Event... · Web viewCE Event Management Software. Request for Proposal Number: Issue Date: December 4, 2017. Response Deadline: December 18, 2017. Scope of …

CE Event Management Software

Request for Proposal Number:

Issue Date: December 4, 2017

Response Deadline: December 18, 2017

Scope of Work

The University of Kansas Medical Center (KUMC) is looking to purchase a software application to manage continuing education activities (Live, RSS, MOC, Enduring) for external and internal users.

Administrative

Any questions regarding this Request for Proposal, Vendor Questionnaire, or proposal format must be directed to:

Bryan Thomas, Director of PurchasingKUMC Purchasing3901 Rainbow Blvd. Mailstop 2034Kansas City, KS 66160Phone: 913-588-1115eMail: [email protected]

Due Dates:All proposals are due by 2:00 p.m. CST Monday, December 18, 2017. Any proposal received after the required date specified shall be considered late and non-responsive. Any late proposals will not be evaluated for award. Once all submissions have been received, they will be compiled and forwarded to the requester for review. You will be contacted directly by the Procurement Officer if they wish to interview your representatives.

Schedule of Events:Event DateRFP – Open for Bid December 4, 2017Proposal Due Date December 18, 2017Target Date for Proposal Review January 8, 2018Vendor Demonstrations and Follow Up January 8, 2018 – March 16, 2018KU Decision March 30, 2018

University of Kansas Medical Center

mailto:[email protected]

Proposal Submission:Award of the contract resulting from this RFP will be based upon the most responsive Vendor whose offer will be the most advantageous to KUMC in terms of cost, functionality and other factors as specified in this RFP.

KUMC reserves the right to:

Reject any or all offers and discontinue this RFP process without obligation or liability to any potential Vendor,

Accept a proposal other than the lowest priced offer, and Award a contract on the basis of initial offers received, without discussions or requests for best

and final offers

The response to this RFP will be incorporated into the final agreement between The University of Kansas Medical Center and the selected vendor(s) as an attachment. The proposal shall be submitted in Microsoft Word format as set forth below and will confine submission to those matters sufficient to define its proposal, and to provide an adequate basis for evaluation of the proposal.

1. Executive Summary2. Functionality3. Project Management Approach4. Detailed and Itemized Pricing5. Appendices

1. Executive SummaryThe Executive Summary should be a brief overview, and should identify the main features and benefits of the proposed solution.

2. FunctionalityInclude detailed technical expertise and product functionality. The proposal should reflect ability to meet each of the requirements listed below:


CE Event Management Software

No. Requirement Delivery Method Vendor CommentsRegistrationREG01 Ability to add options to an

event that result in an additional cost (i.e. dinner, merchandise)

□ Out of Box□ Configure□ Custom

REG02 Ability to accept online registration, including e-commerce, discount codes, group registrations, refunds, invoicing and check payments.


REG03 Multiple registration with safeguards against registration for concurrent sessions


REG04 Ability to edit/add to registration information after an initial registration is completed


REG05 Ability to accommodate Early Bird and regular registration fees based on a deadline registration date.


REG06 Automated customizable e-mail registration confirmation with receipt.


REG07 Ability to customize registration form to include special needs of participants (dietary restrictions, special ADA requirements).


REG08 Ability to assign QR code or □ Out of Box

University of Kansas Medical Center Page 3

bar code for electronic check in on-site □ Configure

□ CustomREG09 Ability to assign QR code or

bar code for electronic check out


REG10 Ability to print customizable badges and other sign in materials with QR or bar coding (vendors should be specific about which the offer - QR / bar coding)


REG11 Ability to use one QR code on a name badge to scan in attendance for multiple days


REG12 Ability to register guests of participants that is excluded from PARS reporting


REG13 Ability for participants to audit courses without receiving CE credit - excluded from PARS reporting.


REG14 Allow guest profiles that do not require full profile for non-credit events - excluded from PARS reporting.


No. Requirement Delivery Method Vendor CommentsAdministration/EvaluationsADMIN01 Ability to create complex

events with concurrent sessions and multiple fee options, such as optional social events and products.


ADMIN02 Ability to duplicate recurring events. □ Out of Box


□ Configure□ Custom

ADMIN03 Ability to track multiple credit requirements - i.e., to recognize multiple credentials for one person (RN, EMS) and record all certification hours awarded for all credit types.


ADMIN04 Ability to track multiple clock hours for a course (50 min - 1 hr, 60 min - 1 hr, etc.)


ADMIN05 Ability to award certificates for multiple credit types - Need to be able to differing amount of credit per credit type, per session/course. Ability to add multiple signatures to a certificate (for multiple accred. Bodies).


ADMIN06 Ability to manage exhibitors online (Email invite, complete online applications, payment, confirmation, communications, accounts receivable).


ADMIN07 Customizable online evaluations/tests (pre and post), including multiple question types, for live or enduring materials and independent studies


ADMIN08 Ability to save and duplicate evaluation templates □ Out of Box


ADMIN09 Ability to schedule reminder emails for evaluation/testing emails sent to participants and also ability to set

□ Out of Box□ Configure


deadline to complete the evaluation/testing

□ Custom

ADMIN10 Speaker management - upload/download forms and information such as: disclosure, conflict of interest, honoraria, travel expenses, CV, audiovisual requests, presentation materials, handouts & slides


ADMIN11 Speaker management - Prompt speaker to fill out necessary forms


ADMIN12 Speaker management - Ability for staff to track what is complete/incomplete


ADMIN13 Ability to track/keep copies of previous versions of faculty forms


ADMIN14 Capture topic/specialty for each speaker in order to create a comprehensive list of speakers for future searching.


ADMIN15 Filter speakers lists (RE ADMIN14) by averaged evaluation scores over time


ADMIN16 Mobile technology to allow participant to register, check-in, access session agendas, complete evaluations/tests, and access certificate/transcript - either by mobile app or mobile friendly website


ADMIN17 Ability to have unlimited administrators □ Out of Box



ADMIN18 Ability to create online accredited programs by linking to or uploading online presentations (audio, video) that includes options for registration with payment and links to evaluation, post test and credit certificate issuance (Learning Management System)


ADMIN19 Ability to live stream events through Learning Management System.


ADMIN20 Ability to send MOC applications or worksheets to reviewers in order for reviewers to add comments and have system notify admin user when complete.


ADMIN21 Regarding applications: based on a QI project, reminders would be sent to applicant if project is not completed by a certain deadline. Ability to do this for several additional forms with a parent-child relationship to the initial application.


ADMIN22 Automated messages sent to admin user when each step is completed and to end user when target deadline is not met.


ADMIN23 Ability to make customizations to KUMC system and not have to wait until it is added as an update for all clients



ADMIN24 Customer support response of 24 hrs or less for urgent matters


ADMIN25 Clear communication from vendor regarding product updates & timelines, as well as downtime if product will be unavailable during an update.


No. Requirement Delivery Method Vendor CommentsReportingREPORTS01 Ability to create events that

capture all ACCME requirements needed for PARS annual reporting for ACCME providers and for that reporting to be automated for electronic transfer.


REPORTS02 Automatic system update of ACCME requirements □ Out of Box


REPORTS03 Ability to create events that capture all Allied Health requirements needed for annual reporting for providerships and for that reporting to be automated for electronic transfer.


REPORTS04 Ability to generate various program reports and export select data into Excel formats


REPORTS05 Must be able to produce a Budget Summary Report by event that includes all revenue, all expenses and program net loss or income


REPORTS06 Must be able to produce a □ Out of Box


report by individual event that includes all registration information by registration type (physician, nurses, complimentary, etc.)


REPORTS07 Must be able to produce a report by event that includes all registration information by individual (name, sessions, amount paid, date registered, etc.)


REPORTS08 Evaluation and outcomes reporting capabilities by program and for multiple programs by year


REPORTS09 Must be able to produce attendance lists □ Out of Box


REPORTS10 Ability to generate overall budget (revenue, expenses, balance for all activities)


REPORTS11 Ability to generate report that shows status of application on run date - MOC Specific


No. Requirement Delivery Method Vendor CommentsFinanceFINANCE01 Ability to capture all types of

revenue for an event, including: Registration, Exhibitor, Grant (commercial & non-commercial)


FINANCE02 Must be able to track all expenses for an event □ Out of Box



FINANCE03 Must be able to track income and expenses by funding sources.


FINANCE04 System must be able to invoice and track A/R's for rebilling purposes.


FINANCE05 Ability to send alerts or place holds on accounts (participants & exhibitors) because of balance due from previous events/years.


FINANCE06 Cancellation fees to show on activity budget □ Out of Box


FINANCE07 System must be able to invoice and track A/R's for rebilling purposes.


FINANCE08 Ability to invoice when program net = balance due □ Out of Box


No. Requirement Delivery Method Vendor CommentsInterfacesINTERFACE01 Provide widgets or scripts

for seamless integration of course listings to display on KUMC Continuing Education (KUMC CE) web page. The display of course listings generated must include: Course Title, Course Date(s), Course Description, Course



Location, Registration link so users may easily complete registration for courses in the CE event management system.

INTERFACE02 Ability to sort the display fo courses in a listing by date, ascending or descending should be an option.


INTERFACE03 Ability to limit the display of courses in a listing by type should be an option.


INTERFACE04 The widgets or scripts must be compatible for use in the Ingeniux CMS that hosts the development of the KUMC CE web pages


No. Requirement Delivery Method Vendor CommentsData Fields & SecurityDATA01 Administrator ability to set

user access and security by activity and by task


DATA02 Ability to partition between AHEC/KUMCCE/other activities for distribution lists


DATA03 Ability to capture the following types of data: Member/ParticipantMember/Participants ID (Created by system)SalutationFirst NameM.I.



Last NameSuffixDegreeProfessional TitlePositionCredit eligibility - assigned by system based on credential(s) Specialties (long list with check boxes)

CredentialsNPINursingAllied Health Professional License number(s)- Multiple fields (up to 5)OrganizationHospital (Drop Down)?DepartmentEmail AddressHome addressAddressAddress 2Address 3CityStatePostal CodeCountyCountryWork addressAddressAddress 2Address 3CityStatePostal CodeCountyCountryPreferred address check boxWork Telephone numberExtensionMobile Telephone numberHome Telephone Number


Fax telephone numberAssistant's NameAssistant's TelephoneAssistant's EmailPreferred First NameSpouse NameBirth Month & DayInduction Date (created by system)Paid ThruSpecial accommodations - Food Allergies, ADA to show on registration reportComments System notes (generated by system for user activity)Active/inactive check boxOpt in/out - emailsACTIVITYCode (CM18####)Activity NameLocationCounty LocationBegin Date (Multiple)Ending date (Multiple)Begin Time of program (Multiple)End Time of Program (Multiple)Activity Type (drop down) Live, Enduring, RSS, QI for Portfolio pgm, etc.Description (overall goal of program)In Joint Providership/Direct SponsorshipObjectivesUpload Brochure/BannerCredits types per session(s)Session titleTarget AudienceLength of programProvidership numberCredit hours


Speakers ListHours of instruction by speaker (Nursing and other)GrantsSupportCommercial Sponsor (Contribution Amt or In-Kind)Accreditation StatementPARS ReportingOutcomes (PARS Questions)Interprofessional Education Collaborative ABMS/ACGME/IOM# of Physicians who completed activity# of Other Learners who completed activityHours of instruction (CME)Risk Evaluation and Mitigation StrategyRegistrationList Products and pricing descriptionDownloadable registration formPolicies and cancellation MOCProject TitleType of QI Effort The number of physicians expected to participate in the QI activityPhysician Affiliation with KU School of Medicine ABMS medical Specialties addressed as part of this QI SubspecialtiesProvide anticipated number of Physician Assistants ParticipatingProvide anticipated number of Residents/Fellows participatingProvide anticipated number


of Nurses participatingProvide anticipated number of Allied Health Professionals participatingActivity start dateActivity end dateActivity explicitly addresses on of the following (drop down with choices provided)Project is funded internally Project is funded externally Does funding come from the organization budget What department or program is this QI activity most closely associated?How does the activity align with your clinical system priorities Is the project associated with larger statewide or national initiatives?If yes to the previous question please explainWhich two Institute of Medicine Quality Dimensions of patient care are addresses

Which two ACGME/ABMS competencies are addresses (practice based learning and improvement and systems based practice are both assumed) Relevant topics (all that apply) for this quality improvement effort What is/are the identified problem(s)/gaps in quality that resulted in the development of the activityIdentify the primary underlying cause(s) of the gap, if known or


hypothesizedWhat is the specific aim of the QI effortWhat is the patient populationWhat is the population sampling strategyWhat is the title of this measureType of measure is this Source of measure Is this measure nationally endorsed What is the NumeratorWhat is the DenominatorWhat is the base line rateWhat is it the data source for this measure What is the target rateWhat is the time frame for achieving the targetBenchmark and SourceWhat is the intervention tool type Describe the planned intervention & how it relates to the aimHow will this intervention impact physician practiceHow will this intervention impact patient careDo you have another measure Was a patient survey completed? If pt surveys were completed how manyUpload a sample of the surveyWas a peer survey completed? If peer surveys were completed how many?Upload a sample of the


surveyIs IRB requiredIndicate the requirements for an individual to meaningfully participate in this QI effort. QI Progress to date:Measure baseline practice performance Implement Changes in care processRe-measure practice performance Assess and refine changes in care process Re-measure (after refining) practice performance FinanceBilling address for CC pmtsRegistration fee types and pricing Order # (created by system)Order DateRegistration purchasedPayment DatePromotion codesPayment Method (check, credit card, other)Payment reference #Refund dateRefund amountCancellation Fee (displayed on registration revenue)Status (A/R or Paid)Payer namePayment amountPayment type (Reg Fee, Commercial Support, Balance Due)Program Expense Types (Chart of account)Program Estimate Budget IncomeProgram Estimate Budget Expense


CommentsAccount type (KUEA or RFF)Transcripts/CertificatesCredit specific certificate textsSignature blocks

No. Requirement Delivery Method Vendor CommentsIntegration with KU Systems/StandardsS01 The application allows for

dual sign-in process, where KUMC employees sign on using Single Sign-On (CAS and/or Shibboleth) and external users create their own accounts outside of SSO.


S02 The application allows former KUMC employees to still access their accounts once they have left the University; their information flows from the SSO account into an external account that they create. No information is lost.


S03 Alternately, the application allows for new KUMC employees who previously had external accounts to keep that information once they are have Single Sign-On accounts at KUMC.


S04 Ability to accommodate custom KUMC branding standards (colors and fonts) for all forms, emails, etc.



No. Requirement Delivery Method Vendor CommentsLook and Feel/User ExperienceUI01 Ability for participants to

self-claim credits per activity with safeguard so max credit hours cannot be exceeded


UI02 Allow participant to mark sessions attended & system calculates CE credit.


UI03 Participants ability to create a unique profile □ Out of Box


UI04 Participant self-service to access history, transcripts, complete evaluation, certificate retrieval and printing


UI05 Ability to customize and create email communication with participants, exhibitors, and speakers


UI06 Easy interface to manage internal participant lists (specialties, metadata terms, designation interest codes) to generate mailing lists and email lists, as well as upload outside lists


UI07 Ability to create an online detailed event page/brochure that displays event information on multiple tabs (event



info, faculty, accreditation, parking, hotel information and registration)

UI08 Allow guest profiles that do not require full profile for non-CE events


UI09 Clear instructions/process for forgot user name or password retrieval


UI10 Ability for users to opt-out (or be opted-out by KUMC staff) of mailing list


UI11 Ability to clone or copy previously sent email blasts


UI12 Safeguard against participants to register for same program twice.


UI13 Limit subsequent email blasts to unregistered participants


UI14 Ability for participants to track their progress in LMS


UI15 Please specify limitations on graphics size, number of attachments, size of attachment files in emails. Is rich text formatting available?




3. Project Management ApproachInclude the method and approach used to manage the overall project and client correspondence. Specifically, describe how the engagement proceeds from beginning to end.

4. Detailed and Itemized PricingInclude a fee breakdown by project phase and annual ongoing maintenance fees, Monthly Recurring Charge (MRC), per user charge, or any training or storage costs. Also, provide any reduced pricing options for multi-year contracts.

5. AppendicesA. References

Please provide two (2) current references, preferably from four (4) year higher education institutions (comparable in number of students to the University of Kansas Medical Center), including University name, contact name, title, e-mail address, telephone number that the University of Kansas Medical Center may contact.

B. Company Overview

Official registered name (Corporate, D.B.A., Partnership, etc.), Dun & Bradstreet Number, Primary and secondary SIC numbers, address, main telephone number, toll-free numbers, and facsimile numbers.

Key contact name, title, address (if different from above address), direct telephone and fax numbers.

Person authorized to contractually bind the organization for any proposal against this RFP.

C. Project Team Staffing (only on large projects)Include biographies and relevant experience of key staff. List the personnel who would work on this project along with their qualifications and relevant experience.

Evaluation Criteria:

The University of Kansas Medical Center may, at their discretion and without explanation to the prospective Vendors, at any time choose to discontinue this RFP without obligation to prospective Vendors.

The University of Kansas Medical Center will have no obligation to complete a purchase pursuant to this RFP, even in the event that a preferred vendor is selected. The only obligation for the University of Kansas Medical Center to purchase will arise from a fully executed agreement.

Bidders may be asked to prepare a presentation and demonstration after the RFP closing.



Vendor Questionnaire:

(Project will dictate whether or not this section is necessary.)

This questionnaire asks for information that will enable KUMC to determine how your hardware or software will work in our environment. Please provide an answer to each question.

For any requirement that cannot be met or you believe to be not applicable, provide written explanation and proposed mitigation actions or compensating controls.

Review the Definitions of Secure Information included in Appendix A. If this system/application will be used to store or process protected health information (PHI) then

the attached separate HIPAA Security Checklist for Applications/Devices must also be completed and submitted with this document.

Vendor Name Today’s Date

System/Application Name Software Version Operating System

Dept / Sponsor Contact Contact Title Department

Vendor Sales Representative Contact Title Telephone/Email

Vendor Technical Representative Contact Title Telephone/Email

Vendor Security Representative Contact Title Telephone/Email

State Contract # (if applicable)

NOTE: You do not need to complete the System Questions section of this questionnaire if the product will be hosted off-site (vendor SaaS).


System Questions Response Notes

Describe the primary function of the system.

Is there an appliance option for this system?

Y N NA

Can this be a stand-alone server? Y N NA

Does this system need proprietary hardware?

Y N NA

Can this system be virtualized? Y N NA

Is virtualization fully supported? Y N NA

What virtualization platforms are supported?

Has virtualization been fully tested?

Y N NA

If not a stand-alone server:

How many physical pieces of equipment are required?

What is the total amount of rack space required?

What are the power requirements?

What OS and version does it run (prefer Redhat Linux)?

What is the preferred OS?

Does it run under 32 or 64 bit?

Can the system be made fault tolerant? If yes, how?

Y N NA

What type of storage is supported or required (SAN, iSCSI, Fiberchannel, NSAS, DAS)

Can the system can be load balanced and how?

Y N NA

Does the system have networking real/time/latency requirements? (e.g. streaming voice or video)

Y N NA

What are network speed/bandwidth requirements?

What licenses are included: development,


System Questions Response Notes

testing, QA, production?

Does this system require individual licensing or shared licensing? If shared, does the system require a license server in our infrastructure? If yes, does the server need to be able to host physical USB dongles?

Y N NA

What load can the system handle (i.e., current users)?

What is the recommended configuration for X number of users?

What monitoring can be used (SNMP and what version)?

What training options are available for maintaining the system?

Application Questions Response Notes

Accessibility

Is the product tested for compliance with Section 508 of the Rehabilitation Act of 1973 and the Americans with Disabilities Act?

Y N NA

Does the product comply with the WCAG (Web Content Accessibility Guidelines) 2.0 Level AA?

Y N NA

Is manual usability testing conducted periodically to ensure the pages are accessible to individuals with disabilities?

Y N NA

Has the company completed a VPAT (Voluntary Product Accessibility Template) and will you provide it to us?

Y N NA

Authentication



Which authentication methods are available? CAS, Shibboleth, LDAP, Active Directory, other.

How are users authorized to use the application?

How are groups/roles managed?

Can groups/roles be controlled from outside the system (e.g. LDAP or Active Directory groups)?

Y N NA

User Access

Is user access browser based? If yes, indicate what browsers are supported.

Y N NA

Is user access client based? If yes, what OS does the client require?

Y N NA

Are other methods of remote access allowed? If yes, indicate what methods.

Y N NA

How are user accounts provisioned in the system?

Access Control

Is this system designed to be directly accessible from the entire Internet?

Y N NA

Does the system automatically log users off after a specified period of inactivity?

Y N NA

Does system authentication and authorization integrate with a central user identity vault (LDAP, Active Directory, etc.)? If yes, indicate which.

Y N NA

Will all user login credentials be transmitted in an encrypted format?

Y N NA

Will passwords/PINS be entered into non-displayed fields (masked)?

Y N NA

Will the vendor need remote support access to the system? If yes, describe the method.

Y N NA

Programming



What languages are involved (prefer Java or PHP)?

What kind of Web containers are used? Apache, Tomcat, others?

Is the application JSR 168 or 286 compliant (uPortal)? If yes, indicate which.

Y N NA

Do you provide APIs so that Dashboard can be constructed for utilization on our portal? If so, are there any additional licensing costs for this? If not, are we allowed to access the data, so that we may construct dashboards?

Y N NA

Do you agree to place in escrow (with mutually agreeable entity) the source code for current and two previous versions of the software being proposed, with client being responsible for the account?

Y N NA

Mobile

Is the application accessible via a mobile device? If yes, what devices are supported (e.g. ios/iphone, android, etc.)

Y N NA

Is this a mobile app, or a mobile-friendly website?

App

Website

Neither

How quickly will the application adapt to the latest mobile technology?

Data Management

Where is the data storage location? (Hosted or on-premise)

If this application will contain HIPAA-regulated data, will vendor sign a BAA (Business Associate Agreement)?

Y N NA

How will data associated with this service be backed up? Is this our responsibility or the vendor’s?

Include SLA information on:



Recovery Point Objective (RPO) – the maximum tolerable period in which data might be lost from an IT service due to a major incident OR in the event of a system failure, how much data can a service afford to lose?

Recovery Time Objective (RTO) – the duration of time and a service level within which a business process must be restored after a disaster (or disruption) in order to avoid unacceptable consequences associated with a break in business continuity OR how long a service can be down before data is restored.

Does vendor have a disaster recovery plan? Is there off-site storage of data, generators, etc.? Provide details of plan.

Y N NA

Attach a copy of your Business Continuity Plan.

How will vendor return all copies of data to the University at termination of agreement?

Can vendor return the actual hard drive to the University for disposal?

Y N NA

Does vendor have breach notification policy & procedures in place? If so, provide them.

Y N NA

PCI

If the application supports eCommerce, is it PCI compliant?

Y N NA

What PCI standards are followed?

Data Storage

What databases are supported? Include vendor and version (prefer Oracle or MySQL).

Data is moved in and out of the system using:



JSON? XML? CSV? Data exports/imports?

Y N NA

Open database? Y N NA

Web Services (REST, SOAP)? Y N NA

API? Y N NA

Other (If yes, explain) Y N NA

Will passwords/PINS be stored in an encrypted format?

Y N NA

Can this application be hosted? If so, where?

Y N NA

How can this application be monitored? If yes, by what (e.g. Zenoss)?

Will all access to the database system be auditable?

Y N NA

Do database rights and user accounts enforce the principle of least privilege?

Y N NA

Will Sensitive Information be stored in an encrypted format?

Y N NA

Security Administration

Can the system export log files to a central logging repository (e.g. syslog)?

Y N NA

Does the system provide reports of users/groups and their access levels?

Y N NA

Does the system provide varying levels of access within the application (e.g. role-based access)?

Y N NA

Does the system provide the capability to restrict access to particular records within the system based on userid?

Y N NA

What is the strategy for logging access to the system – and how long are the logs retained? Is there a cost for us to obtain the logs?

Activity Logging



Does the system log unauthorized access attempts by date, time, user id, device and location?

Y N NA

Does the system maintain an audit trail of all security maintenance performed by date, time, user id, device and location?

Y N NA

Does the system log all accesses to end user interface and backend data storage systems?

Y N NA

Networking Compatibility

Does the system support encryption of externally transmitted Sensitive Information?

Y N NA

Can the system be placed behind a firewall? Y N NA

Are ports used by the application statically definable and predictable?

Y N NA

What ports are used by the application?

Can the system only be accessed remotely via a secure protocols (SSH, SSL, HTTPS, etc.)?

Y N NA

Written Documentation

Vendor must supply documentation of the format, schema, and data stored by the application.

Does the vendor have written administrative policies & procedures for technical, Physical & Administrative Safeguards? If so, what?

Y N NA

What technical support documentation is available and where is it located?

Is the vendor willing to sign a Confidentiality Agreement as prescribed by the University?

Y N NA

Is the vendor willing to sign a Business Associate Agreement as prescribed by the University (for HIPAA and FERPA)?

Y N NA



Certifications

Has the application been audited by a third party against any industry standard IT security certifications? If so which?

Y N NA

Vendor Support

What platform does vendor do application development on?

What is the vendor support model?

Tier 1/2/3?

What are the support hours?

Are we expected to do first/second level support then call?

Design and Dependencies

Please supply a design block diagram (high level block diagram of service interconnections)

What are your technology dependencies (assumptions about our environment)?

What are your software dependencies (e.g. specific version of Java)?

Patching/Updates/Releases

What is your product SDLC?

When is the next scheduled release of your product?

How often do you issue patches and updates?

What testing and verification of OS patches are done?

What is involved in performing an upgrade

Cloud

Describe in detail how you interact with customer IT teams, and how this process works.

How do we get backups of our data?



When/if this contract ends, provide details on how we get all of our data back, and how the data is destroyed in your location.

Describe what analytics are available and how we get them.

How do we monitor your solution?

Sensitive Information:

The following types of information are considered “Sensitive” by the University of Kansas Medical Center Information Resources, Information Security, and University Compliance & Privacy Offices

Data covered by state and/or federal law requiring the University to restrict access and release Non-directory student records as defined by Family Education Records Privacy Act and

University Student Records Policy (including grades, transcripts, private contact information etc) Social Security Numbers (e.g. faculty, staff, students, alumnae, parents, applicants, etc.) Financial aid and/or scholarship information Human Resource records that contain personally identifiable information about employee

performance, health, and/or benefits Identifier or numbers for students, staff, or faculty KUMC ID numbers Passwords or PIN numbers Digital Signatures Individually identifiable health information (IIHI) protected by state or federal law (including but

not limited to “protected health information” as defined by HIPAA) Individually identifiable information created and collected by research projects Financial account & transaction information (e.g. banking information, credit card transaction

information, credit/debit card information, Track 2 information, etc.) Research data Library transactions (e.g. list of patrons, donors, users, circulation, etc.) Information covered by non-disclosure or confidentiality agreements


Documents

Event... · Web viewCE Event Management Software. Request for Proposal Number: Issue Date: December 4, 2017. Response Deadline: December 18, 2017. Scope of …