6804-4 ETRM Technical Questionnaire
Technical requirement, objective, or question

Required: Please submit your response to the following items with your proposal.

Upgrades and Maintenance - On-premise or Cloud

1. Does your service have regular maintenance windows, and if so, what are they? What services are impacted or unavailable during these times?
2. Do you have a regular update and patching cycle? If so, please outline the general cycle and schedule and describe the types of changes typically released in major and minor revisions.
3. Can clients opt in or out of service pack upgrades? Are some upgrades mandatory and others optional?
4. What measures are in place to prevent upgrades from breaking client integrations? Do you issue release notes and recommendations in advance of each upgrade (for example, guidelines on where, when, and how to perform regression testing)?

Hosting Infrastructure, Backup and Disaster Recovery - Cloud

5. Please describe the types of data center facilities in which your solution is located. Are your data center facilities rated using Uptime Institute tier ratings? If so: 1) describe the ratings they have achieved, and 2) identify the party who conducted the rating and provide a website or other contact information for that party in your response.
6. Are third parties involved in your provisioning of data center services? If yes, please identify those third parties and provide websites and/or other contact information.
7. What documented plans do you have for recovering data center operations and network connectivity in the event of a local or regional disaster? How often are your DR plans refreshed and updated? Can you provide any third-party corroboration or certification of your DR plan quality?
8. What are the Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs) for your SaaS solution customers' hosted instances?
9. What is the schedule and the format for backups from your solution?
10. Are restorations from backup regularly tested? With what frequency and with what validation?

Integration, Data Import, Export and Location - On-premise or Cloud

11. Does your solution support web services (SOAP, REST, XML) for exchanging structured information both into and out of your system? Explain the general mechanism and standards supported. What data elements can be manipulated via web services?
12. What approach do you most recommend for sending inbound data to your service from City of Denton systems and/or third-party providers?
13. Does your solution support one or more secure varieties of Secure File Transfer Protocol (SFTP)? Explain the general mechanism and standards supported.
14. What types of Application Programming Interfaces (APIs) does your solution expose for data extraction?
15. Please identify other general functional areas exposed via your solution's APIs.
16. What technical documentation can you provide clients for your solution's APIs?
17. Can your clients export data from your solution to their own cloud solutions, and if so, how?
18. Please indicate if data in your solution is ever stored or moved outside the US, and if so, what type of data is stored outside the US (e.g. images, cached data, data in transit).

Performance and Benchmarking - On-premise or Cloud

19. Uptime metrics and service level reporting measured against agreed SLAs. What published performance benchmarks does your solution have for any or all of the following?
    • Application response times (separate by module if appropriate)
    • Speed of individual transactions
    • Speed of mass transactions
    • Speed of mass data imports and data exports
    • Data storage limits
    • Other
    If benchmarks are available, for each benchmark please cite the benchmarking organization, the date, and other relevant details and assumptions.

Architecture and Supported Platforms - On-premise and Cloud

20. What client PC/laptop operating systems (Windows, Macintosh, etc.) does your solution support? Differentiate by OS version if/where appropriate.
21. What client PC/laptop browsers (Internet Explorer, Firefox, Safari, etc.) does your solution support? Differentiate by browser version if/where appropriate.
22. What client smartphone and tablet operating systems (iPhone, iPad, Droid, Android, etc.) does your solution support? Differentiate by smartphone and tablet OS version if/where appropriate.
23. What server operating system(s) (Windows, Linux, other flavors of UNIX, other) does your SaaS solution run on? Differentiate by OS version if/where appropriate. Are certain application functions limited to certain platforms?
24. What application server environment(s) (WebLogic, WebSphere, other) does your solution run in? Differentiate by application server version if/where appropriate.
25. What web server(s) (Apache, IIS, other) does your solution run on? Differentiate by web server version if/where appropriate.
26. What database management system(s) (Oracle, SQL Server, DB2, other) does your solution run on? Differentiate by DBMS version if/where appropriate.

Security

27. In your SaaS implementations, do you typically support clients' own internal Single Sign-On (SSO) infrastructures? What types of SSO mechanisms can you support? Are there any SSO variations you cannot support?
28. Does your system provide tokens as secondary authentication for read-and-signs or electronic signatures for certificates?
29. If data is clustered, mirrored, duplicated or otherwise distributed, can the physical location of data be changed without City of Denton's knowledge or consent? If so, in the event that City of Denton needs to recall, delete, or otherwise modify distributed data, can you furnish all the location(s) of all such distributed data to City of Denton for those purposes?
30. What mechanisms, policies and procedures are used to safeguard stored data? Be sure to cite your use or non-use of intrusion detection, anti-virus, firewalls, vulnerability scanning, penetration testing, encryption, authentication and authorization protections and policies, including those involving passwords, removal of unnecessary network services, limiting of administrative access, code review, logging, employee training and other relevant safeguards.
31. What mechanisms are used to transport data? What methods are used to safeguard data during transport? Be sure to cite your use or non-use of encryption during transmission, encrypting wireless traffic, physically securing devices in transit, network traffic segregation, and other relevant safeguards. Where relevant, include descriptions of the encryption protocols and algorithms used.
32. Please identify any subcontracted parties who are involved in your handling of stored data as described in questions 39 and 40. Please provide a website address and/or other contact information for each.
33. Please identify any compliance frameworks for which your product has been certified, such as HIPAA, FISMA, FERPA, PCI, and so on. For each, provide the date of the last certification.
34. Do your hosting environments provide redundancy and load balancing for firewalls, intrusion prevention and other critical security elements?
35. Do you provide protection (or receive protection from a third party) for denial-of-service attacks against your hosted solutions?
36. Can you provide documented policies for OS hardening for your web, application, database and other hosting-related servers?
37. Do you use content monitoring and filtering or data leak prevention processes and controls to detect inappropriate data flows?
38. Can you provide documented procedures for configuration management (including installation of security patches) for all applications?
39. Can you provide documented procedures for vulnerability management, intrusion prevention, incident response, and incident escalation and investigation?
40. Can you provide documented identity management and help-desk procedures for authenticating callers and resetting access controls, as well as establishing and deleting accounts when help-desk service is provided?

Secondary (Non-Production) Environments

41. Do you provide SaaS customers with a standard set of secondary non-production environments (staging, test, and so on)? If so, which types of environments? Are there any limitations on access to and usage of these environments?
42. If you answered yes to question 69, above, can data in these secondary environments be synced with production data? If so, is there a fee for this synchronization? If not, what type of data is provided in these supporting environments?
43. If you answered yes to question 69, above, can changes made in secondary environments be migrated to production automatically?