
KUMC – New Enterprise Asset Management System (EAMS) Implementation

RFQ 683F19-49

Issue Date 06/14/2019

Response Deadline: 07/05/2019 at 12:00 PM Central time

Scope of Work

The University of Kansas Medical Center (KUMC), Department of Facilities Management, is seeking a vendor to provide, configure and implement an off-premise, fully hosted, cloud/web-based SaaS Enterprise Asset Management System (EAMS) that will replace our current EAMS, IBM Maximo version 7.6.

Background

Currently, Facilities Management is using Maximo 7.6.0.1 in Windows OS virtual server environments, on an Oracle 12c database platform. There are no current direct integration points with other external applications, and there are no custom developed reports. Below is additional information regarding our current Maximo instance and configuration:

1-Organization with 3-Sites
Approximately 40 concurrent users.
Current database size is approximately 10GB.
Currently utilizing virtual server environments for a Production environment, a Test environment, and a Development environment.
EAMS data is used for interdepartmental billing via an external process.
We utilize one internal integration within Maximo that captures billable transactions to be used in our external interdepartmental billing process.
EAMS data is being exported directly from the Maximo Oracle database instance and integrated with our QlikView system for reporting and interdepartmental billing purposes.
Currently, we are utilizing these core applications: Work Order Tracking, Quick Reporting, Assets, Locations, Preventive Maintenance, Inventory, Job Plans, Purchasing, Assignment Manager, Service Requests.

Administrative

Any questions regarding this Request for Proposal, Vendor Questionnaire, or proposal format must be directed to:

Hayley Unke-Moore, CPSM, Associate Director of Purchasing
KUMC Purchasing
3901 Rainbow Blvd. Mailstop 2034
Kansas City, KS 66160
Phone: 913-588-1117
email: [email protected]

University of Kansas Medical Center RFQ 683F19-49


Due Date:

All proposals are due by 12:00 PM CDT Friday, 07/05/2019. Any proposal received after the required date specified shall be considered late and non-responsive. Any late proposals will not be evaluated for award. Once all submissions have been received, they will be compiled and forwarded to the requester for review. You will be contacted directly by the Procurement Officer if they wish to interview your representatives.

Proposal Submission:

Award of the contract resulting from this RFP will be based upon the most responsive Vendor whose offer will be the most advantageous to KUMC in terms of cost, functionality and other factors as specified in this RFP.

KUMC reserves the right to:

Reject any or all offers and discontinue this RFP process without obligation or liability to any potential Vendor,

Accept a proposal other than the lowest priced offer, and

Award a contract on the basis of initial offers received, without discussions or requests for best and final offers

The response to this RFP will be incorporated into the final agreement between The University of Kansas Medical Center and the selected vendor(s) as an attachment. The proposal shall be submitted in Microsoft Word format as set forth below and will confine submission to those matters sufficient to define its proposal, and to provide an adequate basis for evaluation of the proposal.

1. Executive Summary
2. Project Scope
3. Project Management Approach
4. Detailed and Itemized Pricing
5. Appendices

1. Executive Summary

The Executive Summary should be a brief overview, and should identify the main features and benefits of the proposed solution.

2. Project Scope

The proposal should reflect ability to meet each of the requirements and/or provide the services and functionality listed below:

A. Configure and implement an off-premise, fully hosted, cloud/web-based SaaS Enterprise Asset Management System (EAMS), as described in this Project Scope, the Functionality/Program Components Requirements (see Appendix I), and the Standard Technical Requirements (see Appendix II).

B. Perform data integrity and validation assessments of existing EAMS data prior to importing/migrating data into new EAMS.

C. Export/Import/migrate required data from existing EAMS into new EAMS.

D. Configure application screens and mobile solution UI’s to support EAMS work processes.

E. Develop identified reports, dashboards and workflows.

F. Facilitate user acceptance testing and make appropriate modifications to ensure proper system operation.

G. Provide end-user training, as identified by KUMC.

H. Plan & Facilitate cutover to new Production system.

I. Provide Go-Live Support.

3. Project Management Approach

Include the method and approach used to manage the overall project and client correspondence. Specifically, describe how the engagement proceeds from beginning to end.

4. Detailed and Itemized Pricing

Include a fee breakdown by project phase and annual ongoing maintenance fees, Monthly Recurring Charge (MRC), per user/license charge, upgrade fees (if any) or any training or storage costs. Also, provide any reduced pricing options for multi-year contracts.

5. Appendices

A. References

Please provide two (2) current references, with a similar project scope, preferably from four (4) year higher education institutions (comparable in number of students to the University of Kansas Medical Center), including University name, contact name, title, e-mail address, telephone number that the University of Kansas Medical Center may contact.

B. Company Overview

Official registered name (Corporate, D.B.A., Partnership, etc.), Dun & Bradstreet Number, Primary and secondary SIC numbers, address, main telephone number, toll-free numbers, and facsimile numbers.

Key contact name, title, address (if different from above address), direct telephone and fax numbers.

Person authorized to contractually bind the organization for any proposal against this RFP.

C. Project Team Staffing

Include biographies and relevant experience of key staff. List the personnel who would work on this project along with their qualifications and relevant experience, in reference to the project scope or system functionality.

Evaluation Criteria:

The University of Kansas Medical Center may, at their discretion and without explanation to the prospective Vendors, at any time choose to discontinue this RFP without obligation to prospective Vendors.


The University of Kansas Medical Center will have no obligation to complete a purchase pursuant to this RFP, even in the event that a preferred vendor is selected. The only obligation for the University of Kansas Medical Center to purchase will arise from a fully executed agreement.

Bidders may be asked to prepare a presentation and demonstration after the RFP closing.


Appendix I

EAMS Functionality & Program Components Requirements

General:
Provide/specify system/hardware requirements for user workstations.
Provide details regarding system support, upgrades, and system maintenance (on-going).
Provide database platform (i.e., Oracle, SQL Server, etc.)
Provide reporting tools/engine (i.e., Crystal Reports, BIRT, Cognos, etc.)
Support Reliability Centered Maintenance (RCM) philosophy and methodologies.
    Configurable to utilize RCM best practices
Provide delivered integrations with Workday, QlikView, Mapcom, Akitabox; or similar cloud ERP, business intelligence, and enterprise analytics systems.
Support Single Sign-on

Support Staff:
All In-House Team (Development, Support, Consulting)
    Account Manager Implementation Specialist Sales Technical

Support Type: (24/7, 365)
    Chat Email Ticketing System online to track support status Phone

Training Methods: (On-going/Accessible)
Seminars
Best Practices
Online Library
Webinar
Workshops:
    Vendor Office Client Office Local Events

Program Components:
Integrations:
    Workday
        - Allow integration/import of Time Entry details
        - Time Reporting
    QlikView MapCom Akitabox Or similar cloud ERP, business intelligence, and enterprise analytics systems.
Asset Management:
    Asset Reservations Equipment Hierarchy Multiple Languages supported Interactive Maps Ability to track facility, fleet, and different departments Replacement year Stationary Assets Mobile Assets Bar Coding QR Codes
Condition Monitoring
PDF Editor within the system
Internal Document Storage
Contract and Warranty Tracking
Inventory Management
Project Management
Billing Functionality (Import/Export)
Calibration Measurements
Interactive Checklists/Inspection Forms
Mobile Solution:
    Android or iPhone Apple Internet/Email Windows Connected & Disconnected operation Configurable mobile user interface
Preventative Maintenance:
    Calendar Based Rounds/Inspections Time Based Configure PM Routes
Sandbox practice account
Task Library - both prepopulated in the system and ability to add custom
Vendor:
    Contact Information Invoicing Shortcuts to Product


Contract Tracking
Warranties
Work Orders:
    Cause Codes Cost Ability to configure Shops/Work Groups/Crews Ability to setup Craft/Labor Codes Damage Codes Estimates Feedback to requester History Entering ID Codes Failure Codes Priority Procedure Link Generate Invoices/Quotes Audit Trails Time Stamps
Work Request Submission: (Configurable)
    Service Request Application/Module Email Online (application) Log In Account to track Status
Communication
    Ability to send automated notifications from the system via e-mail or text message
Graphical Work Scheduling
Project Management
Operating Support Costs:
Backups, updates, upgrades included
Support for developing/creating new reports
Multiple User Levels:
    View Request Edit/Delete Preset User Roles Customizable User Rights Ability to Copy User Rights between users
Program Management:
Ability to Change Program Level
Application/System Availability:
    Desktop


    Mobile Device Web
Customize Pages
Multiple Forms
Configurable Workflows
Dashboards
Data Storage:
    Cloud Intranet
Ease of Use (Simplified/Configurable User Interface)
Reports:
    Asset Based (Asset Downtime) Asset Replacement Cost Category Based Cost Category Cost Total Failures (Failure Reporting) MTTR/MTTF Reporting PM Compliance Scheduling Compliance History Out of Box List of Reports Ability to Create and Customize New Reports Included
Advanced Search Capability
Upload/Download/Export data via Excel


Appendix II

Standard Technical Requirements

1. It is highly preferred that user authentication occur via SAML as our current SSO infrastructure is Shibboleth front ended with CAS.

2. Any accounts that cannot use SAML for authentication must meet the following requirements. Password policy should match KUMC password policy. Passwords for access to the KUMC network and computer systems must meet the following requirements:
    Consist of a minimum of 12 and a maximum of 16 characters.
    Contain a minimum of one upper-case letter.
    Contain at least one number.
    Contain at least one special character from the following set: ! " # $ % & ' ( ) * + , - . / : ; < = > ? @ [ \ ] ^ _ { | } ~
    Have a maximum password lifetime of 365 days. (Passwords must be changed on an annual basis.)
    Passwords must not be reused for a minimum of 10 cycles.

3. Provide a data flow diagram

4. Identify type(s) of information that are collected either manually or automatically from the users/application.

5. All data that is transmitted, processed, or stored needs to be encrypted at rest and in transit. Explain how your solution meets this requirement

6. Proposed solution should follow industry standards regarding SDLC, information security vulnerabilities, and other related risks. Explain how your solution meets this requirement.

7. Vendor must have a documented and publicly accessible privacy policy. Please provide a link

8. Vendor must hold and actively carry a cyber-liability policy. If bid is accepted, a copy will need to be provided

9. Vendor should have a documented retention policy. Please attach policy. If it is not in alignment with KUMC policies, KUMC may require a custom retention policy.

10. Data centers must reside within the United States.

11. Solutions must support enterprise wireless networks or physical LAN connectivity

12. Data must reside in the US for systems containing high risk data. KUMC defines data as high risk when protection of data is required by law or regulation (i.e., HIPAA, FERPA, PCI, etc.)

13. Solutions must work on all major browsers (Chrome, Firefox, Edge, IE) and mobile application platforms.


Vendor Questionnaire: [Vendor name here]

This questionnaire asks for information that will enable KUMC to determine how your hardware or software will work in our environment. Please provide an answer to each question.

For any requirement that cannot be met or you believe to be not applicable, provide written explanation and proposed mitigation actions or compensating controls.

Review the Definitions of Secure Information included in Appendix A.

If this system/application will be used to store or process protected health information (PHI) then the attached separate HIPAA Security Checklist for Applications/Devices must also be completed and submitted with this document.

Vendor Name Today’s Date

System/Application Name Software Version Operating System

Dept / Sponsor Contact Contact Title Department

Vendor Sales Representative Contact Title Telephone/Email

Vendor Technical Representative Contact Title Telephone/Email

Vendor Security Representative Contact Title Telephone/Email

State Contract # (if applicable)

Form Completer Name Contact Title Telephone/Email

NOTE: You do not need to complete the System Questions section of this questionnaire if the product will be hosted off-site (vendor SaaS).


System Questions Response Notes

Describe the primary function of the system.

Is there an appliance option for this system?

Y N NA

Does this system need proprietary hardware?

Y N NA

Can this system be virtualized? Y N NA

Is virtualization fully supported? Y N NA

What virtualization platforms are supported?

If a physical server or appliance is required:

How many physical pieces of equipment are required?

What is the total amount of rack space required?

What are the power requirements?

What OS and version does it run?

What is the preferred OS?

Is the application 32 or 64 bit?

Can the system be made fault tolerant? If yes, how?

Y N NA

What type of storage is supported or required (SAN, NAS, DAS)

Can the system be load balanced and how?

Y N NA

Does the system have networking real-time/latency requirements? (e.g. streaming voice or video)

Y N NA

What are network speed/bandwidth requirements?

What licenses are included: development, testing, QA, production?

Does this system require individual licensing or shared licensing? If shared, does the system require a license server in our infrastructure? If yes, does the server need to be able to host physical USB dongles?

Y N NA

What load can the system handle (i.e., concurrent users)?

What is the recommended configuration for X number of users?

What monitoring can be used (SNMP and what version)?

What training options are available for maintaining the system?

Application Questions Response Notes

Accessibility

Is the product tested for compliance with Section 508 of the Rehabilitation Act of 1973 and the Americans with Disabilities Act?

Y N NA

Does the product comply with the WCAG (Web Content Accessibility Guidelines) 2.0 Level AA?

Y N NA

Is manual usability testing conducted periodically to ensure the pages are accessible to individuals with disabilities?

Y N NA

Has the company completed a VPAT (Voluntary Product Accessibility Template) and will you provide it to us?

Y N NA

Authentication

Which authentication methods are available? CAS, SAML (Shibboleth), Other (Please explain in notes).

If SAML, is your Service Provider (SP) part of the InCommon Federation?

Note: We do not provide SAML IDP initiated (Unsolicited Web) SSO.

Y N NA

If not in InCommon, can you provide your SP’s metadata (https://en.wikipedia.org/wiki/SAML_2.0#Service_Provider_Metadata)?

Y N NA


How are users authorized to use the application?

How are groups/roles managed?

Can groups/roles be controlled from outside the system (e.g. LDAP or Active Directory groups)?

Y N NA

User Access

Is application browser based? If yes, indicate what browsers are supported.

Y N NA

Is application client based? If yes, what OS does the client require? Y N NA

Are other methods of remote access allowed? If yes, indicate what methods.

Y N NA

How are user accounts provisioned in the system?

Access Control

Does the system automatically log users off after a specified period of inactivity?

Y N NA

Will all user login credentials be transmitted in an encrypted format, and what is the format?

Y N NA

Will passwords/PINS be entered into non-displayed fields (masked)? Y N NA

Will the vendor need remote support access to the system? If yes, describe the method.

Y N NA

Programming

What languages are involved?

What kind of Web containers are used? Apache, Tomcat, others?

Do you agree to place in escrow (with mutually agreeable entity) the source code for current and two previous versions of the software being proposed, with client being responsible for the account?

Y N NA

Mobile

Is the application accessible via a mobile device? If yes, what devices are supported (e.g. ios/iphone, android, etc.)

Y N NA

Is this a mobile app, or a mobile-friendly website? App Website Neither

How quickly will the application adapt to the latest mobile technology?

Data Management

Where is the data storage location? (Hosted or on-premise) If hosted, where?

How will data associated with this service be backed up? Is this our responsibility or the vendor’s?

Include SLA information on:

Recovery Point Objective (RPO) – the maximum tolerable period in which data might be lost from an IT service due to a major incident OR in the event of a system failure, how much data can a service afford to lose?

Recovery Time Objective (RTO) – the duration of time and a service level within which a business process must be restored after a disaster (or disruption) in order to avoid unacceptable consequences associated with a break in business continuity OR how long a service can be down before data is restored.

If hosted, does vendor have a disaster recovery plan? Is there off-site storage of data, generators, etc.? Provide details of plan.

Y N NA

Attach a copy of your Business Continuity Plan.

How will vendor return all copies of data to the University at termination of agreement?

Can vendor return the actual hard drive to the University for disposal? Y N NA

Does vendor have breach notification policy & procedures in place? If so, provide them.

Y N NA

PCI

If the application supports eCommerce, is it PCI compliant? Y N NA

What PCI standards are followed?

Does the application integrate with TouchNet payment gateway? If not, what gateway(s) does it integrate with?

Y N NA

Data Storage

What databases are supported? Include vendor and version.


Can the database live on a shared instance?

Does the database need to reside on the same server as the application?

Data is moved in and out of the system using:

JSON? XML? CSV? Data exports/imports? Y N NA

Open database? Y N NA

Web Services (REST, SOAP)? Y N NA

API? Y N NA

Other (If yes, explain) Y N NA

Will passwords/PINS be stored in an encrypted format? What format? Y N NA

Can this application be hosted? If so, where? Y N NA

Will all access to the database system be auditable? Y N NA

Do database rights and user accounts enforce the principle of least privilege?

Y N NA

Will Sensitive Information be stored in an encrypted format? What format?

Y N NA

Security Administration

Can the system export log files to a central logging repository (e.g. syslog)?

Y N NA

Does the system provide reports of users/groups and their access levels?

Y N NA

Does the system provide varying levels of access within the application (e.g. role-based access)?

Y N NA

Does the system provide the capability to restrict access to particular records within the system based on userid?

Y N NA

Does your application require any anti-virus exclusions? Y N NA

What is the strategy for logging access to the system – and how long are the logs retained? Is there a cost for us to obtain the logs?

Does your application support industry standard TLS encryption? Y N NA

Can your solution meet current FIPS compliance? Y N NA

Activity Logging

Does the system log unauthorized access attempts by date, time, user id, device and location?

Y N NA

Does the system maintain an audit trail of all security maintenance performed by date, time, user id, device and location?

Y N NA

Does the system log all accesses to end user interface and backend data storage systems?

Y N NA

Networking Compatibility

Does the system support encryption of externally transmitted Sensitive Information?

Y N NA

Can the system be placed behind a firewall? Y N NA

Are ports used by the application statically definable and predictable? Y N NA

What ports are used by the application?

Can the system be accessed via secure protocols (SSH, SSL, HTTPS, etc.)?

Y N NA

Written Documentation

Vendor must supply documentation of the format, schema, and data stored by the application.

Does the vendor have written administrative policies & procedures for technical, Physical & Administrative Safeguards? If so, what?

Y N NA

What technical support documentation is available and where is it located?

Is the vendor willing to sign a Confidentiality Agreement as prescribed by the University?

Y N NA


Is the vendor willing to sign a Business Associate Agreement as prescribed by the University (for HIPAA)?

Y N NA

Certifications

Has the application been audited by a third party against any industry standard IT security certifications? If so which?

Y N NA

Vendor Support

What platform does vendor do application development on?

What is the vendor support model?

Tier 1/2/3?

What are the support hours?

Are we expected to do first/second level support then call?

Design and Dependencies

Please supply a design block diagram (high level block diagram of service interconnections)

What are your technology dependencies (assumptions about our environment)?

What are your software dependencies (e.g. specific version of Java)?

Does your software require outdated or end of life software?

Patching/Updates/Releases

What is your product SDLC?

When is the next scheduled release of your product?

How often do you issue patches and updates for the main application and any dependent software?

How often do you release security patches?

What testing and verification of OS patches are done?

What is involved in performing an upgrade?

Cloud

Describe in detail how you interact with customer IT teams, and how this process works.

How do we get backups of our data?


When/if this contract ends, provide details on how we get all of our data back, and how the data is destroyed in your location.

Describe what analytics are available and how we get them.

How do we monitor your solution?

Sensitive Information:

The following types of information are considered “Sensitive” by the University of Kansas Medical Center Information Resources, Information Security, and University Compliance & Privacy Offices:

Data covered by state and/or federal law requiring the University to restrict access and release
Non-directory student records as defined by Family Education Records Privacy Act and University Student Records Policy (including grades, transcripts, private contact information etc)
Social Security Numbers (e.g. faculty, staff, students, alumnae, parents, applicants, etc.)
Financial aid and/or scholarship information
Human Resource records that contain personally identifiable information about employee performance, health, and/or benefits
Identifier or numbers for students, staff, or faculty
KUMC ID numbers
Passwords or PIN numbers
Digital Signatures
Individually identifiable health information (IIHI) protected by state or federal law (including but not limited to “protected health information” as defined by HIPAA)
Individually identifiable information created and collected by research projects
Financial account & transaction information (e.g. banking information, credit card transaction information, credit/debit card information, Track 2 information, etc.)
Research data
Library transactions (e.g. list of patrons, donors, users, circulation, etc.)
Information covered by non-disclosure or confidentiality agreements
