Enterprise Secure Remote Access
Request for Proposal
May 18th, 2015
Presented by:
NYU Hospitals Center
Table of Contents
Overview (p. 3)
Milestone Calendar (p. 3)
Required RFP Response Format (p. 3)
Proposal Due-Date, Delivery Instruction and Communication (p. 4)
Proprietary Information, Non-Disclosure (p. 4)
Costs Incurred (p. 4)
NYUHC Reserves Right to Reject Any and All Bids (p. 4)
Effective Period of Prices (p. 5)
Functional Requirements (p. 5)
Technology Roadmap (p. 11)
Professional Services and Customer Support (p. 11)
Regulatory & Compliance (p. 12)
Training (p. 12)
Pricing (p. 13)
Implementation Timeline (p. 13)
Description of Company (p. 14)
Past Performance and References (p. 15)
Evaluation Criteria (p. 15)
3/15/16
Secure Privileged Access Proposal
Page 2 of 16
NYU Hospitals Center
Overview
NYUHC is soliciting this RFP in order for vendors to provide a secure
privileged access solution for both internal and external users. The solution
will become a critical component of NYUHC’s infrastructure and application
access strategy, focused on a robust, secure and auditable mechanism to
access privileged accounts throughout the organization.
NYUHC is seeking a supplier with:
• Healthcare experience and a willingness to manage and supply an enterprise privileged access solution
• A proven track record in regulated environments
• Monitoring and reporting capabilities
• Guaranteed dedicated, high quality resources
• Quick turnaround times for requests
• Competitive pricing
• The ability to bring value to NYUHC
Milestone Calendar
The following calendar of events is based on planned New York University
Hospital Centers (NYUHC) activities and anticipated Supplier delivery
capabilities. It is presented for illustrative purposes only. These milestones
will be reviewed as necessary at the time a contract is awarded to a Supplier.
Milestone                                        | Date
Request for Proposal Published                   | May 18th 2015
Additional Questions due by 12:00 PM EST         | May 23rd 2015
Answer to Suppliers due by 12:00 PM EST          | May 27th 2015
Proposals due from Suppliers by 12:00 PM EST     | June 1st 2015
Suppliers meetings (short list only)             | Week of June 8th 2015
Please also refer to section 15 below for further details on Implementation
Timeline and section 18 for Evaluation Criteria.
Required RFP Response Format
Suppliers are required to submit their Proposal in the specified electronic
format. Supplier will submit their entire RFP response and all completed
forms electronically via e-mail with Supplier’s information and responses
provided in the appropriate places therein. The required electronic
applications formats are Microsoft Word and Microsoft Excel. Any supporting
graphic or presentation-based slides may be submitted in a separate
PowerPoint file. PDF format is not acceptable for any submitted text,
graphics or slides.
Proposal Due-Date, Delivery Instruction and Communication
All Proposals are due by June 1st 2015 no later than 12:00 P.M. EST.
Send your complete electronic response via email to: ITSourcing@nyumc.org
Bidders Note: All questions regarding interpretation or specifications must
be submitted in writing to Atul Panchal only with a copy to Christie LoFaro.
Under no circumstances shall Supplier contact any employee of NYUHC. Any
dialogue initiated by the bidder not addressed to contacts above will result in
an immediate disqualification. Discussions on other business matters and not
related to this RFP are permitted.
Proprietary Information, Non-Disclosure
Supplier shall have no rights in this document or the information contained
therein and shall not duplicate or disseminate said document or information
outside the Supplier's organization without the prior written consent of
NYUHC.
Costs Incurred
All costs incurred in the preparation of the Proposal shall be borne by
Supplier. By submitting a Proposal, Supplier agrees that the rejection of any
Proposal in whole or in part will not render NYUHC liable for incurred costs
and damages.
NYUHC Reserves Right to Reject Any and All Bids
Nothing in this RFP shall create any binding obligation upon NYUHC.
Moreover, NYUHC, at its sole discretion, reserves the right to reject any and
all bids as well as the right not to award any contract under this bid process.
NYUHC reserves the right to award a portion of this bid. All bids should be
governed by NYUHC standard Policy and Procedure and Terms and
Conditions.
Effective Period of Prices
All pricing quoted by Supplier will remain fixed and firm until June 2016.
Functional Requirements
9.1. Introduction
NYUHC is in the process of strengthening and streamlining its portfolio of
security capabilities to better serve upcoming new IT services and business
models. Central to this strategy is the definition and deployment of an
Enterprise Secure Privileged Access Solution to be rolled out to manage and
control user access to critical IT functions, including infrastructure, platforms
and applications.
Currently this function is offered and deployed on an ad hoc basis; however, in
order to support the institution's goals for new advanced applications and
capabilities, it is now necessary to offer a secure, flexible, scalable service
portfolio to manage access to critical core resources. This should be applied
in a standard way to different use cases regardless of their complexity, and
the service should provide differentiated levels of access depending on the
specific role and capabilities being requested.
External and internal users would access the core environment via standard
protocols and mechanisms (e.g. RDP, SSH). The Enterprise Secure Privileged
Access Solution would mediate, control and manage access to critical
applications, internal devices (including appliances) and infrastructure
platforms. At a high level, the Solution would provide:
• User authentication and authorization
• Session control and monitoring
• Session recording and logs
• Auditing and forensic tools
It is important to note that the Solution is meant to be a service capability
and not necessarily one single product or system, although preference may
be given to fully integrated solutions. The functions identified could be
provided by a solution involving a number of products that integrate within
the existing ecosystem and could be dependent on these enterprise platforms.
9.2. Use Cases
9.2.1. Remote Device and Appliance Control: Ability for an
authorized person to access remotely internal control devices,
mechanisms or applications. Examples include alarm systems,
building temperature and power controls systems, or security
applications.
9.2.2. Remote Application (Device) Maintenance: Ability for an
authorized person to perform maintenance functions on a
vendor supported platform in NYULMC. The platform could be an
application, device or infrastructure component.
9.2.3. Secure Remote Access to User Workstation: Ability for an
authorized person to access remotely a personal workstation or
server. This need could be part of a “work at home” setting.
9.2.4. Remote Application (Device) Maintenance via dedicated
VPN: Ability for an authorized person to perform maintenance
functions on a vendor supported platform in NYULMC. Access to
the application would be via dedicated hardware based VPN or
similar mechanism. The target platform could be an application,
infrastructure platform or device.
9.2.5. Internal Data Access: Ability for an authorized person to
remotely access information hosted internally on internal
databases, ETL or other integration systems or sources of data.
The user can extract data following a pre-determined protocol
and send the information using a secure channel back to the
requesting entity.
9.3. System Overview
9.3.1. Please provide a description of the overall architecture of the
remote access solution.
9.3.2. What is the technology being used? How do you utilize existing
standards in networking technologies?
9.3.3. Please provide a detailed list and explanation of the hardware
and software that is required for your solution.
Supplier Answer: Indicate your compliance with each requirement and
document any exception
9.4. Infrastructure Requirements
9.4.1. Solution Architecture
9.4.1.1. Please provide an architectural overview of the solution. Indicate where third-party solutions are required to provide additional capabilities.
9.4.1.2. Describe the application software that your company provides.
9.4.1.3. What protocols are used by your system? Provide a detailed list of all ports and protocols necessary for the system to work correctly.
9.4.1.4. Please provide best practices on how to manage your solution, including the roles and responsibilities for different teams (e.g. Information Security, Network Operations, Server Operations, etc.).
9.4.1.5. How many major releases per year are expected with your solution? Do you patch the solution on a regular basis or on an as-needed basis?
9.4.2. Server
9.4.2.1. Can the client purchase the required server hardware from a third party?
9.4.2.2. Can the software be installed in a virtual environment (e.g. VMware, MS Hyper-V)?
9.4.2.3. What operating system is the server running?
9.4.2.4. Please specify all hardware and software requirements of the required servers.
9.4.2.5. How would major release updates/upgrades be handled?
9.4.2.6. Are data stores backward/forward compatible?
9.4.2.7. Provide the frequency of software updates and the method of delivery.
9.4.2.8. What is the preferred method for data storage: server based (direct-attached), storage area network (SAN), network-attached storage (NAS), or other (describe the preferred data storage configuration in detail)?
9.4.2.9. Describe your recommended approach to redundant array of independent/inexpensive disks (RAID), fault-tolerant disk storage, target system availability and the formula used for calculating this.
9.4.2.10. What level of server redundancy is supported, and is failover an automatic or manual process? Please describe the failover process in detail.
9.4.2.11. What database platforms do you support/require?
9.4.2.12. Do you have an archival strategy for old data, or is all of the data retained in the main database?
9.4.2.13. Is a web server required, and if so, what web service do you use (e.g. IIS, Apache, Tomcat)?
9.4.2.14. Are there any ActiveX components used by your system?
9.4.2.15. What technology platform is the software built on?
9.4.2.16. Does your solution include a turn-key backup solution? Please describe the backup process in detail.
9.4.2.17. Are any third party backup solutions supported?
9.4.2.18. Is Citrix Xenapp v6.5/7.5 and Citrix XenDesktop 7.5 supported with your solution?
9.4.2.19. What is your recommended strategy for a development/test/production instance?
9.4.3. Network
9.4.3.1. Please describe any dependencies and/or integration with the existing wired or wireless infrastructure. If none exist, is there any hardware that is required, and what is the cost of the hardware and licenses (proprietary and non-proprietary)? Identify the minimum and ideal wired or wireless components required to operate efficiently.
9.4.3.2. What wireless Suppliers does your solution interoperate with? List Suppliers and respective solutions that have been verified to work with your solution. Include minimum and recommended versions of associated components.
9.4.3.3. How does your solution impact network performance? What network variables could impact your solution’s performance?
9.4.3.4. How do you guarantee that the system will not be adversely impacted by other LAN devices on the network?
9.4.3.5. How do you guarantee that the system will not interfere with any medical equipment?
9.4.3.6. If new infrastructure is required, what are the cabling requirements for equipment (power, Ethernet, etc.)?
9.4.4. End User Access
9.4.4.1. What are the client requirements for your solution? Please list the minimum and recommended specifications.
9.4.4.2. Is your solution mobile-friendly? If so, what mobile platforms are supported? Are there any differences in functionality with accessing the solution using the mobile version?
9.4.5. Security
9.4.5.1. Given the importance of such a system, can you describe in detail how your system is hardened against malicious attacks?
9.4.5.2. What rights/capabilities/responsibilities do system administrators have? Are there multiple levels of administrator privileges?
9.4.5.3. Does the solution interact with directory services like Active Directory, Kerberos, LDAP or RADIUS? If so, list level of integration and functionality.
9.4.5.4. Does the solution integrate with other Enterprise single sign-on solutions such as Oracle OAM/IAM?
9.4.5.5. Are multiple-factor solutions supported? If so, list the vendors and products that have been successfully deployed.
9.4.5.6. Does the solution restrict access to subsequent systems once a session has been established? For example, a session connected to one system cannot be used to initiate a session to another using the same or different protocols.
9.4.5.7. The system must support the ability to generate alerts based on pre-defined criteria.
9.4.5.8. Please describe in detail the log messages generated by the solution. Does your solution integrate with SIEM solutions such as Loglogic?
9.4.5.9. Can you give three examples on how customers used your log messages to identify attempted network, system or application intrusion? In each case, how were the customers notified?
9.4.5.10. For recent high profile security breaches (Target, Home Depot, Chase, Blue Cross Blue Shield, etc.), describe how your solution would have prevented the security breach, if applicable.
9.4.6. Enterprise Architecture
9.4.6.1. The system must support multiple sites and locations. Please describe how the software scales to multiple facilities.
9.4.6.2. What is your system licensing model (e.g. per concurrent user, per site, etc.) and how expandable is this?
9.4.6.3. Please describe how an end user will interact with or configure rules within your tools.
9.4.6.4. Please describe all enterprise monitoring solutions your product can integrate with.
9.4.6.5. Please describe how the solution architecture components can be centralized in the enterprise data center.
9.4.6.6. Is there a requirement for local interfaces and servers in each facility, and if so, what features and use cases drive the requirement?
9.4.6.7. What is the process and additional cost of expanding the system as we expand our facility through renovations and/or new construction?
9.4.6.8. Does your solution provide an API and, if so, what features/capabilities are supported?
9.4.7. Business Continuity
9.4.7.1. High Availability
9.4.7.1.1. What are your system uptime/availability guarantees?
9.4.7.1.2. Does the client have the ability to dictate or coordinate the day and time of any necessary downtimes?
9.4.7.1.3. What load balancing or high availability functions are supported?
9.4.7.1.4. Please describe the process of testing your high availability design.
9.4.7.1.5. Describe the monitoring capabilities of the solution in terms of the ability to monitor:
9.4.7.1.5.1. Complete system failure
9.4.7.1.5.2. Individual service failure
9.4.7.1.5.3. Critical resource status
9.4.7.2. Disaster Recovery
9.4.7.2.1. What are the disaster recovery capabilities?
9.4.7.2.2. Describe all aspects of your architecture backup/restore process.
9.4.7.2.3. How can backup and recovery capabilities be tested on a regular basis?
9.4.7.2.4. Please provide a description of your best practice comprehensive architecture for a true disaster recovery solution that consists of a core data center and a disaster recovery data center.
9.4.7.2.5. Please outline system capabilities regarding Recovery Time Objectives and Recovery Point Objectives.
Supplier Answer: Indicate your compliance with each requirement and
document any exception
Technology Roadmap
Please provide your product roadmap for the next 12 and 24 months.
Professional Services and Customer Support
11.1. Describe your professional services practice.
11.2. Describe your experience in providing these types of services.
11.3. Highlight company strengths as they relate to the request from NYUHC.
11.4. What personnel will be involved in delivering services, both direct and indirect?
11.5. Are you capable of providing implementation and on-site management services for your Single-Sign-On solution?
11.6. Briefly describe your experience in implementing similar programs. Indicate how you provided support to the company to facilitate change in its corporate environment(s). Outline any road blocks you encountered and how they were resolved.
Identify the key owner in your organization who is ultimately responsible for ensuring the success of this implementation.
11.7. Describe your proposed implementation methodology, including:
11.7.1. Timeline for implementation, key milestones and dates
11.7.2. Organizational chart defining each employee’s responsibilities
11.7.3. Specify all individuals who will be responsible for implementation, their functions and responsibilities
11.7.4. Provide a detailed management plan and outline of the proposed workflow and any requirements to deliver services
11.7.5. Outline the NYUHC team members required for a comprehensive deployment and the approach for engagement
11.7.6. Based on past and successful experience, who do you recommend be the champion and/or sponsor for the solution and why?
11.7.7. Describe your communication methods and processes.
11.7.8. Identify key points of contact necessary in the performance of this agreement.
11.7.9. What types of standard, ad hoc, or query reports can you and do you provide detailing project status?
11.7.10. What service guarantees do you offer?
11.7.11. What penalties have you incurred in the past year?
Regulatory & Compliance
1. How do you manage reporting for the Joint Commission and other
regulatory agencies as it relates to Single-Sign-On monitoring/logging?
2. How does your solution help the organization meet the following
regulatory and industry standards? (Identify specific examples and
include other regulatory entities your product adheres to and/or have
experience with)
• JCAHO (The Joint Commission)
• HIPAA (Health Insurance Portability and Accountability Act)
• HITECH (Health Information Technology for Economic & Clinical Health Act)
• CMS (Centers for Medicare and Medicaid Services)
• FDA (Food and Drug Administration)
• CCHIT (Certification Commission for Healthcare Information Technology)
• State specific requirements
Supplier Answer: Indicate your compliance with each requirement and
document any exception
Training
1. Describe technical and administrative training.
2. Describe reporting/database training.
Supplier Answer: Indicate your compliance with each requirement and
document any exception
Pricing
Please provide pricing information in the enclosed Attachment. All hardware,
support and services should also be included for a five (5) year agreement.
Please see the enclosed Attachment A to provide your pricing information.
Implementation Timeline
15.1. Overview
NYUHC is looking to implement this solution beginning July 2015 using a
phased approach as follows:

Phase    | Time frame          | Description
Pilot    | Q2 2015             | Proof of technology and integration with NYUHC systems
Phase 1  | Q3 2015 – Q4 2015   | External remote access
Phase 2  | Q1 2016 – Q2 2016   | Privileged access to selected internal resources
Phase 3  | Q3 2016 – onwards   | Full privileged access management
Note that all dates are calendar quarters and this timeline may be updated
without notice due to changes in business requirements.
15.2. Pilot
The goal of the pilot phase is to help NYUHC become familiar with your
solution and confirm the responses in section 9 above. The scope of this pilot
would be to:
• Verify core functionality:
  o Active Directory integration
  o Provide access controls for a selected subset of users
  o Review sessions recorded through the solution
• Validate failover (high availability and disaster recovery)
• Review operational, management and reporting capabilities
Please provide a recommended configuration for the above scenarios,
indicating the resources needed.
In order for your response to this RFP to be given further consideration, you
must state in writing as part of your response that:
• You are willing to participate in and support a pilot phase project at
your own cost.
• You understand that pilot use-case scenarios will be selected based on
responses to this RFP.
• You are able to provide a test system and proposal for the pilot phase
within two (2) weeks after notification, if applicable.
• You acknowledge that you may not be the sole vendor to participate in
the pilot phase.
• You acknowledge that responding to this RFP and participation in the
pilot does not serve as an indication that NYUHC will take further
action in this matter.
15.3. Phase 1
This phase will be to implement controlled access to existing systems
through the use of the solution, including potential integration with our portal
infrastructure.
15.4. Phase 2
Once remote access has been implemented, certain privileged accounts that
are used internally will then be migrated into the solution. Such accounts
may include privileged system, application or device accounts in addition to
certain users that have been identified as requiring additional controls.
15.5. Phase 3
The final phase will be to integrate all privileged session management into a
single solution for use throughout NYUHC.
Description of Company
The designated Supplier shall have provided privileged access services and
solutions to the public for a minimum of three (3) years. The Supplier will
offer a comprehensive privileged access solution and services package, as
specified in this RFP, to all NYUHC facilities.
Please provide:
1. The company’s full name, address, main telephone and appropriate
contact information including e-mail address.
2. A brief historical perspective on your company (years in the business,
growth via mergers and acquisitions, key industry innovations)
3. What are your company values?
4. Describe your corporate culture. Explain how you differentiate yourself
from your competition.
5. Describe the full range of services your company offers and the
corresponding rates. Include all services that will be available and all
expenses that we would incur under this agreement.
6. List office locations and specific responsibilities of each.
7. Please provide an overview of your company’s growth over the past
five years.
8. Provide audited financial statements for the two fiscal years
immediately prior to this one.
9. What percentage of your business is in healthcare?
10. What is your company’s EPIC experience and differentiators with Epic?
Past performance and References
Provide at least three (3) references of past privileged access solution and
services deployments in a healthcare setting of similar size and scope to
NYUHC.
For each reference please include the following:
1. Healthcare organization name, contact name, title, address and
telephone number.
2. Describe the relationship and services provided.
3. If you cannot provide at least one healthcare reference of a similar
size and scope to NYUHC, please explain and indicate the largest
installation you have performed.
4. Provide current and past account information, of similar size and
configuration. Include:
  a. A current, long-term customer
  b. A current customer implemented in the past 18 months
  c. A former customer terminated within the past 18 months and
reasoning for termination other than consolidation
Failure to provide suitable references to NYUHC will result in the Supplier’s
bid being rejected without further consideration.
Supplier Answer: Indicate your compliance with each requirement and
document any exception
Evaluation Criteria
NYUHC plans to evaluate the supplier’s response based on the following
criteria:
1. Best solutions to the stated use cases
2. Existing system capabilities
3. Forward looking architecture
4. Compatibility to NYUHC business models
5. Technological capabilities
6. Compatibility with NYUHC IT architecture and strategy
7. Price competitiveness
8. Ability to facilitate continuous total cost reduction or revenue increase
9. Quality of professional services
10. Service Levels
11. References