ID Requirement
SE-1 The system must support role-based security. Please describe the following (SE-1.1 to SE-1.4):
SE-1.1 How role-based security works in the system.
SE-1.2 Who defines the roles?
SE-1.3 Is there a limit to the number of roles that may be held by one person?
SE-1.4 Is there a limit to the number of roles that may be held by one person?
SE-2 The system must have a means by which a security administrator can limit users' access to screens, reports, and data. Explain how the security administrator limits access (e.g., by person, by role, or by other measures) and how this is accomplished.
SE-3 The system must support multiple authentication methods. Describe how the software supports both of the following mandatory authentication mechanisms:
    LDAP authentication
    CAS (Central Authentication Service)
SE-4 The system must be able to communicate over SSL/TLS.
SE-5 The system must provide options to control password security and must include a method for resetting user passwords. Please describe them.
SE-6 The system must provide options to control password security, including protection of stored passwords (encryption or hashing), complexity rules, and password change intervals. Describe your password capabilities.
SE-7 The system must have options to control the period when passwords expire.
SE-8 The system must not allow the reuse of prior passwords.
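As an added example (not part of the RFP and not any supplier's product), the following Python sketches the controls SE-6 through SE-8 describe: salted PBKDF2 hashing of stored passwords, administrator-tunable complexity rules, expiry by age, and a no-reuse check against a bounded history. The limits (12 characters, 3 character classes, 10-deep history, 90-day maximum age) and the PBKDF2 iteration count are assumptions chosen for illustration.

```python
"""Password lifecycle controls of the kind SE-6 through SE-8 ask for.

Added example for this RFP, not any supplier's code. The limits are
constructed defaults an administrator would tune; the PBKDF2 iteration
count is a deployment assumption, not an RFP value.
"""
from __future__ import annotations

import hashlib
import hmac
import os
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class StoredCredential:
    salt: bytes           # per-password random salt
    digest: bytes         # PBKDF2-HMAC-SHA256 of the password under that salt
    changed_at: datetime  # when this password was set (drives SE-7 expiry)


@dataclass
class Account:
    username: str
    current: StoredCredential | None = None
    history: list[StoredCredential] = field(default_factory=list)  # oldest first


class PasswordPolicy:
    def __init__(self, min_length: int = 12, min_classes: int = 3,
                 history_depth: int = 10, max_age_days: int = 90,
                 iterations: int = 600_000):
        self.min_length = min_length
        self.min_classes = min_classes
        self.history_depth = history_depth
        self.max_age = timedelta(days=max_age_days)
        self.iterations = iterations

    def _digest(self, password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, self.iterations)

    def _matches(self, password: str, cred: StoredCredential) -> bool:
        # compare_digest keeps the comparison constant-time
        return hmac.compare_digest(self._digest(password, cred.salt), cred.digest)

    def verify(self, account: Account, password: str) -> bool:
        return account.current is not None and self._matches(password, account.current)

    def complexity_errors(self, password: str) -> list[str]:
        """SE-6 complexity rules; an empty list means the password is acceptable."""
        errors = []
        if len(password) < self.min_length:
            errors.append(f"shorter than {self.min_length} characters")
        classes = sum(bool(re.search(p, password))
                      for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
        if classes < self.min_classes:
            errors.append(f"fewer than {self.min_classes} character classes")
        return errors

    def is_expired(self, account: Account, now: datetime) -> bool:
        """SE-7: a password older than max_age must be changed before further use."""
        return account.current is None or now - account.current.changed_at >= self.max_age

    def previously_used(self, account: Account, password: str) -> bool:
        """SE-8: each retained digest has its own salt, so the candidate is re-derived per entry."""
        candidates = account.history[-self.history_depth:]
        if account.current is not None:
            candidates = candidates + [account.current]
        return any(self._matches(password, c) for c in candidates)

    def change_password(self, account: Account, new_password: str, now: datetime) -> list[str]:
        """Apply the complexity and reuse checks; on success rotate the credential and return []."""
        errors = self.complexity_errors(new_password)
        if self.previously_used(account, new_password):
            errors.append("matches one of the previous passwords")
        if errors:
            return errors
        if account.current is not None:
            account.history.append(account.current)
            del account.history[:-self.history_depth]  # keep only history_depth old entries
        salt = os.urandom(16)
        account.current = StoredCredential(salt, self._digest(new_password, salt), now)
        return []
```

A supplier's answer to SE-6 through SE-8 should state which of these knobs the administrator can set and how the reuse check is performed: because every retained password carries its own salt, the candidate has to be re-hashed once per history entry, which is why the history depth is bounded rather than unlimited.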
SE-9 The system must restrict access to a specific employee's data to only those users authorized to view that employee's data. Describe how the solution restricts access to employee data.
SE-10 The system should allow only client-defined users to view sensitive information.
SE-11 The system should allow administrators to override system policies.
SE-12 The system should provide application-level user IDs and passwords for stand-alone operation.
SE-13 The system should provide single sign-on capabilities that interface with the current OSU password scheme. Please explain the system's ability to support single sign-on.
SE-14 The system should provide a full audit trail of all system modifications and database changes. The audit trail should be printable and viewable online.
SE-15 The system should provide data validation abilities for all non-free form data fields.
SE-16 The system should provide the ability to create and expire user passwords, and group users under one group type, but with individual user passwords.
SE-17 The system should provide data locking in a multi-user environment.
SE-18 How does the system's security function restrict access to the database, so that unauthorized access through a third-party application is not possible?
SE-19 How does the system include data recovery and data restore within the application?
SE-20 How does the system include database backup within the application?
SE-21 The system should support free form fields. Describe any size limitations.
SE-22 Do the system data fields use basic word processing features such as spell check, word-wrap, cut, copy and paste?
SE-23 Please describe your archival process for moving records out of the active database.
SE-24 Please describe your purge process for removing records from the system.
SE-25 The system should use SSL/TLS to encrypt data for secure access over the Internet. Please explain in detail the security architecture around any technical file transfer options.
SE-26 Please describe in some detail how you will protect the information that will be used by the system.
SE-27 The system must support database encryption. Describe in some detail how you will protect the information in the database, including database encryption support and its impact on performance.
SE-28 The system must support session time-outs, and the time-out periods must be definable by the administrator.
SE-29 The system must support view-only versus update/edit access to data for users by role or profile.
SE-30 The system must support delegation of access from one user to another, for example when a supervisor is on vacation and another supervisor must manage those employees.
SE-31 The system must provide for logs of user activity in the solution.
SE-32 The system must clearly record the user associated with an entry, including date/time stamp.
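As an added example (not part of the RFP and not any supplier's product), the Python below shows one way the requirements SE-9, SE-29, SE-30 and SE-32 fit together: each role carries a set of allowed actions (view versus edit) and a scope (own record, direct reports, or everyone), a supervisor can delegate coverage of their reports to another supervisor for a bounded time window, and every authorization decision, granted or denied, is written to an audit record with the acting user and a UTC timestamp. The roles, users and reporting lines are constructed for illustration.

```python
"""Authorization for SE-9, SE-29, SE-30 and SE-32 in one place: per-role view
or edit rights, employee records limited to the employee and their supervisor,
time-bounded delegation between supervisors, and an audit record carrying the
acting user and a UTC timestamp for every decision, granted or denied (SE-31).

Added example for this RFP, not any supplier's code. Roles, users and the
reporting lines are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timezone

# Role -> allowed actions on a time record, and whose records the role reaches.
ROLES = {
    "employee":   {"actions": {"view"},         "scope": "own"},
    "supervisor": {"actions": {"view", "edit"}, "scope": "reports"},
    "payroll":    {"actions": {"view", "edit"}, "scope": "all"},
    "auditor":    {"actions": {"view"},         "scope": "all"},
}


@dataclass
class Delegation:
    from_user: str   # supervisor handing over (e.g. on vacation)
    to_user: str     # supervisor covering
    starts: datetime
    ends: datetime   # exclusive; the delegation lapses without further action


@dataclass
class AccessControl:
    user_roles: dict[str, set[str]]
    supervisor_of: dict[str, str]               # employee -> supervisor
    delegations: list[Delegation] = field(default_factory=list)
    audit_log: list[dict] = field(default_factory=list)

    def _acting_for(self, user: str, now: datetime) -> set[str]:
        """Supervisors whose reporting line `user` may act on at this moment (SE-30)."""
        return {d.from_user for d in self.delegations
                if d.to_user == user and d.starts <= now < d.ends}

    def _in_scope(self, scope: str, user: str, principals: set[str], employee: str) -> bool:
        if scope == "all":
            return True
        if scope == "own":
            return employee == user
        # "reports": the employee's supervisor is the user or someone who delegated to them (SE-9)
        return self.supervisor_of.get(employee) in principals

    def authorize(self, user: str, action: str, employee: str,
                  now: datetime | None = None) -> bool:
        now = now or datetime.now(timezone.utc)
        delegators = self._acting_for(user, now)
        principals = delegators | {user}
        # Delegation widens a supervisor's scope; it never grants roles the covering user lacks.
        allowed = any(
            action in ROLES[role]["actions"]
            and self._in_scope(ROLES[role]["scope"], user, principals, employee)
            for role in self.user_roles.get(user, set()) if role in ROLES
        )
        # SE-31/SE-32: who, on whose behalf, did what to whom, when, and the outcome.
        self.audit_log.append({
            "at": now.isoformat(),
            "user": user,
            "acting_for": sorted(delegators),
            "action": action,
            "employee": employee,
            "allowed": allowed,
        })
        return allowed
```

Two design points a respondent should be able to speak to: a supervisor's "reports" scope deliberately excludes their own record, so no one edits their own timesheet through the supervisory role, and a delegation transfers scope only, so the covering user must already hold the supervisor role for the delegation to have any effect.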
ID Requirement
DC-1 The system must support multiple data collection methods. Please list them.
DC-2 What technology do the badge reader clocks use?
DC-3 What is the lifespan of the clocks (is there any planned obsolescence)?
DC-4 The system timesheets must be accessible through multiple web browsers.
DC-5 The system must have web-based screens to allow employees to electronically clock in/out.
DC-6 The clock in/out time must be recorded automatically from the system time, not entered by the user.
DC-7 How does the system handle multiple off-campus/remote locations?
ID Requirement
HS-1 Who provides the hosting environment, and is it owned and operated by your company or managed by a third party?
HS-2 The system host must describe the system maintenance process and schedule. The response must include the supplier's process for verifying that the site is up and running on a daily basis and must include a communication plan for system downtime notification. State whether internal or external personnel provide maintenance.
HS-3 Please describe in some detail how you will protect the information that will be collected and used by your system.
HS-4 The system host is requested to provide a detailed description of its disaster recovery process for all locations, equipment and information systems, covering but not limited to:
    power interruptions
    strikes or work stoppages
    natural disasters
    supply interruptions
HS-5 The system host must provide back-up support and the locations that would be used to support the requirements in this RFP in the event of a disaster.
HS-6 Provide a pathway proposal for moving from the vendor-hosted service model to a University-hosted model in these situations:
    OSU later decides to host the system
    the Supplier company goes out of business
    OSU no longer desires the Supplier as its vendor
HS-7 Hosting must be available in a subscription-based model, with an option to purchase licenses after 2 years.
HS-8 Hosting services must include Service Packs and version upgrades.
HS-9 The hosting facility must be SAS 70 audited at least annually (or audited under the standards anticipated to replace SAS 70, such as SSAE 16 / SOC reports).
HS-10 The Supplier-hosted database must be segregated from other customers' data.
HS-11 Intrusion detection must be active in the hosting data center.
HS-12 Anti-virus software must be running on all hosted servers.
HS-13 All hosted solutions must include both a production and a non-production instance, with independent databases.
HS-14 Hosted solutions must include guaranteed uptime of at least 99.50%.
HS-15 For hosted solutions, describe the subscription model and future options to purchase a license.
HS-16 The supplier must describe all data security measures employed in their hosted model.