2167A, MIL-STD-498, EIA/IEEE J-STD-016 or ISO/IEC/IEEE 12207?
• Do you have a testing and acceptance procedure for outsourced and packaged application code?
• What third-party applications (components) are in use in your services?
• What application security measures (if any) do you use in your production environment (e.g., application-level firewall, IPS, database auditing)?

8. Incident Response (Priority: Critical)
• What is your procedure for handling a data breach?
• Can notification occur within an IESO-specified time period (e.g., 30 days)?
• In what format are data breach incident notifications published (e.g., VERIS), and what information do they contain?
9. Service Privacy (Priority: Critical)
• How do you protect digital identities and credentials, and how are they used in cloud applications?
• What data do you collect about the IESO?
• How is the data stored?
• How is the data used?
• How long will the data be stored?
• Under what conditions might third parties, including government agencies, have access to IESO data?
• Can you guarantee that third-party access to shared logs and resources won't reveal critical information about the IESO?
10. Service Compliance (Priority: Critical)
• Provide documentation of a SAS 70, SSAE 16 or CSAE 3416 audit report (note that SAS 70 has been superseded by SSAE 16).
• Can we stipulate in the Service Level Agreement (SLA) that all IESO data (or applications), including all replicated and redundant copies, are owned by the IESO?
• Do you have any Disaster Recovery and Business Continuity planning documents that can be shared with the IESO?
• Where are your recovery data centers located?
• What service-level guarantee can you offer under Disaster Recovery conditions?
• Are there provisions, specifications or metrics in the SLA for investigations?
• How long do you keep logs and audit trails?
• How can the IESO have dedicated storage of logs and audit trails?
• Can you demonstrate evidence of tamper-proofing for logs and audit trails?
• Can you provide documentation of ISO 27001 compliance?
• Can you provide documentation of Payment Card Industry (PCI) compliance?
• What recourse actions (e.g., financial compensation, early exit from contracts, etc.) are available in the event of a security incident?
• In the event that the contract is terminated, or the agreement comes to an end, will data be packaged and delivered back to the IESO?
• Will any remaining copies of data be erased completely (including from backups)? If so, how soon will it happen?
11. Service Availability (Priority: Critical)
• The primary use of the system is during business hours, between 7am and 6pm. There will be no planned outage during business hours. If an emergency outage is required, the IESO shall be notified.
• The system's architecture shall be easily scalable to increase the number of users in the future.
• The system shall be available 24x7x365.
• The system shall have a total reliability of 95% uptime, excluding planned outages (i.e., up to roughly 36 hours of unplanned downtime in a 30-day month).
• The system's maximum Time to Recovery shall be four (4) hours at any time.
• How many users are allowed to log in concurrently?
• What availability measures do you employ to guard against threats and errors?
• Do you use multiple Internet Service Providers?
• Do you have Denial-of-Service (DoS/DDoS) attack protection?

12. Service Provider Audit Capability (Priority: Desired)
• Can you offer audit logging capabilities that include, but are not limited to, Authentication, Authorization (privilege changes), Modification (of core components) and User Operations (non-repudiation)? Do log records include date and time stamps, the name or unique ID of the event, the specified object (user, policy, object, etc.) and severity?
• Can you export audit logs on a continuous basis?
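As an added illustration (not part of the RFP, and not any vendor's product) of what a satisfactory answer to the tamper-proofing question in item 10 and the audit-record and continuous-export questions in item 12 looks like in working code: each record carries the fields item 12 asks for, is linked to the previous record by hash, and is authenticated with a per-tenant export key assumed here to be shared between the provider and the IESO. The customer-side verifier detects an edited field, a dropped record and a chain rebuilt without the key, and can pick up an incremental export from the last hash it already verified. Event names, actors and objects are constructed sample data.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # "prev" link of the very first record


def _digest(entry: dict) -> str:
    """SHA-256 over canonical JSON of every field except the hash and MAC themselves."""
    body = {k: v for k, v in entry.items() if k not in ("hash", "mac")}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def _mac(key: bytes, record_hash: str) -> str:
    return hmac.new(key, record_hash.encode(), "sha256").hexdigest()


class AuditLog:
    """Append-only audit log. Every record commits to the hash of the previous one,
    so an edit, deletion or reordering inside an export breaks the chain. The HMAC
    (assumed per-tenant export key shared with the customer) stops anyone without
    the key from rebuilding a consistent but fabricated chain."""

    def __init__(self, export_key: bytes):
        self._key = export_key
        self._records = []
        self._prev = GENESIS

    def record(self, event: str, actor: str, obj: str, severity: str, ts: datetime = None) -> dict:
        entry = {
            "seq": len(self._records) + 1,
            "ts": (ts or datetime.now(timezone.utc)).isoformat(),
            "event": event,      # authentication, authorization, modification, user_operation
            "actor": actor,      # user ID performing the action
            "object": obj,       # user, policy, component ... acted upon
            "severity": severity,
            "prev": self._prev,
        }
        entry["hash"] = _digest(entry)
        entry["mac"] = _mac(self._key, entry["hash"])
        self._records.append(entry)
        self._prev = entry["hash"]
        return entry

    def export(self, since_seq: int = 0) -> list:
        """Continuous export: one JSON line per record after the consumer's last acknowledged seq."""
        return [json.dumps(r, sort_keys=True) for r in self._records if r["seq"] > since_seq]


def verify_export(lines: list, key: bytes, expected_prev: str = GENESIS):
    """Customer-side check of an exported batch. Returns (True, None) when the chain is
    intact, else (False, seq) naming the first failing record. For an incremental batch,
    pass the hash of the last record already verified as expected_prev."""
    prev = expected_prev
    for line in lines:
        r = json.loads(line)
        if r["prev"] != prev:                                          # gap, deletion or reordering
            return False, r["seq"]
        if _digest(r) != r["hash"]:                                    # a field was edited after the fact
            return False, r["seq"]
        if not hmac.compare_digest(_mac(key, r["hash"]), r["mac"]):    # re-hashed by someone without the key
            return False, r["seq"]
        prev = r["hash"]
    return True, None


if __name__ == "__main__":
    key = b"per-tenant-export-key"  # constructed sample key
    log = AuditLog(key)
    log.record("authentication", "jdoe", "session", "info")
    log.record("authorization", "admin", "role:approver", "high")
    log.record("modification", "admin", "policy:expense-limit", "high")
    batch = log.export()
    print("intact:", verify_export(batch, key))
    print("record 2 dropped:", verify_export([batch[0], batch[2]], key))
```

Retention (how long logs are kept) and dedicated storage are answered by where the exported lines are written, not by this code; the point of the chain is that the IESO can keep its own copy and prove later that the copy and the provider's copy are the same.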
1.3 IT Architecture for On-premises Software Vendor

This section is to be completed by vendors that are proposing on-premises software.

Response columns for each requirement: Functional Existence (Yes/No, True/False, Applicable/Non-applicable), Priority, Vendor Response, Vendor Detailed Description.

13. The proposed solution shall conform to a scalable n-tier architecture as per IESO IT Standards (Appendix A). (Priority: Critical)

14. The proposed solution shall be provided for 2 environments (QA and Production). Two complete (Tool) systems will be installed to run in parallel. (Priority: Critical)

15. For the environments indicated in the requirement immediately above, the (Tool) solution shall provide full failover/redundancy capability to meet its availability requirements (describe functionality and capabilities). (Priority: Critical)

16. The (Tool) solution shall be able to run in an environment that is compatible with at least one of the following operating systems (and permit Integrated Windows Authentication): (Priority: Critical)
• Microsoft Windows Server 2012 R2 (IESO Preference)
• Red Hat Enterprise Linux V7 ES

17. The (Tool) solution database shall be able to run in an environment that is compatible with at least one of the following database systems: (Priority: Critical)
• Oracle 11g R2 and above
• MS SQL Server 2008 R2 and above (IESO Preference and IESO supplied license)

18. The (Tool) server OS shall be compatible with the other listed IESO IT Standards (Appendix A). (Priority: Critical)

19. The system's architecture shall be easily scalable to increase the number of users in the future. (Priority: Critical)
1.4 Integration Capabilities

The proposed solution should provide functionality for supporting integration with IESO systems.

Response columns for each question: Functional Existence (Yes/No, True/False, Applicable/Non-applicable), Priority, Vendor Response, Vendor Detailed Description.

20. The IESO uses Ceridian as its payroll system. (Priority: Critical)
• How would you integrate with the payroll system to obtain employee information, cost center and organization hierarchy?
• What experience (if any) do you have in integrating with Ceridian?
• How would you integrate with the payroll system for expense reimbursement?
• What experience (if any) do you have with integrating with payroll systems?

21. The IESO's current corporate credit card is BMO's MasterCard. (Priority: Desired)
• How would you integrate with the IESO's corporate credit card statements via bank feeds?
• How would you load corporate credit card statements and pre-populate expense items via bank feeds?
• What other corporate credit cards do you have experience integrating with?
• Are there any advantages/disadvantages to switching to a different corporate credit card?

22. The IESO uses Infor Lawson as its finance system. (Priority: Critical)
• How would you integrate with the finance system?
• What experience (if any) do you have with integrating with the IESO's finance system?

23. How do you support regulatory (Office of the Integrity Commissioner) expense reporting and integrate with the IESO public website? (Priority: Critical)

24. How do you integrate application security with Microsoft Active Directory and support SSO? (Priority: Critical)
• Describe how your solution is able to support authentication and authorization integration with AD.

25. HRG is the IESO's travel management provider. (Priority: Critical)
• How do you integrate with travel management providers?
• Are you able to integrate with the IESO's travel management provider?
• Describe how your solution is able to support the integration.

26. Do you offer API access? (Priority: Desired)
• If so, are there any added fees required to access the API?
• What platforms and programming languages do the APIs support?

27. Do you partner with any software companies that specialize in integration? (Priority: Desired)
1.5 System Administration

Response columns for each question: Functional Existence (Yes/No, True/False, Applicable/Non-applicable), Priority, Vendor Response, Vendor Detailed Description.

28. Describe your security model for the proposed solution; provide documentation if applicable. (Priority: Desired)

29. Does your solution offer Role-Based Access Control (system access based on an individual's role)? (Priority: Desired)

30. How does your security model handle segregation of duties, for example where a user is both an employee and a super user of the system? (Priority: Desired)

31. Explain how users and security roles are administered. (Priority: Desired)

32. Can users have more than one security profile? (Priority: Desired)

33. The solution should enable branding with the IESO logo, the IESO name and colours that are configurable by the IESO system administrator. (Priority: Desired)

34. Are system administrators allowed to reset user passwords? (Priority: Desired)

35. Describe your system's ability to have customers "configure" the system to meet their needs instead of having you do it. (Priority: Desired)

36. Do you provide the ability to audit who has viewed/changed items in the system (user ID, date and time)? (Priority: Desired)

37. How easy is it to export data from your service when moving to a new service? Do you offer an option to export the data in an open data format (e.g., XML)? Are there any added fees to export data? (Priority: Desired)
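Items 29, 30 and 32 together describe the access-control property the IESO is probing for: role-based permissions, users who hold more than one security profile, and segregation of duties when one of those profiles is a super user. The following is an added example of how a vendor's security model can satisfy all three at once; it is not from the RFP or from any product. The roles, permissions and user names are assumed for illustration. The model lets a user hold several profiles but requires one to be selected per action, and it refuses to let the same person close the loop on a single expense claim (submit then approve, or approve then pay) or grant a profile to their own account.

```python
from dataclasses import dataclass

# Assumed role -> permission mapping for an expense tool (hypothetical, not from the RFP).
ROLE_PERMISSIONS = {
    "employee": {"claim:submit", "claim:view_own"},
    "manager":  {"claim:approve", "claim:view_team"},
    "finance":  {"claim:pay", "claim:view_all"},
    "sysadmin": {"user:reset_password", "role:assign", "config:edit"},
}

# Object-level segregation of duties: a permission may not be exercised on a claim
# whose listed attribute already names the actor.
SOD_RULES = {
    "claim:approve": ("submitter",),             # cannot approve your own claim
    "claim:pay":     ("submitter", "approver"),  # cannot pay a claim you submitted or approved
}


@dataclass
class User:
    uid: str
    profiles: set   # a user may hold several security profiles (item 32)


@dataclass
class Claim:
    claim_id: str
    submitter: str
    approver: str = None
    paid_by: str = None


def authorize(user: User, active_profile: str, permission: str, claim: Claim = None):
    """Decide whether `user`, acting under one explicitly selected profile, may
    exercise `permission` (on `claim`, if given). Returns (allowed, reason)."""
    if active_profile not in user.profiles:
        return False, "profile-not-held"
    if permission not in ROLE_PERMISSIONS.get(active_profile, set()):
        return False, "profile-lacks-permission"
    for attr in SOD_RULES.get(permission, ()):
        if claim is not None and getattr(claim, attr) == user.uid:
            return False, f"sod:{attr}-cannot-{permission.split(':')[1]}"
    return True, "ok"


def approve(user: User, claim: Claim):
    ok, reason = authorize(user, "manager", "claim:approve", claim)
    if ok:
        claim.approver = user.uid
    return ok, reason


def pay(user: User, claim: Claim):
    ok, reason = authorize(user, "finance", "claim:pay", claim)
    if ok:
        claim.paid_by = user.uid
    return ok, reason


def assign_profile(admin: User, target: User, profile: str):
    """Super users administer profiles, but a super user who is also an employee
    (item 30) may never change the profiles on their own account."""
    ok, reason = authorize(admin, "sysadmin", "role:assign")
    if not ok:
        return ok, reason
    if target.uid == admin.uid:
        return False, "sod:self-assignment"
    target.profiles.add(profile)
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample users and a single claim walked through the workflow.
    alice = User("alice", {"employee", "manager"})
    bob = User("bob", {"manager", "finance"})
    claim = Claim("C1", submitter="alice")
    print("alice approves own claim:", approve(alice, claim))   # refused by SoD
    print("bob approves:", approve(bob, claim))                  # allowed
    print("bob pays what he approved:", pay(bob, claim))         # refused by SoD
```

Every refusal carries a machine-readable reason so the decision can be written to the audit trail (item 36) rather than surfacing only as a generic "access denied".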
1.6 Training and Knowledge Transfer

Response columns for each question: Functional Existence (Yes/No, True/False, Applicable/Non-applicable), Priority, Vendor Response, Vendor Detailed Description.

38. Initial Training (Priority: Desired)
• Do you do any knowledge transfer at the end of the implementation?
• Do you provide initial training of the system in terms of system configuration and application administration?
• Do you provide classroom-based, hands-on training with full documentation of functionality?

39. Ongoing Training (Priority: Desired)
• Describe your web-based training capability.
• Does your solution offer users "How to" videos embedded within the key modules?

– End of Section –
Appendix A – IESO IT Supported Platforms

System Component: Standard
Platform (Server): Red Hat Enterprise Linux V7 ES; Microsoft Windows Server 2012 R2
Platform (Desktop): Windows 7
Database: Oracle 11g R2 and above; MS SQL Server 2008 R2 and above (Preference and IESO supplied license)
Web Server: Microsoft IIS 7.5 and above; Apache 2.2 and above
Application Server: WebLogic Server 10.3; JBoss EAP 5.1
Web Browser: MS Internet Explorer 9.x
Smartphones: BlackBerry Classic/Leap, iPhone 5/6
Tablets: BlackBerry Passport, iPad
System Interfaces: XML, Web Services, LDAP, JMS; support for Web Services standards (SAML, WS-Security, SPML (Service Provisioning Markup Language), Liberty ID-WSF and ID-FF)
Backup/Restore: Commvault 8.0
LAN/WAN: TCP/IP – ICCP
Enterprise System Management: Altiris Version 7.1; System Center Operations Manager (SCOM) 7.0.8560; Symantec Management Agent version 7.5; IBM QRadar SIEM Agent Release 29.1
References
(No documents listed.)

Related Documents
(No documents listed.)

– End of Document –