6804-4 ETRM Technical Questionnaire

Required: Please submit your response to the following items with your proposal.

Upgrades and Maintenance - On-premise or Cloud

1. Does your service have regular maintenance windows, and if so, what are they? What services are impacted or unavailable during these times?
2. Do you have a regular update and patching cycle? If so, please outline the general cycle and schedule and describe the types of changes typically released in major and minor revisions.
3. Can clients opt in or out of service pack upgrades? Are some upgrades mandatory and others optional?
4. What measures are in place to prevent upgrades from breaking client integrations? Do you issue release notes and recommendations in advance of each upgrade (for example: guidelines on where, when, and how to perform regression testing)?

Hosting Infrastructure, Backup and Disaster Recovery - Cloud

5. Please describe the types of data center facilities in which your solution is located. Are your data center facilities rated using Uptime Institute tier ratings? If so: 1) describe the ratings they have achieved, and 2) identify the party who conducted the rating and provide a website or other contact information for that party in your response.
6. Are third parties involved in your provisioning of data center services? If yes, please identify those third parties and provide websites and/or other contact information.
7. What documented plans do you have for recovering data center operations and network connectivity in the event of a local or regional disaster? How often are your DR plans refreshed and updated?
8. Can you provide any third-party corroboration or certification of your DR plan quality?
9. What are the Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs) for your SaaS solution customers' hosted instances?
10. What is the schedule and the format for backups from your solution? Are restorations from backup regularly tested? With what frequency and with what validation?

Integration, Data Import, Export and Location - On-premise or Cloud

11. Does your solution support web services (SOAP, REST, XML) for exchanging structured information both into and out of your system? Explain the general mechanism and standards supported. What data elements can be manipulated via web services?
12. What approach do you most recommend for sending inbound data to your service from City of Denton systems and/or 3rd party providers?
13. Does your solution support one or more secure varieties of Secure File Transfer Protocol (SFTP)? Explain the general mechanism and standards supported.
14. What types of Application Programming Interfaces (APIs) does your solution expose for data extraction?
15. Please identify other general functional areas exposed via your solution's APIs.
16. What technical documentation can you provide clients for your solution's APIs?
17. Can your clients export data from your solution to their own cloud solutions, and if so, how?
18. Please indicate if data in your solution is ever stored or moved outside the US, and if so, what type of data is stored outside the US (e.g. images, cached data, data in transit).

Performance and Benchmarking - On-premise or Cloud

19. Uptime metrics and service level reporting measured against agreed SLAs. What published performance benchmarks does your solution have for any or all of the following?
    - Application response times (separate by module if appropriate)
    - Speed of individual transactions
    - Speed of mass transactions
    - Speed of mass data imports and data exports
    - Data storage limits
    - Other
    If benchmarks are available, for each benchmark please cite the benchmarking organization, the date and other relevant details and assumptions.

Architecture and Supported Platforms - On-premise and Cloud

20. What client PC/laptop operating systems (Windows, Macintosh, etc.) does your solution support? Differentiate by OS version if/where appropriate.
21. What client PC/laptop browsers (Internet Explorer, Firefox, Safari, etc.) does your solution support? Differentiate by browser version if/where appropriate.
22. What client smartphone and tablet operating systems (iPhone, iPad, Droid, Android, etc.) does your solution support? Differentiate by smartphone and tablet OS version if/where appropriate.
23. What server operating system(s) (Windows, Linux, other flavors of UNIX, other) does your SaaS solution run on? Differentiate by OS version if/where appropriate. Are certain application functions limited to certain platforms?
24. What application server environment(s) (WebLogic, WebSphere, other) does your solution run in? Differentiate by application server version if/where appropriate.
25. What web server(s) (Apache, IIS, other) does your solution run on? Differentiate by web server version if/where appropriate.
26. What database management system(s) (Oracle, SQL Server, DB2, other) does your solution run on? Differentiate by DBMS version if/where appropriate.

Security

27. In your SaaS implementations, do you typically support clients' own internal Single Sign-On (SSO) infrastructures? What types of SSO mechanisms can you support? Are there any SSO variations you cannot support?
28. Does your system provide tokens as secondary authentication for read-and-signs or electronic signatures for certificates?
29. If data is clustered, mirrored, duplicated or otherwise distributed, can the physical location of data be changed without City of Denton's knowledge or consent? If so, in the event that City of Denton needs to recall, delete, or otherwise modify distributed data, can you furnish all the location(s) of all such distributed data to City of Denton for those purposes?
30. What mechanisms, policies and procedures are used to safeguard stored data? Be sure to cite your use or non-use of intrusion detection, anti-virus, firewalls, vulnerability scanning, penetration testing, encryption, authentication and authorization protections and policies, including those involving passwords, removal of unnecessary network services, limiting of administrative access, code review, logging, employee training and other relevant safeguards.
31. What mechanisms are used to transport data? What methods are used to safeguard data during transport? Be sure to cite your use or non-use of encryption during transmission, encrypting wireless traffic, physically securing devices in transit, network traffic segregation, and other relevant safeguards. Where relevant, include descriptions of the encryption protocols and algorithms used.
32. Please identify any subcontracted parties who are involved in your handling of stored data as described in questions 39 and 40. Please provide a website address and/or other contact information for each.
33. Please identify any compliance frameworks for which your product has been certified, such as HIPAA, FISMA, FERPA, PCI, and so on. For each, provide the date of the last certification.
34. Do your hosting environments provide redundancy and load balancing for firewalls, intrusion prevention and other critical security elements?
35. Do you provide protection (or receive protection from a third party) for denial-of-service attacks against your hosted solutions?
36. Can you provide documented policies for OS hardening for your web, application, database and other hosting-related servers?
37. Do you use content monitoring and filtering or data leak prevention processes and controls to detect inappropriate data flows?
38. Can you provide documented procedures for configuration management (including installation of security patches) for all applications?
39. Can you provide documented procedures for vulnerability management, intrusion prevention, incident response, and incident escalation and investigation?
40. Can you provide documented identity management and help-desk procedures for authenticating callers and resetting access controls, as well as establishing and deleting accounts when help-desk service is provided?

Secondary (Non-Production) Environments

41. Do you provide SaaS customers with a standard set of secondary non-production environments (staging, test, and so on)? If so, which types of environments? Are there any limitations on access to and usage of these environments?
42. If you answered yes to question 69, above, can data in these secondary environments be synced with production data? If so, is there a fee for this synchronization? If not, what type of data is provided in these supporting environments?
43. If you answered yes to question 69, above, can changes made in secondary environments be migrated to production automatically?