KUMC – New Enterprise Asset Management System (EAMS) Implementation
RFQ 683F19-49
Issue Date 06/14/2019
Response Deadline: 07/05/2019 at 12:00 PM Central time
Scope of Work
The University of Kansas Medical Center (KUMC), Department of Facilities Management, is seeking a vendor to provide, configure and implement an off-premise, fully hosted, cloud/web-based SaaS Enterprise Asset Management System (EAMS) that will replace our current EAMS, IBM Maximo version 7.6.
Background
Currently, Facilities Management is using Maximo 7.6.0.1 in Windows OS virtual server environments, on an Oracle 12c database platform. There are no current direct integration points with other external applications, and there are no custom developed reports. Below is additional information regarding our current Maximo instance and configuration:
- 1 Organization with 3 Sites
- Approximately 40 concurrent users.
- Current database size is approximately 10GB.
- Currently utilizing virtual server environments for a Production environment, a Test environment, and a Development environment.
- EAMS data is used for interdepartmental billing via an external process. We utilize one internal integration within Maximo that captures billable transactions to be used in our external interdepartmental billing process.
- EAMS data is being exported directly from the Maximo Oracle database instance and integrated with our QlikView system for reporting and interdepartmental billing purposes.
- Currently, we are utilizing these core applications: Work Order Tracking, Quick Reporting, Assets, Locations, Preventive Maintenance, Inventory, Job Plans, Purchasing, Assignment Manager, Service Requests.
Administrative
Any questions regarding this Request for Proposal, Vendor Questionnaire, or proposal format must be directed to:
Hayley Unke-Moore, CPSM, Associate Director of Purchasing
KUMC Purchasing
3901 Rainbow Blvd. Mailstop 2034
Kansas City, KS 66160
Phone: 913-588-1117
email: [email protected]
University of Kansas Medical Center RFQ 683F19-49
Due Date: All proposals are due by 12:00 PM CDT Friday, 07/05/2019. Any proposal received after the required date specified shall be considered late and non-responsive. Any late proposals will not be evaluated for award. Once all submissions have been received, they will be compiled and forwarded to the requester for review. You will be contacted directly by the Procurement Officer if they wish to interview your representatives.
Proposal Submission: Award of the contract resulting from this RFP will be based upon the most responsive Vendor whose offer will be the most advantageous to KUMC in terms of cost, functionality and other factors as specified in this RFP.
KUMC reserves the right to:
- Reject any or all offers and discontinue this RFP process without obligation or liability to any potential Vendor,
- Accept a proposal other than the lowest priced offer, and
- Award a contract on the basis of initial offers received, without discussions or requests for best and final offers.
The response to this RFP will be incorporated into the final agreement between The University of Kansas Medical Center and the selected vendor(s) as an attachment. The proposal shall be submitted in Microsoft Word format as set forth below and shall be confined to those matters sufficient to define the proposal and to provide an adequate basis for its evaluation.
1. Executive Summary
2. Project Scope
3. Project Management Approach
4. Detailed and Itemized Pricing
5. Appendices
1. Executive Summary
The Executive Summary should be a brief overview and should identify the main features and benefits of the proposed solution.
2. Project Scope
The proposal should reflect the ability to meet each of the requirements and/or provide the services and functionality listed below:
A. Configure and implement an off-premise, fully hosted, cloud/web-based SaaS Enterprise Asset Management System (EAMS), as described in this Project Scope, the Functionality/Program Components Requirements (see Appendix I), and the Standard Technical Requirements (see Appendix II).
B. Perform data integrity and validation assessments of existing EAMS data prior to importing/migrating data into new EAMS.
C. Export/Import/migrate required data from existing EAMS into new EAMS.
D. Configure application screens and mobile solution UI’s to support EAMS work processes.
E. Develop identified reports, dashboards and workflows.
F. Facilitate user acceptance testing and make appropriate modifications to ensure proper system operation.
G. Provide end-user training, as identified by KUMC.
H. Plan & Facilitate cutover to new Production system.
I. Provide Go-Live Support.
3. Project Management Approach
Include the method and approach used to manage the overall project and client correspondence. Specifically, describe how the engagement proceeds from beginning to end.
4. Detailed and Itemized Pricing
Include a fee breakdown by project phase and annual ongoing maintenance fees, Monthly Recurring Charge (MRC), per user/license charge, upgrade fees (if any) or any training or storage costs. Also, provide any reduced pricing options for multi-year contracts.
5. Appendices
A. References
Please provide two (2) current references, with a similar project scope, preferably from four (4) year higher education institutions (comparable in number of students to the University of Kansas Medical Center), including University name, contact name, title, e-mail address, telephone number that the University of Kansas Medical Center may contact.
B. Company Overview
Official registered name (Corporate, D.B.A., Partnership, etc.), Dun & Bradstreet Number, Primary and secondary SIC numbers, address, main telephone number, toll-free numbers, and facsimile numbers.
Key contact name, title, address (if different from above address), direct telephone and fax numbers.
Person authorized to contractually bind the organization for any proposal against this RFP.
C. Project Team Staffing
Include biographies and relevant experience of key staff. List the personnel who would work on this project along with their qualifications and relevant experience, in reference to the project scope or system functionality.
Evaluation Criteria:
The University of Kansas Medical Center may, at their discretion and without explanation to the prospective Vendors, at any time choose to discontinue this RFP without obligation to prospective Vendors.
The University of Kansas Medical Center will have no obligation to complete a purchase pursuant to this RFP, even in the event that a preferred vendor is selected. The only obligation for the University of Kansas Medical Center to purchase will arise from a fully executed agreement.
Bidders may be asked to prepare a presentation and demonstration after the RFP closing.
Appendix I
EAMS Functionality & Program Components Requirements
General:
- Provide/specify system/hardware requirements for user workstations.
- Provide details regarding system support, upgrades, and system maintenance (on-going).
- Provide database platform (e.g., Oracle, SQL Server, etc.).
- Provide reporting tools/engine (e.g., Crystal Reports, BIRT, Cognos, etc.).
- Support Reliability Centered Maintenance (RCM) philosophy and methodologies.
- Configurable to utilize RCM best practices.
- Provide delivered integrations with Workday, QlikView, Mapcom, Akitabox; or similar cloud ERP, business intelligence, and enterprise analytics systems.
- Support Single Sign-on.
Support Staff: All In-House Team (Development, Support, Consulting)
- Account Manager
- Implementation Specialist
- Sales
- Technical
Support Type: (24/7, 365)
- Chat
- Email
- Ticketing System online to track support status
- Phone
Training Methods: (On-going/Accessible)
- Seminars
- Best Practices
- Online Library
- Webinar
- Workshops: Vendor Office, Client Office, Local Events
Program Components:
Integrations:
- Workday
  - Allow integration/import of Time Entry details
  - Time Reporting
- QlikView
- MapCom
- Akitabox
- Or similar cloud ERP, business intelligence, and enterprise analytics systems.
Asset Management:
- Asset Reservations
- Equipment Hierarchy
- Multiple Languages supported
- Interactive Maps
- Ability to track facility, fleet, and different departments
- Replacement year
- Stationary Assets
- Mobile Assets
- Bar Coding
- QR Codes
- Condition Monitoring
- PDF Editor within the system
- Internal Document Storage
- Contract and Warranty Tracking
- Inventory Management
- Project Management
- Billing Functionality (Import/Export)
- Calibration Measurements
- Interactive Checklists/Inspection Forms
Mobile Solution:
- Android or iPhone
- Apple
- Internet/Email
- Windows
- Connected & Disconnected operation
- Configurable mobile user interface
Preventative Maintenance:
- Calendar Based
- Rounds/Inspections
- Time Based
- Configure PM Routes
- Sandbox practice account
- Task Library - both prepopulated in the system and ability to add custom
Vendor:
- Contact Information
- Invoicing
- Shortcuts to Product
- Contract Tracking
- Warranties
Work Orders:
- Cause Codes
- Cost
- Ability to configure Shops/Work Groups/Crews
- Ability to setup Craft/Labor Codes
- Damage Codes
- Estimates
- Feedback to requester
- History
- Entering ID Codes
- Failure Codes
- Priority
- Procedure Link
- Generate Invoices/Quotes
- Audit Trails
- Time Stamps
Work Request Submission: (Configurable)
- Service Request Application/Module
- Email
- Online (application)
- Log In Account to track Status
Communication:
- Ability to send automated notifications from the system via e-mail or text message
Graphical Work Scheduling
Project Management
Operating Support Costs:
- Backups, updates, upgrades included
- Support for developing/creating new reports
Multiple User Levels:
- View
- Request
- Edit/Delete
- Preset User Roles
- Customizable User Rights
- Ability to Copy User Rights between users
Program Management:
- Ability to Change Program Level
Application/System Availability:
- Desktop
- Mobile Device
- Web
Customize Pages
Multiple Forms
Configurable Workflows
Dashboards
Data Storage:
- Cloud
- Intranet
Ease of Use (Simplified/Configurable User Interface)
Reports:
- Asset Based (Asset Downtime)
- Asset Replacement Cost
- Category Based Cost
- Category Cost Total
- Failures (Failure Reporting)
- MTTR/MTTF Reporting
- PM Compliance
- Scheduling Compliance
- History
- Out of Box List of Reports
- Ability to Create and Customize New Reports Included
Advanced Search Capability
Upload/Download/Export data via Excel
Appendix II
Standard Technical Requirements
1. It is highly preferred that user authentication occur via SAML, as our current SSO infrastructure is Shibboleth front-ended with CAS.
2. Any accounts that cannot use SAML for authentication must meet the following requirements. Password policy should match KUMC password policy. Passwords for access to the KUMC network and computer systems must meet the following requirements:
- Consist of a minimum of 12 and a maximum of 16 characters.
- Contain a minimum of one upper-case letter.
- Contain at least one number.
- Contain at least one special character from the following set: ! " # $ % & ' ( ) * + , - . / : ; < = > ? @ [ \ ] ^ _ { | } ~
- Have a maximum password lifetime of 365 days. (Passwords must be changed on an annual basis.)
- Passwords must not be reused for a minimum of 10 cycles.
3. Provide a data flow diagram.
4. Identify type(s) of information that are collected either manually or automatically from the users/application.
5. All data that is transmitted, processed, or stored needs to be encrypted at rest and in transit. Explain how your solution meets this requirement.
6. Proposed solution should follow industry standards regarding SDLC, information security vulnerabilities, and other related risks. Explain how your solution meets this requirement.
7. Vendor must have a documented and publicly accessible privacy policy. Please provide a link.
8. Vendor must hold and actively carry a cyber-liability policy. If bid is accepted, a copy will need to be provided.
9. Vendor should have a documented retention policy. Please attach policy. If it is not in alignment with KUMC policies, KUMC may require a custom retention policy.
10. Data centers must reside within the United States.
11. Solutions must support enterprise wireless networks or physical LAN connectivity.
12. Data must reside in the US for systems containing high risk data. KUMC defines data as high risk when protection of data is required by law or regulation (e.g., HIPAA, FERPA, PCI, etc.).
13. Solutions must work on all major browsers (Chrome, Firefox, Edge, IE) and mobile application platforms.
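The password rules in item 2 above, expressed as an added checker written for this RFQ (not KUMC's or any vendor's code; the rule names, the history size and the PBKDF2 settings are assumptions made here for illustration):

```python
"""Checker for the Appendix II password rules: an added example, not KUMC's or
any vendor's code. Rule names, the history size and the PBKDF2 settings are
constructed here for illustration."""
from datetime import date, timedelta
import hashlib
import hmac
import os

MIN_LEN, MAX_LEN = 12, 16          # minimum 12, maximum 16 characters
MAX_AGE_DAYS = 365                 # maximum password lifetime
HISTORY_CYCLES = 10                # no reuse for a minimum of 10 cycles
# The special-character set quoted in item 2 of Appendix II.
SPECIALS = set("!\"#$%&'()*+,-./:;<=>?@[\\]^_{|}~")
PBKDF2_ROUNDS = 20_000             # kept low so the demo runs quickly


def composition_violations(password):
    """Names of the composition rules a candidate breaks (empty list = passes)."""
    problems = []
    if not MIN_LEN <= len(password) <= MAX_LEN:
        problems.append("length")
    if not any(c.isupper() for c in password):
        problems.append("uppercase")
    if not any(c.isdigit() for c in password):
        problems.append("digit")
    if not any(c in SPECIALS for c in password):
        problems.append("special")
    return problems


def is_expired(set_on, today):
    """True once a password is older than the 365-day maximum lifetime."""
    return today - set_on > timedelta(days=MAX_AGE_DAYS)


def _digest(password, salt):
    # Salted PBKDF2-HMAC-SHA256, so the history never holds plaintext passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class PasswordHistory:
    """Salted digests of one account's last HISTORY_CYCLES passwords."""

    def __init__(self):
        self._entries = []  # (salt, digest) pairs, oldest first

    def remember(self, password):
        salt = os.urandom(16)
        self._entries.append((salt, _digest(password, salt)))
        del self._entries[:-HISTORY_CYCLES]  # drop anything older than 10 cycles

    def was_used(self, password):
        # Each entry has its own salt, so the candidate is re-hashed per entry.
        return any(hmac.compare_digest(_digest(password, salt), digest)
                   for salt, digest in self._entries)

    def __len__(self):
        return len(self._entries)


def check_new_password(candidate, history):
    """Every reason a proposed password change would be rejected ([] = accept)."""
    problems = composition_violations(candidate)
    if history.was_used(candidate):
        problems.append("reuse")
    return problems


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    hist = PasswordHistory()
    hist.remember("Eams!Cutover19")
    print(check_new_password("Eams!Cutover19", hist))   # ['reuse']
    print(check_new_password("eamscutover", hist))      # ['length', 'uppercase', 'digit', 'special']
    print(is_expired(date(2019, 6, 14), date(2020, 6, 14)))  # True (366 days)
```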
Vendor Questionnaire: [Vendor name here]
This questionnaire asks for information that will enable KUMC to determine how your hardware or software will work in our environment. Please provide an answer to each question.
For any requirement that cannot be met or you believe to be not applicable, provide written explanation and proposed mitigation actions or compensating controls.
Review the Definitions of Secure Information included in Appendix A. If this system/application will be used to store or process protected health information (PHI) then the attached separate HIPAA Security Checklist for Applications/Devices must also be completed and submitted with this document.
Vendor Name | Today’s Date
System/Application Name | Software Version | Operating System
Dept / Sponsor Contact | Contact Title | Department
Vendor Sales Representative Contact | Title | Telephone/Email
Vendor Technical Representative Contact | Title | Telephone/Email
Vendor Security Representative Contact | Title | Telephone/Email
State Contract # (if applicable)
Form Completer Name | Contact Title | Telephone/Email
NOTE: You do not need to complete the System Questions section of this questionnaire if the product will be hosted off-site (vendor SaaS).
System Questions (Response / Notes)
- Describe the primary function of the system.
- Is there an appliance option for this system? (Y / N / NA)
- Does this system need proprietary hardware? (Y / N / NA)
- Can this system be virtualized? (Y / N / NA)
- Is virtualization fully supported? (Y / N / NA)
- What virtualization platforms are supported?
- If a physical server or appliance is required:
  - How many physical pieces of equipment are required?
  - What is the total amount of rack space required?
  - What are the power requirements?
- What OS and version does it run?
- What is the preferred OS?
- Is the application 32 or 64 bit?
- Can the system be made fault tolerant? If yes, how? (Y / N / NA)
- What type of storage is supported or required (SAN, NAS, DAS)?
- Can the system be load balanced, and how? (Y / N / NA)
- Does the system have networking real-time/latency requirements? (e.g. streaming voice or video) (Y / N / NA)
- What are network speed/bandwidth requirements?
- What licenses are included: development, testing, QA, production?
- Does this system require individual licensing or shared licensing? If shared, does the system require a license server in our infrastructure? If yes, does the server need to be able to host physical USB dongles? (Y / N / NA)
- What load can the system handle (i.e., concurrent users)?
- What is the recommended configuration for X number of users?
- What monitoring can be used (SNMP and what version)?
- What training options are available for maintaining the system?
Application Questions (Response / Notes)
Accessibility
- Is the product tested for compliance with Section 508 of the Rehabilitation Act of 1973 and the Americans with Disabilities Act? (Y / N / NA)
- Does the product comply with the WCAG (Web Content Accessibility Guidelines) 2.0 Level AA? (Y / N / NA)
- Is manual usability testing conducted periodically to ensure the pages are accessible to individuals with disabilities? (Y / N / NA)
- Has the company completed a VPAT (Voluntary Product Accessibility Template) and will you provide it to us? (Y / N / NA)
Authentication
- Which authentication methods are available? CAS, SAML (Shibboleth), Other (Please explain in notes).
- If SAML, is your Service Provider (SP) part of the InCommon Federation? (Y / N / NA)
  Note: We do not provide SAML IDP initiated (Unsolicited Web) SSO.
- If not in InCommon, can you provide your SP’s metadata (https://en.wikipedia.org/wiki/SAML_2.0#Service_Provider_Metadata)? (Y / N / NA)
- How are users authorized to use the application?
- How are groups/roles managed?
- Can groups/roles be controlled from outside the system (e.g. LDAP or Active Directory groups)? (Y / N / NA)
User Access
- Is application browser based? If yes, indicate what browsers are supported. (Y / N / NA)
- Is application client based? If yes, what OS does the client require? (Y / N / NA)
- Are other methods of remote access allowed? If yes, indicate what methods. (Y / N / NA)
- How are user accounts provisioned in the system?
Access Control
- Does the system automatically log users off after a specified period of inactivity? (Y / N / NA)
- Will all user login credentials be transmitted in an encrypted format, and what is the format? (Y / N / NA)
- Will passwords/PINS be entered into non-displayed fields (masked)? (Y / N / NA)
- Will the vendor need remote support access to the system? If yes, describe the method. (Y / N / NA)
Programming
- What languages are involved?
- What kind of Web containers are used? Apache, Tomcat, others?
- Do you agree to place in escrow (with mutually agreeable entity) the source code for current and two previous versions of the software being proposed, with client being responsible for the account? (Y / N / NA)
Mobile
- Is the application accessible via a mobile device? If yes, what devices are supported (e.g. iOS/iPhone, Android, etc.)? (Y / N / NA)
- Is this a mobile app, or a mobile-friendly website? (App / Website / Neither)
- How quickly will the application adapt to the latest mobile technology?
Data Management
- Where is the data storage location? (Hosted or on-premise) If hosted, where?
- How will data associated with this service be backed up? Is this our responsibility or the vendor’s?
- Include SLA information on:
  - Recovery Point Objective (RPO) – the maximum tolerable period in which data might be lost from an IT service due to a major incident OR in the event of a system failure, how much data can a service afford to lose?
  - Recovery Time Objective (RTO) – the duration of time and a service level within which a business process must be restored after a disaster (or disruption) in order to avoid unacceptable consequences associated with a break in business continuity OR how long a service can be down before data is restored.
- If hosted, does vendor have a disaster recovery plan? Is there off-site storage of data, generators, etc.? Provide details of plan. (Y / N / NA)
- Attach a copy of your Business Continuity Plan.
- How will vendor return all copies of data to the University at termination of agreement?
- Can vendor return the actual hard drive to the University for disposal? (Y / N / NA)
- Does vendor have breach notification policy & procedures in place? If so, provide them. (Y / N / NA)
PCI
- If the application supports eCommerce, is it PCI compliant? (Y / N / NA)
- What PCI standards are followed?
- Does the application integrate with TouchNet payment gateway? If not, what gateway(s) does it integrate with? (Y / N / NA)
Data Storage
- What databases are supported? Include vendor and version.
- Can the database live on a shared instance?
- Does the database need to reside on the same server as the application?
- Data is moved in and out of the system using:
  - JSON? XML? CSV? Data exports/imports? (Y / N / NA)
  - Open database? (Y / N / NA)
  - Web Services (REST, SOAP)? (Y / N / NA)
  - API? (Y / N / NA)
  - Other (If yes, explain) (Y / N / NA)
- Will passwords/PINS be stored in an encrypted format? What format? (Y / N / NA)
- Can this application be hosted? If so, where? (Y / N / NA)
- Will all access to the database system be auditable? (Y / N / NA)
- Do database rights and user accounts enforce the principle of least privilege? (Y / N / NA)
- Will Sensitive Information be stored in an encrypted format? What format? (Y / N / NA)
Security Administration
- Can the system export log files to a central logging repository (e.g. syslog)? (Y / N / NA)
- Does the system provide reports of users/groups and their access levels? (Y / N / NA)
- Does the system provide varying levels of access within the application (e.g. role-based access)? (Y / N / NA)
- Does the system provide the capability to restrict access to particular records within the system based on userid? (Y / N / NA)
- Does your application require any anti-virus exclusions? (Y / N / NA)
- What is the strategy for logging access to the system – and how long are the logs retained? Is there a cost for us to obtain the logs?
- Does your application support industry standard TLS encryption? (Y / N / NA)
- Can your solution meet current FIPS compliance? (Y / N / NA)
Activity Logging
- Does the system log unauthorized access attempts by date, time, user id, device and location? (Y / N / NA)
- Does the system maintain an audit trail of all security maintenance performed by date, time, user id, device and location? (Y / N / NA)
- Does the system log all accesses to end user interface and backend data storage systems? (Y / N / NA)
Networking Compatibility
- Does the system support encryption of externally transmitted Sensitive Information? (Y / N / NA)
- Can the system be placed behind a firewall? (Y / N / NA)
- Are ports used by the application statically definable and predictable? (Y / N / NA)
- What ports are used by the application?
- Can the system be accessed via secure protocols (SSH, SSL, HTTPS, etc.)? (Y / N / NA)
Written Documentation
- Vendor must supply documentation of the format, schema, and data stored by the application.
- Does the vendor have written administrative policies & procedures for Technical, Physical & Administrative Safeguards? If so, what? (Y / N / NA)
- What technical support documentation is available and where is it located?
- Is the vendor willing to sign a Confidentiality Agreement as prescribed by the University? (Y / N / NA)
- Is the vendor willing to sign a Business Associate Agreement as prescribed by the University (for HIPAA)? (Y / N / NA)
Certifications
- Has the application been audited by a third party against any industry standard IT security certifications? If so, which? (Y / N / NA)
Vendor Support
- What platform does vendor do application development on?
- What is the vendor support model? Tier 1/2/3?
- What are the support hours?
- Are we expected to do first/second level support then call?
Design and Dependencies
- Please supply a design block diagram (high level block diagram of service interconnections).
- What are your technology dependencies (assumptions about our environment)?
- What are your software dependencies (e.g. specific version of Java)?
- Does your software require outdated or end of life software?
Patching/Updates/Releases
- What is your product SDLC?
- When is the next scheduled release of your product?
- How often do you issue patches and updates for the main application and any dependent software?
- How often do you release security patches?
- What testing and verification of OS patches are done?
- What is involved in performing an upgrade?
Cloud
- Describe in detail how you interact with customer IT teams, and how this process works.
- How do we get backups of our data?
- When/if this contract ends, provide details on how we get all of our data back, and how the data is destroyed in your location.
- Describe what analytics are available and how we get them.
- How do we monitor your solution?
Sensitive Information:
The following types of information are considered “Sensitive” by the University of Kansas Medical Center Information Resources, Information Security, and University Compliance & Privacy Offices:
- Data covered by state and/or federal law requiring the University to restrict access and release
- Non-directory student records as defined by Family Education Records Privacy Act and University Student Records Policy (including grades, transcripts, private contact information etc)
- Social Security Numbers (e.g. faculty, staff, students, alumnae, parents, applicants, etc.)
- Financial aid and/or scholarship information
- Human Resource records that contain personally identifiable information about employee performance, health, and/or benefits
- Identifier or numbers for students, staff, or faculty
- KUMC ID numbers
- Passwords or PIN numbers
- Digital Signatures
- Individually identifiable health information (IIHI) protected by state or federal law (including but not limited to “protected health information” as defined by HIPAA)
- Individually identifiable information created and collected by research projects
- Financial account & transaction information (e.g. banking information, credit card transaction information, credit/debit card information, Track 2 information, etc.)
- Research data
- Library transactions (e.g. list of patrons, donors, users, circulation, etc.)
- Information covered by non-disclosure or confidentiality agreements